The first security patch that needs to be applied to Windows Server 2003 validates, rather than tarnishes, the secure-by-default approach Microsoft took in developing its flagship server OS.
Microsoft took the highly unusual step of ringing around journalists this afternoon to put this positive spin on the announcement of a patch for Internet Explorer designed to fix two newly discovered security vulnerabilities. The cumulative patch also includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
Simon Conant, a Security Program Manager at Microsoft, explained that although the vulnerabilities covered by the patch are 'critical' for versions of IE running on Microsoft's client operating systems, such as XP, the problem is only 'moderate' for Internet Explorer on Windows Server 2003.
The lesser risk for Windows Server 2003 arises because, by default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks attacks based on the vulnerabilities, which on other systems might allow an attacker to execute code on a user's system.
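Because the article's whole argument rests on Enhanced Security Configuration being switched on, an administrator will want to confirm that it actually is before treating the issue as 'moderate'. The following PowerShell check is an added example, not code from the article or from Microsoft. It assumes that the IE ESC state is recorded under the two Active Setup component keys shown (one for the Administrators group, one for Users), with an `IsInstalled` value of 1 meaning enabled; verify those locations against your own build.

```powershell
# Added example (not from the article): report whether Internet Explorer
# Enhanced Security Configuration (IE ESC) is enabled on a Windows Server host.
# Assumption: ESC state lives under these two Active Setup component keys,
# and IsInstalled = 1 means the configuration is enabled for that group.
$escComponents = @{
    'Administrators' = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    'Users'          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IeEscStatus {
    foreach ($group in $escComponents.Keys) {
        $path = $escComponents[$group]
        if (-not (Test-Path $path)) {
            # Key absent: this build does not carry the ESC component at all.
            [pscustomobject]@{ Group = $group; Enabled = $null; Note = 'ESC component key not present' }
            continue
        }
        $value = (Get-ItemProperty -Path $path -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        [pscustomobject]@{ Group = $group; Enabled = ($value -eq 1); Note = "IsInstalled=$value" }
    }
}

$status = Get-IeEscStatus
$status | Format-Table -AutoSize

# If ESC is off for either group, the mitigating factor the advisory relies on
# does not apply and the host should be treated at the 'critical' rating.
if ($status | Where-Object { $_.Enabled -ne $true }) {
    Write-Warning 'IE ESC is not enabled for every group; apply the patch and rate the host as critical.'
}
```

Run it in an elevated PowerShell session on the server; a disabled ESC is common on hosts where someone has turned it off to make local browsing less painful, which silently removes the protection described above.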
Despite this mitigating factor, Conant still encourages Windows Server 2003 users to apply Microsoft's patch because the "underlying issue is still there".
Although this is an IE problem, it still creates the need to apply the first patches to Windows Server 2003, but Conant said the lesser impact of the vulnerabilities on that platform demonstrates that Microsoft's more security-conscious approach is paying off.
Be that as it may, let's not forget that the flaws addressed by the patch are potentially devastating for the vast majority of Microsoft's installed base (who are running XP, Windows 2000, 98, Me and NT).
A security advisory from Microsoft explains the underlying cause of the problems.
First up, there's a buffer overrun vulnerability that occurs because IE "does not properly determine an object type returned from a web server". In common with other buffer overflow exploits, this creates a mechanism for attackers to inject hostile code onto vulnerable boxes, either by tempting users to visit maliciously constructed Web sites or by sending an HTML email that attempts to exploit the vulnerability.
There's also a flaw that results because IE does not implement an appropriate block on a file download dialog box. Again, this vulnerability creates a possible means for an attacker to run arbitrary code on a user's system.
Credit for discovering the evil duo goes to eEye Digital Security.
More details on the issue, and links to patches, can be found in Microsoft's advisory. Microsoft strongly recommends that you apply its "critical" (except for Win Server 2003) security patches. ®