
Microsoft downplays Server bug threat, say researchers

Gregg Keizer, Computerworld | May 10, 2011
Microsoft is downplaying the threat posed by one of the three bugs the company patched today, said security researchers.

Carey said that hackers could use fuzzers -- tools that hammer at an application looking for a weakness -- to quickly locate the flaw in WINS. "We think it will be easy to do, and that they'll figure it out quickly," he said.

The most likely attack would not be against a Windows Server directly, but against a desktop or notebook PC within the network, Carey continued. "They could exploit a client [with another vulnerability] then pivot the attack to the server," he said. Once a hacker compromised a Windows Server system, he could pillage the machine for confidential information, account log-in credentials and the like.

"I think this will be packaged with a number of other vulnerabilities," said Miller, talking about the possible use of the flaw. "Servers are a prime target."

Microsoft urged network administrators to patch the WINS vulnerability as soon as possible.

"The nice thing is that this is a light month," said Miller. "It should give everyone a chance to get ahead of the game."

That's especially important considering Microsoft's schedule, under which it ships a larger number of updates in even-numbered months. "We'll probably be back to [updates in] double-digits in June," said Storms.

Today's other update, dubbed MS11-036, patches a pair of bugs in PowerPoint, the presentation manager included with Microsoft's Office suite. One of the vulnerabilities affects Office XP, Office 2003 and Office 2007 on Windows, Office for Mac 2004 and Office for Mac 2008. The second impacts only Office XP and Office 2003.

Neither of the bugs exists within the newest versions, Office 2010 on Windows or Office for Mac 2011.

"This one is in line with the general file format vulnerabilities we see almost every month," said Storms.

Storms' comment was on the mark: Microsoft patched three PowerPoint vulnerabilities in April, and two in November 2010.

Tuesday's patch for PowerPoint 2002 -- the version bundled with Office XP -- may be one of the last for that program: The 10-year-old suite will not receive security updates after July 12.

Microsoft also made good on a promise it made last week to tweak its Exploitability Index, the rating system that forecasts the likelihood a vulnerability will be exploited in the coming month.

Today's index showed separate ratings for the newest editions of its software and the older versions.

Microsoft rated the exploitability of the WINS bug as a "2," indicating that it believed that "inconsistent exploit code [is] likely" to appear in the next 30 days.

Today's patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).

