Microsoft issued just one security update for Windows, the lowest number on a Patch Tuesday since January 2009.
Microsoft security bulletin MS10-001 affects a vulnerability in the embedded Open Type font engine. The security bulletin is rated as Critical, but that rating really only applies to Windows 2000 systems. For all other versions of Windows, this flaw is rated as a Low severity.
And for once, researchers urged users to spend their patching time dealing with updates from Adobe rather than Microsoft's fix.
The patch addresses a bug in how Windows Embedded OpenType (EOT) font engine decompresses specially-crafted EOT fonts, said the Microsoft bulletin. EOT fonts are a compact form of fonts designed for use on Web pages, but they can also be used in Word and PowerPoint documents.
This was the second EOT bug fix in the last three months. In November, Microsoft patched a flaw in how the Windows kernel parsed EOT fonts.
Although the vulnerability could result in remote code execution -- security speak that means an attacker could use the bug to hijack a PC -- only Windows 2000 got the critical ranking. All others were tagged with the lowest threat rating in Microsoft's four-step scoring system.
Microsoft explained why in several ways. "These [other] Windows operating systems contain the vulnerable code but do not use this code in a way that may expose the vulnerability," the company said in the security bulletin.
"Due to the nature of bounds-checking performed on 32-bit systems XP and later, the only buffer+index combinations which would pass the old checks will point into address 0x80000000 and above," Brian Cavenah from the Microsoft Security Research Center engineering staff. "Because these regions cannot be accessed while running at IOPL 3, the process will crash (Access Violate) and the attempt to run arbitrary code would fail," Cavenah said on a company blog today.
Andrews Storms, director of security operations at nCircle Network Security, put that into plain English. "Versions newer than Windows 2000 have security provisions that prevents code execution of this vulnerability," he said. "Specifically, it's in the way that memory mapping happens. Running code will register certain opcodes in Windows XP and newer, and those versions then know not to allow code execution."
Richie Lai, the director of vulnerability research at security company Qualys, described it slightly differently. "It's more a hardening of the way Windows manages memory," he said, referring to the changes in Windows XP and later.
In fact, Storms suggests putting the time normally spent on assessing and implementing patches into other worthwhile endeavours. "I think this is one they probably wished they didn't have to patch," Storms argued, noting the impending retirement of Windows 2000 from Microsoft support. "Windows 2000 is on its last legs, and except for it, they wouldn't have bothered."
"This is a very light Patch Tuesday from Microsoft and IT security teams should be taking advantage of the situation to address housekeeping items. Take the time this month to find every out-of-date Microsoft system and apply any necessary patches from those 2009 vulnerabilities."
Adobe and Oracle Join the Fray
While Adobe and Oracle don't follow the same security update and patch release cycle as Microsoft, both coincidentally released critical updates of their own today.
nCircle's Storms noted "Once considered the safest document format, Adobe PDF has fallen prey to a rash of serious security threats. After a solid year of security issues, Adobe's product security and secure product development practices are being seriously questioned. It's ironic to consider that we may have reached the point where Microsoft Office documents are now more secure than PDF documents."
Oracle joined the party as well, rolling out a quarterly patch of its own. The Oracle update contains a total of 24 updates affecting seven different Oracle products. Most of the vulnerabilities are remotely exploitable without authentication, making them critical security concerns. Database servers should not be exposed to the network, but IT administrators need to scrutinize affected application servers to determine the amount of risk the servers are exposed to.
Qualys' Kandek also noted that a Intevydis, a Russian security research firm, announced last week that it plans to publish server-based zero-day vulnerabilities over the next three weeks. "The first two are live and have POC [proof-of-concept] code for Sun Directory Server 7.0 and Tivoli Directory Server 6.2. We are monitoring these releases and will keep you updated on further developments."
Microsoft did not patch the Windows 7 bug crash bug that went public nearly two months ago. Last week, Microsoft acknowledged it didn't have a fix finished for the vulnerability in SMB (Server Message Block), a Microsoft-made network file and print-sharing protocol that, if exploited, crashes Windows 7 and Windows Server 2008 R2 machines so thoroughly that users have had to power off the system to regain control. Microsoft has maintained that the vulnerability cannot be used to hijack PCs.
"It is interesting to note that the SMB [denial-of-service] exposure is not being addressed, although Microsoft has been open about the fact that it would not be included, and does not have a history of rushing updates for denial-of-service conditions," said Josh Abraham, a security researcher with Rapid7, in an e-mail Tuesday.
This month's security update can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.