Microsoft issues new Windows security advisories
Microsoft issued even more details about Windows security concerns, even after releasing its August security update on Tuesday.
Late yesterday, Microsoft announced two security advisories. One is new, while the other updates a previously issued advisory. Meanwhile, IT pros already are tying to cope with this month's massive security update.
The updated advisory simply states that Microsoft has concluded its investigation into a security advisory issued in February. That problem concerns the Transport Layer Security and Secure Sockets Layer (TLS/SSL) protocols in general, and the Windows Secure Channel security package in particular.
The issue was addressed with critical security bulletin MS10-049 in Microsoft's August patch. It's designed address the flaw in Windows Server 2008, Windows 7 and 12 other supported versions of the Windows OS, including XP and Vista.
Left unpatched, the Windows Secure Channel vulnerability could allow attackers the ability to perform "man-in-the-middle" attacks via TLS/SSL connections. The problem is of general concern, and Microsoft's issuance of a fix suggests that broad industry engagement occurred, according to Jason Miller, data and security team manager at Shavlik Technologies.
"In recent months, we have heard of Microsoft working with other vendors such as Adobe to address vulnerabilities as a whole and not as a one-company issue," Miller said. "The release of MS10-049 shows that Microsoft is again working with the industry with vulnerability management."
Miller added that the fix from Microsoft had long been in the works. The TLS/SSL vulnerability was "not just Microsoft's problem" as it affected the "IT industry as a whole," he said.
Windows Service Isolation Flaw
Next up, Microsoft issued a new security advisory on Tuesday concerning a Windows Service Isolation feature that could enable elevation-of-privilege exploits. The operating systems involved include Windows XP, Windows Vista and Windows 7, as well as Windows Server 2003 and Windows Server 2008.
Microsoft said that an attacker could use this feature to elevate processes running on a Windows-based "NetworkService account" to the "LocalSystem account" on a server. It could give the attacker the ability to take control of a system.
At-risk Microsoft products include the Windows telephony application programming interfaces, SQL Server and Internet Information Services (IIS) in Windows Server 2003 and Windows Server 2008.
Because there is no known vulnerability and only a "potential" likelihood of such attacks at this time, Microsoft did not specify whether the issue would warrant further actions, such as the issuance of workarounds or patches. However, in this Knowledge Base article, the software giant describes various access control tools in both IIS and SQL that can restrict entry into the NetworkService account.
No Security Advisory for Clipboard Issue
On Wednesday, Microsoft provided an updated statement on the zero-day Windows kernel-level clipboard vulnerability uncovered last week by independent security researchers. The software giant said it will not release a security advisory for the heap overflow problem affecting all supported Windows versions.
For this issue to be exploited, it has to be an inside job, according to the rationale of the Microsoft security team. Redmond said "an attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system."
This assessment rules out the prospect that an urgent out-of-band patch will arrive soon. However, Microsoft promised that the issue would be fixed in a future security update. Microsoft Security Response Center spokesperson Jerry Bryant wrote that Microsoft "will continue monitoring the threat landscape and alert customers if anything changes."
Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.