Microsoft to fix password flaw, says researcher

SkyRecon talks up LSASS bug hours before Microsoft issues patch

Breaking an unwritten code of conduct, security researchers at SkyRecon Systems said that a password vulnerability they had reported to Microsoft Corp. will be patched by the developer later today.

Typically, researchers who work with Microsoft wait for the software company to release its monthly patches before they go public with their own accounts or advisories.

"The patch is coming out later today," said Sean Martin, a researcher at the security firm, when asked why SkyRecon disclosed the vulnerability prior to Microsoft issuing a fix.

According to Martin, the vulnerability lets attackers elevate access privileges and run code in Windows' LSASS (Local Security Authority Subsystem Service), the process responsible for enforcing security policy in the operating system. "Someone could use this to gain system-level access and extract passwords out of the Windows storage," Martin said this morning, several hours before Microsoft was scheduled to roll out January's security updates.

Microsoft last patched LSASS in April 2004; within weeks of posting MS04-011, the Sasser worm used the bug to wreak havoc around the world.

Today's vulnerability should be considerably less dangerous; last week Microsoft classified a then-vague vulnerability as "important" rather than the top-end "critical" and labeled it as a "local elevation of privilege," which means that an attack requires local access.

Martin confirmed today that the SkyRecon bug and the rights elevation flaw Microsoft previewed last Thursday are one and the same.

The bug affects Windows 2000, Windows XP and Windows Server 2003, but not Windows Vista, according to the advance notification.

Martin also said SkyRecon believes attackers would be able to access all Windows passwords by exploiting the LSASS vulnerability, even those that had been encrypted.

Microsoft generally releases its second-Tuesday-of-the-month security updates between 1 p.m. and 2 p.m. EST.

Microsoft starts '08 by patching 3 bugs

But researchers wonder: Where's the fix for the WPAD problem?

Microsoft Corp. today released just two security updates that patch three vulnerabilities in Windows, marking the beginning of the bug year with a relatively slow start, said researchers.

Just one of the three flaws is rated "critical," the highest ranking Microsoft uses, while the other two were tagged as "important" and "moderate," the next two steps in the company's four-stage scoring system.

MS08-001, the update that addresses two bugs in a trio of Windows' TCP/IP protocols, was the obvious pick for immediate deployment. "This is a classic kind of IP attack," said Andrew Storms, director of security operations at nCircle Inc. "All an attacker needs is a well-crafted multicast packet."

Amol Sarwate, manager of Qualys Inc.'s vulnerability lab, agreed. "An attack doesn't require any user intervention," he said, "such as clicking on a link or opening an attachment. An attack only requires remotely sent packets."

The three vulnerable protocols patched by the update include IGMP (Internet Group Management Protocol), MLD (Multicast Listener Discovery) and ICMP (Internet Control Message Protocol). The first two are used in over-IP multicasting -- the classic example of that one-to-many technology is a webcast -- while the third, ICMP, is a maintenance protocol that manages more mundane things: network connectivity and routing.

Storms downplayed the threat posed by the bugs patched in MS08-001. "The good news is that in the enterprise many servers don't have multicast [protocols] enabled, and the firewall blocks [the traffic] on client machines."

Sarwate, on the other hand, considers the danger to be more significant. "The protocols can easily be enabled [on servers]," he said. "Companies may have enabled them, especially IGMP for group management applications in mixed environments with both Unix and Windows systems."

By default, both IGMP and MLD are enabled on client PCs running Windows XP or Windows Vista; that's why Microsoft slapped the "critical" label on both operating systems and why researchers who reported the bug to Microsoft urged watchfulness।

"The lack of user interaction, widespread availability of the protocols and the possibility of complete compromise of targeted systems means that administrators should treat this vulnerability as highly critical," said IBM's X-Force in its own advisory. "This [is] a possible target for botnets, such as the Storm {Trojan]."

As reported earlier today, the MS08-002 bulletin patched a privilege-elevation bug in the LSASS (Local Security Authority Subsystem Service) process within Windows 2000, XP and Server 2003.

Both Storms and Sarwate, however, also remarked on what was not included in today's batch: a fix for the Web Proxy Autodiscovery (WPAD) bug that Microsoft acknowledged a month ago. The WPAD vulnerability -- actually a flaw in how Windows PCs look up DNS information -- was originally patched in 1999 but resurfaced recently when a researcher pointed out that it had crept back into later versions of the operating system.

"If Microsoft acknowledges an issue, they usually fix it in the next patch cycle," noted Sarwate. "But it's not being addressed. I was sort of hoping it would be fixed in the January releases."

All in all, however, it wasn't a bad way for IT administrators and Windows users to start 2008. In comparison, January 2007 featured four security updates that patched 10 different vulnerabilities. "This is a fairly light load to begin the year," Sarwate said.

"But I think this will be a big year for patches," countered Storms. "Both of these [bulletins] today are well-representing trends. Researchers are looking into the past to see vulnerabilities [they can use] in the future.

"I expect we'll see more [graphics device interface] vulnerabilities in Windows this year, more [Windows Metafile Format] bugs and more file-parsing bugs in 2008," he predicted.

January's patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Microsoft apologizes to Corel, users for Office 2003 SP3 muck-up

It also offers downloads to ease unblocking of old file formats

Microsoft Corp. yesterday apologized to rival software vendor Corel Corp. for saying that Corel's file format posed a security risk. Microsoft also issued new tools to let users of Office 2003 SP3 unblock a host of barred file types.

In a posting to his own blog, David LeBlanc, a senior software development engineer with the Microsoft Office team, admitted the company's mistake in attributing security problems to certain file formats, including the one used by CorelDraw.

"We stated that it was the file formats that were insecure, but this is actually not correct," LeBlanc said, referring to a description in a now-changed support document. "A file format isn't insecure -- it's the code that reads the format that's more or less secure. The parsers we use for these older formats aren't as robust as the code we've written more recently, which is part of our decision to disable them by default.

"Some of the formats blocked are from products built by companies other than Microsoft, and we apologize for implying that there were any problems in those companies' file formats," said LeBlanc. He did not specifically name Corel.

But it was Corel that publicly squawked when it realized Microsoft had blocked its .cdr file format -- still used by its CorelDraw graphics application -- in last September's Office 2003 Service Pack 3 update. "We didn't know where the issue was coming from," Gerard Metrallier, Corel's director of product management, graphics, said yesterday.

LeBlanc also echoed the mea culpa made Friday by Reed Shaffner, product manager for Office, who acknowledged that Microsoft had done a poor job communicating the changes to users, and had failed customers when it posted daunting work-arounds that required manual editing of the Windows registry.

"We also recognize that we have not made any of this as usable as we'd like, and we apologize that this hasn't been as well documented or as easy as you need it to be," LeBlanc said।

"We did not provide an easy way for end users to change this behavior so they could open these older files." To make amends, Microsoft has posted several files on its Web site that automate registry changes.

The revised support document lists four downloads that users can run to unblock Word, Excel, PowerPoint and Corel files. Other downloads are available that reverse the file-blocking.

Microsoft's rewritten Knowledge Base article also fingered the company's own code, not the file formats, as the security concern. "By default, these file types are blocked because the parsing code that Office 2003 uses to open and save the file types is less secure. Therefore, opening and saving these file types may pose a risk to you," the revision read. That was a change from the earlier version, which had claimed: "By default, these file formats are blocked because they are less secure. They may pose a risk to you."

Like Shaffner on Friday, LeBlanc defended the original decision to block the older file formats. "We noticed that the attackers seemed to be preferentially hitting the parsers for the older formats, and if the great majority of you don't need the older format, it's risk without reward," he said. "This was the thinking behind disabling the older formats by default in Office 2007 and eventually Office 2003 SP3."

He also repeated an argument used by Shaffner, who said that the files were not permanently barred from Office 2003; what was new in SP3 were default settings that blocked the files. Said LeBlanc: "Something I want to be very clear about -- we are not removing your ability to read these files. If you need them, the parsers are still there. All we've changed is the default."

That difference was lost on some users. "People have naturally come to expect any application to be able to read earlier versions of its own data formats," said an anonymous reader commenting on an earlier Computerworld story about Office 2003 SP3.

Other users thought they saw more between the lines. "Remember when Microsoft was all up in arms when Massachusetts decided to standardize on OpenOffice and open document formats?" wrote reader Brian Hoffman in another comment. "[Massachusetts'] concern was that older documents may no longer be accessible at some future date if they continued to use a proprietary system and format. Looks like they were right and Microsoft should be embarrassed instead of spinning it as a feature."

For his part, LeBlanc promised that the Office team had learned a lesson -- if not the one Hoffman hoped. "We'll try harder to make enabling older formats much more user-friendly in the future," he said.

Warner Bros. to back Blu-ray Disc exclusively

Warner said it would continue releasing in the HD-DVD format until the end of May

Time Warner Inc.'s Warner Bros. studio on Friday said it would exclusively release high-definition DVDs in Sony Corp.'s Blu-ray format, dealing a big blow to Toshiba Corp.'s rival HD-DVD technology.

Warner Bros., Hollywood's biggest seller of DVDs, representing about 18 to 20% of sales in the U.S., was one of the few studios that backed both formats.

All sides of the format war had agreed it was confusing to consumers and a stumbling block for a potential multibillion-dollar industry.

Total DVD unit sales fell 4.5% in 2007, the first major year-over-year decline since the disc format debuted in 1997, according to Adams Media Research. Sales fell 4.8% to $15.7 billion.

"The window of opportunity for high-definition DVD could be missed if format confusion continues to linger. We believe that exclusively distributing in Blu-ray will further the potential for mass market success and ultimately benefit retailers, producers, and most importantly, consumers," Warner Bros. Chairman and CEO Barry Meyer said in a statement.

News Corp.'s 20th Century Fox, Walt Disney Co. and Lionsgate are among studios backing the Blu-ray format. Viacom Inc.'s Paramount studios and General Electric's NBC Universal release movies in HD-DVD format.

Warner said it would continue releasing in the HD-DVD format until the end of May, although those releases would follow the standard DVD and Blu-ray releases.