Microsoft has released ten bulletins covering 31 vulnerabilities in Internet Explorer, IIS, Microsoft Office and other components. It also released updates for Microsoft Office for Mac and Microsoft Works.
Microsoft pushes 31 fixes for Patch Tuesday (image: J. Anderson)
These two additional updates are the remainder of last month's security release, which addressed a vulnerability in PowerPoint. One of this month's bulletins, MS09-019, addresses the vulnerability used against Internet Explorer 8 at the CanSecWest conference.
Of the 31 vulnerabilities addressed in this month's release, fifteen carry an Exploitability Index (EI) rating of 1, meaning there is a high probability that working exploits will be developed for them. One of them, a .NET-based bypass of ASLR and DEP, is already public: it was used to attack Internet Explorer 8 during the Pwn2Own contest at CanSecWest. The IE 8 vulnerability does not affect Windows 7 RC (build 7100) but does affect Windows 7 Beta.
Another Internet Explorer vulnerability, one that specifically affects IE versions 5, 6, and 7 under Windows 2000/2003/XP and Vista, was disclosed by Core Security today.
A vulnerability researcher working in CoreLabs, the research arm of Core Security Technologies, discovered that in some cases, when affected versions of Internet Explorer are used to access an external website, the browser does not apply the appropriate security permissions, thus allowing unknown sites or applications to be treated as trusted URLs.
“This is a tangible threat to millions of individuals and organizations that use Internet Explorer to browse the web and the discovery of this vulnerability in IE highlights the reality that no vendor is immune to the perils of client application security,” said Ivan Arce, CTO of Core Security Technologies.
While on the subject of client application security, six of the bulletins released by Microsoft today are rated critical, each with an EI rating of 1. MS09-018 deals with vulnerabilities in Active Directory on Windows 2000 Server and Windows Server 2003, as well as in Active Directory Application Mode (ADAM) when installed on Windows XP and Windows Server 2003. The AD flaw allows remote code execution.
MS09-019 deals with the CanSecWest flaw discussed earlier. MS09-021 (critical for Office 2000 only) addresses seven vulnerabilities in Excel. MS09-022 addresses three vulnerabilities in the Windows Print Spooler. MS09-024 and MS09-027 (critical for Office 2000 only) deal with issues in the Microsoft Works converters and in Microsoft Word respectively. In each case where a bulletin is critical for Office 2000 only, Microsoft rates it important for all other versions.
“It is notable that four of the 10 security bulletins address publicly disclosed vulnerabilities: one in Internet Explorer, one in RPC, two in the Windows kernel and one in IIS. Microsoft's response time for last month's zero-day IIS vulnerability was faster than expected, but the DirectShow QuickTime parser vulnerability that became public on May 28 remains unpatched,” said Tas Giakouminakis, CTO of Rapid7.
“The active directory vulnerability (MS09-018) had the potential to be devastating for enterprise environments because it affects domain controllers, but fortunately it is ranked critical only for Windows 2000 systems. On Windows Server 2003 the vulnerability leads only to a denial of service. Of more concern are the print spooler vulnerabilities in MS09-022. One of these is a critical remote code execution on Windows 2000, while the other two allow authenticated users to elevate their privileges on all versions of Windows.”
Microsoft is still suggesting workarounds that limit the attack surface exposed by the DirectShow vulnerability. They do not remove the underlying vulnerability, but they let IT mitigate the risk until an official patch is deployed.
The simplest workaround is to unregister quartz.dll; alternatively, the parsing of QuickTime content in quartz.dll can be disabled on its own. The ACL on quartz.dll can also be made more restrictive, and shell-based attack vectors can be limited by using Windows Classic Folders for non-multimedia folder types. Each of the workarounds is described in detail in Microsoft's advisory.
For most users, however, the 'Fix it for me' feature on the associated Knowledge Base article offers a quick and painless solution. The 'Fix it for me' package can be run online (from http://support.microsoft.com/kb/971778) or downloaded to a CD or flash drive for later deployment.
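The following script is an added example, not code from the article or from Microsoft, showing how an administrator might apply (and later reverse) three of the quartz.dll workarounds described above on a single host: unregistering the DLL, removing the registration of the QuickTime parser filter, and denying Everyone access to the file. It assumes a 32-bit Windows XP/2003-era system with cacls.exe available, and that the parser's CLSID is the one named in Advisory 971778; that CLSID is reproduced here from memory and should be checked against the advisory before use.

```powershell
# Added example: apply or undo quartz.dll workarounds for the DirectShow
# QuickTime parser issue. Run from an elevated (administrator) prompt.
# Assumptions (not from the article): 32-bit System32 path, cacls.exe present,
# and the CLSID below is the QuickTime Movie Parser key named in Advisory 971778.
param([switch]$Undo)

$Quartz = Join-Path $env:SystemRoot 'System32\quartz.dll'
$Clsid  = '{D51BD5A0-7548-11CF-A520-0080C77EF58A}'   # assumed; verify against KB 971778
$RegKey = "HKCR\CLSID\$Clsid"
$Backup = Join-Path $env:TEMP 'quartz-quicktime-parser.reg'

function Set-QuartzWorkaround {
    # 1. Unregister quartz.dll so none of its filters can be created through COM.
    Start-Process regsvr32.exe -ArgumentList "/u /s `"$Quartz`"" -Wait

    # 2. Narrower option: drop only the QuickTime parser's CLSID registration.
    #    Export it first so the change can be reversed.
    & reg.exe export $RegKey $Backup /y | Out-Null
    & reg.exe delete $RegKey /f        | Out-Null

    # 3. Deny Everyone access to the file so it cannot be loaded even if re-registered.
    & cacls.exe $Quartz /E /P everyone:N | Out-Null
}

function Undo-QuartzWorkaround {
    # Reverse in the opposite order: ACL, registry, COM registration.
    & cacls.exe $Quartz /E /R everyone | Out-Null
    if (Test-Path $Backup) { & reg.exe import $Backup | Out-Null }
    Start-Process regsvr32.exe -ArgumentList "/s `"$Quartz`"" -Wait
}

function Test-QuartzWorkaround {
    # Returns $true when the parser's CLSID is no longer registered.
    & reg.exe query $RegKey 2>$null | Out-Null
    return ($LASTEXITCODE -ne 0)
}

if ($Undo) { Undo-QuartzWorkaround } else { Set-QuartzWorkaround }
"QuickTime parser registration removed: $(Test-QuartzWorkaround)"
```

Unregistering quartz.dll is the broadest step and will break legitimate DirectShow playback, which is why the advisory also offers the narrower registry-only option; deploy whichever matches the host's role, and keep the exported .reg file so the change can be rolled back once the official fix is installed.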
Microsoft has also released two security advisories. The first, 969898, ships a new set of ActiveX kill bits. The rollup includes an update for Microsoft Visual Basic 6.0 SP6 and kill bits for ActiveX controls developed by Derivco, eBay, and HP. The second, 971888, provides a non-security update for DNS devolution.
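A kill bit is nothing more than a flag in the registry: Internet Explorer refuses to instantiate any control whose CLSID has bit 0x400 set in the "Compatibility Flags" value under its ActiveX Compatibility key. The script below is an added example, not from the article or from Microsoft, that audits which CLSIDs on a host carry the kill bit and can set it for a control of your choosing; the CLSID used at the bottom is a made-up placeholder, not one of the controls covered by Advisory 969898.

```powershell
# Added example: inspect, set and list Internet Explorer ActiveX kill bits.
# The 0x400 flag and the registry location are IE's documented mechanism;
# the CLSID at the bottom is a placeholder (assumption), not a real control.
$KillBit = 0x00000400
$BaseKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
# On 64-bit Windows the 32-bit IE reads the Wow6432Node copy of this key as well.

function Get-CompatFlags([string]$Clsid) {
    $key = Join-Path $BaseKey $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $v = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $v) { return 0 }
    return [int]$v
}

function Test-KillBit([string]$Clsid) {
    # $true when IE will refuse to load this control.
    return [bool]((Get-CompatFlags $Clsid) -band $KillBit)
}

function Set-KillBit([string]$Clsid) {
    # OR the kill bit into the existing flags so other compatibility flags survive.
    $key = Join-Path $BaseKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $new = (Get-CompatFlags $Clsid) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Get-KilledControls {
    # Every CLSID under the key whose flags include the kill bit, for auditing
    # that a kill-bit rollup actually landed on the host.
    Get-ChildItem -Path $BaseKey | ForEach-Object {
        $clsid = $_.PSChildName
        if (Test-KillBit $clsid) { $clsid }
    }
}

# Placeholder CLSID (assumption): replace with a real one from the advisory.
$Example = '{00000000-0000-0000-0000-000000000000}'
"Kill bit set for $Example before: $(Test-KillBit $Example)"
Set-KillBit $Example
"Kill bit set for $Example after:  $(Test-KillBit $Example)"
"Total kill-bitted CLSIDs on this host: $((Get-KilledControls | Measure-Object).Count)"
```

Because the kill bit is keyed on the CLSID, a vendor that ships a fixed control under a new CLSID is unaffected, which is how kill-bit rollups retire vulnerable versions without breaking patched ones; note that the flag only stops IE and other hosts that honour it, and does not remove the control from disk.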
“While this is a non-security update, it changes the security configuration of systems it is applied to and that is why we are releasing it with an advisory. This advisory is also related to the WPAD issue for which we originally released Security Advisory 945731 and subsequently Security Bulletin MS09-008,” Microsoft said on the MSRC blog.
More information is available from Microsoft; the patches are expected to reach Windows Update and the other update services shortly.