The Tech Herald

Microsoft addresses eight vulnerabilities with recent update

by Steve Ragan - Sep 9 2009, 16:00

On Tuesday, Microsoft addressed eight vulnerabilities in their monthly update. The fixes address problems in the JScript scripting engine, ActiveX control for DHTML editing, Wireless Frame Parsing, Windows Media, and TCP/IP. As expected, the IIS and SMB vulnerabilities remain unpatched.

“MS09-045 is not a typical update from Microsoft and is particularly dangerous since it positions JavaScript as a weapon of choice by attackers,” said Josh Abraham, security researcher for Rapid7.

“This is to be expected, since most of the vulnerability scanners are unable to help with JavaScript, giving attackers an incentive to look for more JavaScript-based methods. The activity on the attackers’ side with JavaScript is in stark contrast to the 3 years that have passed since the JScript bulletin that this update replaces.”

Abraham added that after all the ATL buzz in August, Microsoft is apparently going back to the basics with the TCP/IP updates in MS09-048. Between the two, the TCP/IP fix and the JScript fix are taking most of the attention this month. “Microsoft hasn't seen a serious bug in its TCP/IP stack in a long time,” said Andrew Storms of nCircle. “So it's pretty likely this is the exploit most people will focus on.”

"These vulnerabilities (MS09-045 and MS09-048) are the most likely to be exploited by malicious code and are two of the best worm candidates that we've seen since Conficker," said Dave Marcus, director of security research and communications for McAfee Avert Labs.

It’s interesting to note that the TCP/IP fix comes just after a new attack against SMB was released to the public. The two combined are likely to shake a lot of people's confidence in the integrity of Microsoft's networking stack, commented Storms.

On Monday, proof of concept code targeting the Microsoft Server Message Block (SMB) Protocol was released, forcing Microsoft to deal with a second unpatched vulnerability. Late last evening Microsoft sent word that they have released Security Advisory 975497 to address the issue.

The SMB attack works against Windows Vista, Server 2008, and Windows 7 RC. After some testing, Microsoft says that Windows 7 RTM, Windows Server 2008 R2, Windows XP and Windows 2000 are not affected by this vulnerability.

MS09-049 is also of interest to researchers this month. Businesses with users outside the office, constantly on the go with corporate laptops, will need to ensure that security and encryption are in place for files stored on the laptops. “MS09-049 is going to introduce serious risk for these road warriors, especially if they are away for extended periods of time without regular patching,” said Tyler Reguly of nCircle.

“The WLAN service is vulnerable in Vista and 2K8 only. It amuses me that after going through the rigorous Microsoft SDLC process we're seeing vulnerabilities that affect only the newest Windows products. Today we're seeing this WLAN vulnerability and the SMB2 vulnerability-- one that you would expect fuzzing to have caught.”

MS09-045 and MS09-047, which address vulnerabilities that indirectly target Internet Explorer and Windows Media Player, are seeing some heightened attention as well. Both were given an Exploitability Index rating of one (1), and both are classic forms of attack on end users. For successful exploitation, an attacker only needs to trick someone into loading a malicious page.

Likewise, MS09-046, which centers on vulnerabilities in the DHTML Editing Component ActiveX control, can be exploited this way. However, Microsoft assigned this flaw an Exploitability Index rating of two (2), so attacks are somewhat possible.

Both the SMB and the IIS vulnerabilities remain unpatched, leading some security analysts to speculate that Microsoft will go out-of-band to patch them. However, Microsoft has not commented on this, despite attacks seen online targeting IIS.

The outline for the September patches is here.

Security Advisories for the IIS vulnerability and the SMB vulnerability are here and here respectively.

 
