Microsoft patches critical Kernel flaw but not Excel vulnerability
by Steve Ragan - Mar 10 2009, 21:25

On Tuesday, Microsoft released three bulletins and patched eight issues, leaving one of the most talked about for a later date, or so it would seem. Moreover, a patch to address issues in Excel was not released today, as many security watchers had hoped it would be.
So, unless it comes 'out-of-cycle', we'll have to wait another month. Along with the releases on Tuesday, Microsoft also updated an older bulletin relating to GDI+.
The critical issue addressed by this month’s series of patches lies in the kernel of Microsoft Windows. That fact alone is going to make this patch a nightmare for IT.
“When working on the core infrastructure, it opens up other applications to potential risk making a simple patch deployment impossible. To make sure this is secure, IT departments will have to reboot all Windows machines in the entire enterprise. When at the server software level, rebooting is a very disruptive event making servers further exposed to vulnerabilities,” explained Paul Henry, Security Forensic Analyst at Lumension.
“In order for this vulnerability to be removed, IT will have to bring down the servers with the additional challenge of continuing to maintain service level agreements,” he added.
The vulnerability in MS09-006, the sole critical patch this month, can trigger code execution remotely if users are tricked into viewing an EMF or WMF image file. It is because of this that an earlier GDI+ related bulletin was updated. Over the past few years, GDI+ has seen its fair share of patches related to various vulnerabilities.
“This vulnerability provides numerous attack vectors - it can be hosted on a web page, sent in an email, or even exploited locally,” said Holly Stewart from IBM’s X-Force Threat Response team. “Even though the use of malicious images has been in practice for some time, many end users still do not consider images, documents, and other seemingly "friendly" file formats to be malicious. The lack of user awareness and availability of multiple vectors for this one make it one of the most serious of the bunch.”
Another reason for the re-release of the older GDI+ bulletin (MS08-052) is to address an issue whereby users applied the original update to systems running XP Service Pack 2 or Windows Server 2003 Service Pack 1 and upgraded to the newer service packs. By doing so, the security applied by the original patch was lost, leaving systems vulnerable to attack.
“Microsoft has repeatedly had to fix problems related to the Graphics Device Interface in Windows and vulnerabilities in the component have been exploited broadly in the past. We can expect that security researchers will be looking to reverse engineer today’s patches, which may very well lead to exploits being created,” commented Dave Marcus of McAfee’s Avert Labs.
While listed as 'important', MS09-007 addresses a spoofing issue within SChannel (Secure Channel) that could allow an attacker “...to log onto an SSL protected server which is configured to use certificate based client authentication with only the public key component of a certificate, not the associated private key,” Microsoft said.
The unique nature of this vulnerability makes it hard to predict who is affected and who is not, as that would depend on how a network is set up. More information from the IT side of things can be found here.
The final patch this month, MS09-008, deals with DNS issues. Two vulnerabilities in Windows DNS server and Windows WINS server could allow an attacker to redirect traffic on a network and poison it, if you will.
“The new DNS cache poisoning vulnerabilities that Microsoft announced today come on the heels of a recent paper discussing cache poisoning techniques against Djbdns. These disclosures demonstrate that cache poisoning attacks are still a serious concern,” said Tom Cross, a manager of IBM’s X-Force Advanced Research.
“Even fully patched DNS servers can be poisoned if an attacker has enough bandwidth and time at his or her disposal. Fortunately, it is possible to detect cache poisoning attempts on computer networks, but only if administrators deploy monitoring systems and use them properly.”
The updates are ready for download now. They are also being pushed over Windows and Microsoft Update to business and home users.
