Microsoft pushes monthly patches - six bulletins fix nine vulnerabilities
by Steve Ragan - Jul 14 2009, 19:00

In their monthly patch cycle, Microsoft released six security bulletins addressing nine vulnerabilities in Windows, Microsoft Office, Internet Security and Acceleration (ISA) Server, Virtual PC and Virtual Server. One of the bulletins, MS09-032, corrects a 0-Day ActiveX flaw in Microsoft DirectShow. Missing from this month’s patch cycle is a fix for the Spreadsheet ActiveX Control in Microsoft Office Web Components, disclosed on Monday.
The patch that will get the most attention this month is MS09-032, which is a cumulative update of ActiveX Kill Bits. Earlier this month, Microsoft acknowledged the first of two ActiveX “browse and get owned” bugs when it released Security Advisory 972890. The first ActiveX flaw centered on a stack overflow in DirectShow MPEG2TuneRequest. If exploited, the flaw would allow code execution and system compromise. Not a week later, Microsoft acknowledged a second ActiveX vulnerability, targeting the Spreadsheet ActiveX Control in Microsoft Office Web Components. Like the first vulnerability, if exploited, the Web Components flaw will lead to code execution.
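A kill bit works by setting the 0x400 flag in the "Compatibility Flags" DWORD under the ActiveX Compatibility registry key for a control's CLSID, which stops Internet Explorer from instantiating that control. The PowerShell function below is an added example, not code from the article or from Microsoft; an administrator can use it to confirm that a kill-bit update such as MS09-032 actually took effect on a machine. The CLSID in the usage line is a placeholder, not one of the controls named in the bulletin; substitute the CLSIDs Microsoft lists.

```powershell
# Added example: report whether the ActiveX kill bit is set for each CLSID.
# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# On 64-bit Windows the 32-bit browser reads the Wow6432Node copy, so both
# hives are checked and the control is only reported as blocked if both agree.
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Clsid
    )

    $killBit = 0x400
    $bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if ([Environment]::Is64BitOperatingSystem) {
        $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }

    foreach ($id in $Clsid) {
        $result = [ordered]@{ Clsid = $id }
        $blockedEverywhere = $true

        foreach ($base in $bases) {
            $key   = Join-Path $base $id
            $flags = 0
            if (Test-Path $key) {
                # The key may exist without the value; treat a missing value as flags = 0.
                $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($null -ne $item) { $flags = [int]$item.'Compatibility Flags' }
            }
            $isSet = (($flags -band $killBit) -ne 0)
            if (-not $isSet) { $blockedEverywhere = $false }

            $label = if ($base -match 'Wow6432Node') { 'Flags32' } else { 'Flags64' }
            $result[$label] = ('0x{0:X8}' -f $flags)
        }

        $result['KillBitSet'] = $blockedEverywhere
        [pscustomobject]$result
    }
}

# Placeholder CLSID; replace with the CLSIDs from the bulletin being verified.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

Run it from an elevated prompt only if your policy restricts reading HKLM; the keys are readable by standard users on a default install. A control whose key is absent entirely reports flags of 0x00000000 and KillBitSet of False, which is the state to look for when a kill-bit update has not been applied.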
"Typically, the fear is that you're downloading and installing a malicious ActiveX control from an untrustworthy source, but here we're seeing the dangers from vulnerabilities in multiple non-malicious ActiveX controls from a known trusted source, Microsoft. In both situations, implementing the best practice of least privilege can have significant security benefits. Removing administrator rights from end-users dramatically reduces the attack surface and is an absolutely essential first step in any client-side security strategy," said Eric Voskuil, CTO of BeyondTrust.
In their defense, Microsoft proved that some of their new security measures are working. In both cases of the ActiveX exploits circulating online, Vista and Server 2008, boosted by stronger system controls, are unaffected by the vulnerabilities.
Another bulletin, MS09-028, addresses a 0-Day disclosed in May. This flaw, also related to DirectShow, exploited a vulnerability in DirectShow’s code for processing the QuickTime format. Microsoft said at the time that, “…the vulnerability is in Microsoft’s quartz.dll and it’s possible to craft an attack to call that DLL on the system regardless of whether Apple’s QuickTime is present.”
Users of Windows Vista, Windows Server 2008, and Windows 7 RC1 were not affected by the DirectShow flaws disclosed in May.
MS09-029 deals with two vulnerabilities in the Embedded OpenType (EOT) Font Engine. A successful attack on EOT would lead to a system compromise, and for this bulletin all versions of Windows are affected, including Vista and Server 2008.
MS09-033 centers on issues in all versions of Virtual Server and Virtual PC. If exploited, an attacker would have control of the guest operating system.
“This is classified as "important" because local access to the guest OS is required. This bulletin is interesting because this vulnerability is introduced by the fact that the OS is running under a virtual environment and allows the user access to privileged kernel mode,” pointed out Qualys’ CTO Wolfgang Kandek in an email to The Tech Herald.
Microsoft’s proxy server, ISA 2006, has a vulnerability rated as "important" that allows remote unauthenticated users to access the server. The bulletin, MS09-031, outlines the problems, but there is more in-depth information on the ISA blog.
“However, paired with [the] knowledge of [an] administrator’s user name, attackers can take full control of the server. As administrator usernames are often easy to guess, this vulnerability deserves special attention if IT organizations are using ISA with the Radius configuration,” Kandek added.
Lastly, MS09-030 is an advisory for the Publisher component in MS Office 2007. The vulnerability hinges on a malicious Publisher file that, if opened, would lead to code execution.
Of the six bulletins, three are rated as critical and three are rated as important. However, eight of the nine vulnerabilities addressed have earned an Exploitability Index ranking of 1, meaning there is a high likelihood of exploits being developed and deployed by attackers.
More information on this month’s patches is here.