Microsoft sets records on Patch Tuesday
by Steve Ragan - Oct 14 2009, 17:38

On Tuesday, Microsoft set records by releasing patches for 34 vulnerabilities. The vulnerabilities, patched in 13 bulletins, affected Windows, Internet Explorer, the .NET framework, Microsoft Office, SQL Server, Forefront, Silverlight, and more.
As mentioned, there are 13 bulletins: eight are rated Critical by Microsoft and five are deemed Important. Of those, nine had been previously disclosed, leaving some users and systems vulnerable for quite a while.
“There are a lot of vulnerabilities being covered and a lot of information to go through. This is, I believe, the biggest Patch Tuesday I've ever seen. There's a little something for everything... a mix of Remote Code Execution, Spoofing, Denial of Service, and Privilege Escalation,” commented nCircle’s Tyler Reguly.
“The bug that is likely to have the biggest impact on Microsoft users will be MS09-051, the speech codec bug that already has limited exploits in the wild. This is a typical file parsing issue and similar vulnerabilities have allowed attackers to create drive-by attacks that infect unsuspecting video viewers,” said Andrew Storms of nCircle.
MS09-051 earns a ranking of 1 on Microsoft’s Exploitability Index, due largely to the fact that there are existing exploits already online. However, now that there are patches, criminals will likely up the ante and spend more time targeting the flaw.
When it comes to the issues in SMBv2 (MS09-050) and IIS (MS09-053), Josh Abraham, security researcher at Rapid7 said, “While previous vulnerability databases have listed [MS09-050] as a Denial of Service, today’s update confirms what the folks at Metasploit have been saying: it’s Remote Code Execution.”
“This is now linked to 3 unauthenticated vulnerabilities and the CVE-2009-3103 description, which led many to believe this was limited to DoS, will need to be updated. If you’ve deployed Vista or Server 2008 in your environment, get this patch tested and deployed immediately.”
Turning to the IIS vulnerability, which has seen both limited attacks and plenty of research for almost six weeks, Abraham said that it should be one of the top three patches if your company runs IIS 5.0 on Windows 2000.
MS09-056, listed as Important by Microsoft, is another issue this month that experts weighed in on. MS09-056 deals with issues in the CryptoAPI used by Windows that, if exploited, would allow spoofing. On the Exploitability Index, Microsoft listed this bulletin as a level three.
Calling MS09-056 the most interesting update this month, albeit not the most critical, Sheldon Malm, senior director of security strategy at Rapid7 said, “While a flaw in the Windows CryptoAPI will get a lot of press because of its connection to trusted Security services, it is not the most critical thing to update this month. On any other month, this would grab a lot of headlines.”
Storms almost mirrored Malm in his comments, noting that while MS09-056 isn’t high on the severity rankings, “it does offer some insight into Microsoft security processes.”
“Microsoft couldn't fix all the problems with nefarious web SSL certifications, so they apparently reached out to all trusted root certificate authorities to make sure they have a process that disallows signatures of null byte certificates.”
Reguly agreed, “I'm really glad to see the SSL issues fixed. Having just come off a discussion on SSL Failures at SecTOR, and given the discussion it has generated all over, this was a high priority to see fixed.”
“We've seen two public certs posted that can be used to take advantage of the null byte issue, and having this go unpatched was detrimental to user trust. It is time for vendors to make a bigger effort when it comes to SSL. It is flawed in so many ways that it’s very difficult to expect it to provide any additional security these days, and resolving this issue is a big step in the right direction.”
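The null byte issue the quotes above refer to comes down to name matching: a certificate subject name containing an embedded NUL is truncated at that NUL by C-string style code, so the part after it is never compared. The following is an added illustration, not code from the article or from Microsoft, with constructed sample CN values; it places the truncating comparison beside a length-aware check that treats an embedded NUL as malformed.

```python
"""Hostname matching against a certificate Common Name (CN): the C-string
style truncation behind the null byte certificate issue, beside a
length-aware check.  All CN values here are constructed for illustration."""


def matches_cstring_style(cn: bytes, host: str) -> bool:
    """Vulnerable: emulates code that hands the CN to C-string functions.
    Everything after the first NUL byte is ignored, so a CN such as
    b'www.example.com\\x00.attacker.invalid' equals 'www.example.com'."""
    truncated = cn.split(b"\x00", 1)[0]
    return truncated.decode("ascii", "replace").lower() == host.lower()


def matches_length_aware(cn: bytes, host: str) -> bool:
    """Hardened: the full CN length is honoured and an embedded NUL makes
    the name malformed, so the match fails.  One left-most wildcard label
    is accepted only when it stands for exactly one host label."""
    if b"\x00" in cn:
        return False
    try:
        name = cn.decode("ascii").lower()
    except UnicodeDecodeError:
        return False
    host = host.lower().rstrip(".")
    if name == host:
        return True
    labels, host_labels = name.split("."), host.split(".")
    if labels[0] == "*" and len(labels) >= 3 and len(labels) == len(host_labels):
        return labels[1:] == host_labels[1:]
    return False


# Constructed sample CNs: a normal one and a null-prefix one.
SAMPLES = {
    "benign": b"www.example.com",
    "null_prefix": b"www.example.com\x00.attacker.invalid",
}


def evaluate(host: str = "www.example.com") -> dict:
    """Return, per sample CN, what each matcher decides for `host`."""
    return {
        name: {
            "cstring": matches_cstring_style(cn, host),
            "length_aware": matches_length_aware(cn, host),
        }
        for name, cn in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:12s} {result}")
```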
Lastly, another interesting note about Tuesday’s releases is the number of fixes aimed at Windows 7.
“Five of the security bulletins released today fix security vulnerabilities in the yet-to-be-released operating system, indicating that Windows 7 will bring little change when it comes to the security of Windows,” noted McAfee in an email discussing thoughts on the monthly Microsoft release.
While the debate over the security in Windows 7 is far from over, it could be seen as a plus that Microsoft is patching things for their new system all the way up to the final release.
In addition to all the other releases, Microsoft also re-released MS08-069 to add detection for MSXML on Windows 7 and Server 2008 R2. The overview for October’s releases from Microsoft is here.