Microsoft’s monthly patch addresses fifteen vulnerabilities
by Steve Ragan - Nov 11 2009, 16:25

It’s that time of the month again for Microsoft, as the software giant issued six security bulletins to address fifteen flaws in Microsoft Windows and Microsoft Office. In addition, they re-released two bulletins to add new updates for Windows 2000 SP4.
Microsoft released three critical patches and three important patches on Tuesday, none of which impact Windows 7 or Windows Server 2008 R2. It should be noted that four of this month’s patches are replacements for previously released bulletins. We received some feedback from the experts, as we do each month. Here are their thoughts on what Microsoft released this month.
When asked, Amol Sarwate, manager of vulnerabilities research lab at Qualys singled out MS09-065 as the patch to watch. It was rated as Critical due to the EOT (Embedded Open Type Font) vulnerability, in which an attacker can execute arbitrary commands on the victim’s computer.
Successful exploitation of MS09-065 can be achieved by enticing the victim to visit a web page with malicious EOT fonts or by opening an e-mail that contains malicious content. Adding to the fun of this vulnerability is the proof of concept that was publicly disclosed. Sarwate isn’t alone in his opinion; several experts agreed with his line of thought.
“MS09-065 is top priority, and is a much greater risk for client side than servers. The EOT font parsing flaw can be used to execute code at the highest possible privilege level (the kernel) directly from Internet Explorer. Standard user-level defenses, like sandboxing, will have no effect on the exploitation of this flaw," commented HD Moore, who recently became the CSO at Rapid7.
Sheldon Malm, Rapid7’s senior director of security strategy added, “This month’s sleeper threat is in MS09-067. While only rated Important, it is listed as highly exploitable by Microsoft and has 8 distinct vulnerabilities affecting Excel – all of which are potential Remote Code Execution. After MS09-065, this one is arguably the next highest priority with so many vulnerabilities in play.”
Often dismissed by researchers, the Denial of Service issue addressed in MS09-066 needs to be patched quickly, said Josh Abraham, adding his insight to the advice offered by his Rapid7 colleagues. “Since this vulnerability affects Active Directory, a Denial of Service across Domain Controllers would have a significant impact on enterprise customers’ daily activities.”
“The critical vulnerabilities expose Windows users to serious attacks,” said Dave Marcus, McAfee Labs director of security research and communications. “We can expect that security researchers will be looking to reverse engineer today’s patches, which may very well lead to exploits being created,” said Marcus.
Even Marcus agreed that MS09-065 is the top patch this month, mirroring the thoughts offered by HD Moore and Amol Sarwate.
Last week there was some confusion over Microsoft's advance notice for bulletin 1, which only affects Vista and Server 2008 but doesn't affect Windows 7, explained Andrew Storms, Director of Security Operations at nCircle.
That confusion was cleared up on Tuesday.
“The bug affects the 'Web Services on Devices API', a product only introduced in Vista. It's interesting to note that the bug appears to have been already fixed and released with Windows 7 RTM. Today's patch for Vista and 2008 is part of Microsoft’s broader SDL strategy to ensure bugs are tested and fixed on all supported platforms.”
The entire bulletin summary for this month from Microsoft can be found here. The patches are being pushed via automatic updates, and should be applied as soon as possible.