Critical Windows Kernel Flaw Highlights Patch Tuesday

Guest editorial by Jason MillerMicrosoft
has released six new security bulletins in November’s Patch Tuesday. 
Administrators are getting a bit of a break after last month’s mammoth security
bulletin release.

Guest editorial by Jason Miller

Microsoft
has released six new security bulletins in November’s Patch Tuesday. 
Administrators are getting a bit of a break after last month’s mammoth security
bulletin release.

MS09-065
is the first bulletin administrators should address.  This bulletin
affects the Windows Kernel and can lead to remote execution on a target
system.  This bulletin addresses three vulnerabilities.  One of the
vulnerabilities was disclosed to Microsoft, but it was also disclosed
publicly.  This could lead to a quick turn around on exploits for this
vulnerability.  This vulnerability affects the way the Windows Kernel
parses Embedded OpenType fonts.  These are typical on websites.  If a
user visits a specially crafted website, an attacker can take control of the
system.  The internet is one of the most popular attack vectors, so this
should be patched as soon as possible on your workstations.

MS09-063
affects Windows Vista and 2008 only.  The vulnerability affects a service
that is on by default on those systems:  Web Services on Devices API
(WSDAPI).  An evil attacker can send a specially crafted network packet to
a target system.  If successful, the attacker can take complete control of
the system.  It is interesting that a new service that helps with the
“user experience” can cause so much harm.  The WSDAPI service
allows users to easily find devices such as printers and cameras on their
network.  This vulnerability is also not publically known at this
time. 

The
next two security bulletins address vulnerabilities in Microsoft Excel and
Microsoft Word.  MS09-067 addresses eight vulnerabilities in which none
are publicly known for Microsoft Excel.  MS09-068 affects Microsoft Word
and addresses one vulnerability that is not publicly known.  To exploit
these vulnerabilities for both bulletins, a user must open a specially crafted
Excel/Word document.  This could be done through a website or through an
email attachment.  If opened, the malicious document could lead to remote
code execution on the target system.  Both bulletins affect Office for Mac
as well.

MS09-064 is an interesting vulnerability. 
If this was released six years ago, this vulnerability would be rated extremely
critical.  This bulletin addresses a vulnerability that only affects
Windows 2000, specifically the License Logging Server.  This service is on
by default on Windows 2000 systems.  An attacker can send a specially
crafted packet to the target system that can result in remote code execution on
the target system.  As Windows 2000 is an aging technology, this may not
affect too many organizations.  It is important to note any computer
running Windows 2000 today is typically a server.  This could make this
bulletin extremely critical as it could be a primary device on your network.

MS09-066 affects corporate networks as it addresses a vulnerability in Active
Directory.  A successful exploit can result in denial of service on the
system.  This vulnerability will be difficult to exploit though.  All
operating systems other than Windows 2000 require valid credentials to send a
specially crafted packet.  If an attacker already had valid credentials,
they would do more damage than a denial of service attack on a server. 
For Windows 2000 servers, like MS09-064, these machines should be patched
immediately.  A specially crafted packet sent to a Windows 2000 machine
can result in an unresponsive machine that requires an unscheduled reboot.

Jason Miller is data and security team leader at Shavlik Technologies

Suggested articles