Microsoft has released nine bulletins today, five of them Critical, four of them Important. The bulletins cover a gamut of affected products – almost everything in your enterprise will need to be patched today with the exception of Internet Explorer. No IE patches this month! The majority of bulletin releases these days relate to client-side vulnerabilities – visit an evil website, open an evil document, or read an evil email and you’ll get hacked. These vulns are of greatest concern on the desktop where end users are filling time between Mafia Wars power-ups and Facebook updates by visiting websites that may be hosting content of questionable repute. This month, there are five bulletins addressing these types of issues.
The remaining five bulletins address server-side vulnerabilities. These are the ones that keep network administrators up at night. The attacker simply needs network access to the system in question and they can run code of their choice on the server. This month, there is one flaw that lets anyone with network access own a WINS server, two flaws that let authenticated users own any system, and one flaw that lets unauthenticated users create a denial of service against some IIS 7 webservers.
I always encourage patching the server-side issues as soon as possible. Maybe best to form two teams and patch server-side and client-side issues simultaneously.
Now, on to the bulletins. Starting with the more interesting ones…
MS09-036 is a bulletin that will impact folks running websites on IIS7. Attackers can send some packets to your webserver and cause it to stop functioning (Denial of Service). Microsoft has already had some reports that this attack has been spotted on the Internet. IIS7 websites are safe if they are running in ‘Classic’ mode. IIS7 sites running in ‘Integrated’ (non-classic) mode are vulnerable. I’m not exactly sure what the default mode is when setting up an IIS7 website. The patch for this IIS issue is really a patch for .Net Framework versions 2 and 3. If you’re running IIS7 (classic or otherwise), I’d recommend patching this one soon, unless you want your .asp and .aspx pages to stop functioning.
MS09-037 is a really ugly collection of ActiveX controls that have been patched for the ATL vulnerabilities described in the out of band bulletin MS09-035 from earlier this month. Microsoft identified 5 ActiveX controls that were using a vulnerable version of the ATL templates. These ActiveX controls could be executed when visiting evil websites – causing them to execute evil code on your system. Although Microsoft references a Video Control fix in this bulletin, this is NOT the same ActiveX control that was kill-bitted in MS09-032.
MS09-042 is a Telnet bulletin that is really a throwback to the credential reflection vulnerabilities discussed in MS08-068 (and originally identified back in 201). This is a variant on the HTTP attack vector discussed in 08-068. In this instance, the attacker encourages a user to click on a hyperlink where the link is an evil Telnet server. The evil Telnet server obtains a form of your Windows username and password – they can replay this set of credentials back against your box to login to your system as you – without every knowing your password! This attack has been publicly known for a long time – so best to patch all of your desktops for this issue before the bad guys start standing up evil Telnet servers. (you may be safe from this attack if you’re on a corporate network that’s blocking inbound NetBIOS ports 139 and 445 – as those are the ports the attacker will most likely try and use to login to your system with the captured credentials). See this post for more information on credential reflection attacks.
MS09-039 is a Critical issue for network admins managing WINS servers on their Microsoft networks (and every MS network has at least one of these). This is an unauthenticated server-side attack – the bad guy simply points and shoots some packets at the WINS server and they can execute code of their choice on that server. This attack is most likely to come from inside your network as the necessary ports to execute the attack are usually blocked at the Internet firewall. Patch this right away on your WINS servers.
* Eric Schultze is chief technology officer at Shavlik Technologies, a vulnerability management company.