Guest editorial by Jason Miller
Microsoft has released six new security bulletins for December. They have also released two new security advisories as well as one bulletin that has been re-released. In addition to the Microsoft releases, even though Adobe’s quarterly security update is scheduled for next month, they are planning to release a security bulletin for Adobe Flash and Adobe Air today.
A quick rundown of today’s patches:
MS09-072 is the first security bulletin administrators should address on their network. This bulletin is a cumulative update for Internet Explorer. Microsoft usually releases a cumulative update for Internet Explorer every other month, and typically contains multiple fixes in it. This bulletin addresses five vulnerabilities, with one of the vulnerabilities publically known. There is one vulnerability patched with this bulletin that administrators should pay close attention to. Microsoft released a Security Advisory for this vulnerability late last month in Security Advisory 977981.
With this bulletin, the advisory expires if administrators patch the vulnerable versions of Internet Explorer. The vulnerability specifically deals with malicious Active-X controls that were built with a vulnerable ATL. The ATL vulnerability prompted an out-of-band release earlier this year from Microsoft. All five vulnerabilities will target any user that browses to a malicious web site with an unpatched Internet Explorer. In this scenario, this can lead to remote code execution on the target system.
MS09-070 affects Microsoft Active Directory Federation Service (ADFS). Web servers that have ADFS enabled are at risk, clients are not at risk from this vulnerability. The attacker needs to be an authenticated user to carry out an attack, so this reduces the risk of this vulnerability. Companies that have implemented ADFS on their network should apply this patch as soon as possible.
MS09-071 affects Microsoft Internet Authentication Server (IAS) on servers and clients except for Windows 7 and Windows 2008 R2. IAS is a technology from Microsoft that allows such business services as Wireless and VPN connections. This security bulletin addresses two vulnerabilities. One of these vulnerabilities is publically known, but the vulnerability is not being actively exploited at this time. An attacker can send a malicious packet to a vulnerable server that can result in remote code execution. Interesting enough, Client systems do not have the vulnerable files on the system as they are not part of the base operating system, but Microsoft is providing a patch for Windows Client system. However, third party products can be installed on client systems that can be vulnerable.
MS09-069 affects the Microsoft LSASS service on Windows 2000, XP and 2003. An attacker can send a specially crafted packet to a target machine that will cause the system to be unresponsive. The LSASS service can use up all system resources that will cause the machine to be unresponsive. Users will need to reboot their systems to gain back those resources and make the system responsive once again. This security bulletin addresses one vulnerability that is not publically known at this time.
MS09-073 affects WordPad on Windows XP and 2003 as well as Office Text Converters for Office XP and 2003. This security bulletin fixes one software vulnerability which is not publically known at this time. A user with a vulnerable operating system or Microsoft Office program will need to be enticed into opening a malicious Word 97 document. Upon opening, the document will be converted to a new version of a Word document. A successful exploit can lead to remote code execution.
MS09-074 affects Microsoft Project. The one security vulnerability this bulletin addresses is not publically known at this time. In an attack scenario, a user would need to be enticed into opening a malicious Project document. This can lead to remote code execution.
Microsoft has also re-released security bulletin MS08-037. The bulletin was updated to include the DNS client on Windows 2000 Service Pack 4. Anyone who has previously installed this patch will need to apply this lastest patch offering.
On the Security Advisory front, Microsoft released two new security advisories.
Microsoft Security Advisory (954157): This security advisory does not offer a patch and Microsoft is not planning on release for this product. This advisory explains to customers how to disable the Indeo codec on their systems. The workaround will prevent malicious websites from exploiting vulnerable systems that can lead to remote code execution on the target system.
Microsoft Security Advisory (974926): This security advisory informs customers of a potential man in the middle attack. In this scenario, the attacker would need valid user credentials that are passed between system. Microsoft is offering up two non-security patches to help administrators harden their systems. Both of these patches were offered a few months ago.
Adobe is also joining this patch Tuesday with the release of a new Adobe Flash Player and Adobe Air. This security patch will address critical software vulnerabilities. There is no word from Adobe yet on how many vulnerabilities are addressed and if they are publically known or exploited at this time. Any Adobe Flash Player less than version 10.0.32.18 and any Adobe Air less than version is affected by this vulnerability(ies).
* Jason Miller is data and security team leader at Shavlik Technologies.