Microsoft
today shipped six bulletins with patches for a total of 12 documented
security vulnerabilities in a wide range of widely deployed software
products. Three of the six bulletins are rated “critical,” Microsoft’s
highest severity rating.
The most serious issues affect the company’s Internet Explorer browser, including the newest IE 8 on Windows 7.
The Internet Explorer bulletin (MS09-072) covers five documented vulnerabilities that affect all supported versions of the browser (IE 5, 6, 7 and 8). As previously reported, there is public exploit code available for one of the IE vulnerabilities.
Here’s why this is considered a high-priority update for all affected Windows users:
The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
An interesting sidebar: All five of the IE vulnerabilities were
purchased by a third-party company that buys software flaw information
in exchange for the exclusive rights to broker the disclosure process
with affected vendors.
This month’s Patch Tuesday batch also covers two potential worm
holes in Microsoft Windows (Internet Authentication Service). The
update (MS09-071)
patches critical flaws that could allow remote code execution if
messages received by the Internet Authentication Service server are
copied incorrectly into memory when handling PEAP authentication
attempts.
An
attacker who successfully exploited either of these vulnerabilities
could take complete control of an affected system. Servers using
Internet Authentication Service are only affected when using PEAP with
MS-CHAP v2 authentication.
The third critical bulletin (MS09-074)
addresses a security flaw in the Microsoft Office Project software. The
vulnerability could allow remote code execution if a user opens a
specially crafted Project file.
Microsoft also shipped three “important” bulletins to cover the following:
- MS09-069:
Vulnerability in Local Security Authority Subsystem Service. This
security update resolves a privately reported vulnerability in
Microsoft Windows. The vulnerability could allow a denial of service if
a remote, authenticated attacker, while communicating through Internet
Protocol security (IPsec), sends a specially crafted ISAKMP message to
the Local Security Authority Subsystem Service (LSASS) on an affected
system. - MS09-070:
Vulnerabilities in Active Directory Federation Services. Resolves two
privately reported vulnerabilities in Microsoft Windows. The more
severe of these vulnerabilities could allow remote code execution if an
attacker sent a specially crafted HTTP request to an ADFS-enabled Web
server. An attacker would need to be an authenticated user in order to
exploit either of these vulnerabilities. - MS09-073:
Vulnerability in WordPad and Office Text Converters. Patches a
privately reported vulnerability in Microsoft WordPad and Microsoft
Office text converters. The vulnerability could allow remote code
execution if a specially crafted Word 97 file is opened in WordPad or
Microsoft Office Word. An attacker who successfully exploited this
vulnerability could gain the same privileges as the user. Users whose
accounts are configured to have fewer privileges on the system could be
less impacted than users who operate with administrative privileges.
Microsoft’s Security Research & Defense blog offers this nifty chart to help Windows suers prioritize the deployment of the other updates appropriately.
| Bulletin | Most likely attack vector | Bulletin severity | Max Exploit- ability Index | Likely first 30 days impact | Platform mitigations |
| MS09-072 (IE) | Attacker hosts a malicious webpage, lures victim to it. | Critical | 1 | Public exploit code already exists for CVE-2009-3672 affecting IE6 and IE7. We expect to see exploits for other vulnerabilities that affect other IE versions within 30 days. |
DEP is enabled by default for IE8 on Windows XP SP3, Windows Vista SP1 and later, Windows Server 2008, and Windows 7.
DEP makes exploiting the public vulnerability significantly more difficult. |
| MS09-073 (Wordpad converter) | Attacker sends malicious .doc file (saved in legacy Word version 8 format) to victim who opens it in Wordpad. | Critical | 2 | Less likely to be exploited in first 30 days. | Affects only older platforms. |
| MS09-071 (IAS) | Attacker on a wireless LAN attacks the Microsoft IAS server providing the 802.1x authentication and encryption via PEAP. Attack would be via the RADIUS protocol. |
Critical | 2 | Less likely to be exploited in first 30 days. | |
| MS09-074 (Project) | Attacker sends a malicious Project file (MPP) to victim who opens it with Project 2003 or earlier. | Critical (Critical on Project 2000 only) | 2 | Less likely to be exploited in first 30 days. | Affects only older versions of Project. |
| MS09-070 (ADFS) | Attacker able to authenticate to ADFS running in IIS can execute code within the IIS worker process. | Important | 1 | While an exploit may be developed in the first 30 days, the risk to most organizations is low because attack surface is only exposed to authenticated attackers. |
|
| MS09-069 (LSASS) | Attacker on enterprise network authenticates to a server and remotely causes CPU exhaustion. | Important | 3 | Unlikely to be exploited in first 30 days. | No chance of code execution |
