As part of its scheduled batch of patches for November, Microsoft today issued six security bulletins with fixes for a total of 15 vulnerabilities affecting its Windows and Office product lines.

Three of the six bulletins are rated “critical,” meaning they can be used to launch remote code execution or worm attacks without any user action. One of the Windows vulnerabilities could expose users to drive-by malware attacks via the browser, Microsoft warned.

Four of the six bulletins include patches for Windows and Windows Server, and two affect Microsoft Office products (Excel and Word).
Microsoft is urging Windows users to pay special attention to MS09-065, a “critical” bulletin that patches three documented vulnerabilities in Windows Kernel-Mode drivers.
“We recommend customers prioritize and deploy this update immediately.”
That vulnerability only affects Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 (it does not affect Windows Vista or Windows Server 2008, so if you are using either of these platforms, you can lower the deployment priority to a two). The vulnerability was publicly disclosed and could be used to create a malicious web page that could exploit vulnerable systems when a user simply visits the site. The other two vulnerabilities are Elevation of Privilege (EoP) flaws, which would require the attacker to have valid logon credentials in order to exploit them.

Microsoft expects to see functional exploit code for this flaw very soon.
This Patch Tuesday also brings:

- MS09-063 (Maximum severity rating of Critical): Resolves one privately reported vulnerability in Windows, which could allow remote code execution if an affected Windows system receives a specially crafted packet. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
- MS09-064 (Maximum severity rating of Critical): Patches one privately reported vulnerability in Windows, which could allow remote code execution if an attacker sent a specially crafted network message to a computer running the License Logging Server. An attacker who successfully exploited this vulnerability could take complete control of the system.
- MS09-066 (Maximum severity rating of Important): This update resolves one privately reported vulnerability in Windows, which could allow denial of service if stack space was exhausted during execution of certain types of LDAP or LDAPS requests.
- MS09-067 (Maximum severity rating of Important): This update resolves eight privately reported vulnerabilities in Office, which could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user.
- MS09-068 (Maximum severity rating of Important): This update resolves one privately reported vulnerability in Office, which could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Microsoft also reissued MS09-045 and MS09-051 to address detection issues and minor problems.

On the MSRC blog, Microsoft is offering charts explaining the severity and exploitability of each vulnerability and visual guidance on how to properly prioritize and deploy the updates.

The company’s Security Research & Defense Blog offers a technical breakdown of some of the more serious vulnerabilities.