Microsoft released its monthly security updates today and put special urgency on a cumulative security update for Internet Explorer 9. Critical vulnerabilities were found in the way the browser handles objects in memory which could lead to an attacker remotely executing code. Victims would have to land on a website hosting an exploit, Microsoft said. The company said there are no public exploits for this vulnerability.
This month’s updates also include the first patches for Windows 8 and Windows RT systems, both of which are less than a month old. Of the six updates, four are rated critical and repair flaws in Microsoft Windows Shell, the Windows Kernel, IIS, .NET and Excel.
The IE update does not affect IE 7, 8 or 10, Microsoft said. The vulnerabilities, use-after-free flaws in the CFormElement, CTreePos and CTreeNode objects, exist in the way IE accesses objects that have not been correctly initialized or have already been deleted. They are detailed in CVE-2012-1538, CVE-2012-1539 and CVE-2012-4775 respectively. As a workaround, Microsoft recommends setting the IE security zone settings to High to block ActiveX Controls and Active Scripting.
Three vulnerabilities in the Windows Kernel were also patched, the most serious a remote code execution flaw triggered when users open infected Office or PDF documents, or land on an attacker’s page, that embed malicious TrueType font files. These three flaws affect Windows 8, 7, XP and Windows Server 2008.
“An attacker who successfully exploited this vulnerability could take complete control of an affected system,” Microsoft said. “An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.”
The two other kernel flaws are privilege escalation vulnerabilities that occur when the kernel-mode driver fails to properly handle objects in memory.
Microsoft also addressed a pair of critical integer overflow and underflow vulnerabilities in Windows Shell that could lead to remote code execution. A user would have to open a malicious Windows Briefcase to trigger an attack.
The final set of critical vulnerabilities was patched in the .NET Framework. Microsoft said the most serious is a remote code execution bug that would be triggered if a user deploys a malicious proxy auto-configuration (PAC) file, which would inject code into a running application.
“The security update addresses the vulnerabilities by updating how the .NET Framework sanitizes output based on the trust level of the calling code, validates the permissions of objects performing reflection, loads external libraries, and optimizes code in memory,” Microsoft said.
Five .NET flaws were patched in all: the proxy auto-configuration bug, two other remote code execution flaws and two privilege escalation vulnerabilities.
Microsoft also patched remote code execution vulnerabilities in Excel. The patch corrects the way in which Excel parses and validates data, Microsoft said. In addition to the SerAuxErrBar heap overflow vulnerability, the update corrects a memory corruption vulnerability, an SSE invalid-length use-after-free vulnerability and a stack overflow flaw.
Finally, two vulnerabilities were fixed in IIS that could lead to data leakage via a malicious FTP command sent to the Microsoft Web server. The update also corrects the way IIS handles log file permissions.
While IT admins may have their first set of Windows 8 and RT patches, they’re already behind the game. Proof-of-concept malware targeting Windows Phone, which runs on Windows RT, is expected to be demonstrated by a 16-year-old on Nov. 24 at the MalCon event in India.
Shantanu Gawde is a member of India’s National Security Database program, sponsored by the government. According to the conference site, the Windows Phone Malware prototype enables an attacker to steal contacts, upload pictures and steal users’ data. The National Security Database program is an accreditation earned by security experts for the protection of the country’s critical infrastructure.
No details were shared on whether the code exploits a vulnerability, or whether a user would have to unwittingly install it as a malicious application.
A year ago, Gawde developed malware that uses Microsoft Kinect, a motion sensor controller used on the Xbox 360 platform. The malware steals pictures using the device and uploads them to an online account.