By Jason Miller
Microsoft has released 13 new security bulletins in the October 2009 version of Patch Tuesday. Eight bulletins have a severity rating of Critical. The remaining five security bulletins have a severity rating of Important. For the first time, Windows 7 and Windows 2008 R2 are affected by security bulletins. The sheer volume of bulletins and subsequent patches this month will likely give administrators fits.
Two previously active Microsoft Security Advisories have been closed out:
Security Advisory 975497: Vulnerabilities in SMB Could Allow Remote Code Execution
Security Advisory 975191: Vulnerabilities in the FTP Service in Internet Information
These security advisories have been addressed with the new security bulletins MS09-050 and MS09-053. MS09-050 resolves three software vulnerabilities and is rated Critical. An attacker can send malicious networking packets to a target system that can lead to remote code execution on the target system. Exploit code was already publicly available, so a new major outbreak is unlikely. MS09-053 resolves two software vulnerabilities in the FTP service. These vulnerabilities could result in remote code execution on the target machine. The vulnerabilities covered by both bulletins were publicly known.
The User Experience
Two bulletins affect the “User Experience” this month. MS09-054 is Microsoft’s cumulative security update for the Internet Explorer browser. This bulletin addresses four vulnerabilities, one of which is publicly known, and is rated Critical. Users can be affected if they visit a specially crafted web page. This can lead to remote code execution. MS09-062 affects GDI+. The bulletin addresses an issue where specially crafted images can be embedded in web pages. If a user visits a specially crafted web page, a vulnerability can be exploited that can lead to remote code execution. In addition, opening specially crafted Microsoft Office documents can result in remote code execution as well. These will probably be the most targeted bulletins, as both attack vectors have a large user base and require only simple navigation to a malicious web site. In both cases, users must be enticed to visit a malicious web site or open a malicious Office document.
The Media Experience
The next two bulletins affect media playing on target systems. MS09-051 affects the Windows Media Runtime component. If a user opens a malicious streaming media file (ASF), an attacker could gain complete control of the system through remote code execution. An attacker would need to entice a user to visit a website or open a file to exploit this vulnerability. This bulletin is rated as Critical and addresses two software vulnerabilities. One of these vulnerabilities is publicly known. MS09-052 is very similar to the previous security bulletin. This bulletin affects Windows Media Player, addresses one software vulnerability, and is rated Critical. The vulnerability has the same attack vectors as MS09-051 with one addition. With Windows Media Player, a user would simply need to navigate to a directory containing a malicious file through Windows Explorer. Simply browsing to the folder, without opening the file, will trigger the exploit.
ATL Part Two
A few months back, Microsoft released an out-of-band update that addressed software vulnerabilities in ATL components. This month, Microsoft is back with a few more patches that address ATL issues. First, MS09-055 is a bulletin that will set ActiveX killbits on a machine. This will prevent malicious ActiveX controls from loading. This bulletin fixes one software vulnerability and will block 15 malicious ActiveX controls from running. There were reports of exploits in the wild taking advantage of this vulnerability. MS09-060 addresses three vulnerabilities in ATL ActiveX controls in Microsoft Office. Users can be affected if they are enticed into navigating to a malicious website, which can lead to remote code execution. This bulletin is rated as Critical.
MS09-061 addresses three vulnerabilities affecting .NET and Silverlight 2 and is rated Critical. If a user visits a malicious website, an attacker can gain remote code execution.
MS09-057 addresses one vulnerability in the Windows Indexing Service and is rated Important. Like other vulnerabilities, it requires a user to navigate to a malicious website. But the user also needs to have a vulnerable binary on the target system for the exploit to work. This could lead to remote code execution on the target system. Based on the difficulty of the attack scenario, the likelihood of an exploitation outbreak for this vulnerability is lower than for the other User Experience vulnerabilities.
MS09-058 addresses three vulnerabilities in the Windows Kernel. This bulletin is rated as Important. An attacker would need to have access to a target system before being able to exploit these vulnerabilities. If successful, the attacker could cause a Denial of Service or elevate their privileges on the system. In order to exploit these vulnerabilities, an attacker would need to combine this exploit with additional exploits to gain access to the target system. MS09-056 addresses two vulnerabilities in CryptoAPI and is rated Important. These vulnerabilities can lead to a spoofing attack. If an attack is successful, an attacker can impersonate another user by presenting a digital certificate that appears to be legitimate.
MS09-059 addresses one vulnerability in the Local Security Authority Subsystem Service (LSASS) and is rated Important. This vulnerability can lead to a Denial of Service attack. If an attack is successful, the target system could automatically restart itself, causing a Denial of Service.
As this is October, Adobe has also released its quarterly security bulletins for Adobe Acrobat and Reader. Adobe will be releasing updates to Adobe Reader and Acrobat versions 9.1.3, 8.1.6 and 7.1.3.
Microsoft has re-released MS08-069 with a new major revision. This bulletin now includes patches for Windows 7 and Windows 2008 R2.
Jason Miller is data and security team leader at Shavlik Technologies.