The Security Pub

Random Thoughts About Security

September Microsoft Patch Tuesday Summary

This is a fairly light month: Microsoft is releasing five bulletins that cover eight vulnerabilities. Below is a list of the "Critical" issues being addressed this month.

MS09-045 – Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961). This security update resolves a privately reported vulnerability in the JScript scripting engine that could allow remote code execution if a user opened a specially crafted file or visited a specially crafted Web site and invoked a malformed script. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-049 – Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710). This security update resolves a privately reported vulnerability in the Wireless LAN AutoConfig Service. The vulnerability could allow remote code execution if a client or server with a wireless network interface enabled receives specially crafted wireless frames. Systems without a wireless card enabled are not at risk from this vulnerability.

MS09-047 – Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812). This security update resolves two privately reported vulnerabilities in Windows Media Format. Either vulnerability could allow remote code execution if a user opened a specially crafted media file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-048 – Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723). This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems connected to the Internet have a minimal number of ports exposed.

MS09-046 – Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844). This security update resolves a privately reported vulnerability in the DHTML Editing Component ActiveX control. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


August Microsoft Patch Tuesday Summary

Here is a quick summary of this month’s Microsoft Security updates…

Patch Tuesday

9 advisories, with 19 vulnerabilities covered. Here's the breakdown:

MS09-036: Rated Important. Potential Denial of Service in ASP.NET on Windows Vista and Server 2008, covering 1 vulnerability: CVE-2009-1536. It is important to note that this vulnerability only affects systems where IIS 7.0 is installed and ASP.NET runs in integrated mode. IIS 7 installations using application pools in classic mode are not vulnerable. Other versions of Windows are not affected.

MS09-037: Rated Critical. Potential Remote Code Execution in ATL Components, Outlook Express, Media Player, ActiveX Controls, and anything else Microsoft built with these templates. Every supported version of Windows is affected except Windows 7 and 64-bit versions of Server 2008 R2, covering 5 vulnerabilities: CVE-2008-0015 (ActiveX), CVE-2008-0020 (memcopy), CVE-2009-0901 (uninitialized object), CVE-2009-2493 (COM initialization), and CVE-2009-2494 (object type mismatch). Yup – this is the big one, with Microsoft feeling their customers' pain as they try their best to track down every piece of software written on top of the original mess. I don't envy them and I'm sure this isn't over.

MS09-038: Rated Critical. Potential Remote Code Execution in Windows Media File Processing in every version of Windows except Windows 7 and 64-bit versions of Server 2008 R2, covering 2 vulnerabilities: CVE-2009-1545 (malformed AVI header) and CVE-2009-1546 (AVI integer overflow). Malformed AVI makes for an interesting departure from the standard malicious media and speaks volumes about how much rich media has become the new normal in life online.

MS09-039: Rated Critical. Potential Remote Code Execution in WINS, affecting Windows 2000 Server and 2003 only and covering 2 vulnerabilities: CVE-2009-1923 (heap overflow) and CVE-2009-1924 (integer overflow). This would be a bigger deal if it weren't WINS – that's like getting nervous about a new Telnet vulnerability … but more on that in a minute. It's 2009 – if you installed WINS on purpose, this is a great reason to rethink that strategy. If resolving NetBIOS names across a WAN link is important to you, then it's time to patch.

MS09-040: Rated Important. Potential Elevation of Privilege in Message Queuing affecting Vista pre-SP, Server 2003, 2000, and XP prior to SP3. 1 vulnerability: CVE-2009-1922 – MSMQ Null Pointer Vulnerability, caused by input that is not validated before being passed to the buffer. On any other Patch Tuesday, this one would be extremely interesting. With ATL & Web Components on one end and WINS & Telnet on the other, this one is suffering from middle child syndrome in this month's post.

MS09-041: Rated Important (Elevation of Privilege) for XP and 2003; Moderate (Denial of Service) for Vista and 2008. 1 vulnerability: CVE-2009-1544, Workstation Service memory corruption. Valid logon credentials are required to exploit this one.

MS09-042: My favorite update this month is for *TELNET*. Awesome. Rated Important for 2000, XP, and 2003; Moderate for Vista and 2008. 1 vulnerability: CVE-2009-1930 (credential reflection). What a perfect excuse to disable Telnet. As Jabra said a few minutes ago: "Patch your telnet if you're still running it." You shouldn't be.

MS09-043: Rated Critical. Remote Code Execution in Office Web Components in Office XP and 2003, Office 2000/XP/2003 Web Components, ISA 2004 and 2006, BizTalk 2002, Office Small Business Accounting 2006, and oh yeah – Visual Studio .NET 2003. This is the other biggie, with 4 vulnerabilities: CVE-2009-0562 (memory allocation), CVE-2009-2496 (heap corruption), CVE-2009-1136 (HTML script), and CVE-2009-1534 (buffer overflow). After much noise and a front-row seat in Metasploit last month, this update was much anticipated and expected. (You should patch this one.)

MS09-044: Rated Critical for affected versions except for 6.0 (more on that shortly). Remote Code Execution in Remote Desktop (RDP 5.0, 5.1, 5.2, 6.0, and 6.1) as well as the Remote Desktop Client for Mac. All Windows operating systems are affected except for Windows 7 and Windows Server 2008 R2. 2 vulnerabilities: CVE-2009-1133 (heap overflow) and CVE-2009-1929 (ActiveX heap overflow). This one would normally be pretty scary, but with credentials required and so much else competing for attention this month, it gets less notice at first glance. The interesting thing here is that the vulnerability on systems running RDP 5.0 through 5.2 and 6.1 is rated Critical, while 6.0 is rated Important. The justification for this rating is that 6.0 is not affected by the ActiveX vulnerability, and CVE-2009-1133 cannot be exploited by a malicious website invoking the RDP ActiveX control. This is a great example of how important remediation-based reporting can be. On a day like today, with so much information to sift through, there is clearly value in cutting through the mess of different (and sometimes confusing) vulnerability ratings and providing sound remediation advice instead of a simple list of vulnerabilities.

There's a very good chance that a couple of this month's sleepers will get some more press after the big hitters settle down. In addition to the obvious 037 and 043 priorities, the best advice is to start with remediation for vulnerabilities that are network accessible with no authentication or user interaction required, along with those that already have active exploits (in the wild and/or in Metasploit).
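As an added example (not part of either post, and not Microsoft's own rating logic), here is a small Python triage helper that applies the prioritization rule from the paragraph above and from the MS09-048 "listening service" point in the September post: the bulletins the author names outright go first, then anything reachable over the network with no credentials and no user interaction, then anything with a public exploit, with the Microsoft rating and impact as tie-breakers. The per-bulletin attributes are taken from the two posts where they state them (credentials required for MS09-041 and MS09-044, a Metasploit module for MS09-043, crafted packets to a listening service for MS09-048) and are marked as this example's assumptions where they do not; the scoring weights are likewise this example's choice, not the posts'.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Bulletin:
    id: str
    severity: str            # Microsoft's rating as quoted in the post
    impact: str              # "RCE", "EoP", "DoS" or a free-text impact
    network_reachable: bool  # triggered by packets/frames to a listening service
    auth_required: bool      # attacker needs valid credentials
    user_interaction: bool   # a user must open a file or visit a page
    public_exploit: bool     # a public exploit exists (e.g. a Metasploit module)
    note: str = ""


# Example weights; Microsoft's ratings are only one input to the score.
SEVERITY_WEIGHT = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}
IMPACT_WEIGHT = {"RCE": 3, "EoP": 2, "DoS": 1}


def triage_score(b: Bulletin) -> int:
    """Higher means patch sooner. Severity and impact set the baseline; the big
    bonuses go to bugs reachable over the network with no credentials and no
    user interaction (the class the post says to start with) and to anything
    that already has a public exploit."""
    score = SEVERITY_WEIGHT.get(b.severity, 0) + IMPACT_WEIGHT.get(b.impact, 0)
    if b.network_reachable and not b.auth_required and not b.user_interaction:
        score += 4
    if b.public_exploit:
        score += 3
    return score


def prioritize(bulletins: Iterable[Bulletin],
               must_patch_first: Iterable[str] = ()) -> List[str]:
    """Return bulletin ids in remediation order. Ids in must_patch_first (the
    post's "obvious priorities") come first, in the order given; the rest
    follow by descending triage score, ties keeping input order."""
    items = list(bulletins)
    known = {b.id for b in items}
    first = [i for i in must_patch_first if i in known]
    rest = [b for b in items if b.id not in first]
    rest.sort(key=triage_score, reverse=True)  # list.sort is stable
    return first + [b.id for b in rest]


# Constructed from the statements in the two posts above. Attributes marked
# "assumed" are this example's assumptions, not something the posts state.
BULLETINS = [
    Bulletin("MS09-048", "Critical", "RCE", True, False, False, False,
             "TCP/IP: crafted packets to a host with a listening service"),
    Bulletin("MS09-036", "Important", "DoS", True, False, False, False,
             "ASP.NET on IIS 7 integrated mode (no auth: assumed)"),
    Bulletin("MS09-037", "Critical", "RCE", False, False, True, False,
             "ATL/ActiveX; user must load the control (assumed)"),
    Bulletin("MS09-038", "Critical", "RCE", False, False, True, False,
             "malformed AVI; user must open the file"),
    Bulletin("MS09-039", "Critical", "RCE", True, False, False, False,
             "WINS heap/integer overflow (no auth: assumed)"),
    Bulletin("MS09-040", "Important", "EoP", False, True, False, False,
             "MSMQ null pointer; local elevation (assumed)"),
    Bulletin("MS09-041", "Important", "EoP", True, True, False, False,
             "Workstation Service; valid logon credentials required"),
    Bulletin("MS09-042", "Important", "Credential reflection", False, False, True, False,
             "Telnet; user must connect to a hostile server (assumed)"),
    Bulletin("MS09-043", "Critical", "RCE", False, False, True, True,
             "Office Web Components; Metasploit module noted in the post"),
    Bulletin("MS09-044", "Critical", "RCE", True, True, False, False,
             "RDP; post notes credentials required"),
]


if __name__ == "__main__":
    for bid in prioritize(BULLETINS, must_patch_first=("MS09-037", "MS09-043")):
        b = next(x for x in BULLETINS if x.id == bid)
        print(f"{bid}  score={triage_score(b):2d}  {b.severity:9s} {b.note}")
```

With the author's two named priorities pinned to the top, the network-reachable, no-credential bugs (MS09-048 and the WINS bulletin MS09-039) come next, ahead of Critical file-format bugs that need a user to open something, and the credential-requiring RDP and Workstation Service bulletins sink accordingly. Swap in your own attributes or weights; the point is that the ordering is driven by reachability and exploit availability rather than by the rating label alone.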