Final patch Tuesday of 2009 from Microsoft sees Internet Explorer zero-day vulnerability covered

News by Dan Raywood

Microsoft's release of a fix for an Internet Explorer vulnerability on the latest Patch Tuesday has been welcomed.

Microsoft's release of a fix for an Internet Explorer vulnerability on the latest Patch Tuesday has been welcomed.

Wolfgang Kandek, CTO of Qualys, welcomed the six bulletins, which brings the total releases for 2009 to 74. He claimed that with bulletin MS09-072, which fixes the critical zero-day Internet Explorer vulnerability that was publicly disclosed three weeks ago, it appears that they had been working on the issue already.

Kandek said: “This patch is rated for immediate deployment as attackers are actively working on making the POC into a reliable exploit. The advisory further contains an additional four vulnerabilities, with three affecting Internet Explorer 8, including Windows 7.” He also pointed out that this was the only bulletin this month that affected both Windows 7 and Windows 2008 R2.

Tyler Reguly, senior security engineer at nCircle, agreed with Kandek, claiming that this fix ‘should be number one on everyone's hit list today'. He said: “Patching IE is always crucial but given the public exploit, this should be patched as quickly as possible.

“Beyond IE, this list is really a mash-up of random fixes. There's a lot of letters with LSASS, ADFS and IAS and a smattering of client side vulnerabilities in Wordpad and Exploit but in the grand scheme of things, there's nothing extremely dangerous once you get past IE. Given some of the configurations that are affected, it's definitely worth taking the time to test these patches in your lab before deploying them, IE is, of course, the exception to that recommendation.”

Matthew Walker, regional director UK & Ireland at Lumension, also agreed, saying that it was the ‘most critical patch with potentially the greatest impact'. He said: “This patch has been given Microsoft's highest exploitability rating, indicating that consistent exploit code is likely.

“Publicly disclosed details of this vulnerability are circulating and will undoubtedly be targeted to deliver web-borne malware to unsuspecting internet users. As a priority, IT departments should quickly assess and immediately patch all end-user machines throughout their organisation.”

Finally, Jason Miller, security and data team manager at Shavlik Technologies, said: “MS09-072 is the first security bulletin administrators should address on their network. With this bulletin, the advisory expires if administrators patch the vulnerable versions of Internet Explorer. The vulnerability specifically deals with malicious Active-X controls that were built with a vulnerable ATL. The ATL vulnerability prompted an out-of-band release earlier this year from Microsoft. All five vulnerabilities will target any user that browses to a malicious web site with an unpatched Internet Explorer. In this scenario, this can lead to remote code execution on the target system.”

Looking at the other bulletins, Walker said: “The last critical Bulletin, MS09-071, affects Windows Server 2008 and requires a restart. Although Microsoft's exploitability scale for this bulletin is less severe, as Windows Server 2008 is most commonly deployed in support of mission critical applications, this update has the potential to be severely disruptive to business operations.”

Miller commented: “MS09-071 affects Microsoft Internet Authentication Server (IAS) on servers and clients except for Windows 7 and Windows 2008 R2. IAS is a technology from Microsoft that allows such business services as Wireless and VPN connections. This security bulletin addresses two vulnerabilities.

“One of these vulnerabilities is publicly known, but the vulnerability is not being actively exploited at this time.  An attacker can send a malicious packet to a vulnerable server that can result in remote code execution. Interesting enough, client systems do not have the vulnerable files on the system as they are not part of the base operating system, but Microsoft is providing a patch for Windows Client system. However, third party products can be installed on client systems that can be vulnerable.”

Kandek recommended installing the patches addressed in bulletins MS09-073 and MS09-074 ‘as quickly as possible‘ as they address vulnerabilities in file formats for Word/Wordpad converters and MS-Project.

He said: “Both allow remote code execution when users open specifically crafted files that can be received through email or downloaded from a website. Install the patches as quickly as possible and review whether extended testing is necessary in your environment.”

Miller said: “MS09-073 affects WordPad on Windows XP and 2003 as well as Office Text Converters for Office XP and 2003.  This security bulletin fixes one software vulnerability, which is not publicly known at this time.  A user with a vulnerable operating system or Microsoft Office program will need to be enticed into opening a malicious Word 97 document. Upon opening, the document will be converted to a new version of a Word document.  A successful exploit can lead to remote code execution.

“MS09-074 affects Microsoft Project. The one security vulnerability this bulletin addresses is not publicly known at this time. In an attack scenario, a user would need to be enticed into opening a malicious Project document.  This can lead to remote code execution.”

Finally Ben Greenbaum, senior research manager at Symantec Security Response, said: “Proof-of-concept exploit code was released for the object memory corruption vulnerability late last month, but it wasn't reliable. It's been a race since between Microsoft and attackers to either get a patch out or improve the exploit's reliability. As it turns out, Symantec has yet to see neither the exploit's consistency increased significantly nor any successful attacks using it in the wild.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews