Microsoft has released six security updates that addressed 15 individual vulnerabilities on its monthly Patch Tuesday.
The patches included three that were rated as critical and three that were rated as important. Commentators across the industry have generally claimed that patch MS09-065, which fixes a bug in the Windows kernel, is this month's most serious issue.
Andrew Storms, director of security operations at nCircle, said: “The vulnerability allows for remote code execution, and the attack code can be embedded inside MS Office files or be hosted on websites. Simply browsing an infected website will compromise unsuspecting users - not great for all the holiday shoppers looking to get a jump on their shopping.
Jason Miller, security and data team manager at Shavlik Technologies, also claimed that MS09-065 is the first bulletin administrators should address.
Miller said: “This vulnerability affects the way the Windows Kernel parses embedded open type font, these are typical on websites. The internet is one of the most popular attack vectors, so this should be patched as soon as possible on your workstations.”
Also in agreement was Wolfgang Kandek, CTO at Qualys, who said: “MS09-065 was rated as critical due to the embedded open type font vulnerability in which an attacker can execute arbitrary commands on the victim's computer. A proof of concept that causes the application to crash is publicly disclosed. All Windows operating systems except Windows 7 and Windows 2008 R2 are affected.
“We can expect working exploits soon and this is the most critical vulnerability to address - for users that cannot patch the vulnerability immediately, Microsoft has provided also some workarounds in a detailed blog post including instructions on how to use GPOs to roll them out in an automated way.”
Commenting, Ben Greenbaum, senior research manager at Symantec security response, said: “The embedded open type font kernel vulnerability is the most serious in our opinion. Not only is proof-of-concept exploit code publicly available, but all that's required of a user to become infected by it is simply viewing a compromised web page. Symantec isn't seeing any active exploits of this in the wild yet, but we think attackers will be paying a lot of attention to it in the future.”
“Originally it was thought exploiting this vulnerability would only result in a denial-of-service type attack. But we now know it can result in an attacker running malicious code on a user's machine. Because it is at the kernel level, it doesn't matter what system privileges the logged-in user has at the time of exploit, the entire system is at risk. This all makes it a potentially more lucrative vulnerability for attackers to exploit.”
Tyler Reguly, senior security engineer at nCircle, claimed that the bulletin he found the most interesting was MS09-063. This resolves a vulnerability in the web services on the devices application programming interface on the Windows operating system. Listed as critical, it impacts Microsoft Vista and Windows 2008 platforms and requires a restart.
“The web services on the devices application programming interface attack interests me greatly as it is a remote code execution on a listening service. I'm rather excited to dig deeper into this one and find out how it works,” said Reguly.
Miller said: “MS09-063 affects Windows Vista and 2008 only. The vulnerability affects a service that is on by default on those systems: web services on the devices application programming interface, this allows users to easily find devices such as printers and cameras on their network. An attacker can send a specially crafted network packet to a target system and if successful, the attacker can take complete control of the system. It is interesting that a new service that helps with the 'user experience' can cause so much harm. This vulnerability is also not publicly known at this time.”
Miller also claimed that MS09-064 ‘is an interesting vulnerability' as if it had been released six years ago it would be rated extremely critical.
“This bulletin addresses a vulnerability that only affects Windows 2000, specifically the license logging server. This service is on by default on Windows 2000 systems. An attacker can send a specially crafted packet to the target system that can result in remote code execution on the target system. As Windows 2000 is an aging technology, this may not affect too many organizations. It is important to note any computer running Windows 2000 today is typically a server. This could make this bulletin extremely critical as it could be a primary device on your network,” said Miller.
In conclusion, Kandek said: “The newer OS versions Windows 7 and Windows 2008 R2 were not affected by any of the bulletins released today, a good indication of the progress that Microsoft has made in securing the base operating system. “
Andrew Clarke, senior vice president of Lumension, commented: “Microsoft has delivered a lighter patch Tuesday this month, issuing three critical patches and three important patches. Windows 7 users can put their feet up this morning as none of the patches affect the new platform, dubbed by Microsoft as the most secure system that they have shipped.
“However, the majority of businesses are still in the planning stages of migrating to Windows 7, leaving most IT departments with their hands full. Four of the six new patches are replacements for previously released patches.”