<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>

<channel>
	<title>Tek Tips Whitepaper Library &#187; Eric Schultze</title>
	<atom:link href="http://tek-tips.nethawk.net/blog/author/eric/feed" rel="self" type="application/rss+xml" />
	<link>http://tek-tips.nethawk.net/blog</link>
	<description>Tek Tips Whitepaper Library</description>
	<pubDate>Thu, 29 Jul 2010 18:27:41 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Patch Tuesday: Watch Those Evil Web Sites</title>
		<link>http://tek-tips.nethawk.net/blog/patch-tuesday-watch-those-evil-web-sites</link>
		<comments>http://tek-tips.nethawk.net/blog/patch-tuesday-watch-those-evil-web-sites#comments</comments>
		<pubDate>Tue, 11 Aug 2009 19:40:04 +0000</pubDate>
		<dc:creator>Eric Schultze</dc:creator>
		
		<category><![CDATA[Breaking News]]></category>

		<category><![CDATA[Community Manager]]></category>

		<category><![CDATA[Patch Tuesday]]></category>

		<category><![CDATA[client-side vulnerabilities]]></category>

		<category><![CDATA[IIS7]]></category>

		<category><![CDATA[Office Web Components]]></category>

		<category><![CDATA[Remote Desktop Protocol]]></category>

		<category><![CDATA[server side vulnerabilities]]></category>

		<guid isPermaLink="false">http://tek-tips.nethawk.net/blog/?p=2029</guid>
		<description><![CDATA[Microsoft has released nine bulletins today, five of them Critical, four of them Important.  The bulletins cover a gamut of affected products - almost everything in your enterprise will need to be patched today with the exception of Internet Explorer.  No Internet Explorer patches this month!
The majority of bulletin releases these days relate to client-side [...]


]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal">Microsoft has released nine bulletins today, five of them Critical, four of them Important.  The bulletins cover a gamut of affected products - almost everything in your enterprise will need to be patched today with the exception of Internet Explorer.  No Internet Explorer patches this month!</p>
<p class="MsoNormal">The majority of bulletin releases these days relate to client-side vulnerabilities – visit an evil website, open an evil document, or read an evil email and you&#8217;ll get hacked.  These vulnerabilities are of greatest concern on the desktop where end users are filling time between Mafia Wars power-ups and Facebook updates by visiting websites that may be hosting content of questionable repute.  This month, there are five bulletins addressing these types of issues.</p>
<p class="MsoNormal">The remaining four bulletins address server-side vulnerabilities.  These are the ones that keep network administrators up at night.  The attacker simply needs network access to the system in question and they can run code of their choice on the server.  This month, there is one flaw that lets anyone with network access own a WINS server, two flaws that let authenticated users own any system, and one flaw that lets unauthenticated users create a denial of service against some IIS7 web servers.</p>
<p class="MsoNormal">I always encourage patching the server-side issues as soon as possible.  Maybe best to form two teams and patch server-side and client-side issues simultaneously.</p>
<p><span id="more-2029"></span></p>
<p class="MsoNormal"><strong>The Bulletins</strong></p>
<p class="MsoNormal">Now, on to the bulletins.  Starting with the more interesting ones&#8230;</p>
<p class="MsoNormal">MS09-036 is a bulletin that will impact folks running websites on IIS7.  Attackers can send some packets to your web server and cause it to stop functioning (Denial of Service).  Microsoft has already had some reports that this attack has been spotted on the Internet.  IIS7 websites are safe if they are running in &#8216;Classic&#8217; mode.  IIS7 sites running in &#8216;Integrated&#8217; (non-classic) mode are vulnerable.  I&#8217;m not exactly sure what the default mode is when setting up an IIS7 website.  The patch for this IIS issue is really a patch for .NET Framework versions 2 and 3.  If you&#8217;re running IIS7 (classic or otherwise), I&#8217;d recommend patching this one soon, unless you want your .asp and .aspx pages to stop functioning.</p>
<p class="MsoNormal">MS09-037 is a really ugly collection of ActiveX controls that have been patched for the ATL vulnerabilities described in the out-of-band bulletin MS09-035 from earlier this month.  Microsoft identified 5 ActiveX controls that were using a vulnerable version of the ATL templates.  These ActiveX controls could be executed when visiting evil websites - causing them to execute evil code on your system.  Although Microsoft references a Video Control fix in this bulletin, this is NOT the same ActiveX control that was kill-bitted in MS09-032.</p>
<p class="MsoNormal">MS09-042 is a Telnet bulletin that is really a throwback to the credential reflection vulnerabilities discussed in MS08-068 (and originally identified back in 201).  This is a variant on the HTTP attack vector discussed in MS08-068.  In this instance, the attacker encourages a user to click on a hyperlink that points to an evil Telnet server.  The evil Telnet server obtains a form of your Windows username and password, which the attacker can replay back against your box to log in to your system as you - without ever knowing your password!  This attack has been publicly known for a long time - so best to patch all of your desktops for this issue before the bad guys start standing up evil Telnet servers.  (You may be safe from this attack if you&#8217;re on a corporate network that&#8217;s blocking inbound NetBIOS ports 139 and 445 - as those are the ports the attacker will most likely try to use to log in to your system with the captured credentials.)  See <a href="http://ericsblog.shavlik.com/2008/11/11/reflections-on-the-november-2008-microsoft-patch-release/" target="_blank">http://ericsblog.shavlik.com/2008/11/11/reflections-on-the-november-2008-microsoft-patch-release/</a> for more information on credential reflection attacks.</p>
<p class="MsoNormal">MS09-039 is a Critical issue for network administrators managing WINS servers on their Microsoft networks (and every MS network has at least one of these).  This is an unauthenticated server-side attack - the bad guy simply points and shoots some packets at the WINS server and they can execute code of their choice on that server.  This attack is most likely to come from inside your network as the necessary ports to execute the attack are usually blocked at the Internet firewall.  Patch this right away on your WINS servers.</p>
<p class="MsoNormal">Speaking of the internal network, MS09-041 can be enjoyed internally.  This is a privilege escalation attack against Microsoft systems.  Attackers who have user-level access to machines in the organization (their own machine, file servers, domain controllers, etc) can point some evil packets to their target of choice and execute code.  This vulnerability results from a flaw in the &#8216;Workstation&#8217; service which is on every machine (and can&#8217;t really be disabled without impacting operations on the network).  Patch this one while patching your WINS servers - keep idle internal miscreants from owning your machines.</p>
<p class="MsoNormal">MS09-040 presents a less prevalent attack surface.  It is similar to MS09-041 above, but limited to systems that have the MSMQ service installed (it is not installed by default).  An attacker can point and shoot packets at the MSMQ service and execute code of their choice.  As with MS09-041, the attacker needs to have valid credentials to the system they&#8217;d like to own.</p>
<p class="MsoNormal">MS09-044 is the last super interesting bulletin this month.  Vulnerabilities in the Remote Desktop Protocol (RDP - formerly known as Terminal Services) can allow attackers to execute code on your desktop should you visit their evil website or visit their evil TermServer.  Two flaws exist, one in the TermServices ActiveX control (which can be launched by visiting an evil website), and one in the RDP console application.  Using the RDP console and visiting an evil TermServer can let the attacker run code on your box.  It&#8217;s not a vulnerability in Terminal Services - your remote servers that you access via RDP are safe.  It&#8217;s a vulnerability in the client you use to access terminal services.  Patch this one before you go browsing around to evil websites (or trying to break into unknown Terminal Servers).</p>
<p class="MsoNormal">The last few issues include a bulletin for Office Web Components (MS09-043), which have been actively exploited since June (visit the evil website and get hacked), and a bulletin for Windows Media Player (MS09-038), where visiting an evil website hosting malformed AVI files could execute code on your system.</p>
]]></content:encoded>
			<wfw:commentRss>http://tek-tips.nethawk.net/blog/patch-tuesday-watch-those-evil-web-sites/feed</wfw:commentRss>
		</item>
		<item>
		<title>Patch Tuesday: Three Critical Security Bulletins</title>
		<link>http://tek-tips.nethawk.net/blog/patch-tuesday-three-critical-security-bulletins</link>
		<comments>http://tek-tips.nethawk.net/blog/patch-tuesday-three-critical-security-bulletins#comments</comments>
		<pubDate>Tue, 14 Jul 2009 21:39:32 +0000</pubDate>
		<dc:creator>Eric Schultze</dc:creator>
		
		<category><![CDATA[Community Manager]]></category>

		<category><![CDATA[Patch Tuesday]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[DirectShow vulnerability]]></category>

		<category><![CDATA[shavlik]]></category>

		<guid isPermaLink="false">http://tek-tips.nethawk.net/blog/?p=1526</guid>
		<description><![CDATA[Eric Schultze is our newest regular contributor to the Tek-Tips blog. He will be contributing his &#8220;Patch Tuesday&#8221; posts, which look at the latest security bulletins from Microsoft. Eric joins the Tek-Tips guest blogger program with a certain degree of expertise about Microsoft security patches. Prior to joining Shavlik, Eric was program manager for the [...]


]]></description>
			<content:encoded><![CDATA[<p><em>Eric Schultze is our newest regular contributor to the Tek-Tips blog. He will be contributing his &#8220;Patch Tuesday&#8221; posts, which look at the latest security bulletins from Microsoft. Eric joins the Tek-Tips guest blogger program with a certain degree of expertise about Microsoft security patches. Prior to joining Shavlik, Eric was program manager for the Microsoft Security Response Center and a senior technologist in the Trustworthy Computing team at Microsoft Corporation. Please help us in welcoming Eric to the Tek-Tips guest blogger program.</em></p>
<p><span id="more-1526"></span></p>
<div style="float: right; margin-left: 10px; margin-bottom: 10px;">  <img class="alignleft size-full wp-image-1528" title="directxmedia" src="http://tek-tips.nethawk.net/blog/wp-content/uploads/2009/07/directxmedia.png" alt="directxmedia" width="170" height="215" /></div>
<p>Six security bulletins released today - three critical and three important.  Two of the issues are being actively exploited on the Internet and four of the issues are client-side vulnerabilities, which means the exploit can only occur if a user visits an evil website or opens a malformed document.</p>
<p>Today&#8217;s release is important because patches were released for two recent zero-day attacks - a QuickTime file parsing vulnerability and the recently announced <a href="http://seclists.org/bugtraq/2009/Jul/0083.html">Directshow vulnerability</a>.  Both vulnerabilities are reported as being actively exploited on the Internet.</p>
<p>While Microsoft has announced workarounds and/or provided FixIt tools for each of these issues, today&#8217;s patches will be welcomed by network administrators who have been tasked with remediating these issues.  Shavlik recommends that network administrators download and install the patches for these two bulletins as soon as possible (MS09-032 and MS09-028).</p>
<p>Two of Microsoft&#8217;s other releases this month apply to products that you don&#8217;t see patched very often - ISA Server 2006 and Virtual PC.  Although these two products are associated with security functions, neither flaw is as bad as it seems and Microsoft has rated the severity for each of these as Important.</p>
<p>Of the two remaining bulletins, one applies to Publisher (Important) and one applies to the Operating System (Critical).  Neither of these issues was publicly known prior to release, though Shavlik recommends reviewing and installing each of these patches as appropriate on your networks.  The Operating System patch (MS09-029) is particularly nasty and can execute when a user views an evil web page, email, or Office document.</p>
<p>Shavlik recommends installing MS09-028, 29, and 32 patches first (DirectShow, OS Font patch, and Video Control).  These are the three Critical patches - which goes to show that Microsoft got the Severity ratings spot-on this month.</p>
<p><strong>Details for MS09-032 and MS09-028:</strong></p>
<p>MS09-032 is the bulletin for the QuickTime file parsing vulnerability.  Clicking on an evil hyperlink or even hovering your mouse over a malformed QuickTime file could allow the attacker to execute code on your system.  The attacker&#8217;s code would have the same level of permission to your computer as the person who is logged on to the computer.  If you&#8217;re logged on as admin, the exploit could add or remove users and administrators from your machine, delete files, reformat your hard drive, or embed Trojans or worms that could be used in future attacks.</p>
<p>It&#8217;s important to note for this issue that the presence or absence of Adobe QuickTime is not relevant to whether or not your computer is vulnerable to this issue.  The flaw resides in the Microsoft components that parse QuickTime files - so don&#8217;t believe that you&#8217;re safe just because you don&#8217;t have QuickTime installed.  Also, the recent QuickTime patch from Adobe (7.6.2) is not related to this issue.</p>
<p>MS09-032 is rated as Critical for all Operating Systems.</p>
<p>MS09-028 is the bulletin for the recently announced Microsoft DirectShow vulnerability.  Viewing a malformed media file from a Windows XP or Windows Server 2003 system can enable the attacker to execute code on your system.  Similar to MS09-032, the evil code will run in the context of the currently logged on user and can take any action on that system that the logged on user can take.</p>
<p>Microsoft released a FixIt tool that sets the browser killbits for this vulnerable section of code.  The MS09-032 patch is a cumulative killbit patch that includes the killbits from the FixIt tool as well as all previously released ActiveX killbits.  Users who installed the ActiveX cumulative patch from June 2009 and also ran the FixIt tool for the DirectShow have already implemented the complete set of killbits represented by the MS09-028 patch.  If you ran the FixIt tool or otherwise implemented the Microsoft suggested workaround you are safe – there’s no need to revert changes that you made.</p>
<p>While the public exploit only impacts XP and 2003 systems, Microsoft recommends installing this patch on all Operating Systems as it includes killbits for all previously known bad ActiveX controls.</p>
<p><strong>Details for the remaining four</strong></p>
<p>MS09-029 applies to all Operating Systems and could be a particularly nasty issue if left unpatched.  The flaw resides in the way that Microsoft parses embedded fonts on web pages, emails, and Office documents (in this case, Embedded OpenType fonts; EOT fonts ensure that everyone viewing the text sees it formatted the same way).  Viewing an evil web page, email, or Office document could allow the attacker to execute code on your system.  Workarounds are available, but they require two separate changes to be made - one to protect from web content and the other to protect from evil emails and documents.</p>
<p>MS09-030 is a vulnerability in Microsoft Publisher documents.  Viewing a malformed document could allow the attacker to run code on your system.  This seems like the hundredth vulnerability in Publisher this year, and the millionth &#8216;open an evil document and get hacked&#8217; vulnerability in the past two years.</p>
<p>MS09-031 discusses an issue with ISA Server 2006.  If the ISA Server is specifically configured to use RADIUS one-time passwords AND to use Kerberos for authentication AND to fall back to basic HTTP authentication when asked, the attacker may be able to access servers protected by the firewall if they know the user name of those target systems.  It sounds scary, but it&#8217;s probably a very small number of systems in the world that are configured exactly this way.  An edge case at best.  If you have an ISA Server 2006 and you&#8217;re concerned that you might meet all three criteria above, it&#8217;s best to patch your system.</p>
<p>MS09-033 relates to Guest Operating Systems that are hosted on Microsoft Virtual PC or Virtual Server.  These virtualized systems are subject to a privilege escalation attack.  (Non-virtualized systems are not vulnerable.)  Users who can execute code on the virtual systems can run an exploit and become administrator on the virtual images.  At no time can this flaw lead to compromise of the underlying Virtual PC or Virtual Server.  In other words, it&#8217;s not the much-hyped but yet-to-be-seen exploit that crosses the virtualization barrier.</p>


]]></content:encoded>
			<wfw:commentRss>http://tek-tips.nethawk.net/blog/patch-tuesday-three-critical-security-bulletins/feed</wfw:commentRss>
		</item>
	</channel>
</rss>
