Microsoft today delivered six security updates that patch nine vulnerabilities, fixing two bugs already being used by hackers but leaving one still open to exploit.
Of the six bulletins, three patched some part of Windows, while the remainder plugged holes in Publisher, Internet Security and Acceleration Server (ISA) and Microsoft's virtualization software. Six of the nine bugs were ranked critical, Microsoft's highest ranking in its four-step score, while three were tagged as "important," the next-lowest label.
"We got what we expected," said Andrew Storms, director of security operations at nCircle Network Security. "We got the 'kill bit' we were looking for in the ActiveX control and the DirectShow fix," he said, referring to two recent vulnerabilities that attackers have been exploiting for weeks.
In May, Microsoft acknowledged that hackers had begun exploiting a bug in DirectShow, one of the components in Windows' DirectX graphics platform. Last week, it owned up to another bug, this one in a video streaming ActiveX control used by Internet Explorer (IE) -- and admitted it had known about, but not fixed, the flaw for the past 18 months.
Microsoft patched the already-public DirectShow flaw with MS09-028, and for good measure tucked in fixes for two more vulnerabilities also reported by researchers.
The "kill-bit" update in MS09-032 didn't actually patch the underlying ActiveX problem. Instead, Microsoft simply disabled the control, effectively shutting off any possible attack by modifying the Windows registry using the update. Microsoft offered the same protective measure via an automated tool last week, but that required users to manually browse to a support document, then download, install and run the tool.
Researchers unanimously voted those two updates as the ones to deploy immediately. "Microsoft did well to get out the two zero-days," said Eric Schultze, chief technical officer at Shavlik Technologies, "especially the ActiveX. It was a little much to ask them to get out the Office ActiveX fix, though."
Schultze was talking about a bug in an ActiveX control used by Office Web Components to display Excel spreadsheets in IE. Microsoft warned users of the vulnerability only yesterday. By today, Web attacks had rapidly increased. On Monday, however, Microsoft said that it wouldn't wrap up a fix in time for today's release.
Like the DirectShow ActiveX flaw that was patched today, Microsoft has released a "Fix It" tool that users can download and run themselves to kill the control. But, according to Schultze, Microsoft's not planning to push a kill-bit update to users for this second flaw. "Setting the kill bits actually impedes functionality," Schultze said. "Microsoft told me today that they're working on a file-level fix."
Other researchers speculated that Microsoft might depart from its usual once-per-month patch schedule to get such a fix out before Aug. 11, the next regularly-scheduled update. "Obviously, that would be much better," agreed Wolfgang Kandek, chief technology officer at security company Qualys.
The third critical update, MS09-029, also caught the eyes of Schultze and Kandek. Two vulnerabilities in Embedded OpenType (EOT) Engine leave all versions of Windows, including Vista and Server 2008, open to attack.
"It looks pretty easy to exploit," said Kandek. "If you view some text on a Web site in that font, you're compromised. And if the attack comes in an e-mail, there's no need to open an attachment, you can be compromised just by viewing the e-mail."
Schultze agreed. Calling the font vulnerabilities "nasty," he said that they could quickly be used up by hackers. "If there's exploit code available, which there isn't yet, these would be pretty easy to exploit," Schultze said.
Microsoft also delivered patches today for bugs in Publisher 2007, ISA 2006 and the client and server editions of its virtualization software. The ISA bug, described in MS09-031 intrigued both Kandek and Schultze, but not for the same reasons.
"You can gain full control of the server if you know the administrator password," said Kandek. "And in some situations, that password may be 'administrator' or 'admin' or even 'root'."
Shops with weak usernames may be at risk of information theft, added Amol Sarwate, the manager of Qualys' vulnerability research lab. "[Attackers] could install small malware and maybe sniff the Web traffic [through the server], access other systems on the same network or even redirect users to another Web site," Sarwate speculated.
Schultze dismissed those worries. "It looks like all the planets have to [be] aligned just right," he said, referring to the narrow scenario Microsoft spelled out. "I'd call that a real edge case."
Storms, however, put a finger on the Publisher patch. "MS09-029 and MS09-030 are bucking the trend," said Storms, talking about the Publisher and OpenType bulletins. "Typically, Microsoft's newer software is more secure, but that's not the case here.
"The fact that we got them both in the same month is probably just a coincidence," Storms continued. "But it doesn't surprise me that researchers are looking at the newer software, because it's the newer software that's being deployed."
Schultze and Kandek noted that the OpenType vulnerabilities' appearance in all versions of Windows, up to and including the unfinished Windows 7, likely means Microsoft had overlooked the flaw for years. "It tells me that that particular component has received less attention," Kandek said, "and that Microsoft didn't change anything in the code from when it was first used in [Windows] 2000.
And the virtualization software bugs? Nothing much to worry about, said Schultze, since there's no chance that an attacker could escape the "guest" operating system to wreak havoc on the "host."
"But I think it's a sign of things to come," argued Kandek. "Virtualization adds to the attack surface rather than subtract."
July's updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
This story, "Microsoft Patches 9 Bugs, Leaves One Open for Hackers" was originally published by Computerworld.