Microsoft Patches Critical Drive-by Flaw

A serious flaw that allows for drive-by-download attacks picks up a patch in today's regular monthly patch batch from Redmond, as do critial flaws in Microsoft Office. Network attack vectors of most concern for business networks get shored up as well.

The most important patch, MS09-065, closes a hole that could allow an attacker to take control of a vulnerable system if you view a specially crafted Embedded OpenType font. The patch is rated critical for Windows 2000, XP and Server 2003, and important for Vista and Server 2008.

According to nCircle, an enterprise security auditing company, an attack could be triggered by viewing either a malicious Web site or opening a poisoned Office document. And Symantec says that proof-of-concept code is already publicly available, so this is the patch to get.

The other two critical patches this month shore up network-based risks of most concern to businesses. The first involves the Web Services on Devices Application Programming Interface (WSDAPI) and is rated critical for Vista and Server 2008. Per Microsoft, a specially crafted packet sent across the network could trigger the flaw, but the attacker would have to be on the same local subnet. See MS09-063 for more details.

The final critical patch is rated critical for Windows 2000 systems running the License Logging Server. A vulnerable system could be compromised by a "specially crafted network message," but unlike the WSDAPI flaw, an attack against this hole wouldn't have to be launched from the same local subnet. MS09-064 has more info.

Office picks up a couple of patches as well, which are only rated important by Microsoft but could still allow for remote code execution, ie. taking over a vulnerable computer, if you open a malicious Word or Excel file. Per Microsoft, both these flaws are rated important rather than critical because "Microsoft Office Excel [or Word] 2002 and later versions have a built-in feature that prompts a user to Open, Save, or Cancel before opening a document. This mitigating factor reduces the vulnerability from Critical to Important because the vulnerability requires more than a single user action to complete the exploit."

The Excel patch, MS09-067, is for Office XP, 2003 and 2007, along with Office 2004 and 2008 for Mac. The Open XML File Format Converter for Mac also needs the fix, as does the Office Excel Viewer 2003 and the Office Excel Viewer Service Office Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats.

Pick up the Word patch, MS09-068, for Office XP and Office 2003, as well as Office 2004 and 2008 for Mac, the Open XML File Format Converter for Mac, the Office Word Viewer 2003 and the Office Word Viewer.

The last important-rated patch closes a denial-of-service security hole in the Active Directory directory service, the Active Directory Application Mode (ADAM), and the Active Directory Lightweight Directory Service (AD LDS). MS090-066 is for Windows 2000, XP, Server 2003 and Server 2008, and per Microsoft is only required for domain controllers and systems configured to run ADAM or AD LDS.

Finally, Microsoft updated two previous patches, MS09-045 and MS09-051. The MS09-045 update adds detection for JScript 5.7 on Windows 2000, according to Microsoft, while the MS09-051 update fixes a detection issue involving the Audio Compression Manager on Windows 2000.

As always, fire up Microsoft Update to pick up any or all of these fixes.

Subscribe to the Security Watch Newsletter

Comments