Microsoft serves up 10 patches, including IIS and IE fixes

Microsoft on Tuesday delivered 10 patches, including fixes for a server-side bug that was being actively exploited and a much publicized client-side issue that was discovered earlier this year at a hacker conference.

In total, the update covered at least 20 vulnerabilities.

Experts largely agreed that MS09-020, which addressed two vulnerabilities in Microsoft Internet Information Services (IIS), was one of the most pressing fixes. Though Microsoft rated the patch only "important" in severity -- because a successful exploit can only cause privilege escalation, not code execution -- the company had acknowledged that one of the flaws was being used in limited attacks.

The other major bulletin -- MS09-019 -- drew a "critical" rating and provided a cumulative update for seven flaws in Internet Explorer. One of the bugs impacts Internet Explorer 8 and was found by the hacker "Nils" during a contest in March at the CanSecWest hacker conference in Vancouver, British Columbia. Details of the discovery had been kept under wraps by Microsoft and the contest sponsor, Tipping Point.

"I know a lot of people were interested in having more details about the vulnerability that he used," said Steve Manzuik, senior manager of security research at Juniper Networks.

He predicted that, now that a fix has been issued, a working exploit will likely be developed soon.

"Unfortunately, that has become the reality," Manzuik said. "We have 'Patch Tuesday' and then we have 'Exploit Thursday.'"

Other patches from Tuesday included one for two vulnerabilities in Active Directory and another for three holes in Windows Print Spooler, all of which could result in remote code execution. On the client side, the update also filled holes in Word, Excel and Works.

One patch noticeably absent from Tuesday's update was a fix for a DirectShow vulnerability that could enable a remote hacker to execute arbitrary code if users open a specially crafted QuickTime file. Microsoft has said that it was aware of active attacks using exploit code for the vulnerability. Windows 2000 (SP4), Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not.

"Our security teams are working hard on this issue, but the update has to meet the right quality bar before we can release it," Jerry Bryant, senior security program manager, wrote Tuesday on the Microsoft Security Response Center blog.

Manzuik said he didn't think any of the vulnerabilities required an immediate patch, which may serve organizations well considering the size of this month's release.

"The more patches, the more testing you need to do," he said.
