
Microsoft patches for eight flaws; FTP server fix not ready

Microsoft on Tuesday delivered five patches to address eight Windows vulnerabilities as part of the software giant's monthly security update.

The release resolves a mishmash of client- and server-side issues, but the five bulletins all have one thing in common: They are rated "critical," meaning the vulnerabilities could result in remote code execution.

Most experts agreed that bulletin MS09-048 could turn out to be the most severe, as it resolves three flaws in TCP/IP, a core networking component used to communicate over the internet. Attackers could successfully exploit the vulnerabilities by sending a flood of specially crafted TCP/IP packets from one PC to another to execute remote code or launch denial-of-service attacks.

Microsoft coordinated on the issue with Cisco, which released a complementary patch Tuesday to address TCP/IP vulnerabilities in its products.

MS09-049 addresses a single flaw in the Wireless LAN AutoConfig Service, which could be exploited if a user with a wireless network interface enabled receives maliciously crafted wireless frames, according to Microsoft. Systems without a wireless card enabled are not susceptible.

None of the four server-side vulnerabilities requires any user interaction.

"These vulnerabilities are the most likely to be exploited by malicious code and are two of the best worm candidates that we've seen since Conficker," said Dave Marcus, director of security research and communications at McAfee Avert Labs.

But Jerry Bryant, a senior security program manager for Microsoft, in a post Tuesday on the company's Security Response Center blog, said the company does not anticipate "reliable exploit code" being produced for those flaws.

Meanwhile, the three other bulletins pushed out Tuesday fix problems on the client side, in which users' machines could be infected by visiting a hacker-owned website or installing a malicious file.

Bulletin MS09-045 resolves a flaw in the JScript Scripting Engine, MS09-046 fixes one bug in the DHTML Editing Component ActiveX control and MS09-047 fills two holes in the Windows Media Format.

"MS09-045 is not a typical update from Microsoft and is particularly dangerous since it positions JavaScript as a weapon-of-choice by attackers," said Josh Abraham, security researcher at vulnerability management firm Rapid7. "This is to be expected, since most of the vulnerability scanners are unable to help with JavaScript, giving attackers an incentive to look for more JavaScript-based methods."

Microsoft rated MS09-045 and MS09-047 as the two patches that should be deployed first because they fix "browse-and-own attack scenarios" and have a high exploit possibility, Bryant said. However, engineers determined that "reliable exploit code" would be difficult to produce for MS09-046.

In addition, Microsoft re-released bulletin MS09-037, originally shipped in August, to reflect an additional update for Windows XP Media Center 2005 and Vista systems. Despite the revision, Bryant said the company has not seen any new active attacks.

MS09-037 addressed five vulnerabilities in the Active Template Library (ATL), which, if exploited, could enable execution of remote code if a specially crafted ActiveX control is hosted on a malicious website.
