
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Microsoft: Exploits likely for 'critical' Windows vulnerabilities

By Ryan Naraine | August 11, 2009, 1:01pm PDT


Microsoft today dropped a mega patch bundle with fixes for several “critical” vulnerabilities affecting the Windows platform and warned that “consistent, reliable exploit code” was likely to be released within 30 days.

The Redmond, Wash. software maker released nine bulletins — five rated critical — to provide cover for a total of 19 documented security vulnerabilities.   Of the nine updates, eight affect Windows and one affects Office Web Components (OWC).

The raw data:

  • MS09-036 (Important): Addresses one documented vulnerability in the Microsoft .NET Framework component of Windows, which could allow denial-of-service attacks.
  • MS09-037 (Critical): Five privately reported vulnerabilities in the Microsoft Active Template Library (ATL), which attackers could exploit for remote code execution. Consistent, reliable exploit code is likely within the month.
  • MS09-038 (Critical): Two privately reported vulnerabilities in Windows Media file processing, which could allow remote code execution.
  • MS09-039 (Critical): Two privately reported vulnerabilities in the Windows Internet Name Service (WINS), which could lead to remote code execution; exploit code is likely to be released soon.
  • MS09-040 (Important): A privately reported vulnerability in the Windows Message Queuing Service (MSMQ), which could allow elevation of privilege. Reliable exploit code is likely.
  • MS09-041 (Important): A privately reported vulnerability in the Windows Workstation Service, which could allow elevation of privilege. Reliable exploit code is likely for this flaw.
  • MS09-042 (Important): A publicly disclosed vulnerability in the Microsoft Telnet service, which could allow an attacker to obtain credentials.
  • MS09-043 (Critical): Four privately reported vulnerabilities in Microsoft Office Web Components, which could allow remote code execution.
  • MS09-044 (Critical): Two privately reported vulnerabilities in Microsoft Remote Desktop Connection, which could allow remote code execution.

[Chart from Microsoft: Exploitability Index for the August 2009 bulletins, showing where consistent, reliable exploit code is likely.]

For more information, see this entry on the MSRC blog. Over on Threatpost, Shavlik's Eric Schultze digs deeper into the vulnerabilities and patches.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

53 Comments

As long as it is patched before the exploits are out, the exploits no longer count. Or something like that.

Cue the double standards...

PS I wonder which one of these was labeled "Bulletin 3" in the pre-patch announcement? According to some (I won't mention their names or my post will get deleted), MS announcing things like a patch for a vulnerability called "Bulletin 3" 3 days before the patch is released triggers all "bad guys" to start looking for new holes now that they know the "Bulletin 3" hole will be patched in 3 days. I would give you a link to the discussion but those who shall remain nameless had the whole thread deleted.
0 Votes
+ -
@NonZealot
planruse 11th Aug 2009
I completely agree, any exploits in any non-Microsoft software don't count if a patch was available before the exploit. I expect the person, who cannot be named, will soon come on to explain why they do count though.
0 Votes
+ -
It is that it doesn't matter that MS releases a patch before an exploit becomes available. MS will still get all of the blame. As usual.

And the "smart" people that turn off automatic updates will not receive any blame. As usual.

I don't have the exact FUD formula in front of me right now, but that is how it works more or less when Microsoft is involved.
0 Votes
+ -
otherwise they risk losing support of the software they paid millions for. It wouldn't matter if they were using a MS OS or Unix or anything else for that matter. Software must be regression tested before you roll out updates to thousands of users. System administrators would find themselves quickly in the unemployment line if they allowed an OS update to break their enterprise software and the factory was sent home for the day. Maybe you could find the exact FUD formula in that.
...out weighs the risk of rolling out an untested patch. This is not to say that patches shouldn't be tested for server and mission critical systems. Nor should it be avoided if you're using a specific program that has proven sensitive to changes. But for the vast majority of cases patching carries very little risk.
0 Votes
+ -
References Please
MichP 12th Aug 2009
Proven by whom and how? How can you know the programs on your machine won't ever be "sensitive" to any and all future patches?

Our CRM/e-mail application relied on IE6. If we had just let IE7 through, well, not good. After our app was (carefully) upgraded, then we moved up to IE7.

It takes our external IT support shop 2 - 3 to push any patches through. We have never had any exploits get through during that delay (knock on wood). But they did let a patch through once that caused a problem, and that was after Microsoft had already identified it as a problem (so much for the "testing" we're paying them for, but that's another story).

If I see a patch that I'd rather not wait for, I'll go get it myself. But I'm willing to take the blame if it messes something up.
...sensitive to patching. It's the one that, in their experience, they routinely have issues with.

So I repeat: The risk of not patching appears to outweigh the risk of patching. Yes, occasionally a patch will cause a problem. This is not unique to Microsoft (so please stop implying it is). However I've been patching systems for quite a while now. And I've had a few problems doing so.

Again this is not to say one should blindly patch servers, mission critical systems, or those system with software that tends to be sensitive to patches. Proper testing is a must on these systems. But they're more the exception and not the norm.
0 Votes
+ -
@ye, I'm glad you not in our shop...
sykandtyed 12th Aug 2009
Over 5,000 seats, and I've lost track of how many servers; 1 errant patch could close us down. We test and test, and then we patch less critical departments first, run it 48 to 72 hours, then we start patching company wide.

Depending on how many patches, it could go well beyond the next patch Tuesday.
0 Votes
+ -
Not really correct there
mechBgon 12th Aug 2009
I'd leave Automatic Updates enabled, but point my systems to my in-house update server(s) running WSUS (which is a freebie from Microsoft). The WSUS server downloads the updates and queues them for approval. Once I'm done with my testing, I give the updates the OK, and the systems will update themselves at the next opportunity.

Or maybe that's what you meant. But that's still the automatic update at work on the client end, just from a source you have control over.
0 Votes
+ -
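Here, as an added example that is not part of mechBgon's comment or of any Microsoft documentation, is the client side of the setup he describes: the policy values that point the Automatic Updates agent at an in-house WSUS server while leaving automatic installation switched on, plus an audit of the result. The server name is a placeholder; the registry locations are the ones the Windows Update Group Policy settings write.

```powershell
# Added example: point a Windows client at an in-house WSUS server using the
# policy registry values Group Policy writes, then audit what took effect.
# Not code from the post. The server URL below is an assumption.

$WsusUrl = 'http://wsus.corp.example:8530'   # assumption: your WSUS server

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Set-WsusClientPolicy {
    param([Parameter(Mandatory=$true)][string]$ServerUrl)

    # Refuse anything that is not a plain http(s) host URL. A typo here does not
    # fail loudly; the agent just keeps talking to the public Windows Update servers.
    if ($ServerUrl -notmatch '^https?://[A-Za-z0-9.\-]+(:\d+)?/?$') {
        throw "Not a valid WSUS URL: $ServerUrl"
    }

    foreach ($k in $PolicyKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Where updates come from and where the client reports status.
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $ServerUrl -Type String
    # UseWUServer=1 switches the agent to the intranet server named above.
    Set-ItemProperty -Path $AuKey -Name UseWUServer  -Value 1 -Type DWord
    # Keep Automatic Updates ON (NoAutoUpdate=0) and auto-install on a schedule
    # (AUOptions=4); the client only ever sees what was approved on the WSUS server.
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions    -Value 4 -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value 0 -Type DWord  # 0 = every day
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value 3 -Type DWord  # 03:00
}

function Get-WsusClientPolicy {
    # Returns the effective settings so a client that quietly fell back to the
    # public servers, or has updates turned off, stands out in an inventory.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WUServer     = $wu.WUServer
        UseWUServer  = [int]$au.UseWUServer
        NoAutoUpdate = [int]$au.NoAutoUpdate
        AUOptions    = [int]$au.AUOptions
        Healthy      = ($wu.WUServer -eq $WsusUrl) -and ([int]$au.UseWUServer -eq 1) -and ([int]$au.NoAutoUpdate -eq 0)
    }
}

Set-WsusClientPolicy -ServerUrl $WsusUrl
Get-WsusClientPolicy | Format-List

# Ask the agent to re-read policy and check in with the new server now rather
# than waiting for its next scheduled detection cycle.
wuauclt.exe /resetauthorization /detectnow
```

Run it elevated on a client (or push the same values through Group Policy); `Get-WsusClientPolicy` is the part worth running on every box, since the `Healthy` flag is what tells you the WSUS approval gate is actually in the path.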
You mean something like this?
frgough 11th Aug 2009
"I can't believe how many of these bugs allow for arbitrary
code execution! Viewing an image file shouldn't result in
arbitrary code execution.

Oh well, at least they were fixed within nano seconds of
the vulnerability popping into existence. There was
absolutely no time between the release of the vulnerable
code and the fix of the vulnerability for anyone to actually
take advantage of any of these, right?"

That would be you on August 5 in regards to this
announcement:

http://blogs.zdnet.com/security/?p=3933

So, instead of taking MS to task for having so many
exploits needing to be patched, you are just praying and
hoping some Mac user will come and say regarding
Windows what you said regarding Mac, so you can play
pot>kettle.
0 Votes
+ -
Image Tricks.
Otis Driftwood 16th Aug 2009
I posted a proof of concept script on alt.2600 stating that I could execute any program existing on a machine's drive I wished due to a long filename security flaw.
This included FDisk and Format, I could also sniff networks for data and wipe out any indications I'd been there.
That was in 1996.
The Exploit, which I notified Microsoft about(in 96)was even easier to run in Windows 2000 and was finally fixed in XP.
0 Votes
+ -
BTW
Otis Driftwood 16th Aug 2009
I'm retired now. I don't know why I still come here, but it's cute to watch the "true believers" of an OS point the stink finger at others.
I started building, selling, and servicing computers in what, 71, or 73...sometime back then. Then I got sent to Japan on the corporate dime of a customer.
Learned how to eat live squid, drink lot'sa sake, and play with very aggressive women who enjoyed examining gaijin "equipment" and seeing if it'd fit.
Computer been very, very good to me.
Maybe I'll visit JP again and see if I still get dragged home to play.
Probably too old...maybe retirement be very, very good to me!
As is standard on Vista.
0 Votes
+ -
Painless. happy
0 Votes
+ -
I've always advocated patching.
ye Updated - 11th Aug 2009
It's been on my list of things to do in order to keep a system malware free.
0 Votes
+ -
Patching Important
eiverson@... 11th Aug 2009
I agree, patching is important and should be done quickly, even when your PC is protected with something like AppGuard (disclosure: I work for the company that develops AppGuard). Nonetheless, 'stuff happens', so, its always a good idea to eliminate the target that the attackers are trying to hit.

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/unpatched-pc-software-targets-malware-attacks

On the other hand, good zero-day protection software can buy you a lot of time so you can implement patches when its convenient.
0 Votes
+ -
It appears that you're right, BUT...
honeymonster 11th Aug 2009
Yes, it certainly seems as though Vista/7 protected mode and even XP SP3's DEP will protect against exploitation of ATL derived vulnerabilities.

I know you were just being a smart***, but I cannot accept the risk that anyone grows complacent.

So to everyone else: Patch! Now!

There's always the risk of a blended attack where multiple vulnerabilities can be combined to break out of the sandbox.
0 Votes
+ -
I agree. Which is why I never bought the...
ye Updated - 11th Aug 2009
..."it doesn't have root privileges" argument put forth by many. Especially the Apple fanbois. But since it's been put forth I have to adhere to the rules.
0 Votes
+ -
Not too bad
frgough 11th Aug 2009
that was a pretty good spin, but there's still a bit of backwalk in there.
You need to practice some more.

Because it certainly was full of it.

0 Votes
+ -
Article conveniently omits a crucial fact
honeymonster Updated - 11th Aug 2009
LUA is to represent the practice of using a limited user account, a non-administrator account, but still with certain privileges.

Author conveniently omits the fact that IE7/8/Chrome leverage Vista/7's built-in sandboxes. These sandboxes actually modify the process security token. This token starts off as a copy of the user token, but the sandbox strips the token (and thus the process) of *any* right to write anywhere on the disk and anywhere in the registry. Except for an obscure (and obfuscated) isolated cache.

In other words, a compromised process running under UAC "low" integrity cannot download files.

Then again, he has some products to sell you, so why would he tell you that the same security offered by his products comes built in with Vista/7.
0 Votes
+ -
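The low-integrity token described in the comment above only exists when two switches are in the right position: UAC has to be on (Protected Mode is unavailable with EnableLUA=0) and Protected Mode has to be enabled for the zone the page loads in. As an added example, not code from the post or from Microsoft, the following checks both from the documented registry locations and also reports the integrity level of the calling process from its mandatory label SID; the zone names and SID-to-level mapping are the standard Windows ones.

```powershell
# Added example: verify the preconditions for IE Protected Mode and read the
# integrity level of the current process. Not code from the post.

# Protected Mode depends on UAC; with EnableLUA=0 IE runs at medium integrity
# and the "low" token the comment describes is never created.
function Test-UacEnabled {
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $k -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ([int]$v -eq 1)
}

# Per-zone Protected Mode switch: DWORD "2500" under each zone key,
# 0 = Protected Mode on, 3 = off. Zone 1 intranet, 2 trusted, 3 Internet, 4 restricted.
function Get-IeProtectedModeByZone {
    $zones = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    foreach ($z in 1..4) {
        $k = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
        $v = (Get-ItemProperty -Path $k -Name '2500' -ErrorAction SilentlyContinue).'2500'
        New-Object PSObject -Property @{
            Zone          = $zones[$z]
            ProtectedMode = ($v -eq 0)
            RawValue      = $v
        }
    }
}

# Integrity level of the calling process, taken from its mandatory label SID:
# S-1-16-4096 low, 8192 medium, 12288 high, 16384 system.
function Get-ProcessIntegrityLevel {
    $label = whoami.exe /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -like 'S-1-16-*' }
    $rid = [int]($label.SID -replace '^S-1-16-', '')
    switch ($rid) {
        4096    { return 'Low' }
        8192    { return 'Medium' }
        12288   { return 'High' }
        16384   { return 'System' }
        default { return "Unknown ($($label.SID))" }
    }
}

"UAC enabled: $(Test-UacEnabled)"
Get-IeProtectedModeByZone | Format-Table Zone, ProtectedMode, RawValue -AutoSize
"This process runs at: $(Get-ProcessIntegrityLevel)"
```

A common finding is a site pushed into the Trusted sites zone for an internal app: that zone has Protected Mode off by default, so a page there gets the full medium-integrity token and the sandbox argument no longer applies to it.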
Now try a Software Restriction Policy.
mechBgon Updated - 11th Aug 2009
I agree that LUA alone isn't a full defense. In a worst-case scenario (no Protected Mode, etc), a successful exploit could encrypt my documents, delete stuff I have access to, etc. Business and Server editions of Windows, however, can use Software Restriction Policy to arbitrarily prevent execution of unauthorized files (including exploit payloads) by a low-rights account. No additional software to license, no updates or subscriptions required, and it can be configured via Group Policy so it's simple to implement.

And if that's not enough, it'll prevent AutoPlay attacks via infected USB drives, CDs and DVDs, and other AutoPlay vectors. I'd encourage the sysadmins and advanced security fans to check out SRP.

I did mess up a Win7 RC installation pretty badly using SRP, so if you're on a Win7 beta/RC box, make sure System Restore is enabled, in case you manage to duplicate my bug. Happy recovery: boot from OS CD and restore.

(disclosure: Microsoft MVP, if that matters to anyone)

Oh, and basic SRP setup in a nutshell: mechbgon.com/srp and the page includes a link to Microsoft's full-meal-deal SRP page, if you want to explore all the capabilities.
0 Votes
+ -
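The point of a Software Restriction Policy as mechBgon describes it is a default-deny rule with a short allow list. The script below is an added example, not code from his comment, his site or Microsoft; it audits the machine policy from the values the SRP Group Policy editor writes under `Safer\CodeIdentifiers` and flags the mistakes that turn an allow list back into a block list: a default level other than Disallowed, enforcement switched off, administrators exempted, and Unrestricted path rules that cover a location a low-rights user can write to. The list of user-writable prefixes is an assumption and a heuristic (SRP's default rules are expressed as registry paths, which this string match does not expand).

```powershell
# Added example: audit the machine-wide Software Restriction Policy.
# Not code from the post. Reads the values written by the SRP policy editor.

$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in DefaultLevel and used as rule subkey names.
$Levels = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    # Each path rule lives under <level>\Paths\<GUID>, with the path in ItemData.
    param([int]$Level)
    $base = Join-Path $SrpKey "$Level\Paths"
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem -Path $base | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{ Level = $Levels[$Level]; Path = $p.ItemData; Flags = $p.SaferFlags }
    }
}

function Test-SrpPolicy {
    if (-not (Test-Path $SrpKey)) {
        return New-Object PSObject -Property @{ Configured = $false; Findings = @('No machine SRP policy present') }
    }
    $cfg = Get-ItemProperty -Path $SrpKey
    $findings = @()

    # Default rule must be Disallowed; anything else makes SRP a block list.
    $default = [int]$cfg.DefaultLevel
    if ($default -ne 0) {
        $findings += "DefaultLevel is $($Levels[$default]); expected Disallowed"
    }
    # TransparentEnabled: 1 = enforce on all software except DLLs, 2 = DLLs too.
    if ([int]$cfg.TransparentEnabled -lt 1) { $findings += 'Enforcement (TransparentEnabled) is off' }
    # PolicyScope 1 exempts local administrators; 0 applies to all users.
    if ([int]$cfg.PolicyScope -eq 1) { $findings += 'Local administrators are exempt (PolicyScope=1)' }

    # Unrestricted path rules are the allow list. Any that cover a user-writable
    # location give a dropped payload a place to run from. (Assumed prefix list.)
    $userWritable = '%TEMP%', '%TMP%', '%APPDATA%', '%USERPROFILE%', 'C:\Users',
                    'C:\Documents and Settings', '%SystemRoot%\Temp'
    foreach ($r in Get-SrpPathRules -Level 262144) {
        foreach ($w in $userWritable) {
            if ($r.Path -like "$w*") { $findings += "Unrestricted rule covers user-writable path: $($r.Path)" }
        }
    }

    New-Object PSObject -Property @{
        Configured   = $true
        DefaultLevel = $Levels[$default]
        AllowRules   = @(Get-SrpPathRules -Level 262144)
        DenyRules    = @(Get-SrpPathRules -Level 0)
        Findings     = $findings
    }
}

Test-SrpPolicy | Format-List
```

An empty `Findings` list with `DefaultLevel = Disallowed` is the state the comment is describing; a non-empty one tells you exactly which rule a low-rights exploit payload would use to get itself executed.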
And yet
frgough 11th Aug 2009
if someone had said:

Just another yawner OS X exploit that requires you to install the software
and supply admin credentials, you'd be all over them for dangerous naive
complacency.

Looks like NZ's double-standard crowd is out in force today. At least
Ryan has a reason for his double-standard, he sells security software.
0 Votes
+ -
.
0 Votes
+ -
I don't know about that
Michael Kelly 12th Aug 2009
Maybe I'm reading it wrong, but MS09-044 looks to me like a mistyped URL in Vista's RDC could cause trouble for anybody, privileged or not.
0 Votes
+ -
Can you expand upon this?
ye 12th Aug 2009
Maybe I'm reading it wrong, but MS09-044 looks to me like a mistyped URL in Vista's RDC could cause trouble for anybody, privileged or not.

The two vulnerabilities list the following as mitigating factors:

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
0 Votes
+ -
Again, maybe I am reading into it incorrectly
Michael Kelly 12th Aug 2009
but the way I do read that, it sounds as if you have admin rights, you'd get control of the whole system, but if you have only user rights, you could still affect what the user has control of (meaning any data and any user registry files). That would still be bad news in my book.
0 Votes
+ -
You're reading it correctly.
ye 12th Aug 2009
but if you have only user rights, you could still affect what the user has control of (meaning any data and any user registry files). That would still be bad news in my book.

As has been the case with OS X. Yet the Mac fanbois have always maintained that unless you have Admin rights it doesn't count. So I'm just applying the same rules.

Personally I've always maintained the user data, and not the system, is the most important thing on a computer. That's why I am very pleased with IE's Protected Mode when used with Vista/Windows 7. It significantly limits the ability to make user level changes.
0 Votes
+ -
Don't really care what the Mac folk think
Michael Kelly 12th Aug 2009
I only care about the facts, and the facts say patch now.

And again I appreciate the fact that MS is going out of cycle to communicate and fix these vulnerabilities. I'd rather know what's going on and be prepared than rely on ignorance, even if it does mean a bit of extra work.
0 Votes
+ -
These are not out of cycle.
ye 12th Aug 2009
Yesterday was the second Tuesday of the month.
0 Votes
+ -
Oops...
Michael Kelly 12th Aug 2009
You're right. I thought last week was the normal week.
0 Votes
+ -
This has become hilarious...
storm14k 12th Aug 2009
MS can't even release simple patches and warn users without the fanboys getting on the defensive. LMAO.
0 Votes
+ -
How did you reach that spin?
ye 12th Aug 2009
I see no one being defensive other than the ABMers.
0 Votes
+ -
...so where did you see that?

Now your post was a clear fanboy defense. I think everyone knows by now here that you should patch. No need to call it a yawner. People need to know this info. Simple as that.
0 Votes
+ -
Where did I see what? (nt)
ye 12th Aug 2009
.

0 Votes
+ -
A casual look indicates that...
zkiwi 12th Aug 2009
NBMer's were the first here defending Microsoft and attacking other positions on the matter without them being there.

Huh??? How does 9 patches become a mega bundle? It is far fewer than what other operating systems and applications have. ZDNet is really going down the crapper with sensational writing like this.

The exploits aren't going to do any good so I have no idea why these hackers would release it. The patch is out, people will be well protected thanks to the quick work of the Microsoft Windows team. The automatic updates are kicking in and downloading the patch, enterprise customers are testing it and deploying it over the weekend. Only thing we can conclude from this is the exploit is DOA. Just wasting some bored hacker's time.
0 Votes
+ -
That *is* a high number (perhaps not "mega") of vulnerabilities for Microsoft patches.

Unfortunately conficker showed us that there *still* is a significant number of people (in some parts of the world) who will not patch anyway. If they are infected they will become a problem for all of us (DDOS attacks, spambots etc). gawd I wish people would just PATCH.
0 Votes
+ -
I pass on Loverocks apology
Viva la crank dodo 12th Aug 2009
for a sensational accusation without understanding the article.
0 Votes
+ -
The reason people don't patch is frequently because they are using
illegally purchased copies of Microsoft Windows, for which WGA prevents
patching.

Of course you don't see this problem with Apple, as "Software Update"
isn't locked down by such draconian DRM software. Once again, Apple is
in the lead.
0 Votes
+ -
That is BS (Bad Statement)
Erroneous 12th Aug 2009
Anyone with a copy of Windows, legal or otherwise can patch with security updates. It is only the additional updates such as a newer version of Media Player that they can't get.
0 Votes
+ -
So predictable
frgough 11th Aug 2009
On August 5th Naraine wrote this:

"Apple today warned that opening or viewing image files
could lead to remote code execution attacks against Mac
OS X users."

He then decides to tell us that these are actually patched
exploits.

But when it's Windows, he writes:

"Microsoft today dropped a mega patch bundle with fixes
for several “critical” vulnerabilities affecting the Windows
platform"

and then tells us how critical the flaws are.

So predictable.

0 Votes
+ -
nt
frgough Updated - 11th Aug 2009
nt
"MS09-042 (Important): This update resolves a publicly
disclosed vulnerability in the Microsoft Telnet service,
which could allow an attacker to obtain credentials."

Telnet isn't installed by default (server or client
component), and it's not like Telnet is fundamentally
secure.

The Windows Media vulnerabilities and WINS vulnerability
looks nasty though.
0 Votes
+ -
Microsoft should be more like Apple
Trolleur Updated - 12th Aug 2009
I definitely think Microsoft should be more like Apple, and
make absolutely no comments as to the severity of
vulnerabilities. They need to get off this "patch Tuesday" trip
and start fixing security issues haphazardly, leaving no
indications as to the severity of fixed issues, and practice
the opaqueness we've come to love Apple for. Microsoft is
damaging its own reputation by releasing such information
to the public in its monthly security advisories.

When was the last time you saw Apple release any
"exploitability index" for vulns? It is precisely because they
don't that makes Macs more secure.
You guys come awful close to sabotage. I know you are all mac fanboyz but loose lips sink ships. (the internet being the ship) Your articles almost look like hacker road maps to facilitate Windows' downfall. I thought the news and reporting was supposed to be the facts.
0 Votes
+ -
With IBM operating systems one applied patches 1-2 times a year and very seldom did one have to patch a patch. With Windows patching is almost a daily routine, though running anti-spyware, trojan, rootkit blockers, etc. is a daily concern. Anyone who adds up the time and money spent in keeping Windows desktops operational has to consider alternatives including the Mac OS X machines. With the October release of Windows 7 when will it really be safe to apply this OS to hundreds or thousands of desktops in an enterprise? IT people did not like being obligated to use IBM mainframes and operating systems but have become even more captive with regard to Microsoft and have a lot less to show for it.
