Microsoft patches gaping Windows worm holes

Summary: Microsoft today released a peck of patches to cover at least seven documented worm holes in the Windows operating system. The most serious of the vulnerabilities addressed could lead to remote code execution and complete system takeover attacks.

Microsoft today released a peck of patches to cover at least seven documented worm holes in the Windows operating system.

The most serious of the vulnerabilities addressed could lead to remote code execution and complete system takeover attacks. The September batch of patches does not address the FTP in IIS vulnerability that is currently being exploited in the wild.

[ SEE: Microsoft FTP in IIS vulnerability now under attack ]

Here are the raw details on 7 flaws in this month's critical bulletins:

  • MS09-045: A remote code execution vulnerability exists in the way that the JScript scripting engine processes scripts in Web pages. The vulnerability could allow remote code execution if a user opened a specially crafted file or visited a Web site that is running a specially crafted script. When the JScript scripting engine attempts to load the decoded script into memory in order to run it, a memory corruption can occur that may either cause Internet Explorer to stop responding or lead to code execution. This flaw affects Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.
  • MS09-046: A remote code execution vulnerability exists in the DHTML Editing Component ActiveX Control. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When the Microsoft DHTML Editing Component ActiveX Control is instantiated in Internet Explorer, the control may corrupt the system state in such a way that an attacker could run arbitrary code. This update is rated "critical" for all supported editions of Microsoft Windows 2000 and Windows XP and "moderate" for all supported editions of Windows Server 2003.
  • MS09-047: This bulletin includes fixes for two different vulnerabilities in Windows Media Format. Either vulnerability could allow remote code execution if a user opened a specially crafted media file. A malicious hacker could use booby-trapped MP3 or ASF files to launch code execution attacks. The update is rated critical for Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Microsoft Media Foundation, Windows Media Services 9.1, and Windows Media Services 2008.
  • MS09-049: Covers a serious vulnerability in the Windows Wireless LAN AutoConfig Service. The vulnerability could allow remote code execution if a client or server with a wireless network interface enabled receives specially crafted wireless frames. Systems without a wireless card enabled are not at risk from this vulnerability. The vulnerability is caused by a lack of validation of part of a specific malformed frame transmitted by a remote wireless transmitter. This could lead to a heap overflow that may result in arbitrary code execution.
  • MS09-048: This update patches three different vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Microsoft suggests that businesses use firewall best practices and standard default firewall configurations to help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Separately, Cisco also released its own patch for one of the TCP/IP bugs covered by Microsoft here.

Talkback

183 comments
  • So basically all of them...

    ...affecting Vista or 7 require user intervention just like all other modern operating systems these days?

    OK.
    Sleeper Service
    • Two require no user interaction whatsoever.

      The first two listed require user interaction only in that the user must navigate to a Web page.

      The third one requires the user to open a malicious file. (This is actually two bugs)

      The fourth one only requires that you have a wireless card running. No user interaction required.

      And just like a blast from the past, the last one only requires that you be attached to the internet without a firewall. Again, no user interaction required.
      Letophoro
      • UAC - Not true for Vista/7

        You forgot about UAC which DEFINITELY requires user interaction.
        Heatlesssun
        • I didn't see anything in the bulletins that said UAC would mitigate.

          Although I did see that Windows 7 was not affected.
          Letophoro
          • If it does anything that requires elevation UAC will stop this

            Also, as IE runs in protected mode there's a lot that this type of attack can't do. That's why we have layered security. No one weak spot is supposed to bring down everything.
            Heatlesssun
          • UAC would intercede if the malicious code attempted to...

            ...alter system settings. It doesn't prevent code from executing but it does limit
            what it can do. Just like Linux. Just like OS X.

            Furthermore if you're using IE7/IE8 then Protected Mode would further limit
            what the code could do. Unlike Linux (since most people don't utilize the
            SELinux security offered). Unlike OS X.

            In the end, for those following best security practices (i.e. the default for Vista),
            these are not of much concern.
            ye
          • Perfectly stated!

            NT
            Heatlesssun
          • In other words

            Firefox users with AdBlock/NoScript running, windows firewall and UAC on default (enabled), need not worry about any of these at all. Esp those of us runnin 7. Got it.

            "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
            gnesterenko
          • Nonsense

            You need to immediately download any protection software available from ZDNet advertisers.
            This is the only thing that can save both you and the World.
            And if you publish this under 2 authors wouldn't it be nice to also disclose industry connections on the co-author.
            Actually I think ZD wouldn't mind if we all dumped Windows and went to Linux.
            Fred619
          • No

            @gnesterenko: "Firefox users with AdBlock/NoScript
            running, windows firewall and UAC on default
            (enabled), need not worry about any of these at
            all. Esp those of us runnin 7. Got it."

            Sure, if you don't just clickthru UAC prompts
            without looking at them, and I know lots of people
            that do.
            scorchgeek
          • @scorchgeek: You can only do so much to protect people.

            [i]Sure, if you don't just clickthru UAC prompts without looking at them, and I know lots of people that do.[/i]

            Sometimes you just can't save people from themselves. Though A/V software attempts to do this.
            ye
          • UAC...

            is a joke. The avg user finds it more annoying than anything and if they don't know what they are installing (which most don't anyway) and click through it, it's useless.
            Dave32265
          • @Dave32265: The only people who seem to find it annoying are...

            ...ABMers. This is a stale argument that perhaps once was true but is no longer today.
            ye
          • @ye

            Maybe not true on Windows 7.. but then again,
            there are documented methods to completely bypass
            UAC on Windows 7, so it has no use as a security
            feature on it. Maybe at the last minute MS will
            set it back to how it was in Vista.. but then it
            will be annoying again, obviously.
            AzuMao
          • Linux/OSX Correction

            Actually, the IE protected mode is similar to Linux or OSX, because it allows the application to be run in a non-privileged mode. Ideally, you would never operate as Administrator on Windows, unless installing an application, but we all know that this is not likely to happen because applications are written expecting full system access, and won't work correctly if run by a limited user.

            UAC and protected mode help, but the real solution will be when all applications can be run as a limited user, and the OS actually encourages you to do so (the main account created during installation needs to be a limited user.) Fix that, version control the DLL's, and improve protection key usage outside of kernel space, and we might have something.
            grant@...
          • I don't believe you understand what Protected Mode is.

            [i]Actually, the IE protected mode is similar to Linux or OSX, because it allows the application to be run in a non-privileged mode.[/i]

            Protected Mode is more than running as non-privileged. It's running as non-standard too. IOW not only do you lack privileged rights but you lack standard rights too. Thus malware cannot alter your user files (though it is permitted to read them). It's more secure than non-privileged.

            [i]Ideally, you would never operate as Administrator on Windows, unless installing an application, but we all know that this is not likely to happen because applications are written expecting full system access, and won't work correctly if run by a limited user.[/i]

            This used to be more common before Vista was released. Since Vista was released the number of programs requiring administrative access has decreased dramatically.
            ye
          • @ye

            Really? Can't modify user files? So how does IE update cookies? How
            does it write new cookies? How do you download files? How do you run
            WebEx? How does WGA work? How does Windows update work?
            frgough
          • @frgough:

            [i]Really? Can't modify user files?[/i]

            That is correct.

            [i]So how does IE update cookies? How
            does it write new cookies?[/i]

            It stores them in a special location for which the lower privileged access has write permissions.

            [i]How do you download files?[/i]

            It can write files that you explicitly allow. This permission is given via the Save dialog box.

            [i]How do you run WebEx? How does WGA work? How does Windows update work?[/i]

            As usual I suggest you read up on the technology in question because you seem to be woefully lacking in understanding.

            "In Protected Mode, Internet Explorer 7 in Windows Vista cannot modify user or system files and settings without user consent. Protected Mode requires the user to confirm any activity that tries to put something on your machine or start another program."

            http://www.microsoft.com/windows/windows-vista/features/ie7-protected-mode.aspx

            To help get you started:

            http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx
            ye
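The "special location" described in the post above is a folder carrying a Low mandatory integrity label, the Windows mechanism IE7 Protected Mode builds on: a Low-integrity process may read objects at the default Medium level but may not write to them, and gets write access only where the label has been lowered. The following PowerShell demo is an added example (not from the article or the thread) that creates such a folder under a constructed path in %TEMP% and shows the labels with the built-in icacls and whoami tools.

```powershell
# Added example: demonstrate the mandatory integrity labels behind IE Protected Mode.
# Paths are constructed for the demo; run from an ordinary (Medium-integrity) session.

$base     = Join-Path $env:TEMP 'protected-mode-demo'
$userFile = Join-Path $base 'user-document.txt'   # keeps the default (Medium) label
$lowDir   = Join-Path $base 'LowWritable'          # will be labelled Low, like IE's Low cookie store

New-Item -ItemType Directory -Path $lowDir -Force | Out-Null
Set-Content -Path $userFile -Value 'ordinary user data'

# Label the folder Low. (OI)(CI) make files and subfolders inherit the label,
# so anything a Low-integrity process creates there stays Low as well.
icacls $lowDir /setintegritylevel '(OI)(CI)L' | Out-Null

# The integrity level of the current process: "Mandatory Label\Medium Mandatory Level"
# for a standard user session, "High" if elevated through UAC.
whoami /groups | Select-String 'Mandatory Label'

# The file prints no label line: the implicit Medium label applies, and the
# NoWriteUp policy means a Low-integrity process can read it but not modify it.
icacls $userFile

# The folder prints "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)";
# a Low-integrity process can write here, which is how cookies and downloads work.
icacls $lowDir

# Clean up the demo objects.
Remove-Item -Path $base -Recurse -Force
```

NW in the icacls output stands for NoWriteUp, the policy that enforces the read-but-not-write behaviour the post describes.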
          • Given that the local system administrator account...

            ...(root on Linux) is disabled by default, one account needs to have "other account creation privileges", so this --> "...the main account created during installation needs to be a limited user..." is not going to be implemented in Windows.

            On a side note, any secondary accounts that are created in Windows are "standard user" by default, so it's getting better, but it's not perfect. Microsoft could update the account creation code to require administrator group accounts to have passwords if a standard user account gets created.

            As for this part --> "...applications are written expecting full system access...", that's not entirely true. On setup almost all applications require full system access, but many (sadly not all) of the applications written in the Vista timeframe no longer require full system access, just current user access, and so that hole is closing slowly.

            Yes, Microsoft is mostly to blame for that because of the Windows 95 through Windows ME timeframe when there was no concept of "limited user", but once the world started transitioning away from that, most ISVs (again, not all) started getting smarter and creating software that could operate within the "standard user" limitation.

            We just need to make sure all ISVs create software the right way and get all users to stop using software written for Windows 95 on Windows XP and later. Yeah, get all computer users and corporations to come out of the stone age. I know, pipe dream at best.
            PollyProteus
          • Running in Limited user mode.

            I run my Windows XP SP3 system in limited user mode and find that, much like Vista and Windows 7, it prompts me for administrator credentials when I attempt to install an application. For that matter one can create shortcuts on the desktop, right-click and run only that particular app in admin mode for those stubborn ones that will not run in limited user space.

            I have been trying to encourage my sisters and my mother to do the same, but so far cannot seem to get them into running under the same security model.

            I suppose if they want to infect their computers with malware then it is on their heads. Of course I'll end up cleaning the mess though. :(

            Now if I can get my mother to stop installing applications that also piggyback garbage like "My Web Search" or her POGO Cheats that she acquired from pogocheats.com then her computer would be much more secure.

            I have very few programs that do not work properly doing this. The main culprits that rebel against limited user usage are games. I suppose that they want admin access so that their horrid copy protection schemes will function correctly.
            Computer_User_1024