Microsoft on Tuesday released six bulletins as part of its monthly patch cycle. Three of the bulletins cover critical flaws, including two unpatched zero-day vulnerabilities. Three other bulletins address important risks that security researchers said can quickly escalate to critical.
Wolfgang Kandek, CTO of Qualys, said Microsoft's advisories should be addressed immediately because they allow an attacker to take complete control of a victim's computer.
Microsoft's proxy server, ISA 2006, has a vulnerability rated as important that allows remote unauthenticated users to access the server. Paired with knowledge of the administrator's username, however, it lets attackers take full control of the server. Because administrator usernames are often easy to guess, Kandek said, this vulnerability deserves special attention if IT organizations are using ISA with the RADIUS configuration.
Likewise, MS09-030, an advisory for the Publisher component in the MS Office 2007 suite, is rated as important, but the flaw can be used to take full control of a system if the victim is logged in as administrator. If an organization uses Publisher or has it installed as part of Office 2007, this should be treated as critical as well, Kandek said.
"Microsoft also provided patches for their virtualization product VPC and Virtual Server on all versions (MS09-033) preventing an elevation of privilege in the guest operating system. This is classified as important because local access to the guest OS is required," Kandek said. "This bulletin is interesting because this vulnerability is introduced by the fact that the OS is running under a virtual environment and allows the user access to privileged kernel mode."
True ActiveX Fix Coming
Andrew Storms, director of security operations for nCircle, isn't surprised that Microsoft released updates that address two of three critical zero-day exploits this month. He also anticipates a more complete patch for ActiveX later, since Tuesday's update only issues killbits on ActiveX controls in Internet Explorer.
Essentially, Microsoft opted to disable functionality with the MS09-032 security bulletin, but hasn't fixed the underlying vulnerability. That means that if an attacker manages to convince a user to revert the killbits, the machine is once again vulnerable.
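A defender's check for the situation described above, as an added example that is not from the article or from Microsoft: it parses the text of a `reg export` of Internet Explorer's ActiveX Compatibility key and reports whether each expected killbit (bit 0x400 of `Compatibility Flags`) is still set, has been cleared, or is missing. The CLSIDs and the sample export are constructed placeholders, the function names are hypothetical, and the export is assumed to be already decoded to text.

```python
import re

KILLBIT = 0x400  # "Compatibility Flags" bit that stops IE from loading a control
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
                    r"\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_flags(reg_text):
    """Map CLSID (upper-case) -> Compatibility Flags value from a .reg export."""
    flags, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            clsid = key.group(1).upper()
            flags.setdefault(clsid, None)  # key exists, value not seen yet
        elif line.startswith("["):
            clsid = None                   # a key outside ActiveX Compatibility
        elif clsid:
            val = FLAG_RE.match(line)
            if val:
                flags[clsid] = int(val.group(1), 16)
    return flags

def audit(reg_text, expected_clsids):
    """Return {clsid: 'set' | 'cleared' | 'missing'} for each expected killbit."""
    flags = parse_flags(reg_text)
    report = {}
    for clsid in expected_clsids:
        value = flags.get(clsid.upper())
        report[clsid] = ("missing" if value is None
                         else "set" if value & KILLBIT else "cleared")
    return report

# Constructed sample export; the CLSIDs are placeholders, not the bulletin's.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000
'''
EXPECTED = ["{11111111-1111-1111-1111-111111111111}",
            "{22222222-2222-2222-2222-222222222222}",
            "{33333333-3333-3333-3333-333333333333}"]

if __name__ == "__main__":
    print(audit(SAMPLE, EXPECTED))
```

Any CLSID reported as `cleared` or `missing` on a patched machine means the killbit is no longer protecting that control and the host should be treated as exposed again.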
"Generally, newer Microsoft products have been more secure than older products. Either they are not affected by vulnerabilities or have lower severity ratings. However, this month we have two bulletins that buck the trend," Storms said. "MS09-029 lists the vulnerability as critical for all operating systems -- even the newer Vista and Server 2008. In the same vein, MS09-030 affects only the newest version of Microsoft Office Publisher. While having these two bugs in new Microsoft products fixed in the same month may only be a coincidence, it is something to watch in coming months." (continued...)