Tuesday, September 8, 2009

Patch Tuesday: Microsoft Plugs Windows Worm Holes & TCP Flaws

Via Threatpost.com -

Microsoft today released a peck of patches to cover at least seven documented worm holes in the Windows operating system.

The most serious of the vulnerabilities addresses could lead to remote code execution complete system takeover attacks. The September batch of patches does not address the FTP in IIS vulnerability that is currently being exploited in the wild.

Here are the raw details on 7 flaws in this month's critical bulletins:

  • MS09-045: A remote code execution vulnerability exists in the way that the JScript scripting engine processes scripts in Web pages. The vulnerability could allow remote code execution if a user opened a specially crafted file or visited a Web site that is running a specially crafted script. When the JScript scripting engine attempts to load the decoded script into memory in order to run it, a memory corruption can occur that may either cause Internet Explorer to stop responding, or lead to code execution. This flaw affects Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.
  • MS09-046: A remote code execution vulnerability exists in the DHTML Editing Component ActiveX Control. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When the Microsoft DHTML Editing Component ActiveX Control is instantiated in Internet Explorer, the control may corrupt the system state in such a way that an attacker could run arbitrary code. This update is rated "critical" for all supported editions of Microsoft Windows 2000 and Windows XP and Moderate for all supported editions of Windows Server 2003.
  • MS09-047: This bulletin includes fixes for two different vulnerabilities in Windows Media Format. Either vulnerability could allow remote code execution if a user opened a specially crafted media file. A malicious hacker could use booby-trapped MP3 of ASF files to launch code execution attacks. The update is rated critical for Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Microsoft Media Foundation, Windows Media Services 9.1, and Windows Media Services 2008.
  • MS09-049: Covers a serious vulnerability in the Windows Wireless LAN AutoConfig Service. The vulnerability could allow remote code execution if a client or server with a wireless network interface enabled receives specially crafted wireless frames. Systems without a wireless card enabled are not at risk from this vulnerability. The vulnerability is caused by lack of validation of part of a specific malformed frame transmitted by a remote wireless transmitter. This could lead to a heap overflow situation that may result in arbitrary code execution.
  • MS09-048: This update patches three different vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Microsoft suggests that businesses use firewall best practices and standard default firewall configurations to help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Separately, Cisco also released its own patch for one of the TCP/IP bugs covered by Microsoft here.


The TCP flaws were identified several years ago and were made public last year by two researchers at Outpost24, Jack C. Louis and Robert E. Lee. Louis, who has since died, developed a tool called Sockstress which tested for the flaw and was able to maintain extremely long-term TCP connections with remote machines using very little bandwidth. Louis and Lee notified vendors about the problems in 2008, but the process of fixing the vulnerability was a long one, given the huge number of vendors and products affected.

No comments:

Post a Comment