Microsoft patches 9 bugs, leaves one open for hackers

Two zero-days and critical font bug quashed; no fix for Monday's ActiveX vulnerability

Microsoft today delivered six security updates that patch nine vulnerabilities, fixing two bugs already being used by hackers but leaving one still open to exploit.

Of the six bulletins, three patched some part of Windows, while the remainder plugged holes in Publisher, Internet Security and Acceleration Server (ISA) and Microsoft's virtualization software. Six of the nine bugs were ranked critical, Microsoft's highest ranking in its four-step score, while three were tagged as "important," the next-lowest label.

"We got what we expected," said Andrew Storms, director of security operations at nCircle Network Security. "We got the 'kill bit' we were looking for in the ActiveX control and the DirectShow fix," he said, referring to two recent vulnerabilities that attackers have been exploiting for weeks.

In May, Microsoft acknowledged that hackers had begun exploiting a bug in DirectShow, one of the components in Windows' DirectX graphics platform. Last week, it owned up to another bug, this one in a video streaming ActiveX control used by Internet Explorer (IE) -- and admitted it had known about, but not fixed, the flaw for the past 18 months.

Microsoft patched the already-public DirectShow flaw with MS09-028, and for good measure tucked in fixes for two more vulnerabilities also reported by researchers.

The "kill-bit" update in MS09-032 didn't actually patch the underlying ActiveX problem. Instead, the update simply disabled the control by setting its kill bit in the Windows registry, which shuts off the attack vector without fixing the code. Microsoft offered the same protective measure via an automated tool last week, but that required users to manually browse to a support document, then download, install and run the tool.

Researchers unanimously voted those two updates as the ones to deploy immediately. "Microsoft did well to get out the two zero-days," said Eric Schultze, chief technical officer at Shavlik Technologies, "especially the ActiveX. It was a little much to ask them to get out the Office ActiveX fix, though."

Schultze was talking about a bug in an ActiveX control used by Office Web Components to display Excel spreadsheets in IE. Microsoft warned users of the vulnerability only yesterday. By today, Web attacks had rapidly increased. On Monday, however, Microsoft said that it wouldn't wrap up a fix in time for today's release.

As it did for the DirectShow ActiveX flaw that was patched today, Microsoft has released a "Fix It" tool that users can download and run themselves to kill the control. But, according to Schultze, Microsoft's not planning to push a kill-bit update to users for this second flaw. "Setting the kill bits actually impedes functionality," Schultze said. "Microsoft told me today that they're working on a file-level fix."
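Both the MS09-032 kill-bit update and the "Fix It" tool described above work the same way: they set a flag on the control's CLSID in the registry so Internet Explorer refuses to load it. The following PowerShell snippet is an added example, not code from the article or from Microsoft, that an administrator can use to verify the flag is present on a patched machine. The registry location and the 0x400 flag value are Microsoft's documented kill-bit mechanism; the function name is an assumption and the CLSID is a placeholder to be replaced with the one listed in the bulletin being verified.

```powershell
# Added example (not from the article): verify whether the ActiveX kill bit is set
# for a given control CLSID, checking both registry views on 64-bit Windows.
# The CLSID below is a placeholder; substitute the one from the Microsoft bulletin.

# Documented kill-bit flag (COMPAT_EVIL_DONT_LOAD) in the Compatibility Flags DWORD.
$KillBit = 0x00000400

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    # IE can run as a 32-bit or 64-bit process, so both views matter on x64 hosts.
    $bases = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )

    foreach ($base in $bases) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { continue }

        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { continue }

        [pscustomobject]@{
            View    = $(if ($base -like '*Wow6432Node*') { '32-bit' } else { 'native' })
            Clsid   = $Clsid
            Flags   = ('0x{0:X8}' -f [int]$flags)
            KillBit = [bool]($flags -band $KillBit)   # $true only if bit 0x400 is set
        }
    }
}

function Get-KilledActiveXControls {
    # Inventory every CLSID that currently carries the kill bit (native view only),
    # useful for comparing machines before and after an update is deployed.
    $base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band $KillBit)) { $_.PSChildName }
    }
}

# Placeholder CLSID: replace with the control's CLSID from the bulletin or advisory.
$target = '{00000000-0000-0000-0000-000000000000}'
$result = Test-ActiveXKillBit -Clsid $target
if (-not $result) {
    Write-Output "No ActiveX Compatibility entry for $target: kill bit is NOT set."
} else {
    $result | Format-Table -AutoSize
}
```

An empty result means the control has no Compatibility Flags entry at all, which is the same as "not killed" from IE's point of view; a present entry whose KillBit column reads False means some other compatibility flag is set but the control can still load. Running Get-KilledActiveXControls on a reference machine and a patched machine and diffing the two lists is a quick way to confirm an update like MS09-032 actually landed.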

Other researchers speculated that Microsoft might depart from its usual once-per-month patch schedule to get such a fix out before Aug. 11, the next regularly-scheduled update. "Obviously, that would be much better," agreed Wolfgang Kandek, chief technology officer at security company Qualys.

The third critical update, MS09-029, also caught the eyes of Schultze and Kandek. Two vulnerabilities in the Embedded OpenType (EOT) Engine leave all versions of Windows, including Vista and Server 2008, open to attack.

"It looks pretty easy to exploit," said Kandek. "If you view some text on a Web site in that font, you're compromised. And if the attack comes in an e-mail, there's no need to open an attachment, you can be compromised just by viewing the e-mail."

Schultze agreed. Calling the font vulnerabilities "nasty," he said that they could quickly be picked up by hackers. "If there's exploit code available, which there isn't yet, these would be pretty easy to exploit," Schultze said.

Microsoft also delivered patches today for bugs in Publisher 2007, ISA 2006 and the client and server editions of its virtualization software. The ISA bug, described in MS09-031, intrigued both Kandek and Schultze, but not for the same reasons.

"You can gain full control of the server if you know the administrator password," said Kandek. "And in some situations, that password may be 'administrator' or 'admin' or even 'root'."

Shops with weak usernames may be at risk of information theft, added Amol Sarwate, the manager of Qualys' vulnerability research lab. "[Attackers] could install small malware and maybe sniff the Web traffic [through the server], access other systems on the same network or even redirect users to another Web site," Sarwate speculated.

Schultze dismissed those worries. "It looks like all the planets have to [be] aligned just right," he said, referring to the narrow scenario Microsoft spelled out. "I'd call that a real edge case."

The remaining two updates patched Publisher 2007 (MS09-030) and Virtual PC and Virtual Server (MS09-033). Neither drew much attention from Schultze, Kandek or Sarwate.

Storms, however, put a finger on the Publisher patch. "MS09-029 and MS09-030 are bucking the trend," said Storms, talking about the Publisher and OpenType bulletins. "Typically, Microsoft's newer software is more secure, but that's not the case here.

"The fact that we got them both in the same month is probably just a coincidence," Storms continued. "But it doesn't surprise me that researchers are looking at the newer software, because it's the newer software that's being deployed."

Schultze and Kandek noted that the OpenType vulnerabilities' appearance in all versions of Windows, up to and including the unfinished Windows 7, likely means Microsoft had overlooked the flaw for years. "It tells me that that particular component has received less attention," Kandek said, "and that Microsoft didn't change anything in the code from when it was first used in [Windows] 2000."

And the virtualization software bugs? Nothing much to worry about, said Schultze, since there's no chance that an attacker could escape the "guest" operating system to wreak havoc on the "host."

"But I think it's a sign of things to come," argued Kandek. "Virtualization adds to the attack surface rather than subtract."

July's updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.


Stories by Gregg Keizer
