The Microsoft Security Response Center (MSRC) works tirelessly to bring these bulletins to you each month, and as you know, we are always striving for quality, speed and predictability in our releases. Furthermore, the information we provide in the bulletins is very comprehensive, so I encourage you to not only read a condensed version of the bulletins below, but to also read the bulletins for in-depth details.
We recommend installing the updates that are applicable to your environment. The prescriptive guidance that I provide will help you protect yourself more quickly against a threat landscape that is constantly changing.
With this in mind, I want to let you know that we have released three security bulletins, one rated critical and two important.
This bulletin addresses four spoofing vulnerabilities in Windows that are rated important. Products affected are Microsoft Windows 2000 Server, Windows Server 2003 and Windows Server 2008. Products not affected are Windows 2000 Professional, Windows XP and Windows Vista. Two of the vulnerabilities addressed are public and concern Web Proxy Autodiscovery Protocol (WPAD) registration in WINS and DNS. The remaining two vulnerabilities were privately reported to us.
About Inside MSRC: As part of a special partnership with SearchSecurity.com, Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.
In regards to the WPAD vulnerabilities, neither the WINS server nor the DNS server correctly validates who can register WPAD entries on the server. An attacker could spoof the legitimate Web proxy and redirect Internet traffic to the attacker's IP address. However, if WPAD is already registered on the DNS server and/or the WINS server, it will not be possible for an attacker to register WPAD and redirect Internet traffic.
The remaining two vulnerabilities result in DNS cache poisoning. A successful attack against the DNS cache could allow the attacker to redirect Internet traffic.
In regards to deployment, the modifications required to address the vulnerabilities in each affected operating system are located in separate components. Therefore, this bulletin contains two updates, identified by KB number. Customers need to install security update package 961063 for each DNS server and 961064 for each WINS server in their environment.
This bulletin is rated critical and addresses three privately reported vulnerabilities: one remote code execution vulnerability and two elevation of privilege vulnerabilities in the Windows kernel. Additionally, all supported versions of Windows are affected. The remote code execution vulnerability would require a user to open a specially crafted Windows Metafile (WMF) or Enhanced Metafile (EMF) image file. The elevation of privilege vulnerabilities would require that a user already be logged on locally to the system; an attacker in that position could then run a specially crafted application that exploits the vulnerability.
As mitigation for the remote code execution vulnerability, metafile processing can be disabled via a registry change.
This bulletin addresses a privately reported spoofing vulnerability in Secure Channel (SChannel) and is rated important. Additionally, all supported versions of Windows are affected. Before going further, I want to clarify that the SChannel vulnerability is limited to scenarios in which SChannel and client authentication use an X.509 digital certificate.
SChannel implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. A client certificate is used to authenticate a client, such as a Web browser, to a Web server. When a Web browser client attempts to access a secured Web server, it sends its certificate to the server, allowing the server to verify the client's identity. SChannel secures the authentication communications between client and server.
The vulnerability lies in the fact that the SChannel authentication component does not apply sufficient validation of particular attributes of the TLS handshake. As a result, an attacker could spoof the identity of a legitimate user by obtaining access to the public component of the certificate used by the end user for authentication. However, you don't need to worry about this vulnerability if the client certificate is managed through Active Directory certificate mapping.
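The handshake check described above, modelled as an added example (this is not Microsoft's SChannel code): a server that only checks which certificate was presented is contrasted with one that also verifies the CertificateVerify signature over the current handshake transcript, which is what stops a party holding only the public component of the certificate. The ECDSA keys, nonces, and function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// ClientProof is what a client presents for TLS client authentication: the public
// certificate (reduced here to the public key) and the CertificateVerify signature.
type ClientProof struct {
	Cert *ecdsa.PublicKey // public component: anyone who has seen the cert has it
	Sig  []byte           // proof of private-key possession; nil if the client has no key
}
// transcriptHash stands in for the hash of the handshake messages (constructed nonces).
func transcriptHash(serverNonce, clientNonce string) []byte {
	h := sha256.Sum256([]byte(serverNonce + "|" + clientNonce))
	return h[:]
}
// legitimateClient holds the private key and signs the current handshake transcript.
func legitimateClient(priv *ecdsa.PrivateKey, transcript []byte) ClientProof {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, transcript)
	if err != nil {
		panic(err) // rand.Reader failure is not recoverable in this demo
	}
	return ClientProof{Cert: &priv.PublicKey, Sig: sig}
}
// weakServer models insufficient validation: it only checks that a known cert was sent.
func weakServer(trusted *ecdsa.PublicKey, p ClientProof, _ []byte) bool {
	return p.Cert != nil && p.Cert.Equal(trusted)
}
// strictServer also verifies CertificateVerify against this handshake's transcript,
// which rejects both a missing signature and one replayed from an earlier handshake.
func strictServer(trusted *ecdsa.PublicKey, p ClientProof, transcript []byte) bool {
	return p.Cert != nil && p.Cert.Equal(trusted) && ecdsa.VerifyASN1(p.Cert, transcript, p.Sig)
}
// Demo reports whether weak/strict accept a cert-only impersonator, whether strict
// accepts a signature replayed from an earlier handshake, and whether strict accepts the real client.
func Demo() (weakFake, strictFake, strictReplay, strictLegit bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey
	old, now := transcriptHash("srv-1", "cli-1"), transcriptHash("srv-2", "cli-2")
	earlier := legitimateClient(priv, old) // captured from a previous session
	fake := ClientProof{Cert: pub}         // public component only, no private key
	return weakServer(pub, fake, now), strictServer(pub, fake, now),
		strictServer(pub, earlier, now), strictServer(pub, legitimateClient(priv, now), now)
}
```

The weak server accepts the impersonator and the replayed signature; the strict server accepts only the client that can sign the current transcript.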
Malicious Software Removal Tool
The monthly installment of the tool that removes malicious software from users' systems is available today as well. This month's update removes Win32/Koobface. Customers can download the tool and find additional details on the Microsoft Malware Protection Center blog.
In closing, please take a moment and register for our monthly security bulletin webcast, which will be held on Wednesday, March 11, at 11 a.m. PDT. Mike Reavey, director of the MSRC, and Adrian Stone, the MSRC's lead security program manager, will review information about each bulletin to further aid in your planning and deployment. Immediately following the review session they will answer your questions with information from our assembled panel of experts. If you are not able to view the live webcast, it will also be available on demand.
In addition, please take a moment and mark your calendars for the April 2009 monthly bulletin release scheduled for April 14, and the advance notification scheduled for April 9. Look for the April edition of this column on release day to help you plan and deploy the most recent security bulletins.