Microsoft patched a WebDAV security vulnerability in Microsoft Internet Information Services (IIS) Web server as...
part of its monthly Patch Tuesday bulletin release. In all, the software giant issued 10 bulletins, six labeled critical in a mammoth release of security fixes addressing 31 vulnerabilities.
|To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
Microsoft acknowledged the IIS Web server flaw last month after the U.S. Computer Emergency Response Team warned of publicly available exploit code and active exploitation of the vulnerability. MS09-020 patches a remote authentication bypass vulnerability in the IIS WebDAV extension, a collection of tools used to publish content to IIS Web servers. The WebDAV vulnerability, which was discovered by security researchers at Palo Alto Networks, is due to the lack of proper checks on the URL in a WebDAV request, leading to a bypass on IIS directories. Microsoft IIS versions 5.0-6.0 are affected. The update is rated important. If successfully exploited, it could give an attacker elevated privileges to gain access to sensitive data.
"The WebDAV function isn't used100% of the time, but it is used for doing Outlook Web access and there are some other legitimate uses, but it's not turned on by default," said Eric Schultze, chief technology officer of patching vendor Shavlik Technologies Inc. "Zero-day issues are typically of concern to IT managers, so when patches are released, sometimes administrators like to get the patches deployed as soon as possible."
Also repaired was a zero-day flaw in Internet Explorer 8 that was used by the German security researcher known as "Nils" in March to win the Pwn2own contest sponsored by TippingPoint at the CanSecWest conference. Nils won a Sony laptop and $5,000 cash by demonstrating he could gain complete control over a machine by exploiting the vulnerability. MS09-019 fixes 8 vulnerabilities in Internet Explorer and affect versions 5.01-8 on Windows 2000, 2003, XP and Vista. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Researchers at security vendor Core Security Technologies discovered one of the IE flaws in October 2008. A security zone bypass vulnerability allows a website to perform actions, such as executing code, despite being disabled by the security level of a given Security Zone.
"In this case this is a variation of a previous bug, but this is a very important one," said Ivan Arce, chief technology officer of Core Security. "This is important enough to require people to address it quickly."
Other Microsoft Bulletins:
MS09-018: Two vulnerabilities were repaired in implementations of Active Directory on Microsoft Windows 2000/2003. A remote code execution flaw results in an incorrect freeing of memory when processing a malicious LDAP or LDAPS request. An attacker who successfully exploits the vulnerability could take complete control of an affected system remotely. Also patched was Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003. This flaw could be exploited by an attacker to conduct a denial-of-service attack.
MS09-021: Seven remote code execution vulnerabilities in Microsoft Excel could allow an attacker to gain complete control of an affected system. In order to exploit the flaws, Microsoft said a user must open a malicious Excel file that includes a malformed record object. The update is rated critical for all versions of Microsoft Office Excel 2000.
MS09-022: Three buffer overflow flaws in Microsoft Windows Print Spooler could allow remote code execution if an affected server received a specially crafted RPC request, Microsoft said. The update is rated critical for Microsoft Windows 2000; moderate for users of Windows XP and Windows Server 2003; and important for Windows Vista and Windows Server 2008.
MS09-023: Microsoft fixed a vulnerability in the way file previews are generated in Windows Search. The bulletin is rated important and could result in information disclosure if the search returns a special crafted file as the first result. The flaw affects Windows Search 4.0 on Windows XP and Windows Server 2003.
MS09-024: A critical buffer overflow vulnerability was repaired in Microsoft Works converters. The flaw could allow remote code execution if a user opens a malicious Works file. If exploited, an attacker could gain the same user rights as the local user, Microsoft said.
MS09-025: Repairs four flaws in the Windows kernel that could allow elevation of privilege. Three kernel pointer validation errors and a desktop kernel validation error could be exploited remotely or by anonymous users to run code in kernel mode. The vulnerabilities could not be exploited remotely or by anonymous users, Microsoft said. The update affects Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.
MS09-026: Microsoft issued another update to the Windows remote procedure call (RPC) facility. According to the software maker, the RPC Marshalling Engine does not update its internal state appropriately. The bulletin is rated important and affects Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.
MS09-027: Two buffer overflow vulnerabilities in Microsoft Word could allow remote code execution if a user opens a malicious Word file. The flaws could be exploited to take complete control of an affected system, Microsoft said. The update is rated critical for all versions Microsoft Office Word 2000.