Microsoft repaired several serious Windows kernel flaws that could be exploited by an attacker to gain complete control of a system. Kernel flaws are among the most serious, experts warn, because they sit in a deep layer of the Windows architecture, and a successful exploit gives the attacker complete control of the machine.
Despite the seriousness of the kernel vulnerabilities, November was a light month for Microsoft administrators, following a record-breaking 34 vulnerabilities patched by the software giant in October. Microsoft issued six bulletins Tuesday, three of them critical, repairing 15 vulnerabilities, including a Web services flaw and flaws in its License Logging Server, Active Directory, and Office products.
"The patches for these vulnerabilities are not too difficult to apply, so you could say it's a relatively light month," said Amol Sarwate, the manager of the vulnerability research lab at Qualys Inc. "On the other hand, half of the bulletins have listening ports open, and whenever you have listening ports open there could be network-based exploits for it, so it's something you have to keep an eye on."
The most critical of the Windows kernel flaws, addressed in Bulletin MS09-065, is an error in the way Windows handles Embedded OpenType (EOT) fonts. It is relatively easy to exploit, and proof-of-concept code is readily available. An attacker could set up a malicious website that serves an embedded OpenType font to exploit the flaw against Internet Explorer users, said Jason Avery, manager of TippingPoint's Digital Vaccine group.
"If you compromise the kernel you get complete control over everything so a hacker can really do some damage," Avery said.
The bulletin also addresses two other kernel-level flaws, one in the way Windows handles system calls and one in the validation of data passed from user mode to the Windows graphical device interface (GDI). The vulnerabilities are rated Critical for users of Windows 2000 and Windows XP and Important for users of Vista and Windows Server 2008.
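Because the EOT vector described above reaches the kernel through Internet Explorer's font download feature, a practical interim check is whether that feature is still enabled in the Internet and Restricted sites zones. The following PowerShell script is an added example, not code from the article or from Microsoft. It assumes the standard IE zone registry layout, in which per-zone action ID 1604 is "Font download" with values 0 = Enable, 1 = Prompt and 3 = Disable, and zone 3 is Internet and zone 4 is Restricted sites; run with -Enforce to set the value to Disable for the current user.

```powershell
# Added example (not from the article): report, and optionally disable, Internet Explorer's
# per-zone "Font download" setting, the delivery vector for the EOT kernel flaw in MS09-065.
# Assumptions: action ID 1604 = "Font download"; 0 = Enable, 1 = Prompt, 3 = Disable;
# zone 3 = Internet, zone 4 = Restricted sites. HKCU affects the current user only; the
# same values under HKLM apply machine-wide when "Use only machine settings" policy is on.
param([switch]$Enforce)

$zones = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

foreach ($id in $zones.Keys) {
    $key = Join-Path $base $id
    $cur = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'1604'
    if ($cur -eq $null) {
        # No explicit value: the zone template default applies for this user.
        Write-Output ("{0,-17} Font download = (zone default, no override set)" -f $zones[$id])
    } else {
        $label = if ($names.ContainsKey([int]$cur)) { $names[[int]$cur] } else { "unknown ($cur)" }
        Write-Output ("{0,-17} Font download = {1}" -f $zones[$id], $label)
    }
    if ($Enforce -and $cur -ne 3) {
        Set-ItemProperty -Path $key -Name '1604' -Value 3 -Type DWord
        Write-Output ("  -> set Font download to Disable for zone {0}" -f $zones[$id])
    }
}
```

Disabling font download is a workaround, not a fix: it blocks the browser path onto the vulnerable parser but leaves the kernel code reachable through any other application that hands EOT data to win32k, so the bulletin itself still needs to be deployed.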
Microsoft also addressed a remote code execution vulnerability in its License Logging Server. Bulletin MS09-064 affects only Windows 2000. Enterprises use the License Logging Server to track Microsoft licenses and ensure that machines carry appropriate Windows software licenses. The vulnerability, discovered by TippingPoint researchers, is a classic buffer overflow, Avery said. It was reported in May and was not likely a high priority, since it affects only Windows 2000. Still, many security vendors continue to detect legacy systems running Windows 2000, and because the License Logging Server is enabled by default on those systems, it remains a possible threat.
"The vulnerability exposes an RPC interface where you would communicate over RPC protocol, pass malformed data to open up a shell and conduct remote code execution on a server," Avery said.
The last critical bulletin, MS09-063, addresses a vulnerability in the Web Services on Devices API (WSDAPI). The API is used to discover devices such as Windows Mobile devices and Microsoft Zune media players so that they can be seen on a network. It can only be exploited by an attacker on the local network. As a best practice, most enterprises have disabled WSDAPI.
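Whether WSDAPI is actually disabled on a given host is easy to verify from the listening sockets. The PowerShell script below is an added example, not code from the article or from Microsoft. It assumes the WSDAPI listeners are on TCP 5357 and 5358 (the ports Microsoft's published workaround for this bulletin blocks) and that netsh advfirewall is available, which holds on Vista and Windows Server 2008; run with -Block to add inbound block rules for both ports.

```powershell
# Added example (not from the article): list WSDAPI listeners and optionally block them
# at the host firewall, as an interim measure until MS09-063 is deployed.
# Assumptions: WSDAPI listens on TCP 5357 and 5358; netsh advfirewall is present
# (Vista / Server 2008 and later). Because the API is local-subnet only, a host
# firewall rule is an effective workaround where the service cannot be disabled.
param([switch]$Block)

$ports = 5357, 5358
$listening = @(netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' })

foreach ($p in $ports) {
    # Match ":<port>" followed by whitespace so 5357 does not also match 53570.
    $hits = @($listening | Where-Object { $_ -match (':{0}\s+' -f $p) })
    if ($hits.Count -eq 0) {
        Write-Output "TCP $p : not listening"
    } else {
        foreach ($line in $hits) {
            # netstat -ano prints the owning PID as the last column.
            $procId = ($line.Trim() -split '\s+')[-1]
            $name = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
            Write-Output ("TCP {0} : LISTENING, pid {1} ({2})" -f $p, $procId, $name)
        }
    }
    if ($Block) {
        netsh advfirewall firewall add rule `
            name="Block WSDAPI TCP $p (MS09-063 workaround)" `
            dir=in action=block protocol=TCP localport=$p | Out-Null
        Write-Output "  -> inbound block rule added for TCP $p"
    }
}
```

The listener will usually be reported as PID 4 (System), because WSDAPI receives its HTTP traffic through the kernel HTTP listener rather than a user-mode process; the block rule applies regardless of which process owns the socket.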
In addition, Microsoft repaired several Microsoft Office vulnerabilities that affect both Windows and Mac users. Microsoft Excel vulnerabilities are addressed in Bulletin MS09-067, and a Microsoft Word flaw is fixed in Bulletin MS09-068. Both bulletins are rated Important and affect Microsoft Office Excel and Word 2002, 2003 and 2007; Microsoft Office 2004 and 2008 for Mac; the Open XML File Format Converter for Mac; and all supported versions of the Microsoft Office Excel and Word Viewers and the Microsoft Office Compatibility Pack. The remote code execution vulnerabilities could be exploited by an attacker who persuades a user to open a crafted file to install programs and take complete control of the computer.
Microsoft also addressed a denial-of-service vulnerability in the Active Directory service. Bulletin MS09-066 is rated Important and affects Windows 2000 Server, Windows XP, Windows Server 2003, and Windows Server 2008.