Microsoft addresses critical SMBv2 flaw, fixes record number of flaws

By Robert Westervelt, News Editor 13 Oct 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft issued 13 security bulletins Tuesday -- eight of them rated critical -- addressing zero-day flaws in Microsoft Server Message Block (SMB). Microsoft's regular update cycle fixed a record 34 vulnerabilities in Windows, Internet Explorer and Microsoft Office.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Security experts warned that users should work to get the SMB and IIS patches implemented immediately because attackers have already had access to the exploit code. In September exploit code surfaced on several websites targeting vulnerabilities in both the SMB and IIS; Microsoft issued an advisory recommending users deploy a workaround while its engineers produced and tested a fix.

Josh Phillips, a virus researcher at Kaspersky Lab called the SMB vulnerabilities the most alarming of the bulletins released Tuesday. In a statement, Phillips said the flaws were introduced as part of a Microsoft patch issued in 2007.

"What should be even more concerning for Microsoft, however, is the fact that the vulnerability affects Windows Vista and Windows 7 machines and not Windows XP, a peculiarity we would like not to be repeated," Phillips said.

In addition, the bulletins issued by Microsoft contained the first ever security update for the release-to-manufacturing version of Windows 7, addressing ActiveX control issues as a result of components built using a flawed version of Microsoft Active Template Library.

Microsoft advisories: Microsoft issues SMB vulnerability advisory, patch pending: With attack code widely available, companies could take steps to mitigate the threat. Windows 7 and Vista users are at risk. Microsoft issues IIS FTP advisory, exploit code circulates: Exploit code is circulating for the FTP zero-day flaw in Microsoft IIS Web server.  Microsoft Bulletins: Sept. - Microsoft repairs Windows media, TCP/IP vulnerabilities: Microsoft released five critical updates fixing a serious flaw in the Windows Media Format Runtime engine and TCP/IP processing errors that could crash Web and mail servers.  Aug. - Microsoft fixes Office Web Components vulnerability, kill-bit bypass: Microsoft repaired critical vulnerabilities in Microsoft Office Web Components affecting Office Word, Excel and PowerPoint viewer as well as its ISA and BizTalk servers.

Eight critical bulletins
MS09-050 addresses three vulnerabilities in Microsoft SMBv2. The SMB is used in Windows to pass messages between networked devices such as printers and file sharing devices. The bulletin is rated critical for SMBv2 on Windows Vista and Windows Server 2008. Microsoft said the update repairs two remote code vulnerabilities that could be exploited if an attacker sends a specially crafted SMB packet to a computer running the Server service. A successful exploit allows an attacker take complete control of a victim's machine. A denial of service flaw was also addressed in the update. If successfully exploited, it could cause a computer to stop responding, Microsoft said.

Ben Greenbaum, a senior research manager at Symantec Security Response, said that publicly available exploit code has not been reliable, allowing Microsoft to release the update as part of its regular patch cycle.

MS09-051 fixes two vulnerabilities in Windows Media Runtime, which could allow an attacker to set up a drive-by attack by passing a malicious media file through streaming content, Microsoft said. A heap corruption vulnerability and a voice sample flaw causes problems in the way Windows Media Runtime parses certain compressed audio files. The bulletin is rated critical for Microsoft DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager running on Microsoft Windows 2000; Windows XP; Windows Server 2003, Windows Vista and Windows Server 2008.

MS09-052 addresses a remote code execution vulnerability in Windows Media Player. The heap overflow vulnerability exists in Windows Media Player 6.4 and can be exploited if an attacker passes a malicious ASF file to gain the same user rights as the local user.

MS09-054 addresses four vulnerabilities in Internet Explorer, which could be exploited by an attacker to take full control of a victim's machine. The vulnerabilities affect IE 5.01 and IE 6-8. The bulletin addresses two memory corruption errors a data stream handler corruption vulnerability and an HTML component handling flaw. Microsoft said an attacker could exploit the flaws by getting a user to visit a malicious website.

Microsoft released another update addressing ActiveX kill-bits. MS09-055 addresses an issue created with a flawed version of the Microsoft Active Template Library (ATL) included with Visual Studio. The ATL update is rated critical for users of Windows 2000 and XP, moderate for Windows Server 2003 and important for Windows Vista and Windows 7.

The software giant released a fix to Microsoft Office Outlook 2002, 2003 and 2007 and Office Visio Viewer addressing several ActiveX control vulnerabilities related to the ATL issue. MS09-060 addresses errors to components within the Office applications built using a flawed version of the ATL. If exploited, it could allow an attacker to perform remote code execution on an affected system, Microsoft said. The vulnerabilities affect Microsoft Office 2007 and Windows XP as well as Microsoft Office Visio.

MS09-061 addresses three vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight, which could allow remote code execution. Microsoft warned that the "vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing it, as could be the case in a Web hosting scenario." The update is rated critical for the Microsoft .NET Framework on Microsoft Windows 2000, XP, Vista, and Windows 7; Microsoft Silverlight 2 on Mac; and Microsoft Silverlight 2 on all releases of Microsoft Windows.

MS09-062 addresses several Microsoft GDI image handling errors. An attacker can exploit the flaws if the victim opens a malicious image file or browses to a website containing a malicious image file, Microsoft said. The flaws affect Microsoft SQL Server 2005, Microsoft Windows, Microsoft Office, Internet Explorer 6 and .NET framework for Windows 2000.

Five important bulletins
MS09-053 addresses two vulnerabilities inthe FTP Service in Microsoft IIS 5.0, 5.1, and 7.0. A remote code execution and denial of service vulnerability could cause the Web server to crash.

MS09-056 addresses two vulnerabilities that leave Microsoft Windows susceptible to a spoofing attack. In order to exploit the flaw, an attacker must gain access to the certificate used by the end user for authentication, Microsoft said. The update is rated important for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7. "We are aware that a rogue certificate was distributed in a public forum but we are not aware of any attempts to use this to attack users," Microsoft's Jerry Bryant wrote in a blog posting on the Microsoft Security Response Center blog.

SearchSecurity radio:

MS09-057 addresses an ActiveX control indexing vulnerability. Microsoft said the ActiveX control does not properly handle specifically crafted Web content. The flaw could allow an attacker to use a malicious URL granting access to the victim's system. The flaw affects Windows 2000, XP and Windows Server 2003

Several Windows kernel errors are addressed in MS09-058. Microsoft said an attacker must be logged onto the system to exploit the errors enabling an elevation of privileges. The update rated Important for Windows 2000, XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

MS09-059 addresses a Microsoft Windows Local Security Authority Subsystem Service (LSASS) flaw that could be exploited by an attacker to create a denial of service condition. The flaw is rated important for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Bulletin re-release
Microsoft rereleased an update it issued last year addressing several flaws in Microsoft XML Core Services. MS08-069 was re-released to add detection for Windows 7 and Windows Server 2008 R2. XML Core services are used in a variety of programs in Microsoft Office and Microsoft Windows.

Tags: Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows Security: Alerts, Updates and Best Practices Microsoft to fix 26 flaws in Windows, Office Microsoft warns that IE zero-day vulnerability causes data leakage Microsoft issues critical security update, blocks IE 6 attacks Microsoft emergency IE update to block latest corporate attacks Latest zero-day attacks only target IE 6, Microsoft says Hackers used IE zero-day in Google, Adobe attacks, McAfee says Microsoft issues advisory on Internet Explorer zero-day Microsoft releases Windows OpenType Font Engine patch Microsoft to patch single Windows 2000 vulnerability IIS configuration error leads to increased threat, Microsoft says

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary BotHunter  (SearchSecurity.com) principle of least privilege (POLP)  (SearchSecurity.com) security identifier  (SearchSecurity.com) trusted computing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary