
Microsoft patches serious Windows kernel flaws

By Robert Westervelt, News Editor
10 Nov 2009 | SearchSecurity.com


Microsoft repaired several serious Windows kernel flaws that could be exploited by an attacker to gain complete control of a system. Kernel flaws are among the most serious, experts warn, because they sit in a deep layer of the Windows architecture and, if successfully exploited, could give an attacker complete control of a system.

Despite the seriousness of the kernel vulnerabilities, November represented a light month for Microsoft administrators following a record-breaking 34 vulnerabilities patched by the software giant in October. Microsoft issued six bulletins Tuesday, three of them rated critical, repairing 15 vulnerabilities, including a Web services flaw and flaws in its License Logging Server, Active Directory, and Office products.

"The patches for these vulnerabilities are not difficult to apply, so you could say it's a relatively light month," said Amol Sarwate, manager of the vulnerability research lab at Redwood Shores, Calif.-based Qualys Inc. "On the other hand, half of the bulletins have listening ports open and whenever you have listening ports open there could be network-based exploits, so it's something you have to keep an eye on."

One of the most critical Windows kernel flaws, addressed in bulletin MS08-065, was an error in the way Windows handles OpenType (EOT) fonts. It's relatively easy to exploit, and proof-of-concept code is readily available. An attacker could set up a malicious website to exploit the vulnerability, targeting users of Internet Explorer using embedded OpenType fonts, said Jason Avery, manager of Austin, Texas-based TippingPoint's Digital Vaccine group.

"If you compromise the kernel you get complete control over everything, so a hacker can really do some damage," Avery said.

The bulletin also addresses two other kernel-level vulnerabilities, which affect the way Windows handles system-level calls and validates data passed from the user to the Windows graphical device interface. The vulnerabilities are rated critical for users of Windows 2000 and Windows XP, and rated important for Vista users and those running Windows Server 2008.

Microsoft also addressed a remote code execution vulnerability in its License Logging Server. Bulletin MS09-064 only applies to users of Windows 2000. Enterprises use the License Logging Server to validate Microsoft licenses and ensure that machines carry appropriate Windows software licenses. The vulnerability, discovered by TippingPoint researchers, is a classic buffer overflow, Avery said. The vulnerability was discovered in May and wasn't likely a high priority since it only affects Windows 2000 users. Still, many security vendors continue to detect legacy systems running Windows 2000, and the License Logging Server is enabled by default, making it a possible threat.

"The vulnerability exposes an RPC interface where you would communicate over RPC protocol, pass malformed data to open up a shell and conduct remote code execution on a server," Avery said.

The last critical bulletin, MS09-063, addresses a Web services vulnerability in the Windows Device API. The API in question is used to validate Windows Mobile devices and Microsoft Zune media players so they can be viewed on a network. It can only be exploited by users of the local network. As a best practice, most enterprises have disabled the Windows Device API.

In addition, Microsoft repaired several Microsoft Office vulnerabilities that affect both Windows and Mac users. Microsoft Excel vulnerabilities are addressed in bulletin MS09-067, and a Microsoft Word flaw is fixed in bulletin MS09-068. Both bulletins are rated important and affect Microsoft Office Excel and Word 2002, 2003 and 2007; Microsoft Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; and all versions of Excel and Word Viewer and Microsoft Office Compatibility Pack. The remote code execution vulnerabilities could be exploited by an attacker to install programs and take complete control of a computer.

Microsoft also addressed a denial-of-service vulnerability in the Active Directory service. Bulletin MS09-066 is rated important and affects users of Windows 2000 Server, Windows XP, Windows Server 2003, and Windows Server 2008.
