Microsoft patched critical vulnerabilities in the Windows kernel that could be remotely exploited by an attacker to gain control of a computer. In all three bulletins patching eight Windows flaws were released Tuesday as part of Microsoft's monthly patching cycle.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
Microsoft's MS09-006 bulletin is rated critical for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The kernel contains three vulnerabilities, a remote code execution vulnerability, rated critical, and two elevation of privilege vulnerabilities, rated important. Validation errors in the kernel graphics rendering component could be exploited to install programs; view, change, or delete data; or create new accounts with full user rights.
Jan. - Microsoft updates critical SMB server flaws: The latest Microsoft security update addresses two critical remote code execution vulnerabilities and a denial-of-service flaw in the Server Message Block.
Dec. - Microsoft issues emergency patch to fix IE flaw
Dec. - Microsoft fixes critical flaws in Office, IE
An end user can fall victim to an attack by opening a malicious email attachment or browsing to a malicious website that contains a malicious .WMF or .EMF picture file. But Microsoft gives the flaw a "3" on its exploitability index, indicating that exploit code is unlikely in the wild, said Andrew Storms, director of security operations at security and compliance auditing vendor nCircle Network Security Inc..
"Microsoft is saying that it's a pretty darn critical and nasty bug in Windows and easy to get users to go to a malicious website, but the exploit index says its more than likely not going to happen because it's very difficult to exploit this piece of code," Storms said. "It's still important to get it patched."
The MS09-007 bulletin is rated important and addresses a vulnerability in authentication handling of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The vulnerability is within Microsoft Windows Secure Channel, which processes SSL and TLS digital signatures. The update corrects the way Secure Channel parses key exchange data during the TLS handshake. A similar vulnerability was updated by Microsoft in 2007.
Windows Domain Name Server (DNS) and Windows Internet Name Service (WINS) server was also updated in the MS09-008 bulletin. The update blocks four spoofing vulnerabilities that could be used by an attacker to cause DNS cache poisoning and redirect network traffic intended for systems on the Internet to the attacker's own systems. It's the third time in two years that the naming servers have been updated. In 2008, a group ofDNS vendors released coordinated updates to block a critical flaw discovered by security researcher Dan Kaminsky, director of penetration testing at IOActive Inc.
Remaining unpatched is an unspecified remote code-execution vulnerability in Microsoft Excel. Antivirus vendors Symantec Corp., McAfee Inc. and others detected a Trojan in the wild attempting to exploit the flaw. Microsoft acknowledged the zero-day flaw and said it was preparing a fix. Attacks have been extremely limited and targeted.