Microsoft repaired critical Office Web Components vulnerabilities that have been actively exploited in the wild since the software giant first acknowledged them last month.
Microsoft also released an additional critical update to repair ActiveX vulnerabilities in its Active Template Library. The errors enable an attacker to bypass kill-bits, a feature commonly deployed by Microsoft to block attackers from exploiting complex interoperability vulnerabilities without addressing the underlying flaw.
In all, Microsoft issued nine security updates Tuesday, including six rated critical, affecting Windows and Office Web Components.
MS09-043 addresses four vulnerabilities in Microsoft Office Web Components that could be exploited by an attacker to take full control of a victim's machine. Microsoft Web Components allow users to view spreadsheets, charts and databases on the Web.
The vulnerabilities (a memory allocation bug, heap corruption and HTML script errors, and a buffer overflow flaw) can be exploited remotely. Last month Microsoft issued an advisory warning of active exploitation of the Web Components vulnerabilities. The vulnerabilities are in the Spreadsheet ActiveX Control, which is used by Internet Explorer (IE) to display the data in the browser.
Microsoft also revisited ongoing issues it is having with its Active Template Library (ATL). MS09-037 addresses five errors that could be exploited in drive-by attacks. They allow remote code execution if a user loads a malicious component or control hosted on a website. MS09-037 is a continuation of the two emergency, out-of-band updates issued July 28, addressing flaws in the Active Template Library that affect Internet Explorer and Visual Studio. Ryan Smith, Mark Dowd and David Dewey recently demonstrated successful attacks that bypass the kill-bit mechanism that Microsoft frequently deploys to shut down buggy ActiveX controls.
In an interview with SearchSecurity.com, Dewey of IBM Internet Security Systems, credited by Microsoft for reporting the ATL Uninitialized Object vulnerability, warned developers to consider the update closely. The series of interoperability weaknesses can be found in Web browser controls and plug-ins developed over the last 15 years by multiple vendors using a flawed version of Microsoft Visual Studio. Adobe Systems Inc. and Cisco Systems Inc. each issued advisories related to the ATL issues and other third-party vendors will likely follow.
The researchers found ways to bypass dozens of kill-bits deployed by Microsoft during the last five years, exploiting over 100 ActiveX errors. Dewey said the number of Microsoft ActiveX errors could be closer to 1,000. The methods enable the ActiveX controls to run in Internet Explorer despite being blocked via the kill-bit method. Dewey said he expects there to be ongoing ATL updates as Microsoft and other vendors attempt to correct the errors.
"The fix itself is not particularly difficult. In many cases it's just a matter of applying the fix to Visual Studio and recompiling the control itself," Dewey said. "Where we're finding that most people are having difficulty is first in locating all of the controls that may exist in their environment."
As many as 10,000 controls are affected by the flaws across the Internet, Dewey said. Large software distributors are affected most by the errors. Trying to enumerate all the different ActiveX controls that they may have developed is a daunting task, he said.
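The inventory step Dewey describes, as an added example (not code from the article, Microsoft or the researchers): it reads registry-export text, lists each COM class with an in-process server and reports whether Internet Explorer's kill-bit (the 0x400 bit of "Compatibility Flags" under the ActiveX Compatibility key) is set for it. Assumptions: the input is `reg export` text, every InprocServer32 class is treated as a candidate control, and the CLSIDs and paths in the sample are constructed.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE from instantiating a control
COMPAT = r"\Internet Explorer\ActiveX Compatibility" + "\\"
# Constructed sample in `reg export` text form; CLSIDs and paths are made up.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\VendorA\\chart.ocx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Program Files\\VendorB\\viewer.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000400
"""

def parse_export(text):
    """Return (servers, flags): CLSID -> binary path, CLSID -> Compatibility Flags."""
    servers, flags, key = {}, {}, ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the current registry key
            continue
        m = re.search(r"\{[0-9A-Fa-f-]{36}\}", key)
        if not m or not line:
            continue
        clsid = m.group(0).upper()
        if key.lower().endswith("\\inprocserver32") and line.startswith('@="'):
            servers[clsid] = line[3:-1].replace("\\\\", "\\")
        elif COMPAT.lower() in key.lower():
            v = re.match(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', line)
            if v:
                flags[clsid] = int(v.group(1), 16)
    return servers, flags

def inventory(text):
    """List every CLSID seen, its binary (if registered) and kill-bit state."""
    servers, flags = parse_export(text)
    return [{"clsid": c, "path": servers.get(c),
             "kill_bit": bool(flags.get(c, 0) & KILL_BIT)}
            for c in sorted(set(servers) | set(flags))]

if __name__ == "__main__":
    for row in inventory(SAMPLE_EXPORT):
        print(row)
```

A row with a kill-bit but no path is a control that is blocked but not installed on that machine. Because the bypasses described above defeat the kill-bit, a set kill-bit in this report does not mean the control has been rebuilt against the fixed ATL.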
"The next hardest part is creating a new distribution mechanism to update and make sure those patches are pushed out," Dewey said.
Microsoft issues security advisory:
Microsoft released a new feature, Extended Protection for Authentication: The new feature addresses credential forwarding. It enhances the way Windows authentication works so that credentials are not easily forwarded when Integrated Windows Authentication (IWA) is enabled.
Microsoft also addressed two critical vulnerabilities in its remote desktop software. MS09-044 fixes vulnerabilities in Microsoft Remote Desktop Connection that could be exploited remotely by an attacker by tricking a user of Terminal Services into connecting to a malicious RDP server or visiting a malicious website. Microsoft said the software contains heap and ActiveX heap overflow vulnerabilities.
Two critical vulnerabilities were addressed in Windows Internet Name Service (WINS). MS09-039 addresses heap overflow and integer overflow vulnerabilities in WINS that could be remotely exploited by an attacker. Microsoft said the update is addressed automatically for customers who have WINS installed. WINS is not installed by default on any affected operating system version.
MS09-038 addresses two critical vulnerabilities in Windows Media file processing. An AVI header vulnerability and AVI integer overflow error can be remotely exploited by an attacker by forcing a user to open a malicious AVI file. A successful attack could enable an attacker to take complete control of an affected system, Microsoft said. The update is rated critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.
Microsoft also issued four important bulletins. MS09-036 addresses a denial-of-service vulnerability in ASP.NET, the Microsoft framework in Windows. MS09-040 addresses a vulnerability in the Windows Message Queuing Service (MSMQ). MS09-041 fixes a memory corruption vulnerability (http://www.microsoft.com/technet/security/bulletin/ms09-041.mspx) in the Windows Workstation Service. MS09-042 repairs a flaw in the Microsoft Telnet service.
In a statement, Ben Greenbaum, senior research manager at Symantec Security Response, said ActiveX controls were the primary target of this month's Microsoft updates.
"All of the ActiveX issues patched this month could be easily exploited and can impact even the average computer user," Greenbaum said. "The potential danger is that many of these vulnerabilities can be exploited by simply getting a user to visit a webpage that contains malicious content."