Microsoft fixed two serious vulnerabilities affecting the way Windows handles ASF and MP3 media files and repaired several TCP/IP processing errors that could enable an attacker to overload Web and mail servers.
The software giant released five critical updates as part of its regular Patch Tuesday round of updates. All of the updates are remotely exploitable.
MS09-047 repairs a serious vulnerability in the way Windows handles media files. The update addresses two critical vulnerabilities in Windows Media Format that could be exploited by an attacker by tricking users to play a malicious ASF or MP3 file.
The parsing vulnerability and memory corruption flaw is in the Windows Media Format Runtime engine. The update is rated critical for Windows Media Format Runtime 9.0, 9.5, 11, Microsoft Media Foundation, Windows Media Services 9.1, and Windows Media Services 2008.
Microsoft security updates:
August - Microsoft fixes Office Web Components vulnerability, kill-bit bypass: Microsoft repaired critical vulnerabilities in Microsoft Office Web Components affecting Office Word, Excel and PowerPoint viewer as well as its ISA and BizTalk servers.
July - Microsoft issues emergency Active Template Library updates: Security updates address flaws the Active Template Library affecting Internet Explorer and Visual Studio. An IE fix also blocks a method that allows attackers to bypass kill-bits.
July - Microsoft repairs critical DirectShow, Video ActiveX vulnerabilities: The software giant issued six updates this week as part of its Patch Tuesday updates. Three bulletins were rated critical.
June - Microsoft patches WebDAV security vulnerability in bevy of updates: Zero-day flaws in Microsoft Internet Information Services (IIS) Web server and Internet Explorer were among 31 vulnerabilities repaired Tuesday.
MS09-048 addresses three vulnerabilities in TCP/IP processing that could be remotely attacked by sending TCP/IP packets over the network to a computer with a listening service. While most client machines are not affected, many Web servers and mail servers on Windows Vista and Windows Server 2008 may have an open port that is vulnerable to the attack. Microsoft said it would not release a patch for Windows 2000.
The flaws first surfaced in 2008, when researchers from Swedish vulnerability assessment firm Outpost24 presented the issues at the T2 Conference in Helsinki. Robert E. Lee, chief security officer and Jack Louis, a senior security researcher at Outpost24 warned that the issues were fundamental and could be exploited to cause denials of service and resource consumption on virtually any remote machine that has a TCP service listening for remote connections. The researchers said the attacks can be carried out with very little bandwidth, such as that available on a cable modem
Jason Miller, security and data team manager, at Shavlik Technologies called the TCP/IP update the most critical to be addressed this month. Miller said an attacker can send out bad packets to overcome TCP/IP listening service and overload a server with bad packets.
"You can mitigate this by turning on a firewall, but if you are going after the server side, this is what an attacker would go after," Miller said. "An attacker can overcome a system, freeze it up and execute code remotely … it could lead to network wide outages."
Cisco Systems Inc. also released an update Tuesday, addressing the TCP vulnerabilities in Cisco IOS Software.
Several other holes in client-side components were addressed by Microsoft Tuesday.
MS09-045 addresses a flaw in the JScript Scripting Engine that could put Internet Explorer users at risk if they visit a malicious website. The site could invoke a malicious script that exploits the error enabling an attacker to execute code remotely and take complete control of a system. Microsoft said the update is rated critical for JScript 5.1 on Microsoft Windows 2000 Service Pack 4 and Critical for JScript 5.6, JScript 5.7 and JScript 5.8 on all supported releases of the Windows operating systems except Windows 7 and Windows Server 2008 R2.
Richie Lai, director of vulnerability research at Qualys noted that Windows 7 appears to be relatively immune to the latest vulnerabilities. In addition to the improvements added to Windows Vista and Internet Explorer 8, Windows 7 is essentially a new code base, but experts say once it is widely released, they anticipate it will be targeted by attackers.
"It may be a case where protections have been put in that don't allow these exploits to happen," Lai said.
Microsoft also addressed a hole in the Wireless LAN AutoConfig Service that could be used by an attacker to take complete control of a computer. MS09-049 addresses a flaw could be exploited by an attacker at an airport, coffee shop or conference, where people may use laptops and other devices to connect to the Internet. Microsoft said the AutoConfig service does not properly validate wireless frames prior to processing them.
An attacker would need a transmitter to set up a wireless access point and auto-connect to laptops within the attacker's immediate area. The flaw is rated critical on Windows Vista and Important on Windows Server 2008.
Microsoft also addressed a flaw in the DHTML Editing Component ActiveX control that could be exploited by an attacker in drive-by attacks. MS09-046 repairs the flaw, which could enable an attacker to take complete control of a system if the user has administrative rights. Microsoft said the update is not related to the vulnerabilities in Microsoft Active Template Library (ATL) addressed last month.