Microsoft issued a slew of fixes Tuesday, repairing serious flaws affecting Internet Explorer, Windows Media Player and Microsoft Office Word. The software giant released 14 bulletins, eight critical, addressing 34 vulnerabilities as part of its monthly Patch Tuesday cycle. The 14 bulletins represented the most ever released simultaneously by Microsoft, a feat that most security patching experts are dismissing. Jason Miller, data and security team leader at St. Paul, Minn.-based patch management firm, Shavlik Technologies LLC, said he expects future Microsoft releases to include more bulletins.
"I would like to hope that the bucket will run dry, but with the amount of software that comes out and new features, it's never going to end," Miller said.
Of the eight critical bulletins, the media handling errors, flaws in Microsoft Office Word and a vulnerability affecting Microsoft Silverlight were given the highest priority by Microsoft.
Media handling flaws addressed
Jason Millersecurity team leader, Shavlik Technologies Inc.
Microsoft fixed a critical vulnerability in the way Microsoft DirectShow handles MPEG Layer-3 audio codecs. MS10-052 addresses a remote code execution vulnerability. An attacker can exploit the flaw by either getting a user to open a malicious media file or browse to streaming content from a website. If successful, the attacker can gain the same user rights as the logged-on user, Microsoft said. The flaw affects users of Windows XP and Windows Server 2003.
Microsoft also repaired a vulnerability in the Cinepak Codec video format. MS10-055 corrects the way in which Cinepak decompresses media files in Windows Media Player. The flaw can be exploited by an attacker if a user browses to malicious streaming content on a website. It can also be exploited using an application that streams media, Microsoft said. The flaw affects Windows XP, Windows Vista and Windows 7.
Two vulnerabilities in Microsoft's .NET Framework and Microsoft Silverlight, the Microsoft alternative to Adobe Systems' Flash and Air development environment, were addressed in MS 10-060. Attackers can exploit the vulnerabilities by getting a user to browse to a malicious website or run a malicious .Net application. It marks the first time that Silverlight has a potentially dangerous vulnerability, said Shavlik's Miller.
"Silverlight is gaining market share so paying attention to Silverlight is important, because this could almost be a true drive-by attack scenario," Miller said.
The flaws affect all support versions of Windows. Silverlight 4 and .Net Framework 4 are not affected by the vulnerability, Microsoft said.
Security advisory issued
Microsoft issued Security Advisory 2264072, warning users of a serious issue affecting Windows XP, Vista, Windows 7 and Windows Server 2003 and 2008. The vulnerability appears to be difficult to exploit, but is potentially serious. An attacker could use the Windows Service Isolation feature to gain elevation of privilege on a victim's machine. The feature is optional, Microsoft said.
A bulletin addressing four vulnerabilities in Microsoft Office Word was also given the highest priority by Microsoft. One of the flaws identified in MS10-056 could allow a remote code execution if a user opens a rich text formatted email message that contains malicious code. The vulnerabilities are rated important for Microsoft Word 2002 and 2003 and critical for Microsoft Word 2007 running on all versions of Windows. Users of Windows 7 and Vista have security mechanisms in place making an attack more difficult to carry out, Microsoft said.
"Microsoft probably rated this high because it allows for an email worm scenario to happen and that could turn into a serious scenario," said Richie Lai, director of vulnerability research at Redwood Shoes, Calif.-based Qualys Inc. Lai said that Office Outlook 2007 uses Word as its rendering engine, making the flaw even more serious.
Other Microsoft bulletins of note
Patching experts pointed to MS10-053, a bulletin that addresses six vulnerabilities in Internet Explorer, as another item that should be addressed fairly quickly. The bulletin repairs a number of memory corruption vulnerabilities that can be used by attackers to gain access to system files and take control of a victim's machine. The flaws are rated critical, can be exploited remotely by an attacker and affect all versions of Internet Explorer.
MS10-047, a bulletin that addresses several Microsoft Windows Kernel-level vulnerabilities could potentially be difficult to patch. The bulletin is rated important for Windows XP and Windows server 2003 and moderate for Windows 7. In the most likely scenario, an attacker would be able to pull off a denial-of-service attack, crashing a victim's machine. Administrators should thoroughly test the patch before deploying it to determine if it will break any systems, patching experts said.
MS10-054, a bulletin that addresses several vulnerabilities affecting the Server Message Block (SMB) server should be looked at closely, experts said. It is rated critical for users of Windows XP and important for all other versions of Microsoft Windows. SMB flaws raise alarm because they could potentially be wormable, said Shavlik's Miller.
Microsoft out-of-band patch
Microsoft issued an emergency patch July 30, repairing a zero-day vulnerability in the Windows Shell that attackers had been exploiting in the wild. Different kinds of exploits surfaced attempting to exploit the vulnerability, including malware that targeted Siemens SCADA system software.