Microsoft Patch Tuesday Fixes Two Zero-Day Vulnerabilities
Update to Internet Explorer addresses threat to older versions.
Microsoft today issued six patches in its final Patch Tuesday release for 2009, fixing a total of a dozen security holes -- six of them rated as "critical," the highest level on Microsoft's threat severity scale.
The company last Thursday gave IT administrators a heads-up when it gave advance notice of the bugs it planned to address in today's installment of its monthly batch of fixes.
At the time, and as typical in the run-up to Patch Tuesday, Microsoft (NASDAQ: MSFT) disclosed only few details of the vulnerabilities it expected to target.
However, it did single out one fix in particular, which security analysts today urge admins to apply swiftly: a so-called cumulative update to Internet Explorer.
That's largely because the fix blocks a zero-day hole in the browser that Microsoft acknowledged last month. The vulnerability primarily affects IE6 and IE7.
"Proof-of-concept exploit code was released for the [IE] object memory corruption vulnerability late last month, but it wasn't reliable," Ben Greenbaum, senior research manager at security researcher Symantec Security Response, said in an e-mail. "It's been a race since between Microsoft and attackers to either get a patch out or improve the exploit's reliability."
Tyler Reguly, senior security engineer for security firm nCircle, agrees.
"Number one on everyone's hit list today should be ... the IE patch, as this includes a patch for the current IE zero-day vulnerability. Patching IE is always crucial but given the public exploit, this should be patched as quickly as possible," Reguly said.
The cumulative IE patch also addresses four other critical-rated bugs--none of which none have resulted in attacks in the wild, Microsoft said. Microsoft Project in the crosshairs
Other new bug fixes in the today's Patch Tuesday release includes a fix for a Microsoft Office Project vulnerability. The security hole affects Project 2000 Service Release 1 through Project 2003 Service Pack 3 (SP3).
However, the bug is rated as critical only for Project 2000. While that version of Project is nearly ten years old and not used as much as more recent releases, security professionals say that fixing its memory corruption bug is still important.
"Since the large majority of people use later versions of Microsoft Project, any attack surface associated with this update should be fairly narrow. Nonetheless, IT teams should ensure that they have identified all instances of Project 2000 that may still exist in their organization," Don Leatham, senior director of solutions and strategy at security firm Lumension, said in an e-mail. Windows Server 2008 SP2 zero-day and new Security Advisories
The third critical patch addresses two holes in Internet authentication technologies located in Windows Server 2008 SP2, one of which Microsoft said is also a zero-day exploit. Again, however, there have been no known attacks in the wild, it said.
Besides bug patches, Microsoft today also took the somewhat unusual step of issuing three Security Advisories along with its Patch Tuesday offerings. Typically, Security Advisories are meant to alert customers to potential security risks that have not yet been classified by Microsoft as bugs that merit patches.
One advisory provides workarounds for security problems with the Indeo codec on Windows 2000, Windows XP, and Windows Server 2003. A second advisory has to do with handling of credentials using Integrated Windows Authentication (IWA), while the third adds a security feature called Extended Protection for Authentication on IWA.
A complete list of December's Patch Tuesday fixes is available online.
Stuart Johnston is a contributing writer to InternetNews.com, based in Bellevue, Wash.