Another Busy Patch Tuesday for Security Admins
Microsoft serves up a fresh batch of vulnerability fixes for September.
Any IT administrators expecting a light Patch Tuesday this month may instead have their work cut out for them, with Microsoft's latest installment of bug fixes incorporating nine patches for 11 separate security vulnerabilities on Tuesday, most affecting various versions of Windows.
As it warned in its advance notice for security administrators last week, four of the patches it ranks as "critical," the highest threat level in Microsoft's (NASDAQ: MSFT) four-tier severity rating scale. The rest are rated "important" -- a step down from critical.
A rating of important usually means that a PC can be compromised only after a user has performed some action, such as clicking to open an infected file. For critical threats, meanwhile, a PC can be compromised by an attack with little to no action required by the user.
At the top of the list for the latest Patch Tuesday fixes is a Windows security vulnerability in the OS's print spooler service, a program that controls the flow of data sent to printers. By sending a malicious print request to the spooler, an attacker could take over the user's system, according to a Microsoft's Security Bulletin.
The vulnerability is already in use by at least one threat, the so-called "Stuxnet" virus, which in early August also forced Microsoft to issue an out-of-band patch to fix a hole in how the Windows shell processes .LNK shortcut files.
Microsoft's Security Bulletin also confirmed that attacks using the vulnerability have already occurred in the wild. The flaw is only considered critical for Windows XP Service Pack 3 (SP3) and XP Professional x64 edition SP2. (Microsoft discontinued technical support for other XP SP2 editions in mid-July, so there are no patches for any other versions of the OS with SP2, such as 32-bit editions)
"Microsoft analyzed samples of the Stuxnet malware and found that in addition to using the zero-day .LNK vulnerability, addressed in August ... it is using a second, unknown vulnerability in the Windows print spooler to spread itself to other machines in the network," Wolfgang Kandek, CTO of security firm Qualys, said in an e-mail to InternetNews.com.
A second critical patch fixes a vulnerability in the MPEG-4 codec and affects supported versions of XP, as well as Windows Server 2003, Windows Vista, and Windows Server 2008, according to Microsoft. Users' systems can be compromised by sending a booby-trapped media file or doctored streaming content to the users' machines.
Additionally, this week's Patch Tuesday includes a critical patch for all versions of Windows except Windows 7, along with a patch rated important for versions of Microsoft Office 2003 through Office 2007 -- all designed to plug a hole in what's called the Uniscribe Script Processor.
"The vulnerability exists because Windows and Office incorrectly parse specific font types in such a way that could allow remote code execution," Microsoft said in its Security Bulletin regarding the flaw. The technology is used to provide support for complex rules for handling scripts, such as Arabic, Hebrew, Indian, and Thai, according to the company.
The release's fourth critical patch affects an exploit in Outlook 2002, 2003, and 2007 that works by sending the user a malicious email message that can take over the user's computer when opened or previewed.
However, the flaw only affects situations in which Outlook connects to Exchange Server in online mode. Outlook is not under threat if it connects to Exchange in cached mode, or if the user only uses POP or IMAP mail servers, according to Microsoft.
"All that is needed for the exploit to work is for the victim to open the contents of the email, and the attacker can gain full control of the victim's machine," Josh Abraham, security researcher at Rapid7, said in an e-mail to InternetNews.com. "Organizations should be performing user awareness training as a method to reduce the risk of this vulnerability."
Additionally, Microsoft released two Security Advisories -- notifications to security administrators of issues the company is investigating, but has yet to decide whether to address with a security patch.
The first advisory affects the Outlook Web Access webmail service, while the second advisory explains how Outlook Express and Windows Mail can opt-in to Extended Protection for Authentication, Jerry Bryant, group manager for response communications in Microsoft's Security Response Center (MSRC), said in a post to the MSRC blog.
The September Patch Tuesday Bulletins and their associated patches are available here.
Follow eSecurityPlanet on Twitter @eSecurityP.Updated, September 15: Update adds corrected URLs and patch information from Microsoft.
September 09, 2010
Security administrators are put on notice that they have another busy week of applying vulnerability patches to Microsoft products.