Microsoft's Patch Plugs 'Spoofing' Exploit

One of the "critical" patches that Microsoft released on Tuesday -- one of its biggest patch drops ever -- addresses an issue that's been festering for more than six months.

The security flaw popped onto Microsoft's (NASDAQ: MSFT) radar in early February, when the company's security team issued a Security Advisory, warning systems administrators and PC help desk personnel about it.

The company released 14 patches in the most recent August Patch Tuesday event, eight of them rated as critical. Together they fix a total of 34 security flaws -- a near record for Microsoft.

Microsoft said it's addressed a hole found in a portion of Windows code called the Secure Channel security package that handles Transport Layer Security/Secure Sockets Layer (TLS/SSL) security.

Successful exploitation of the hole would allow a malicious hacker to carry out a "spoofing" attack known as a "man-in-the-middle" exploit. An attacker could insert himself or herself into the security handshake process between a user's Windows client and the software on the server that handles authentication.

In short, the attacker could successfully pretend to be a legitimate user by intercepting identification traffic between the client and server, thus masquerading as the user to the server and vice versa.

A savvy hacker could create an attack program that is designed to take advantage of the hole and host it on a website for an unsuspecting user to stumble upon. Microsoft published a workaround for the problem at the time.

However, on Tuesday, the company's security team released a patch that specifically blocks that avenue of attack, as well as patching a second problem that leverages another hole in the Secure Channel component.

The vulnerabilities are rated critical for Windows XP Service Pack 3 (SP3), as well as XP Professional x64 SP2, along with Windows Server 2003 SP2, x64 edition SP2, and SP2 for Itanium systems. The rest of Microsoft's supported versions of Windows are designated as "important" -- a step down from the top of Microsoft's severity rating scale, which is critical.

In the Security Bulletin that accompanies the patch, Microsoft stated that, despite how long it took its security mavens to fix the problems, it knows of no attacks that have occurred in the meantime.

Zero-day flaw

Also, Microsoft officials Thursday addressed the zero-day flaw in the kernel of every supported version of Windows that was revealed last week by a security researcher who goes by the screen name "Akron."

In a post to the Microsoft Security Response Center (MSRC) blog, Jerry Bryant, group manager for response communications, announced that the company will not be releasing a Security Advisory for the latest zero-day.

"This is a local elevation of privilege vulnerability [which only] allows attackers to gain system-level privileges after they have already obtained an account on the target system," Bryant said. In other words, for someone to take advantage of the kernel vulnerability, that person already needs to be a recognized user on the system.

"The vulnerability cannot be exploited remotely, or by anonymous users," Bryant added.

Therefore, Microsoft will eventually patch the hole, but it's not a priority. "We will continue monitoring the threat landscape and alert customers if anything changes," he said.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000.