Microsoft patches 9 bugs, leaves one open for hackers

Two zero-days and critical font bug quashed; no fix for Monday's ActiveX vulnerability

Microsoft today delivered six security updates that patch nine vulnerabilities, fixing two bugs already being used by hackers but leaving one still open to exploit.

Of the six bulletins, three patched some part of Windows, while the remainder plugged holes in Publisher, Internet Security and Acceleration Server (ISA) and Microsoft's virtualization software. Six of the nine bugs were ranked critical, Microsoft's highest ranking in its four-step score, while three were tagged as "important," the next-lowest label.

"We got what we expected," said Andrew Storms, director of security operations at nCircle Network Security. "We got the 'kill bit' we were looking for in the ActiveX control and the DirectShow fix," he said, referring to two recent vulnerabilities that attackers have been exploiting for weeks.

In May, Microsoft acknowledged that hackers had begun exploiting a bug in DirectShow, one of the components in Windows' DirectX graphics platform. Last week, it owned up to another bug, this one in a video streaming ActiveX control used by Internet Explorer (IE) -- and admitted it had known about, but not fixed, the flaw for the past 18 months.

Microsoft patched the already-public DirectShow flaw with MS09-028, and for good measure tucked in fixes for two more vulnerabilities also reported by researchers.

The "kill-bit" update in MS09-032 didn't actually patch the underlying ActiveX problem. Instead, Microsoft simply disabled the control, effectively shutting off any possible attack by modifying the Windows registry using the update. Microsoft offered the same protective measure via an automated tool last week, but that required users to manually browse to a support document, then download, install and run the tool.

Researchers unanimously voted those two updates as the ones to deploy immediately. "Microsoft did well to get out the two zero-days," said Eric Schultze, chief technical officer at Shavlik Technologies, "especially the ActiveX. It was a little much to ask them to get out the Office ActiveX fix, though."

Schultze was talking about a bug in an ActiveX control used by Office Web Components to display Excel spreadsheets in IE. Microsoft warned users of the vulnerability only yesterday. By today, Web attacks had rapidly increased. On Monday, however, Microsoft said that it wouldn't wrap up a fix in time for today's release.

Like the DirectShow ActiveX flaw that was patched today, Microsoft has released a "Fix It" tool that users can download and run themselves to kill the control. But, according to Schultze, Microsoft's not planning to push a kill-bit update to users for this second flaw. "Setting the kill bits actually impedes functionality," Schultze said. "Microsoft told me today that they're working on a file-level fix."

Other researchers speculated that Microsoft might depart from its usual once-per-month patch schedule to get such a fix out before Aug. 11, the next regularly-scheduled update. "Obviously, that would be much better," agreed Wolfgang Kandek, chief technology officer at security company Qualys.

The third critical update, MS09-029, also caught the eyes of Schultze and Kandek. Two vulnerabilities in Embedded OpenType (EOT) Engine leave all versions of Windows, including Vista and Server 2008, open to attack.

"It looks pretty easy to exploit," said Kandek. "If you view some text on a Web site in that font, you're compromised. And if the attack comes in an e-mail, there's no need to open an attachment, you can be compromised just by viewing the e-mail."

Schultze agreed. Calling the font vulnerabilities "nasty," he said that they could quickly be used up by hackers. "If there's exploit code available, which there isn't yet, these would be pretty easy to exploit," Schultze said.

Microsoft also delivered patches today for bugs in Publisher 2007, ISA 2006 and the client and server editions of its virtualization software. The ISA bug, described in MS09-031 intrigued both Kandek and Schultze, but not for the same reasons.

"You can gain full control of the server if you know the administrator password," said Kandek. "And in some situations, that password may be 'administrator' or 'admin' or even 'root'."

Shops with weak usernames may be at risk of information theft, added Amol Sarwate, the manager of Qualys' vulnerability research lab. "[Attackers] could install small malware and maybe sniff the Web traffic [through the server], access other systems on the same network or even redirect users to another Web site," Sarwate speculated.

Schultze dismissed those worries. "It looks like all the planets have to [be] aligned just right," he said, referring to the narrow scenario Microsoft spelled out. "I'd call that a real edge case."

The remaining two updates patched Publisher 2007 ( MS09-030) and Virtual PC and Virtual Server ( MS09-033). Neither drew much attention from Schultze, Kandek or Sarwate.

Storms, however, put a finger on the Publisher patch. "MS09-029 and MS09-030 are bucking the trend," said Storms, talking about the Publisher and OpenType bulletins. "Typically, Microsoft's newer software is more secure, but that's not the case here.

"The fact that we got them both in the same month is probably just a coincidence," Storms continued. "But it doesn't surprise me that researchers are looking at the newer software, because it's the newer software that's being deployed."

Schultze and Kandek noted that the OpenType vulnerabilities' appearance in all versions of Windows, up to and including the unfinished Windows 7, likely means Microsoft had overlooked the flaw for years. "It tells me that that particular component has received less attention," Kandek said, "and that Microsoft didn't change anything in the code from when it was first used in [Windows] 2000.

And the virtualization software bugs? Nothing much to worry about, said Schultze, since there's no chance that an attacker could escape the "guest" operating system to wreak havoc on the "host."

"But I think it's a sign of things to come," argued Kandek. "Virtualization adds to the attack surface rather than subtract."

July's updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags security patchMicrosoftactivexbugs

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?