Each bulletin has one or more patches to fix critical security issues, some of which are already being exploited. Three bulletins discuss attacks that can be used to take over computers without any user interaction. The remaining bulletins warn about client-side vulnerabilities, which can be attacked when a user visits an evil website or opens a malformed document.
Remote attacks (or server-side attacks) can be performed against desktops, laptops or servers running services such as the file and printing services or Web services. An attacker can send malicious packets to the TCP ports running these services. Once the packets are received, they are usually coded to take actions such as adding user accounts, installing backdoors or shutting down the system entirely.
Since file, printing and Web services are intended to be available to remote users, the TCP ports are also open to exploits. Attackers can launch exploit code at any time, and unlike the client-side attacks discussed below, users don't need to be on their systems for an attack to be successful. Server-side attacks are commonly turned into worms because they don't require any user interaction to spread.
- MS09-050 should be immediately installed on your Vista and Windows Server 2008 systems. This patch fixes a problem that attackers can use to send packets to these machines and either cause them to stop working or execute code. No authentication is required -- the attacker needs only to send packets to TCP Ports 139 or 445. Since these file- and printer-sharing ports are typically blocked at a corporate firewall, attacks are more likely to originate from internal users. Exploit code for this vulnerability is circulating on the Internet, so attacks could be imminent. A reboot should be performed after installing this patch.
- MS09-053 patches a flaw in the FTP service in Internet Information Services (IIS) 5, 6 and 7. This vulnerability can allow attackers to take any actions they want against IIS 5 machines running the FTP service, including executing code, adding user accounts, deleting files and modifying websites. For IIS 6 and 7 machines, the attacker could cause the FTP service to stop functioning but would not be able to take any other actions on those systems. Exploit code for this issue has been posted on the Internet, and attacks have been identified at customer sites.
- MS09-059 is a patch to prevent attackers from remotely rebooting computers. This flaw is present only if the previously suggested -- but not required -- Patch KB968389 has been installed. If this patch is present and the attacker can send NTLM (NT LAN Manager) authentication packets for file and printer sharing, IIS, FTP, Telnet, etc., the attacker can cause your computer to restart.
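The MS09-050 flaw above is reachable by unauthenticated packets to TCP 139/445, and server-side flaws of this kind tend to spread from inside the firewall without user action. One defensive check is to scan firewall or flow logs for a single internal host fanning out to many peers on those ports. This is an added example, not code from the article; the log line format and sample addresses are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed sample of firewall/flow log lines (not from the article):
# "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2009-10-14T09:00:01 10.1.2.15 10.1.2.20 445
2009-10-14T09:00:01 10.1.2.15 10.1.2.21 445
2009-10-14T09:00:02 10.1.2.15 10.1.2.22 445
2009-10-14T09:00:02 10.1.2.15 10.1.2.23 139
2009-10-14T09:00:03 10.1.2.15 10.1.2.24 445
2009-10-14T09:00:03 10.1.2.15 10.1.2.25 445
2009-10-14T09:00:05 10.1.2.40 10.1.2.20 445
2009-10-14T09:00:06 10.1.2.40 10.1.2.20 445
2009-10-14T09:00:07 10.1.2.41 10.1.2.50 80
"""

# File- and printer-sharing ports named in the MS09-050 bulletin.
SMB_PORTS = {139, 445}


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, port) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((ts, src, dst, int(port)))
    return flows


def smb_fanout(flows, threshold=5):
    """Return {src: distinct_destination_count} for sources that contacted at
    least `threshold` distinct hosts on TCP 139/445. One workstation reaching
    many peers' file-sharing ports in quick succession is the pattern a
    self-spreading exploit of a server-side SMB flaw produces; a user mapping
    one or two shares (10.1.2.40 below) stays under the threshold."""
    targets = defaultdict(set)
    for _, src, dst, port in flows:
        if port in SMB_PORTS:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def suspicious_sources(text, threshold=5):
    """Convenience wrapper: parse the log text and apply the fan-out check."""
    return smb_fanout(parse_flows(text), threshold)


if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{src} reached {n} hosts on SMB ports; verify MS09-050 is installed")
```

The threshold is a tuning knob: raise it on networks where hosts legitimately browse many shares, and pair the alert with a check that the contacted hosts have MS09-050 applied.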
Client-side attacks are most often initiated when a user visits a malicious website or opens a malformed document such as an Excel worksheet or an email. The attack can't happen unless the user takes one of these actions or executes specific attack code on his own computer.
Of the nine bulletins discussed below, seven relate to viewing content on malicious websites, one is specific to running exploit code on your own computer, and one can be used to entice users to provide sensitive information to a bogus website.
- MS09-051 fixes a flaw in the handling of Windows Media content. Visiting an evil website can trigger this attack without any further user interaction. The attacker can take actions on the computer with the same level of permission as the currently logged-on user. All operating systems are affected by this vulnerability except Windows 7 and Windows Server 2008 R2. This vulnerability is more complicated to remedy because up to three different patches must be installed on each Windows 2000, Windows XP and Windows Server 2003 system to protect them.
- MS09-052 is a similar vulnerability to MS09-051 but is specific to Windows Media Player on Windows 2000, XP and Server 2003 systems. That means up to four patches must be installed on these systems to protect them from malicious media attacks.
- MS09-054 is a patch for all versions of Internet Explorer. This patch corrects a flaw that would allow malicious websites to take actions on visiting computers, including accessing or deleting data to which the logged-on user has access. Simply viewing a bad website can cause these actions to occur. This patch is cumulative and fixes all prior known Internet Explorer security issues.
- MS09-057 is a similar exploit scenario to MS09-054: Visit an evil website and the attacker can perform actions on your system with the same level of permissions as the currently logged-on user. In this instance, the flaw resides in the Indexing service on Windows 2000, XP and Server 2003 systems.
- MS09-055 is a cumulative update that blocks all known malicious ActiveX controls from executing. This patch builds upon the previously released MS09-035 patch and adds support to block attacks against Office Web Components, the Visio Viewer control, Windows Live Mail control and the MSN Photo Upload tool. MS09-060 is a similar patch that protects against attacks aimed at Microsoft Office products.
- MS09-056 fixes a problem with certificate handling by clients and servers. In a very complicated scenario, an attacker could set up a secure lookalike website and direct your users' computers to that website. Although it appears that the user is connected to a legitimate website because the Secure Sockets Layer padlock icon is present, they may actually be connecting to a rogue website set up to collect personal information.
- MS09-058 fixes a privilege-elevation vulnerability. This flaw would enable someone with user-level permissions on his computer to execute a piece of code that would effectively make him an administrator on his local computer. Privilege-elevation attacks usually require that the attacker be sitting in front of the computer that he wishes to target or be connected via Remote Desktop or Terminal Services.
- MS09-062 provides protection when viewing images on evil websites. When viewed, these malicious graphics can execute code on a system and take any action that the currently logged-on user can perform. There are multiple patches required to fix this vulnerability based on the type of applications installed on your system (such as Office or SQL Server).
I recommend installing the patches for MS09-050 and MS09-053 immediately, since exploit code has been released for these vulnerabilities, and the potential effect of exploitation is serious. Install the IE patch (MS09-054), media-related patches (MS09-051 and MS09-052), Indexing patch (MS09-057), ActiveX patches (MS09-055 and MS09-060), and image-rendering patch (MS09-062) on all end-user systems as soon as possible, followed by MS09-056 and MS09-058 soon thereafter.
It's a lot of patches, but also a lot of security issues to address.
ABOUT THE AUTHOR:
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.