Unless you're running Windows 7 or Windows Server 2008 R2, you'll want to install all five of the critical September patches from Microsoft to your systems as soon as possible.
Issues addressed by three of the five critical patches released by Microsoft this month can be exploited "drive-by" style while browsing the Internet: Two can sneak up on your laptop or Internet-connected machines without your knowledge.
Before leaving the office today, inventory your Internet-connected systems and plan to patch these systems over the next couple of days.
Microsoft Security Bulletin MS09-048 patches a flaw in the TCP/IP stack that can allow attackers to launch a denial of service attack against your Web servers, SQL Servers, or any other machine with a listening TCP service. This is bad news for Microsoft's IIS server, which accounts for 22% of all Web servers on the Internet.
While this attack may be more noticeable on Internet-facing systems, internal attackers may launch denial of service attacks against inside systems like the corporate domain controllers, file servers and database servers.
Windows 7 and Windows Server 2008 R2 systems are immune to this attack; all other operating systems are vulnerable. Unfortunately, Microsoft said it was unable to create a patch for Windows 2000 systems because of the extensive redesign of the OS that would be required to protect it. Microsoft predicts that denial of service attack code will be developed within the next 30 days.
Evil packets can find you at Starbucks
If you're planning to take your Vista laptop on your next business trip, or even to the coffee shop down the road, don't turn it on until you've applied patch MS09-049. Vista's wireless LAN autoconfig feature means rogue wireless routers can send evil packets to your laptop and execute code on your system. The code would run with your logged-on privileges and can do anything to your system or data that you can do. This patch also applies to Windows Server 2008.
The remaining three patches address "drive-by" vulnerabilities where the attacker can execute code on your computer if you visit their malicious website. In each case, the evil code will execute with the same permissions as the logged-on user. If you're logged on with administrative privileges, this means the code can delete files on your computer, create new accounts or install backdoors for future use.
MS09-045 targets all operating systems except Windows 7 and Windows Server 2008 R2. The flaw resides in the JScript engine, which ships with Internet Explorer. According to Microsoft, users with IE8 are at less risk than those running earlier browser versions, though they are still vulnerable. Microsoft expects reliable exploit code to be released for this issue within 30 days.
MS09-046 impacts Windows 2000, XP and Windows Server 2003. A vulnerable ActiveX control can be instantiated by an evil website, where the control can be made to execute code of the attacker's choice. Users running on Windows Server 2003 are at less risk. Microsoft notes that this ActiveX control flaw is NOT related to the ATL security vulnerabilities identified in ActiveX controls last month.
MS09-047 is the last of the client-side vulnerabilities this month and impacts all operating systems except for Windows 7/Windows Server 2008 R2. This vulnerability affects Windows Media activities. Playing a malformed MP3 file or visiting an evil website with streaming media can allow the attacker to execute code on your system. Microsoft expects reliable exploit code to be released for this issue within 30 days.
ABOUT THE AUTHOR:
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, he worked for Microsoft where he helped manage the security bulletin and patch release process. Eric likes to forget that he used to work as an internal auditor on Wall Street.