Microsoft patch day includes patches for Windows 7
Microsoft has released three critical and three important updates on its December Patch Tuesday. The most important of them is undoubtedly the cumulative update for Internet Explorer, which is designed to close a security hole that has been known for several weeks.
In addition, security bulletin MS09-072 reports four further critical vulnerabilities in Internet Explorer that were privately reported to Microsoft. In the security team's opinion, reliable working exploits will soon be circulated for all of these vulnerabilities. Three of the holes affect Internet Explorer 8 under Windows 7 to a degree that could allow malicious websites to infect a computer. Embarrassingly, the vendor had to fix another hole related to the Active Template Library flaw.
Bulletin MS09-71 reports that two holes were found in Microsoft's Internet Authentication Service (IAS). The problem doesn't only affect servers, as the client-side code for establishing connections that are authenticated via MS-CHAP2 also appears to be affected. However, Microsoft points out that Windows itself doesn't use this code on clients – or at least it doesn't use it in a way that makes the hole exploitable. Apparently only third-party software exposes the hole.
MS09-074 is the third critical bulletin and describes a hole in Microsoft Office Project that can be exploited via specially crafted project files. A web page can apparently be set up in such a way that simply visiting it is enough to make the vulnerable Office application open the file.
This doesn't seem to be the case in the specially crafted Word 97 documents that exploit a security hole in the text converter of Wordpad and Office. As a result, the hole described in MS09-73 was not given the highest threat rating, although potentially it also allows attackers to gain full control of a Windows PC.
The two Active Directory Federation Services (ADFS) holes discussed in MS09-70 only affect (web) servers. Finally, MS09-69 describes a flaw that potentially allows attackers to cripple the LSASS service of a Windows server system via IPSec.
- Microsoft Security Bulletin Summary for December 2009, security advisory from Microsoft.