Patch Tuesday: Microsoft closes worm holes
As announced last week, Microsoft has released 9 security updates to close 11 security holes in its Windows, Office and Internet Information Services (IIS) products. Vulnerabilities rated critical by the company include holes in the Print Spooler Service, the MPEG-4 codec, the Unicode script processor and Outlook.
Microsoft's Security Response Center reports that the Spooler hole was found while analysing the Stuxnet worm, which was first discovered in connection with the LNK hole. Apparently, Stuxnet had a few additional, less obvious, tricks up its sleeve. The worm searched networks for systems that run the Print Spooler service, which isn't enabled by default, and infected these systems through an undisclosed hole. And that's not all: it then exploited two further undisclosed vulnerabilities to elevate its privileges. Microsoft says that it plans to close these zero-day holes in a future update.
Equipped with a valid digital signature, the worm specifically targeted WinCC SCADA systems made by Siemens and even exploited hard-coded access credentials to obtain database access. No previous worm has brought together four zero-day exploits and valid digital signatures; the newly emerged details of its capabilities renew the question of who created the worm and what its intended purpose was.
Further Microsoft updates fix vulnerabilities in Internet Information Services, in the RPC client and in WordPad. Although the vulnerabilities allow arbitrary code to be injected and executed remotely, the vendor has only given them a "high" priority rating. However, the remote injection and execution of code in IIS is only possible via the FastCGI option, which is disabled by default. The flaw in the RPC client can only be exploited when combined with a specially crafted RPC server, and the WordPad hole requires interaction with the user, who must open a document.
The updates also fix DoS vulnerabilities in the "Local Security Authority" Subsystem and in the Client/Server Runtime Subsystem (CSRSS).
- Microsoft Security Bulletin Summary for September 2010, advisory from Microsoft.