Patch Tuesday: Windows 3, Excel 0
The critical update in Microsoft Security Bulletin MS09-006 eliminates three vulnerabilities in the Windows kernel that attackers could exploit with crafted EMF or WMF image files. The interesting thing here is that at least two of the problems can occur in all supported versions of Windows. The critical vulnerability could allow remote code execution, but Microsoft only gives it a low Exploitability Index of 3 because it considers it unlikely that functioning exploit code for it will actually be seen.
A vulnerability in Microsoft's SSL (Secure Sockets Layer) library likewise affects all Windows versions. The checks on possession of the secret private key during authentication of X.509 certificates are inadequate. On a service using Transport Layer Security (TLS), that could let an attacker pose as a certificate holder, using just the public part of the key pair (MS09-007).
In MS09-008, Microsoft describes four vulnerabilities in the DNS and WINS servers that allow address spoofing. These server operating systems evidently don't do a proper check on DNS responses, so an attacker can spoof responses and poison the DNS cache. The description of the vulnerability resembles the problems with DNS servers from many makers that caused an uproar in 2008. Internet traffic may also be redirected to proxies controlled by an attacker via Web Proxy Auto-Discovery (WPAD), because the Windows WINS and DNS servers don't correctly check who is permitted to register WPAD entries on the DNS server.
Microsoft confirmed the existence of a security vulnerability in Excel two weeks ago, but still hasn't said when a patch might be expected. Traditionally, Microsoft doesn't classify vulnerabilities in Office programs as critical if users have to open Office files themselves, but only gives them high priority if they allow the injection of malicious software. Perhaps this lower priority applies not just to external, but also to internal processes.
Although the urgency of the three Microsoft updates issued should not be underestimated, the Adobe update for the PDF Reader promised for today, Wednesday 11 March, should be given a higher priority. This vulnerability, which could affect any desktop system with Adobe Reader installed, is already being exploited.
- Microsoft Security Bulletin Summary for March 2009
- Adobe patches critical hole in Flash Player, but PDF hole remains open, a report from The H Security.
- Critical vulnerability in Excel - Updated, a report from The H Security.