Two new zero-day exploits dent Microsoft's Patch Tuesday
Microsoft's Patch Day delivered eight updates, but it has been overshadowed by two newly discovered zero-day holes which are apparently not closed by the new updates.
As promised by Microsoft, this Patch Tuesday's updates include security patches for the GDI Windows system component, the Windows media components, the Windows Search feature, Internet Explorer, Word, Excel, Visual Basic 6.0, and SharePoint Server and Search Server. The Windows Malicious Software Removal Tool also received an update.
But earlier in the day, SEC Consult security expert Bernhard Mueller reported a memory corruption flaw in Microsoft SQL Server 2000 (in the sp_replwritetovarbin stored procedure, see his advisory below) which he was able to exploit in his lab to inject and execute code on the system.
This was joined later in the day by an exploit targeting Internet Explorer 7's handling of XML which is being circulated on Chinese forums. According to the US website PCWorld, security expert Wayne Huang of Armorize Technologies reports that this hole is already being exploited. On a heise Security Windows XP test system, already updated with the December patches, the zero-day exploit launched a program called ko.exe which immediately contacted a Chinese server and began to install rootkit components. The problem is therefore extremely critical and acutely threatens users of Internet Explorer 7. As a temporary workaround, users can disable Active Scripting as described in heise's Browsercheck.
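The workaround mentioned above, applied from the command line rather than through the Internet Options dialog. This is an added example written for this page, not code from the article, from heise's Browsercheck or from Microsoft. It assumes the standard Internet Explorer zone registry layout: the Internet zone is zone 3 and the "Active scripting" URL action is the DWORD value named 1400 (0 = Enable, 1 = Prompt, 3 = Disable). The function name Get-ActiveScriptingState is the example's own.

```powershell
# Added example (editor), not from the article, heise's Browsercheck or Microsoft.
# Disables Active Scripting in the Internet zone (zone 3) for the current user and
# reads the setting back. Registry value "1400" is the "Active scripting" URL action:
# 0 = Enable, 1 = Prompt, 3 = Disable.
$zonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName = '1400'

function Get-ActiveScriptingState {
    $item = Get-ItemProperty -Path $zonePath -Name $valueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'not set (IE default for the Internet zone is Enable)' }
    switch ($item.$valueName) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "unknown value $($item.$valueName)" }
    }
}

# If the machine-wide policy Security_HKLM_only is set, IE ignores the per-user zone
# settings; the same value must then be changed under
# HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 instead.
$policy = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
                           -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue
if ($policy -ne $null -and $policy.Security_HKLM_only -eq 1) {
    Write-Warning 'Security_HKLM_only is set: per-user zone settings are ignored, edit the HKLM key instead.'
}

'Before: ' + (Get-ActiveScriptingState)
Set-ItemProperty -Path $zonePath -Name $valueName -Value 3 -Type DWord
'After:  ' + (Get-ActiveScriptingState)
```

Setting the value back to 0 re-enables scripting once a patch is available. Disabling scripting in the Internet zone breaks many sites; sites that are needed in the meantime can be added to the Trusted Sites zone (zone 2), which keeps its own 1400 value. Open Internet Explorer windows pick the change up only after a restart of the browser.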
Although the patches provided this December don't solve these two new problems, they should still be installed as soon as possible. The six "critical" updates fix flaws which, at worst, allow attackers to inject and execute arbitrary code. Among them is a patch collection for the GDI (Graphics Device Interface) Windows graphics library for all versions of Windows (MS08-071). An integer overflow and a heap overflow can be triggered when processing image files in WMF format, allowing attackers to run arbitrary code with the privileges of the logged-on user and, if that user is an administrator, to gain complete control of the system. Users don't even need to open a specially crafted image file: programs like Internet Explorer render images automatically when displaying a web page.
The security holes in the Windows Search feature of Vista and Server 2008 (MS08-075) can be exploited when a user clicks on a specially crafted search URL or opens a specially crafted saved-search file. These vulnerabilities likewise allow code execution with the rights of the user. Versions 5.01, 6 and 7 of Internet Explorer once again received a cumulative security update (MS08-073). It closes a total of four holes which can be exploited to infect systems with malicious software when users surf the web. The same applies to the programming flaws in the ActiveX controls shipped with the Visual Basic 6.0 runtime extended files (MS08-070).
Microsoft also fixed eight programming flaws in Word (MS08-072) and three in Excel (MS08-074). The related security holes can be exploited when users open suitably crafted Office documents. While the vulnerabilities are rated only "Important" for the Office versions from 2000 onwards, Microsoft considers the problem "Critical" in Word 2007. Office 2000, 2002 and 2003, however, no longer contain the Word programming flaws once Service Pack 3 has been installed.
Although the vulnerabilities in the Windows Media Player 6.4 components, in Windows Media Format Runtime and in Windows Media Services (MS08-076) also allow attackers to remotely execute malicious code, they have only been given an "Important" rating. Microsoft gave the same rating to the update for SharePoint Server 2007 and Search Server 2008 (MS08-077). Without the patch, attackers can gain unauthorised access to several administrative functions, which can be exploited to cripple the service or to retrieve protected information.
With a total of 13 holes for which Microsoft rates "Consistent Exploit Code Likely" (rating 1 on its Exploitability Index) and two still open zero-day holes, one of which is already being actively exploited, we're not expecting a quiet end to the year.
- Microsoft SQL Server 2000 sp_replwritetovarbin limited memory overwrite vulnerability from Bernhard Mueller, SEC Consult
- In the wild IE7 0day, first analysis of the IE7 exploit by Thierry Zoller
- Microsoft Security Bulletin Summary for December 2008
- MS08-070 - Critical - Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)
- MS08-071 - Critical - Vulnerabilities in GDI Could Allow Remote Code Execution (956802)
- MS08-072 - Critical - Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)
- MS08-073 - Critical - Cumulative Security Update for Internet Explorer (958215)
- MS08-074 - Critical - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)
- MS08-075 - Critical - Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)
- MS08-076 - Important - Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)
- MS08-077 - Important - Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)
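A quick check of which of the Windows-component updates from the bulletin list above are recorded on a machine. This is an added example written for this page, not a tool from Microsoft or from the article. It assumes that each security update is registered under the KB number given in its bulletin title and that the machine's hotfix inventory is reachable through the Win32_QuickFixEngineering WMI class; the table variable and output format are the example's own.

```powershell
# Added example (editor), not from the article or from Microsoft.
# Lists which of the December 2008 Windows updates are recorded on the local machine.
# Win32_QuickFixEngineering only inventories Windows updates: the Office updates
# (MS08-072, MS08-074, MS08-077) are not recorded there and must be checked through
# Microsoft Update or the Office product itself.
$december = @{
    'KB932349' = 'MS08-070 Visual Basic 6.0 runtime ActiveX controls'
    'KB956802' = 'MS08-071 GDI'
    'KB958215' = 'MS08-073 Internet Explorer cumulative update'
    'KB959349' = 'MS08-075 Windows Search (Vista / Server 2008 only)'
    'KB959807' = 'MS08-076 Windows Media components'
}

$installed = Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }

foreach ($kb in ($december.Keys | Sort-Object)) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    '{0,-9} {1,-10} {2}' -f $kb, $state, $december[$kb]
}
```

"MISSING" does not always mean vulnerable: the update may not apply to the installed Windows version (MS08-075 on XP, for instance), or the affected component may not be present at all (the VB6 runtime controls). Conversely, an installed entry says nothing about the two zero-day holes, which none of these updates address.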