3 min read

Microsoft Issues Three Patches For Eight Vulnerabilities

A "critical" update resolves a vulnerability in the Windows kernel that could allow remote code execution if a user views a maliciously crafted EMF or WMF image file.
Microsoft on Tuesday released three Security Bulletins addressing eight separate vulnerabilities.

One bulletin is rated "critical" and two are rated "important."

MS09-006 ("critical") resolves a vulnerability in the Windows kernel. The flaw could allow remote code execution if a user views a maliciously crafted EMF or WMF image file.

MS09-007 ("important") addresses a vulnerability in the Secure Channel (SChannel) security package in Windows. If exploited, it could allow spoofing, provided the attacker gains access to an end-user authentication certificate.

MS09-008 ("important") fixes vulnerabilities in the Windows DNS server and Windows WINS server. If exploited, these vulnerabilities could allow network traffic hijacking.

As expected, Microsoft did not patch the Excel vulnerability disclosed last month.

John Moyer, CEO of BeyondTrust, said in an e-mail that organizations should be particularly vigilant about malware attempting to exploit the Excel vulnerability given that Excel is used more frequently during tax season.

Alfred Huger, VP of development at Symantec Security Response, warned in an e-mail that the Windows kernel vulnerability could allow an attacker to take over a victim's computer using an HTML e-mail or an e-mail attachment containing a .WMF or .EMF image file. He added that being on the lookout for these lesser-known file types may not help since it's possible to disguise .WMF and .EMF files as more common image formats like .JPG.

Eric Schultze, CTO of Shavlik Technologies, said in an e-mail that MS09-006 follows a long line of image vulnerabilities. "The flaw actually resides in the Windows kernel -- but is only exploited when managing the malformed pictures," he said. "All that the attacker needs to do is encourage a victim to view a specially formatted image and the attacker can run code on the victim's system. The evil code will execute with system privileges -- even if the user wasn't logged on as an administrator."

"MS09-006 is going to be a huge undertaking," said Paul Henry, security forensic analyst at Lumension, in an e-mail. "The broad platform impact of the bulletin suggests that core services of the Windows operating system are to be modified, rather than isolated application components. When working on the core infrastructure, it opens up other applications to potential risk, making a simple patch deployment impossible. To make sure this is secure, IT departments will have to reboot all Windows machines in the entire enterprise."

Is your vulnerability management program ready for 2009? You can't protect everything, so the key is to focus to reduce exposure. Download the report here.