Microsoft on Tuesday released six bulletins as part of its monthly patch cycle. Three of the bulletins cover critical flaws, including two unpatched zero-day vulnerabilities. Three other bulletins address important risks that security researchers said can quickly escalate to critical.
Wolfgang Kandek, CTO of Qualys, said Microsoft's advisories should be addressed immediately because they allow an attacker to take complete control of a victim's computer.
Microsoft's proxy server, ISA Server 2006, has a vulnerability rated as important that allows remote unauthenticated users to access the server. Paired with knowledge of the administrator's username, however, attackers can take full control of the server. Because administrator usernames are often easy to guess, Kandek said, this vulnerability deserves special attention if IT organizations are running ISA with the RADIUS configuration.
Likewise, MS09-030, an advisory for the Publisher component of the MS Office 2007 suite, is rated as important, but the flaw can be used to take full control of a system if the victim is logged in as administrator. If an organization uses Publisher or has it installed as part of Office 2007, this should be treated as critical as well, Kandek said.
"Microsoft also provided patches for their virtualization product VPC and Virtual Server on all versions (MS09-033) preventing an elevation of privilege in the guest operating system. This is classified as important because local access to the guest OS is required," Kandek said. "This bulletin is interesting because this vulnerability is introduced by the fact that the OS is running under a virtual environment and allows the user access to privileged kernel mode."
True ActiveX Fix Coming
Andrew Storms, director of security operations for nCircle, isn't surprised that Microsoft released updates that address two of three critical zero-day exploits this month. He also anticipates a more complete patch for ActiveX later, since Tuesday's update only issues killbits on ActiveX controls in Internet Explorer.
Essentially, Microsoft opted to disable functionality with the MS09-032 security bulletin, but hasn't fixed the underlying vulnerability. That means if an attacker can manage to convince a user to revert the killbits, then the machine is once again vulnerable.
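Because the killbit is only a registry flag, a defender's useful check is whether it is still in place. The following PowerShell audit is an added example, not code from the article or from Microsoft; it reads the documented "Compatibility Flags" value (bit 0x400 is the kill bit) under each control's CLSID key, and the CLSID list is a placeholder to be replaced with the CLSIDs named in the bulletin.

```powershell
# Added example: report whether Internet Explorer kill bits are still set for a list of CLSIDs.
# The kill bit is bit 0x400 of the "Compatibility Flags" value under the control's CLSID key
# (a documented Microsoft mechanism). A cleared or missing flag means the mitigation was reverted.
$KillBitFlag = 0x400
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # 32-bit IE on 64-bit Windows
)
# PLACEHOLDER CLSID: substitute the CLSIDs listed in the bulletin being audited.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

function Test-KillBit {
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    $status = 'KeyMissing'
    $flags = $null
    if (Test-Path $key) {
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) {
            $status = 'ValueMissing'
        } elseif (($flags -band $KillBitFlag) -eq $KillBitFlag) {
            $status = 'KillBitSet'
        } else {
            $status = 'KillBitCleared'
        }
    }
    [pscustomobject]@{ Path = $key; Clsid = $Clsid; Flags = $flags; Status = $status }
}

$results = foreach ($base in $BasePaths) {
    if (Test-Path $base) {               # Wow6432Node does not exist on 32-bit Windows
        foreach ($c in $Clsids) { Test-KillBit -BasePath $base -Clsid $c }
    }
}
$results | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or monitoring agent alert when any kill bit has been reverted.
if ($results | Where-Object { $_.Status -ne 'KillBitSet' }) { exit 1 }
exit 0
```

Run it in an elevated session on the workstation being checked; a reverted or never-applied kill bit shows up as KillBitCleared, ValueMissing or KeyMissing.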
"Generally, newer Microsoft products have been more secure than older products. Either they are not affected by vulnerabilities or have lower severity ratings. However, this month we have two bulletins that buck the trend," Storms said. "MS09-029 lists the vulnerability as critical for all operating systems -- even the newer Vista and Server 2008. In the same vein, MS09-030 affects only the newest version of Microsoft Office Publisher. While having these two bugs in new Microsoft products fixed in the same month may only be a coincidence, it is something to watch in coming months."
ISA Authentication Bypass Vulnerability
As a researcher, Tyler Reguly, a senior security engineer at nCircle, is most interested in the ISA authentication bypass vulnerability. The severity of bypassing authentication on a Web page is often underestimated, he said. Considering the private corporate Web sites that are available through the Internet, and the amount of personal information contained on them, he deems this vulnerability scary.
"I think they had it right with missile launches -- two people, two keys. We live in an age where multifactor authentication should be mandatory. Fingerprint scanners + RFID cards are common for entry to offices, but a Web site takes a known username -- or worse, an e-mail address -- and a password, and that's just wrong," Reguly said. "Relying on a second method of authentication would make this vulnerability much less severe. Essentially, the second factor would still keep the attacker out even after this vulnerability had been exploited."