Microsoft fixes 49 security vulnerabilities in a monster Patch Tuesday update, including a privilege escalation bug exploited by Stuxnet.
Microsoft released 16 security bulletins today as part of a massive Patch
The record-breaking update includes fixes for 49
affecting Windows, Internet Explorer, Microsoft
Office and the .NET Framework. Mixed in with
the fixes is a patch for one of the zero-day vulnerabilities
the Stuxnet worm. According to Symantec's Joshua Talbot, Stuxnet-which
targets industrial control systems-exploited a privilege escalation
vulnerability in the Windows kernel-mode drivers.
"Stuxnet uses the Win32 Keyboard Layout Vulnerability to gain
administrator privileges on infected computer systems," explained Talbot,
security intelligence manager for Symantec Security Response. "This
functionality ensures that none of the threat's malicious actions get blocked
on targeted systems due to lack of permission."
The patch means there is still one zero-day used by the malware that remains
open. However, the most urgent patches released today are unrelated to
Stuxnet, some said.
"The Internet Explorer bulletin along with the Embedded
OpenType bug fixes
should make it to the top of the 'fix it' list for
everyone because they can both be used for dangerous drive-by attacks,"
said Andrew Storms, director of security operations at nCircle. "Don't
wait, get these patches installed as quickly as possible."
The Embedded OpenType Font Engine vulnerability is due to the way the
technology parses certain tables in specially crafted embedded fonts. If
exploited, an attacker could use it to hijack a system, Microsoft
warned. The IE update, which like the Embedded OpenType Font
Engine bulletin is rated "critical," does not impact the IE 9
beta, the company added.
"It is a critical update for Internet Explorer 6, 7 and 8 and has an
exploitability index of , indicating that Microsoft believes the
vulnerability is relatively easy to exploit," blogged Wolfgang Kandek, CTO
Among the other critical security bulletins is one covering a remote code
execution issue in the .NET Framework. The
bug in the .NET Framework could enable
remote code execution on a client system if a user views a specially crafted
Web page using a Web browser that can run XAML Browser Applications (XBAPs).
"Users whose accounts are configured to have fewer user rights on the
system could be less impacted than users who operate with administrative user
rights," Microsoft explained in the advisory. "The vulnerability
could also allow remote code execution on a server system running IIS, if that
server allows processing ASP.NET pages and
an attacker succeeds in uploading a specially crafted ASP.NET
page to that server and then executes the page, as could be the case in a Web
Rounding out the critical bulletins is a patch for a vulnerability in Media
Player Sharing Service, which could be exploited if an attacker sent a
malicious RTSP packet to an affected system. Mitigating this however is the
fact that Internet access to home media is disabled by default, Microsoft
noted. In this default configuration, the vulnerability can be exploited only
by an attacker within the same subnet.
Of the remaining bulletins, two are rated "moderate." The other 10-including
the bulletin addressing the vulnerability exploited by Stuxnet-are rated "important."
"Microsoft has broken several of its own Patch Tuesday records this
year, but this month far surpasses them all," Talbot said. "Perhaps
most notable this month is the number of vulnerabilities that facilitate remote
code execution. By our count, 35 of the issues fall into this category. These
are bugs that could allow an attacker to run any command they wish on