Microsoft released six patches Nov. 10 to cover 15 security vulnerabilities.
Three of the bulletins address critical Windows security issues. Those bulletins cover a variety of issues affecting the WSDAPI (Web Services on Devices Application Programming Interface), vulnerabilities in the Windows kernel and a privately reported vulnerability in Windows 2000.
“The Embedded OpenType (EOT) font kernel vulnerability is the most serious in our opinion,” said Ben Greenbaum, senior research manager at Symantec Security Response. “Not only is proof-of-concept exploit code publicly available, but all that’s required of a user to become infected by it is simply viewing a compromised Web page. Symantec isn’t seeing any active exploits of this in the wild yet, but we think attackers will be paying a lot of attention to it in the future.”
The EOT parsing vulnerability is covered in the MS09-065 bulletin, which also addresses two other Windows kernel bugs. An attacker who exploits the EOT vulnerability could run arbitrary code, Microsoft warned.
“In an e-mail attack scenario, an attacker could exploit the vulnerability by sending an e-mail message with an attached Microsoft Word or PowerPoint file containing a specially crafted EOT font embedded in the document and convincing the user to open or preview the file,” the advisory read.
Another critical Windows bulletin is MS09-063, which addresses a vulnerability caused by the WSDAPI not correctly validating specific headers of a received Web Services Device message. On all affected platforms (editions of Windows Vista and Windows Server 2008), the API is available by default. An attacker who exploited this vulnerability could take control of a vulnerable system by sending a specially crafted message to the WSD TCP ports 5357 or 5358.
The final critical bulletin, MS09-064, fixes a vulnerability affecting Windows 2000 computers running the License Logging Server that a remote attacker can exploit to execute code.
The remaining three bulletins are rated important. Two of these bulletins affect Microsoft Office, and are classified as remote code execution vulnerabilities. The final bulletin resolves a security issue in Active Directory that can be exploited to trigger a denial-of-service condition.