Microsoft Patches Stuxnet Vulnerability in Massive Security Update

Microsoft fixes 49 security vulnerabilities in a monster Patch Tuesday update, including a privilege escalation bug exploited by Stuxnet.

Microsoft released 16 security bulletins today as part of a massive Patch Tuesday update.

The record-breaking update includes fixes for 49 security vulnerabilities affecting Windows, Internet Explorer, Microsoft Office and the .NET Framework. Mixed in with the fixes is a patch for one of the zero-day vulnerabilities used by the Stuxnet worm. According to Symantec's Joshua Talbot, Stuxnet-which targets industrial control systems-exploited a privilege escalation vulnerability in the Windows kernel-mode drivers.

"Stuxnet uses the Win32 Keyboard Layout Vulnerability to gain administrator privileges on infected computer systems," explained Talbot, security intelligence manager for Symantec Security Response. "This functionality ensures that none of the threat's malicious actions get blocked on targeted systems due to lack of permission."

The patch means there is still one zero-day used by the malware that remains open. However, the most urgent patches released today are unrelated to Stuxnet, some said.

"The Internet Explorer bulletin along with the Embedded OpenType bug fixes should make it to the top of the 'fix it' list for everyone because they can both be used for dangerous drive-by attacks," said Andrew Storms, director of security operations at nCircle. "Don't wait, get these patches installed as quickly as possible."

The Embedded OpenType Font Engine vulnerability is due to the way the technology parses certain tables in specially crafted embedded fonts. If exploited, an attacker could use it to hijack a system, Microsoft warned. The IE update, which like the Embedded OpenType Font Engine bulletin is rated "critical," does not impact the IE 9 beta, the company added.

"It is a critical update for Internet Explorer 6, 7 and 8 and has an exploitability index of [1], indicating that Microsoft believes the vulnerability is relatively easy to exploit," blogged Wolfgang Kandek, CTO of Qualys.

Among the other critical security bulletins is one covering a remote code execution issue in the .NET Framework. The bug in the .NET Framework could enable remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs).

"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," Microsoft explained in the advisory. "The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario."

Rounding out the critical bulletins is a patch for a vulnerability in Media Player Sharing Service, which could be exploited if an attacker sent a malicious RTSP packet to an affected system. Mitigating this however is the fact that Internet access to home media is disabled by default, Microsoft noted. In this default configuration, the vulnerability can be exploited only by an attacker within the same subnet.

Of the remaining bulletins, two are rated "moderate." The other 10-including the bulletin addressing the vulnerability exploited by Stuxnet-are rated "important."

"Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all," Talbot said. "Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines."