Patch Tuesday brings with it a host of security issues with Vista, issues with virtualization and a fun time for system administrators who deal with clients using some wildly popular Microsoft applications: Internet Explorer and Excel.
On Aug. 14, Microsoft released nine security patches for 14 vulnerabilities, with six of the updates rated critical, in its biggest patch release since February.
“With nine security bulletins, today is the second-busiest Patch Tuesday this year,” said Dave Marcus, security research and communications manager at McAfee Avert Labs, in a statement. “Many of the vulnerabilities addressed by Microsofts fixes could be exploited if a Windows user simply visits a malicious Web site. Microsofts patches again underline the trend of malware writers seeking out the Web browser as a means of attack and reinforce the need of safe browsing habits.”
One thing that Microsoft failed to get out: an update that would address an ATI driver vulnerability that affects the Vista kernel. Microsoft told eWEEK that its now working with Advanced Micro Devices on a fix for that issue.
All nine of the security bulletins pertain to what Eric Schultze, chief security architect at Shavlik Technologies, calls client-side vulnerabilities. That means a user has to take action in order to get attacked. In most cases that involves visiting a malicious site, reading a malicious e-mail or opening a malicious file.
The good news: Server administrators running big server farms, with no users executing script that can install code onto their systems, have it easy. Their servers are safe, Schultze said, given that theres no vulnerability that can result in a Code Red or Nimba worm situation.
Still, todays patch load is enough reason to disconnect your PC from the wall for a few weeks, he said, given that if you visit a malicious site, there are six ways you can get attacked.
Starting at the top is MS07-042, a vulnerability in Microsoft XML Core Services that could allow remote code execution. This vulnerability, which can be exploited through attacks on Microsoft XML Core Services, involves a user viewing a maliciously crafted Web page using IE (Internet Explorer).
That one, rated critical, goes hand in hand with MS07-043, Microsofts security bulleting regarding a vulnerability in OLE Automation that could also get your system hijacked. Users are vulnerable if they view malicious sites that contain attacks on OLE (Object Linking and Embedding). Both MS07-042 and -043 were found by the same researchers: An anonymous researcher working with the VeriSign iDefense VCP and an anonymous researcher working with the Zero Day Initiative.
A third critical vulnerability is detailed in MS07-044, which addresses an Excel problem that could allow remote code execution if a user opens a malicious Excel file. Nothing new there—Excel security vulnerabilities are popping up regularly nowadays, Schultze noted.
The MS07-045 security bulletin scoops up three critical vulnerabilities in IE that could get your system hijacked if you view a malicious site with the browser, given that a maliciously crafted page can trigger ActiveX controls on vulnerable systems. The flaws pertain to just about all versions of IE, including on Vista.
Ms07-046 is another critical bulletin, involving a vulnerability in GDI that could allow for remote code execution. This one involves visiting a malicious site that contains an evil graphic. As soon as you view the graphic through a banner ad or on a site, the malicious graphic attacks your system. Microsoft has patched GDI multiple times already, Schultze noted.
Amol Sarwate, manager of the Vulnerabilities Lab at Qualys, said -046 would likely be his top-priority patch to apply, followed by the IE and Excel patches, given the applications prevalence and the consequences of remote code execution.
MS07-050 addresses a critical vulnerability in VML (Vector Markup Language) that also allow for remote code execution.
MS07-047 deals with two important vulnerabilities in Windows Media Player—particularly, in the skins that make Media Play look pretty—that could lead to remote code execution.
One important security bulletin, MS07-048, is notable in that the two vulnerabilities addressed arent in old code—theyre in Vistas Windows Gadgets, a new application that lets you run gadgets on the side of your screen that do things like display clocks or the weather or sports information.
Microsoft Tackles Vista, Virtualization
If a gadget creator is evil, Schultze said, he or she can execute other code in that box on the side of your screen, given that the vulnerabilities allow anonymous remote attackers to run code with the privileges of a logged-on user.
“If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contacts Gadget or a user clicked on a malicious link in the Weather Gadget an attacker could potentially run code on the system,” Microsoft said in its bulletin. No other operating systems besides Vista are vulnerable to this one.
To read about Vistas top three support issues, click here.
Finally theres MS07-049, a flaw thats only rated important but which researchers find very interesting. This vulnerability concerns the ability to elevate privileges in Virtual PC and Virtual Server that could allow a guest operating system user to run code on the host or another guest operating system.
“While it is not the most severe vulnerability covered by Microsoft this month, IBM ISS considers MS07-049, the virtual machine vulnerability in Microsoft Virtual PC and Microsoft Virtual Server, to be the most interesting,” said X-Force Researcher Tom Cross in a statement. “Enterprises are increasingly embracing virtualization to simplify IT management and cut infrastructure costs. As this trend continues, were going to see attackers use vulnerabilities like MS07-049 to leverage control over one virtual host to infect others on the same server. This is a new kind of attack methodology that requires unique protection.”
To exploit this virtualization vulnerability, a guest operating system does need administrative permissions to the guest operating system, Microsoft noted.
Still, its notable, given that this flaw allows a guest to cross a chasm thats supposed to be uncrossable, breaking out of one machine and into another because theyre running on the same piece of hardware, Schultze noted.
“Thats a big one if youre relying on virtualization,” he said. Microsofts Virtual PC and Virtual Server technology may be less widely deployed than that of VMware, but it is still used on plenty of production servers to host Web sites or other applications, he said.
To sum it all up: As Paul Zimski, senior director of market and product strategy for PatchLink put it, this months Patch Tuesday “has headache written all over it.”
The details of the patches indicate a broad spectrum of exposure, Zimski said in a statement. “The potential attack vectors exposed by these vulnerabilities include direct OS targeting (including Vista x32 and x64), fully-patched Internet Explorer 6 and 7, XML core services, Windows Media Player and Office. This is a target-rich environment for hackers. Organizations need to remediate these vulnerabilities as quickly as possible to avoid falling victim to quick turnaround exploits.
“All six critical patches require system reboots. Along with two of the important patches, the critical patches all address vulnerabilities which, if exploited, could introduce remote code execution and allow hackers to completely take over a machine. This creates a nightmare scenario, and is not far off from complete administrator access—the favorite attack vector.”
Indeed, some of the patches labeled “important” should actually be treated as critical, Zimski said.
“For instance, #6 addresses remote code execution through Windows Media Player. This is only given a rating of important because it requires some form of user interaction, but many users browsing the Internet are viewing media. Even if an organization blocks certain Web sites or Active content, they typically dont block streaming media which could easily trick users into compromise if this vulnerability is exploited.”
To get Microsofts downloads, go to the bulletin summary page for August 2007.
Shavlik is having a Webinar for its customers to go over the patches on Aug. 15 at 11a.m. CDT.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.