Patch Tuesday Cometh
So we're halfway through the year already and we have another Patch Tuesday. This month we are blessed by a total of ten security bulletins from the Stork from Redmond. So, in order of seriousness, we have the following goodies:
MS09-018 - Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055). This bulletin covers two issues with Windows Active Directory on various versions of the Windows Server platform, except Windows Server 2008. The two vulnerabilities reported in the Microsoft security bulletin affect the Lightweight Directory Access Protocol (LDAP) component of Active Directory.
- Active Directory Invalid Free Vulnerability (CVE-2009-1138)
This first bug is a failure to free memory properly, allowing an attacker to execute code remotely. This issue is ranked as Critical by Microsoft for Active Directory in Windows 2000 SP4. For all other affected versions of Windows, it has been rated as Important as it would only cause denial of service.
- Active Directory Memory Leak Vulnerability (CVE-2009-1139)
This second issue involves a memory leak when handling LDAP requests. By submitting a specially crafted LDAP request, an attacker can exhaust system memory, hampering other services and potentially causing Active Directory to crash. This issue has been rated as Important as it only causes denial of service.
Both vulnerabilities will only affect Active Directory Servers that are handling LDAP requests.
MS09-019 - Cumulative Security Update for Internet Explorer (969897). It wouldn't be Patch Tuesday without some form of update for Internet Explorer, and here we go: this bulletin addresses eight issues affecting Internet Explorer, one of which was disclosed previously.
Highlights of this little gem include six issues that could be used for remote code execution and two for information disclosure. As usual, all versions of Internet Explorer are affected, including the brand new Internet Explorer 8.
MS09-027 - Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514). Here we have a bulletin that covers two code-execution vulnerabilities within Microsoft Word. Both issues require user interaction. The bulletin covers all versions of Word in all supported versions of Office. One of the two issues is rated Critical, so this patch is a must for Office users.
MS09-021 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462). This bulletin covers a grand total of seven issues within all versions of Microsoft Excel. The issues in general are caused by poor handling of file information that could result in corruption (of pointers, record pointers, object records, array indexing, and fields), as well as a stack-based string copy corruption and integer overflows.
An attacker could exploit these vulnerabilities by crafting an Excel document and sending it to a victim. When triggered, each issue could execute arbitrary code in the context of the victim that has opened the malicious Excel document.
MS09-024 - Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632). This bulletin and its updates address a vulnerability affecting the Microsoft Works document converter. The following software is reported to be vulnerable to this issue:
- Office 2000 Service Pack 3
- Office XP Service Pack 3
- Office 2003 Service Pack 3
- Office 2007 System Service Pack 1
- Works 8.5
- Works 9.0
The issue is especially serious for Office 2000 Service Pack 3 because it does not have enabled by default the functionality that prompts before a malicious document is opened. The vulnerability is caused when a memory corruption issue is triggered by a specially crafted Works file ('.wps') as it is opened. When triggered, the attacker could execute arbitrary code in the context of the victim that has opened the malicious document.
MS09-022 - Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501). In this bulletin Microsoft discusses three vulnerabilities within the Windows Print Spooler. One of the issues is rated 'Critical' and can be exploited remotely; the other two can be exploited locally to elevate privileges and to disclose sensitive information.
- Microsoft Windows Print Spooler Buffer Overflow Vulnerability
This is the most severe of the three vulnerabilities addressed by this bulletin. It is a remotely exploitable flaw affecting Windows 2000. It is exploitable through interaction with the Print Spooler RPC interface. Unlike many RPC-related flaws, however, this issue requires that the victim connect to the RPC service on the attacker's computer. This behaviour prevents this issue from being usable in worm-like scenarios and, although it is rated 'Critical' by Microsoft, it does help lower the risk profile of the issue. The issue stems from a buffer overflow that occurs when a victim client reads the ShareName on a malicious print server. An attacker could exploit this overflow to corrupt sensitive process memory and potentially execute arbitrary code.
- Microsoft Windows Print Spooler Read File Information Disclosure Vulnerability
This flaw occurs within the local context of the system and cannot be exploited by a remote attacker, authenticated or not. The issue arises because of the way that the Print Spooler service handles 'separator' pages: an attacker may be able to obtain the contents of arbitrary files on the local filesystem. Separator pages are banner pages used to show who submitted a print job. By supplying a custom separator page, the attacker can cause the page to disclose the contents of files.
- Microsoft Windows Print Spooler Load Library Privilege Escalation Vulnerability
The Windows Print Spooler service fails to verify the location where it should store libraries that it is prompted to load. This allows a user to prompt the service to load a library from a remotely accessible location, such as an attacker's server. To exploit this issue, the attacker must be authenticated to the Print Spooler service or must be a local user on the system.
MS09-020 - Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483). This bulletin covers the previously released and discussed vulnerability within IIS and WebDAV that can allow the bypass of access controls.
MS09-026 - Vulnerability in RPC Could Allow Elevation of Privilege (970238). This bulletin discusses a vulnerability in which the RPC Marshalling Engine's internal state fails to update properly, which can cause a pointer to be read from an incorrect location. Successful exploitation of this vulnerability may lead to arbitrary code execution. This issue is rated as Important; the main mitigating factor is that Windows does not ship with RPC servers or clients that are subject to exploitation of this vulnerability. In the default configuration, it is not possible to exploit this issue.
MS09-025 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537). This bulletin covers four issues within the Windows Kernel, all of which have been rated as Important by Microsoft. The issues include:
- Windows Kernel Desktop Vulnerability - CVE-2009-1123
The vulnerability stems from poor validation of changes applied to certain kernel objects. Successful exploits could lead to arbitrary code execution in kernel mode.
- Windows Kernel Pointer Validation Vulnerability - CVE-2009-1124
The vulnerability stems from poor validation of certain pointers passed from user to kernel mode. Successful exploits could lead to arbitrary code execution with kernel-mode privileges.
- Windows Driver Class Registration Vulnerability - CVE-2009-1125
The vulnerability stems from poor validation of an argument passed to a kernel system call. Successful exploits could lead to arbitrary code execution in kernel mode.
- Windows Desktop Parameter Edit Vulnerability - CVE-2009-1126
The vulnerability stems from poor validation of input passed to kernel mode from user mode when editing a certain desktop parameter. Successful exploits could lead to arbitrary code execution in kernel mode.
MS09-023 - Vulnerability in Windows Search Could Allow Information Disclosure (963093). This bulletin addresses an information-disclosure vulnerability. Data disclosed by exploiting this flaw could potentially allow an attacker to further elevate their privileges using additional local attacks.
However, by default the Windows Search component is not installed on the affected systems (Windows XP and Windows 2003); it is an optional component that must be downloaded onto the system for installation. Exploitation occurs when an attacker distributes a malicious HTML file to a user and they place it somewhere on their system. If the victim subsequently carries out a Windows Search and the result of the search is the HTML file distributed by the attacker, then the contents of the file will be run.
As usual for Patch Tuesday, and we cannot say it enough, get every patch installed as soon as possible. However, the one interesting issue that has been missed out this month so far is the DirectShow issue we covered here; the latest word on this one is that it is becoming more widely exploited too. So if we see an explosion on this one, could we get an out-of-band patch this month?
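To turn "get every patch installed" into a quick check, here is an added PowerShell example (not from the original post) that audits a host for the Windows-side bulletin KB numbers listed above and reports the two services the post names as mitigating factors. It assumes Get-HotFix is available and that each bulletin's KB number matches the installed package's KB; Get-HotFix lists Windows updates only, so the Office and Works bulletins (MS09-021, MS09-024, MS09-027) are left out, and the service names Spooler and WSearch are assumptions.

```powershell
# Added example, not from the original post. Bulletin-to-KB map taken from
# the bulletin titles above; a bulletin KB can differ from the installed
# package KB, so treat "MISSING" as a prompt to verify, not as proof.
$bulletins = @{
    'MS09-018' = 'KB971055'   # Active Directory (LDAP)
    'MS09-019' = 'KB969897'   # Internet Explorer cumulative update
    'MS09-020' = 'KB970483'   # IIS / WebDAV access-control bypass
    'MS09-022' = 'KB961501'   # Print Spooler
    'MS09-023' = 'KB963093'   # Windows Search
    'MS09-025' = 'KB968537'   # Windows Kernel
    'MS09-026' = 'KB970238'   # RPC Marshalling Engine
}

# Win32_QuickFixEngineering via Get-HotFix: Windows updates only.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$missing = @()
foreach ($id in ($bulletins.Keys | Sort-Object)) {
    $kb = $bulletins[$id]
    if ($installed -contains $kb) {
        '{0} ({1}): installed' -f $id, $kb
    } else {
        '{0} ({1}): MISSING' -f $id, $kb
        $missing += $id
    }
}

# Context for prioritising the MISSING rows: the MS09-022 remote issue needs
# the Spooler service, and MS09-023 only matters if the optional Windows
# Search component is present. Service names are assumed.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$search  = Get-Service -Name WSearch -ErrorAction SilentlyContinue
'Print Spooler service: {0}'  -f $(if ($spooler) { $spooler.Status } else { 'not present' })
'Windows Search service: {0}' -f $(if ($search)  { $search.Status }  else { 'not installed' })

if ($missing.Count -gt 0) {
    'Bulletins still to apply on this host: {0}' -f ($missing -join ', ')
}
```

Run it under an account that can read the hotfix list; on a host where Windows Search is reported as not installed, a MISSING MS09-023 is far less urgent than a MISSING MS09-022 with the Spooler running.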
