The Microsoft Five
It is that time of the month again, when bacon and beer are in order for your Windows System Admins. Microsoft have released five security bulletins this month covering a variety of products.
Microsoft have released five critically rated bulletins this month that cover various issues, including two drive-by Internet Explorer issues. On to the first of the bulletins for this month: MS09-045 is the first of two drive-by vulnerabilities patched by Microsoft. Once again this is evidence of the importance of safe computing policies and practicing safe browsing. While the underlying vulnerability is in JScript, it is important to note that Internet Explorer is the primary attack surface, and this issue affects all versions of Windows except Windows 7 and Windows Server 2008 R2. Using a specially crafted file or web site, it is possible to gain control of a targeted system within the context of the user that opened or viewed the exploit payload.
Next we have MS09-046, the second of the two drive-by vulnerabilities patched by Microsoft this month. The issue is a privately reported vulnerability within the DHTML Editing Component ActiveX control. An attacker could exploit the vulnerability by producing a specially crafted web page that would be viewed by the victim. The vulnerability allows remote code execution within the context of the logged-in user. This vulnerability is rated as Critical for Windows 2000 and Windows XP, and Moderate for Windows 2003. Newer versions of Windows are not affected.
A Microsoft patch day wouldn’t be the same without a file parsing vulnerability, so not to disappoint, MS09-047 covers two vulnerabilities within Windows Media Format parsing that could allow remote code execution if a user opens a specially crafted media file. The first of the two is an issue associated with the parsing of the header of ASF files; the second is related to how MP3 media files are handled during playback.
MS09-048 resolves three vulnerabilities within TCP/IP processing within Windows. This patch is interesting as it does not affect Windows XP in its default configuration and is only rated as Important for Windows 2000 and Windows 2003, but it is rated as Critical for Windows Vista and Windows Server 2008. The vulnerabilities could allow remote code execution if an attacker sends specially crafted TCP/IP packets to affected systems. The vulnerabilities include:
- TCP/IP Zero Window Size Vulnerability - CVE-2008-4609
  A denial of service vulnerability due to the way Windows handles an excessive number of established TCP connections. The effects of this issue can be amplified when processing specially crafted TCP packets with the receive window size set to zero.
- TCP/IP Timestamps Code Execution Vulnerability - CVE-2009-1925
  A remote code execution vulnerability in the Windows TCP/IP stack due to the TCP/IP stack not cleaning up state information correctly. This vulnerability can be exploited by an anonymous attacker by sending specially crafted TCP/IP packets to a computer that has a service listening over the network. This would then result in the attacker being able to take control of the affected system.
- TCP/IP Orphaned Connections Vulnerability - CVE-2009-1926
  This issue is a denial of service attack that results from the processing in Windows of specially crafted packets with a small or zero TCP receive window size. Windows may be unable to close a connection properly if an application closes a TCP connection with pending data and an attacker has set a small or zero TCP receive window size.
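
A detection-side sketch of the zero-window pattern described in the list above, added here as an example and not taken from Microsoft's bulletins: it counts, per source address, the connections whose latest advertised receive window is small or zero. The thresholds, function names and sample segments are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SMALL_WINDOW = 16  # assumed cutoff in bytes; raw header value, window scaling not applied
MAX_STALLED = 3    # assumed per-source limit before a peer is reported

def parse_tcp(header: bytes):
    """Return (src_port, dst_port, flags, window) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", header[:16])
    return sport, dport, off_flags & 0x3F, window

def stalled_sources(segments, limit=MAX_STALLED):
    """segments: iterable of (src_ip, raw_tcp_header) seen inbound to one server.
    Returns {src_ip: count} for peers holding at least `limit` connections
    whose most recent advertised window is small or zero."""
    stalled = defaultdict(set)
    for src_ip, raw in segments:
        sport, dport, flags, window = parse_tcp(raw)
        conn = (sport, dport)
        if flags & (RST | FIN):
            stalled[src_ip].discard(conn)      # peer is tearing the connection down
        elif flags & ACK and not flags & SYN:
            if window <= SMALL_WINDOW:
                stalled[src_ip].add(conn)      # established, but refusing data
            else:
                stalled[src_ip].discard(conn)  # window reopened, normal flow control
    return {ip: len(c) for ip, c in stalled.items() if len(c) >= limit}

def build_header(sport, dport, flags, window):
    # Constructed 20-byte TCP header (no options, checksum left at zero).
    return struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, window, 0, 0)

# Constructed sample traffic using documentation address ranges.
SAMPLE = (
    [("192.0.2.10", build_header(40000 + i, 80, ACK, 0)) for i in range(4)]
    + [("198.51.100.7", build_header(50000, 80, ACK, 0)),
       ("198.51.100.7", build_header(50000, 80, ACK, 8192)),  # brief stall, then recovers
       ("203.0.113.5", build_header(50001, 80, ACK, 65535))]
)

if __name__ == "__main__":
    print(stalled_sources(SAMPLE))
```

A single zero-window advertisement is ordinary flow control, which is why the check reports only sources that keep several connections stalled at once.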
The last of the patches for September is MS09-049, which resolves a vulnerability in the Wireless LAN AutoConfig Service. This vulnerability, like the last one, can allow remote code execution on only Windows Vista and Windows Server 2008. The vulnerability is a result of how the Wireless LAN AutoConfig Service (wlansvc) parses specific frames received on the wireless network; it will allow remote code execution if a system with a wireless interface enabled receives a specially crafted wireless LAN frame.
As usual for this time of the month, it is time to get your machines patched. Strangely, none of the vulnerabilities this month affect Windows 7, so it looks like these have been known for a while and the fixes were included with the RTM build of Windows 7. Some of the issues this month look especially dangerous, so expect exploits to be produced quickly, and one is ripe for exploitation anonymously as a worm payload.
