News

Microsoft Breaks Record With Massive June Patch

• By Jabulani Leffall
• 06/09/2009

It only took six months for Microsoft to break its own record for addressing the most vulnerabilities in a single patch.

Microsoft's June security bulletin rollout on Tuesday contains 10 patches -- six of them critical, three important and one moderate. This patch aims to fix more than 31 vulnerabilities. It edges out Microsoft's December 2008 patch, which came close with 28 bugs to fix.

Overall, the fixes include six for Windows operating systems. There's a large cumulative patch for Internet Explorer and three fixes for Microsoft Office. Remote code execution (RCE) exploits are the order of the day for all of the critical items. Other problems addressed in the patch include elevation of privilege and information disclosure considerations.

"I think Microsoft got it right this month by releasing patches for a number of well-publicized security flaws," said Eric Schultze, chief technology officer at Shavlik Technologies.

Critical Items
The first critical item patches two vulnerabilities mainly involving Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode. All told, this fix covers Windows 2000, Windows XP and Windows Server 2008 operating systems.

Critical patch No. 2 is an issue that is patched periodically, involving commands to the print spooler function in the Windows OS. According to the patch abstract, the bugs involved could kick off RCE exploits if an affected server receives a specially crafted remote procedure call (more on RPC later) request to the print spooler. All supported Windows versions are covered in this fix. In addition to applying the patch, Microsoft says that "firewall best practices and standard default firewall configurations can help protect networks from attacks."

The third critical bulletin is a cumulative patch for the Internet Explorer browser, covering IE 6, IE 7 and IE 8 across all OSes. The patch addresses seven vulnerabilities, making this one of the focal points of this month's rollout given the rise in browser-based exploits and hacks.

"[Of the seven total], the four Internet Explorer fixes that address HTML object memory corruption vulnerabilities -- the first ever patch for Internet Explorer 8 being among these -- are of particular interest," said Symantec Senior Research Manager Ben Greenbaum. "These weaknesses actually appear to be quite simple to exploit and we have observed malicious code being offered in malware toolkits that have taken advantage of very similar vulnerabilities."

The fourth critical item on the slate is designed to stave off two known vulnerabilities and covers a wide swath of Microsoft Word versions and components. Office 2000 Service Pack 3, Office XP SP3, and 2007 Microsoft Office System SP1 and SP2 are covered by this fix. Other applications covered include: Office 2004 and 2006 for Mac; Open XML File Format Converter for Mac; and Microsoft Office Word Viewer and Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 file formats.

The same can be said for the cumulative Excel patch, which is the fifth critical bulletin. The problems to be fixed appear widespread. Redmond would only say "several vulnerabilities" and didn't pin down a specific number of bugs to be fixed. The only difference, from an Office components perspective, between this patch and the Word patch is that the Excel hotfix will also cover Office Excel Viewer and Microsoft Office SharePoint Server 2007 SP1 and SP2.

The sixth and final critical item is a cumulative hotfix for Microsoft Works converters. Specifically it's designed to stave off bugs that may pop up in any Works files that are loaded, opened and created on a workstation. The patch touches Office 2000, Office 2002, Office 2003 and Office 2007. Microsoft Works 8.5 and 9.0 versions are also covered.

Important and Moderate Items
Many of the important items in the June slate are of note for two main reasons for enterprise administrators. For one, they have all been critical issues at some point in the past. Secondly, they all have elevation-of-privilege considerations, which would give a hacker write-edit-change access to an infected system.

The first important fix covers every Windows OS version, addressing remote procedure call (RPC) facilities. In October a critical RPC bulletin, known in some circles as the original "Conficker patch," was deployed to make sure server-side commands that allow subroutine code to execute were bug free. For this month's patch, the element to be fixed is the RPC marshalling engine, which is a way station for interprocess commands, data and information on a Windows network.

The second important fix affects every supported OS and is also an issue IT pros have often seen before with the Windows kernel. Redmond said that this security update resolves four bugs in the Windows kernel that could allow an attacker to execute arbitrary code and take complete control of an affected system.

The third important item is designed to patch Internet Information Services (IIS). Affected systems include Windows 2000, XP and Windows Server 2003. Microsoft issued an advisory just last week to address fresh exploits attacking IIS. The patch abstract explained at that time that "vulnerabilities could allow elevation of privilege if an attacker sent a specially crafted HTTP request to a Web site that requires authentication." Left unpatched, hackers could bypass the access control list and authorization gate-keeping mechanisms and gain entry to IIS.

"Anyone running IIS that isn't using the available mitigation steps should jump on this one right away because there are exploits in the wild, and an exploited server can allow attackers to gain unauthorized access to protected resources on your Web site," said Andrew Storms, director of security at nCircle.

The lone moderate item for this massive June slate pertains to a bug in Windows search. It's possible that search terms or links will come back with malicious code. When the links are clicked, it can make mischief. This fix addresses systems using Windows XP and Windows 2003.

It will be full steam ahead for security pros this month. All fixes may, or do, require restarts.

It seems as if nothing was left out of this patch. However, security pros such as Schultze noted that Microsoft didn't release a patch for the DirectShow QuickTime parsing zero-day vulnerability in this month's slate.

Microsoft issued a security advisory recently, saying it is investigating a newly disclosed remote code execution bug in Microsoft DirectShow. In its advisory, the software giant said the vulnerability could be triggered if an unsuspecting user opens a specially crafted media file.

"We expect we'll see a patch for this next month," Schultze said. "In the meantime, Microsoft has published a one-click workaround for this issue."

In that vein, Redmond is urging administrators who want to solve the problem locally to check out the "Fix it myself" section of a knowledgebase article that accompanied the original advisory.

Finally, for anyone with any time remaining in their installation and testing schedules, Redmond is directing users to its monthly knowledgebase article, which lists what Windows users can expect via Windows Update, Microsoft Update and Windows Server Update Services.