News

September Patch Aims at Windows Web Components

Microsoft on Tuesday rolled out its September security patch, which is notable for containing five "critical" security bulletins.

Expect a couple of themes with this patch. First, all of the fixes address remote code execution (RCE) risks. Second, every bulletin deals with Web components, from server connections to corrupt files distributed through e-mail.

The first critical patch is said to plug a hole in the Microsoft JScript Scripting Engine used in every supported Windows OS. The exploit can be triggered via a specially crafted corrupt file or even by clicking on an infected Web page with "malformed script," according to Microsoft. A hacker exploiting this vulnerability could set user administrative rights and could "view, change or delete" data.

The second patch touches an RCE vulnerability only in Vista and Windows Server 2008. It pertains to a single privately disclosed bug in the Wireless Local Area Network (LAN) AutoConfig Service. Client workstations and server systems without enabled wireless cards are immune to this bug, but it's a potential problem for networks with Wi-Fi access.

Potential malicious Windows Media Format files, such as corrupt audio or video files, are a consistent vector for client side attacks. These files are the focus of critical item No. 3. The patch is designed to fix vulnerabilities in Windows Media Format Runtime versions 9.0, 9.5 and 11 in every supported Windows OS.

TCP/IP Bug: A Focus for Security Pros
Fix No. 4 deals with a Transmission Control Protocol/Internet Protocol (TCP/IP) bug. The patch doesn't apply to Windows XP, but it does apply to all other OSes.

"In addition, it has maximum criticality only on Vista and Windows Server 2008, the newest generation of the OS family," said Wolfgang Kandek, chief technology officer at Qualys.

The fix deals with a rare server-side function and resolves several "privately" reported vulnerabilities, according to Microsoft. It addresses vulnerabilities in both Windows and Cisco Systems products. Microsoft says there are holes that could allow RCE exploits if malicious TCP/IP packets are sent over the network.

As a fail-safe, Microsoft recommends "firewall best practices," which include cutting hackers off at the pass by limiting exposed connection ports.

"Microsoft hasn't seen a serious bug in its TCP/IP stack in a long time, so it's pretty likely this is the exploit most people will focus on," said Andrew Storms, director of security at nCircle. "This update follows on the heels of a new zero-day 'blue screen of death' vulnerability and the combination of these two serious vulnerabilities will shake a lot of people's confidence in the integrity of Microsoft's networking stack."

The fifth and final patch in the slate describes a vulnerability in the DHTML Editing Component ActiveX control. This control found in Internet Explorer 5 and later IE versions. If a hacker gains control of this function, he could dump code that will execute when a user clicks on a corrupt Web page. The patch is rated critical on Windows 2000 and XP. It's doesn't apply to Vista and Windows Server 2008.

FTP Bug Still at Large
Fix No. 4 should be installed first, said Jason Miller, security and data team manager at Shavlik Technologies, joining a chorus of observers.

He also pointed out what wasn't in this month's slate, namely a fix for a File Transfer Protocol (FTP) service bug, which was disclosed in a security advisory last Thursday. The proof of concept for this bug is less than two weeks old, but the bug has become notable. Microsoft has now updated its advisory to reflect that the vulnerability is being used in "limited attacks."

"Administrators should look at addressing this vulnerability through workarounds provided by Microsoft until a security patch becomes available," Miller said.

Microsoft's Senior Security Program Manager Jerry Bryant said in an e-mailed statement that a patch will be released "once [such an update] has reached an appropriate level of quality for broad distribution."

All of the five patches that were released on Tuesday may require restarts.

Meanwhile, for IT pros who may want to do more housekeeping after implementing the critical fixes, there is the monthly knowledgebase article detailing nonsecurity updates via Microsoft Update, Windows Update and Windows Server Update Services.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • AI for GitHub Collaboration? Maybe Not So Much

    No doubt GitHub Copilot has been a boon for developers, but AI might not be the best tool for collaboration, according to developers weighing in on a recent social media post from the GitHub team.

  • Visual Studio 2022 Getting VS Code 'Command Palette' Equivalent

    As any Visual Studio Code user knows, the editor's command palette is a powerful tool for getting things done quickly, without having to navigate through menus and dialogs. Now, we learn how an equivalent is coming for Microsoft's flagship Visual Studio IDE, invoked by the same familiar Ctrl+Shift+P keyboard shortcut.

  • .NET 9 Preview 3: 'I've Been Waiting 9 Years for This API!'

    Microsoft's third preview of .NET 9 sees a lot of minor tweaks and fixes with no earth-shaking new functionality, but little things can be important to individual developers.

  • Data Anomaly Detection Using a Neural Autoencoder with C#

    Dr. James McCaffrey of Microsoft Research tackles the process of examining a set of source data to find data items that are different in some way from the majority of the source items.

  • What's New for Python, Java in Visual Studio Code

    Microsoft announced March 2024 updates to its Python and Java extensions for Visual Studio Code, the open source-based, cross-platform code editor that has repeatedly been named the No. 1 tool in major development surveys.

Most   Popular

Subscribe on YouTube