Microsoft’s September Bulletin contains four critical and five important updates, affecting Windows, Microsoft Office and Microsoft Internet Information Server (IIS). The most intriguing update is MS10-061, a fix for a print spooler vulnerability in Windows XP.
In cooperation with Kaspersky and Symantec, Microsoft analyzed samples of the Stuxnet malware and found that, in addition to using the 0-day LNK vulnerability addressed in August by MS10-046, it uses a second, previously unknown vulnerability in the Windows print spooler to spread itself to other machines on the network.
They further found two new, previously unknown local vulnerabilities that the malware uses to gain the required admin privileges when necessary. The use of two 0-day vulnerabilities shows a dedicated effort to make the malware succeed – and remember, this was the malware that had the password for the SIEMENS SCADA software embedded. MS10-061 fixes this second 0-day and is the most important patch of the month; it should be applied immediately.
MS10-063 is a critical vulnerability in the OpenType libraries that allows an attacker to take control of a machine if the user views a malicious web page or e-mail. The vulnerability does not require any further user interaction and so is a candidate for use in drive-by-download attacks, where malware is downloaded without the user’s consent or knowledge. While it is ranked as harder to exploit, I believe that attackers will focus on this vulnerability given the potential payback of more targets.
MS10-062 fixes a critical vulnerability in the Windows MPEG-4 codec, which allows an attacker who can entice a user to play a specially crafted video file to take control of the victim’s machine – it is ranked as easy to exploit and will certainly become part of the popular malicious exploit kits. The last critical vulnerability, MS10-064, addresses a problem in Microsoft Outlook 2002; the more popular Outlook 2003 and 2007 are not affected in their default configuration.
MS10-068 is a vulnerability in Active Directory. It is ranked only as important because the attacker needs to be authenticated; however, this should not be much of an obstacle to a more sophisticated attacker who can use a client-side vulnerability, such as the current Adobe Reader or Flash 0-days, to get control of a workstation and then attack the AD server. I recommend that anyone with an AD infrastructure apply this update as soon as possible.
MS10-065 is a fix for multiple vulnerabilities in IIS; one of them depends on the FastCGI module and can be used to gain remote code execution on the server. FastCGI is not configured by default, but it is needed when certain software packages, PHP for example, run under IIS. The majority of installed IIS servers will not be affected, but a search on Shodan shows more than 30,000 servers advertising that they run PHP under IIS. This update should be high on your list if you run this configuration.
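To decide how urgently MS10-065 applies to a given host, an administrator needs to know whether FastCGI is actually configured and which handler mappings route requests through it. The following PowerShell inventory script is an added example, not code from the original post or from Microsoft; it assumes an IIS 7.x server with the WebAdministration module available and reads the applicationHost configuration without changing it.

```powershell
# Added example (not part of the original post): inventory FastCGI usage on an
# IIS 7.x host so the MS10-065 FastCGI issue can be triaged. Assumes the
# WebAdministration PowerShell module shipped with IIS 7.0 and later.
Import-Module WebAdministration

# Applications registered in the server-wide <fastCgi> section; on a PHP
# install this is typically php-cgi.exe. Empty means FastCGI is not in use.
$fastCgiApps = Get-WebConfiguration -Filter 'system.webServer/fastCgi/application' `
                                    -PSPath 'MACHINE/WEBROOT/APPHOST'
if ($fastCgiApps) {
    "FastCGI applications configured:"
    $fastCgiApps | ForEach-Object { "  {0} (args: {1})" -f $_.fullPath, $_.arguments }
} else {
    "No FastCGI applications configured (this is the IIS default)."
}

# Handler mappings per site that hand requests to FastCgiModule, which is what
# exposes a site to the FastCGI-dependent issue described in the bulletin.
foreach ($site in Get-Website) {
    $handlers = Get-WebConfiguration -Filter 'system.webServer/handlers/add' `
                                     -PSPath "IIS:\Sites\$($site.Name)" |
                Where-Object { $_.modules -eq 'FastCgiModule' }
    foreach ($h in $handlers) {
        "  site '{0}': {1} -> {2}" -f $site.Name, $h.path, $h.scriptProcessor
    }
}
```

Run it from an elevated PowerShell session on each IIS host; any output under the FastCGI or handler sections means the server runs the configuration the post describes and the update belongs at the top of that host's list.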
Windows 7 and Windows Server 2008 R2 are not affected by three of the four critical vulnerabilities, and the codec vulnerability has a downgraded severity of “Important” on those platforms.