Patch Tuesday Bottomline – September 2010

Microsoft’s September Bulletin contains four critical and five important updates, affecting Windows, Microsoft Office and Microsoft Internet Information Server (IIS). The most intriguing update is MS10-061, a fix for a printer spooler vulnerability in Windows XP.

In cooperation with Kaspersky and Symantec, Microsoft analyzed samples of the Stuxnet malware and found that, in addition to using the 0-day LNK vulnerability addressed in August by MS10-046, it uses a second, previously unknown vulnerability in the Windows print spooler to spread itself to other machines on the network.

They further found two new unknown local vulnerabilities that the malware uses to gain the required admin privileges, if necessary. The use of two 0-day vulnerabilities shows a dedicated effort to make the malware succeed – and remember this was the malware that had the password for the SIEMENS SCADA software embedded. MS10-061 fixes this second 0-day and is the most important patch of the month; it should be applied immediately.

MS10-063 is a critical vulnerability in the OpenType libraries and allows an attacker to take control of a machine if the user looks at a malicious web page or e-mail. The vulnerability does not require any further user interaction and so is a candidate for use in drive-by-download attacks, where malware is downloaded without the user’s consent or knowledge. While it is ranked as harder to exploit, I believe that attackers will focus on this vulnerability given the potential payback of more targets.

MS10-062 fixes a critical vulnerability in the Windows MPEG-4 codec, which allows an attacker who manages to entice a user into playing a specially crafted video file to take control of the victim’s machine – it is ranked as easy to exploit and will certainly become part of the popular malicious exploit kits. The last critical vulnerability, MS10-064, addresses a problem in Microsoft Outlook 2002; however, the more popular Outlook 2003 and 2007 are not affected in their default configuration.

MS10-068 is a vulnerability in Active Directory. It is ranked only as important because the attacker needs to be authenticated; however, this should not be much of an obstacle to a more sophisticated attacker who can use a client-side vulnerability, such as the current Adobe Reader or Flash 0-days, to get control of a workstation and then attack the AD server. I recommend that anyone with an AD infrastructure apply this update as soon as possible.

MS10-065 is a fix for multiple vulnerabilities in IIS; one of them depends on the FastCGI module and can be used to gain remote code execution on the server. FastCGI is not configured by default, but it is needed when certain software packages, PHP for example, are running under IIS. The majority of installed IIS servers will not be affected, but a check at Shodan shows that there are more than 30,000 servers that advertise running PHP under IIS. If you run this configuration, this update should be high on your list.
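Since the FastCGI-dependent issue in MS10-065 only matters on servers that actually route requests through FastCGI, the practical first step is to find out whether your IIS hosts do. The following script is an added example, not code from the original post or from Qualys: it parses an IIS applicationHost.config (here a constructed sample embedded inline; on a real server you would read `%windir%\System32\inetsrv\config\applicationHost.config`) and reports the registered FastCGI executables and every site whose handler mappings use `FastCgiModule`, which is how PHP is normally wired into IIS.

```python
"""Locate IIS sites that depend on the FastCGI module (e.g. PHP under IIS),
the configuration on which MS10-065's remote-code-execution issue depends.

Added example, not part of the original post. On a real server pass the
contents of %windir%\\System32\\inetsrv\\config\\applicationHost.config.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: "Default Web Site" maps *.php through FastCgiModule,
# "Intranet" serves static files only. Paths are illustrative.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <fastCgi>
      <application fullPath="C:\\php\\php-cgi.exe" />
    </fastCgi>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <handlers>
        <add name="PHP_via_FastCGI" path="*.php" verb="*" modules="FastCgiModule"
             scriptProcessor="C:\\php\\php-cgi.exe" resourceType="Either" />
      </handlers>
    </system.webServer>
  </location>
  <location path="Intranet">
    <system.webServer>
      <handlers>
        <add name="StaticFile" path="*" verb="*" modules="StaticFileModule"
             resourceType="Either" />
      </handlers>
    </system.webServer>
  </location>
</configuration>"""


def _child(elem, tag):
    """Direct child lookup; avoids ElementTree path syntax on dotted tag names."""
    return next((c for c in elem if c.tag == tag), None)


def fastcgi_handlers(config_xml):
    """Return (processors, mappings).

    processors: fullPath of every <application> registered under <fastCgi>.
    mappings:   {scope: [(path pattern, scriptProcessor), ...]} for each handler
                mapping whose module is FastCgiModule. Scope "" is the server-wide
                <system.webServer> block (inherited by all sites); otherwise it is
                the <location path="..."> the mapping belongs to.
    """
    root = ET.fromstring(config_xml)

    processors = []
    for fastcgi in root.iter("fastCgi"):
        processors.extend(app.get("fullPath") for app in fastcgi.findall("application"))

    # Server-wide block first, then each <location> override.
    scopes = [("", _child(root, "system.webServer"))]
    scopes += [(loc.get("path", ""), _child(loc, "system.webServer"))
               for loc in root.findall("location")]

    mappings = {}
    for scope, server in scopes:
        handlers = _child(server, "handlers") if server is not None else None
        if handlers is None:
            continue
        for add in handlers.findall("add"):
            if add.get("modules") == "FastCgiModule":
                mappings.setdefault(scope, []).append(
                    (add.get("path"), add.get("scriptProcessor")))
    return processors, mappings


def report(config_xml):
    """Human-readable summary: which scopes are exposed via FastCGI, if any."""
    processors, mappings = fastcgi_handlers(config_xml)
    if not processors and not mappings:
        return "No FastCGI configuration found; MS10-065's FastCGI issue does not apply."
    lines = ["FastCGI executables: " + (", ".join(processors) or "(none registered)")]
    for scope, maps in sorted(mappings.items()):
        label = scope or "<server-wide, all sites>"
        for pattern, proc in maps:
            lines.append(f"  {label}: {pattern} -> {proc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

A server-wide mapping (scope `""`) means every site inherits it, so treat the whole host as affected in that case; a site-level mapping narrows the exposure to the named sites. Either way, the host belongs on the MS10-065 priority list.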

Windows 7 users and Windows Server 2008 R2 implementations are not affected by three of the four critical vulnerabilities and have a downgraded severity of “Important” for the codec vulnerability.


As the CTO for Qualys, Wolfgang Kandek is responsible for product direction and all operational aspects of the QualysGuard platform and its infrastructure. Wolfgang has over 20 years of experience in developing and managing information systems. His focus has been on Unix-based server architectures and application delivery through the Internet. Prior to joining Qualys, Wolfgang was Director of Network Operations at the Online Music streaming company myplay.com and at iSyndicate, an Internet media syndication company. Earlier in his career, Wolfgang held a variety of technical positions at EDS, MCI and IBM. Wolfgang earned a Masters and a Bachelors degree in Computer Science from the Technical University of Darmstadt, Germany.