Microsoft Fixes Zero Day XP Bug In Nine-Patch Release

Microsoft released another giant security bulletin for its September Patch Tuesday, repairing 11 vulnerabilities with nine updates in Windows and Microsoft Office, including a critical zero-day flaw in the Print Spooler Service actively being exploited in the wild by the Stuxnet virus.

In addition to the Print Spooler Service bug, the patches plug holes in a range of Windows and Office systems, including MPEG-4 Codec, Microsoft Outlook, Unicode Scripts Processor, Internet Information Service (IIS), Wordpad Text Converters, Remote Procedure Call, Local Security Authority Subsystem and Windows Client/Server Runtime.

Four of the bulletins Microsoft released Tuesday are designated with the highest severity rating of "critical," while the remaining five are labeled with the slightly less severe rating of "important."

Of the critical updates, Microsoft placed high priority on MS10-061, a vulnerability in the Print Spooler Service rated "critical" for Windows XP and "important" for all other affected platforms, targeting Windows XP systems that share a printer. The vulnerability, first detected by Kaspersky Lab and later by Symantec, was used in attacks propagated by the Stuxnet virus, which spread to vulnerable Print Spooler service systems inside organizations' networks.

Security experts contend that the fact that the flaw is being used in active attacks is cause for users to give the Printer Spool patch a high priority.

"(The vulnerability) doesn't sound too scary. But this vulnerability is being used by the Stuxnet virus. It is in the wild, it is being exploited," said Jason Miller, data and security team manager for Shavlik Technologies. "Windows XPs that are sharing a printer -- that's not very common. If you do have that, you're going to need to address that right away. That goes with any vulnerability that's a zero day or actively exploited."

In addition, Microsoft addressed a critical media file vulnerability in the MPEG-4 codec, affecting supported versions of Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 with the patch MS10-62. Like many media vulnerabilities, the flaw enables remote attackers to launch arbitrary code by enticing a user to open a malicious media file or stream infected media content from a Web site or application.

Miller said that media file exploits are becoming more prevalent with the explosion of social media and related applications on the Internet.

"Media files are very, very prevalent in our social media age," Miller said. "Addressing that one is pretty important as well."

Miller said that the other seven patches address specific vulnerabilities that require special configurations in order for attackers to launch a successful exploit.

One such vulnerability, a flaw rated "important" and addressed by MS10-065, occurs in the IIS, which could potentially enable remote code execution if an attacker sent a malicious HTTP request to the server.

"This is definitely one of those months where people are going to read through these bulletins. It's probably not going to affect you. But some of these could be very critical on your network it it's configured a certain way," he said. "Some of these could go up your chart a little bit higher if you have one of those configurations."

Unlike previous months, the September patch didn't include a critical fix for Windows 7 or Windows Server 2008 R2.

"This is due to security enhancements such as additional heap mitigations built into the newer operating systems," said Jerry Bryant, Microsoft group manager for response communications in a blog post Tuesday.

Meanwhile, Microsoft is already looking ahead to current security vulnerabilities it hopes to address in the future. Down the road, the company plans to release a fix for two critical (EoP) vulnerabilities -- one of which affects Windows XP while the other affects Windows Vista, Windows 7, Windows Server 20078, and Windows Server 2008 R2. The vulnerabilities could also be used by malicious attackers -- or in this case the Stuxnet virus -- to gain permission to run malicious code that would enable it full access to an affected system.