Microsoft Patch Release Fixes Windows Kernel Bug
The MS09-065 bulletin is the most urgent of the six bulletins in this month's update and addresses three vulnerabilities pertaining to the Windows kernel. Of these three, a vulnerability that affects the way the Windows kernel parses Embedded OpenType fonts is the most critical because the party that reported it to Microsoft also disclosed it to the public.
Attackers could use this remote code execution vulnerability to set up a rigged Web site with embedded fonts that could enable them to take control of visitors' PCs, says Jason Miller, Data and Security Team Leader at Shavlik Technologies, a St. Paul, Minn.-based security vendor.
"The Internet is the number one attack vector," said Miller. "With this one, all an attacker has to do is lure someone to a Web site, and because it's public, there's a race going on right now to exploit it."
The MS09-063 bulletin deals with a vulnerability that only affects Windows Vista and Windows Server 2008. It affects the Web Services on Devices API (WSDAPI) service, which is designed to help improve the user experience by allowing users to easily find devices on the network. Ironically, this convenience means that the service can be exploited by attackers through the use of specially crafted packets, according to Miller.
"Windows relies on services running in the background to carry out commands for you. The problem is, with every new feature in Windows there is a new line of code," and the attack target grows larger, Miller said.
Windows 2000 isn't in widespread use but is still kicking around the corners of some companies' server rooms. Two November Microsoft bulletins, MS09-066 and MS09-064, target vulnerabilities in Windows 2000 that could create problems for these firms.
One of these is a remote code execution flaw in License Logging Server, a service that's on by default in Windows 2000. This one would have been a big deal six years ago, when Windows 2000 was more prevalent. Still, companies that are still running older applications such as point of sale systems on Windows 2000 should apply this patch, Miller said.
The other Windows 2000-specific vulnerability affects Active Directory and could lead to denial of service attacks, although this one is difficult to exploit, Miller said.
Rounding out this month's Patch Tuesday release, which follows October's record 13 bulletins, are fixes for several vulnerabilities in Microsoft Word and Excel and hold the potential for remote code execution, according to Microsoft.