Qualys Blog

www.qualys.com
wkandek

Patch Tuesday Bottomline – November 2009

Today Microsoft released 6 security bulletins that address 15 individual vulnerabilities. Three of the bulletins are rated critical and the other 3 are rated important. Here is a recap of today’s advisories:

  • MS09-065 was rated as Critical due to the EOT (Embedded Open Type Font) vulnerability in which an attacker can execute arbitrary commands on the victim’s computer. This can be achieved by enticing the victim to visit a web page with malicious EOT fonts or open an e-mail which contains malicious content. A proof of concept that causes the application to crash is publicly disclosed. All Windows operating systems except Windows 7 and Windows 2008 R2 are affected.
    We can expect working exploits soon, and this is the most critical vulnerability to address. For users who cannot patch immediately, Microsoft has also provided some workarounds in a detailed blog post, including instructions on how to use GPOs to roll them out in an automated way.
  • MS09-063 and MS09-064 are critical as well, as they allow a remote, unauthenticated attacker to send malicious packets to affected systems and achieve remote code execution. MS09-063 is limited to attacks from the local subnet.
  • MS09-067 and MS09-068 affect Microsoft Excel and Word. They are standard file format issues that affect consumers and enterprise users alike.
  • Three of the six advisories (MS09-063, MS09-064 and MS09-066) involve services with open listening ports, which can be targeted by network-based attacks.

The newer OS versions Windows 7 and Windows 2008 R2 were not affected by any of the bulletins released today, a good indication of the progress that Microsoft has made in securing the base Operating System.

In a similar way the security features included in the new Office 2010 would have prevented both MS09-067 and MS09-068. We saw a demo of these features the other day at BlueHat and the strict sandboxing imposed on files that are received through e-mail or Internet download should take care of 2 of the main attack vectors for this type of exploit.
