Microsoft Patch Tuesday - July 2009 

Jul 14, 2009 08:00 PM

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing six bulletins covering a total of nine vulnerabilities. Six of the issues are rated “Critical” and affect Windows, DirectX, and Windows OpenType Font engine. One of the DirectX issues and one of the ActiveX issues were previously disclosed back in May of this year and earlier this month. Both issues have also seen active exploit attempts in the wild. The remaining issues, rated “Important,” affect Publisher, Virtual PC, Virtual Server, and ISA Server.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the July releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx

The following is a breakdown of the “Critical” issues being addressed this month:

1. MS09-028 Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)

CVE-2009-1537 (BID 35139) Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.5/10)

A previously public (May 28, 2009) remote code execution vulnerability affects DirectX when parsing a specially crafted QuickTime file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: DirectX 7.0, 8.1, and 9.0

CVE-2009-1538 (BID 35600) DirectX Pointer Validation Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects DirectX due to a validation error when updating certain pointer values. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious QuickTime file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: DirectX 7.0, 8.1, and 9.0

CVE-2009-1539 (BID 35616) DirectX Size Validation Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects DirectX due to a failure to properly validate certain fields when processing a QuickTime file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: DirectX 7.0, 8.1, and 9.0

2. MS09-032 Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution (973346)

CVE-2009-0015 (BID 35558) Microsoft Windows 'MPEG2TuneRequest' ActiveX Control Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.5/10)

A previously public (July 6, 2009) remote code execution vulnerability affects the ‘MPEG2TuneRequest’ ActiveX control provided by the 'msvidctl.dll' library file. To exploit this issue an attacker must trick an unsuspecting victim into viewing a webpage containing malicious content. A successful exploit will result in the execution of arbitrary code in the context of the application running the control (typically Internet Explorer).

Affects: Microsoft Windows XP and Windows Server 2003

3. MS09-029 Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)

CVE-2009-0231 (BID 35186) Embedded OpenType Font Heap Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects the Embedded OpenType (EOT) font component due to how it parses data records in specially crafted embedded fonts. An attacker can exploit this issue by tricking a victim into opening a file or viewing a web page containing malicious embedded fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Vista, Vista SP1, and Vista SP2, Windows Vista x64 Edition, Vista x64 Edition SP1, and Vista x64 Edition SP2, Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems SP2, and Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems SP2

CVE-2009-0232 (BID 35187) Embedded OpenType Font Integer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects the Embedded OpenType (EOT) font component due to how it parses name tables in specially crafted embedded fonts. An attacker can exploit this issue by tricking a victim into opening a file or viewing a web page containing malicious embedded fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Vista, Vista SP1, and Vista SP2, Windows Vista x64 Edition, Vista x64 Edition SP1, and Vista x64 Edition SP2, Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems SP2, and Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems SP2

More information on these and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
