
Microsoft Patch Tuesday—March 2009

Created: 10 Mar 2009 18:23:09 GMT • Updated: 23 Jan 2014 18:37:00 GMT
Robert Keith

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month. The vendor is releasing three bulletins covering a total of eight vulnerabilities. Ben Greenbaum (Sr. Research Manager, Symantec Security Response) discusses these vulnerabilities in a video that can be viewed here.

Of the eight vulnerabilities, only one is rated “Critical”—a remote code-execution vulnerability affecting the Windows kernel. This is a fairly serious issue, because a successful exploit will result in a complete compromise of the affected computer. The remaining issues, all rated “Important”, affect the Windows kernel, SChannel, and Windows WINS and DNS servers.


As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Block external access at the network perimeter to all but specific sites and computers.
- Run all software with the least privileges required while still maintaining functionality.
- Do not follow links or open files from unknown or questionable sources.
- Permit local access to known and trusted individuals only.

Microsoft’s summary of the March releases can be found here:
http://www.microsoft.com/technet/security/bulletin/ms09-mar.mspx

1. MS09-006 Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (KB958690)

CVE-2009-0081 (BID 34012) Microsoft Windows Kernel GDI EMF/WMF Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.8/10)

A remote code-execution vulnerability affects the GDI component of the Windows kernel when handling malformed EMF or WMF files. Remote attackers can exploit this issue by tricking a victim into viewing a specially crafted image; this can occur simply by visiting a malicious web page or viewing a specially crafted email. Successful exploits will result in the execution of arbitrary attacker-supplied code with SYSTEM-level privileges.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, and Windows Server 2008 for 32-bit Systems, x64-based Systems, and Itanium-based Systems

CVE-2009-0082 (BID 34027) Microsoft Windows Kernel Handle Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency Rating 6.6/10)

A local privilege-escalation vulnerability affects the Windows kernel because it does not properly validate handles in certain situations. A local attacker can exploit this issue by running a specially crafted program on the local system. Successful exploits will result in the execution of attacker-supplied code with SYSTEM-level privileges.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, and Windows Server 2008 for 32-bit Systems, x64-based Systems, and Itanium-based Systems

CVE-2009-0083 (BID 34025) Microsoft Windows Invalid Pointer Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency Rating 6.6/10)

A local privilege-escalation vulnerability affects the Windows kernel because it does not properly handle invalid pointers in certain situations. A local attacker can exploit this issue by running a specially crafted program on the local system. Successful exploits will result in the execution of attacker-supplied code with SYSTEM-level privileges.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows Server 2003 SP1, Windows Server 2003 x64 Edition

2. MS09-007 Vulnerability in SChannel Could Allow Spoofing (KB960225)

CVE-2009-0085 (BID 34015) Microsoft Windows SChannel Authentication Spoofing Vulnerability (MS Rating: Important / Symantec Urgency Rating 6.1/10)

An authentication-bypass vulnerability affects the Microsoft Windows SChannel authentication component because it does not properly verify the existence of an associated private key when using certificate-based authentication. An attacker in possession of a valid certificate can exploit this issue to authenticate to a vulnerable server without requiring the private key.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, and Windows Server 2008 for 32-bit Systems, x64-based Systems, and Itanium-based Systems

3. MS09-008 Vulnerabilities in DNS and WINS server could allow Spoofing (962238)

CVE-2009-0233 (BID 33982) Microsoft Windows DNS Server Response Caching DNS Spoofing Vulnerability (MS Rating: Important / Symantec Urgency Rating 6.8/10)

A remote DNS cache poisoning vulnerability affects the Windows DNS Server because of decreased entropy in Transaction IDs. Specifically, the service does not re-use cached responses when receiving specially crafted duplicate queries. This can aid an attacker in guessing a valid Transaction ID to insert arbitrary addresses into the DNS cache. Successful attacks may aid in other attacks such as phishing.

Affects: Microsoft Windows 2000 Server SP4, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, and Windows Server 2008 for 32-bit Systems and x64-based Systems

CVE-2009-0234 (BID 33988) Microsoft Windows DNS Server Incorrect Caching DNS Spoofing Vulnerability (MS Rating: Important / Symantec Urgency Rating 6.8/10)

A remote DNS cache poisoning vulnerability affects the Windows DNS Server because of decreased entropy in Transaction IDs. Specifically, an attacker can send multiple specially crafted requests to reduce entropy in the Transaction IDs, enabling the attacker to guess a valid ID. Successful attacks will result in arbitrary attacker-supplied addresses being added to the DNS cache; this may aid in other attacks such as phishing.

Affects: Microsoft Windows 2000 Server SP4, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, and Windows Server 2008 for 32-bit Systems and x64-based Systems

CVE-2009-0093 (BID 33989) Microsoft Windows DNS Server WPAD Access Validation Vulnerability (MS Rating: Important / Symantec Urgency Rating 7.5/10)

A vulnerability in Windows DNS Server occurs because it does not properly validate who can register a WPAD (Web Proxy Auto-Discovery) entry. An attacker can exploit this issue to register a malicious WPAD entry to spoof the legitimate web proxy and redirect Internet traffic. Successful exploits may aid in other attacks such as phishing.

Affects: Microsoft Windows 2000 Server SP4, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, and Windows Server 2008 for 32-bit Systems and x64-based Systems

CVE-2009-0094 (BID 34013) Microsoft Windows WINS Server WPAD and ISATAP Access Validation Vulnerability (MS Rating: Important / Symantec Urgency Rating 7.5/10)

A vulnerability in Windows WINS Server occurs because it does not properly validate who can register a WPAD (Web Proxy Auto-Discovery) or ISATAP entry. An attacker can exploit this issue to register a malicious entry to spoof the legitimate web proxy or ISATAP route and redirect Internet traffic. Successful exploits may aid in other attacks such as phishing.

Affects: Microsoft Windows 2000 Server SP4, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, and Windows Server 2003 with SP1 and SP2 for Itanium-based Systems
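
An added example (not part of the original post, and not Microsoft's or Symantec's code): a small audit for the WPAD and ISATAP registration issues described under CVE-2009-0093 and CVE-2009-0094. It scans an exported list of name records for `wpad` and `isatap` host names and reports any whose target is not on an allowlist; the record format, the sample data, the `corp.example` domain and the allowlist are all constructed for illustration.

```python
import ipaddress

SENSITIVE_LABELS = {"wpad", "isatap"}

# Constructed sample: "<owner> <type> <data>" lines, a simplified record export.
SAMPLE_RECORDS = """\
; constructed records for the placeholder domain corp.example
www.corp.example.         A      10.0.0.20
wpad.corp.example.        A      10.0.0.5
WPAD.branch.corp.example. A      10.9.8.77
isatap.corp.example.      CNAME  router1.corp.example.
isatap.lab.corp.example.  A      192.0.2.200
wpadserver.corp.example.  A      10.0.0.6
"""

# Hypothetical allowlist: targets the administrator has sanctioned per label.
APPROVED = {"wpad": {"10.0.0.5"}, "isatap": {"router1.corp.example"}}


def parse_records(text):
    """Yield (owner, rtype, data), lower-cased and without trailing dots."""
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split()  # drop ';' comments, then tokenize
        if len(parts) == 3:
            owner, rtype, data = parts
            yield owner.rstrip(".").lower(), rtype.upper(), data.rstrip(".").lower()


def canonical(rtype, data):
    """Normalise IP literals so equivalent spellings compare equal."""
    if rtype in ("A", "AAAA"):
        try:
            return str(ipaddress.ip_address(data))
        except ValueError:
            return data  # malformed address: compare as written
    return data


def audit(text, approved=APPROVED):
    """Return wpad/isatap records whose target is not on the allowlist."""
    findings = []
    for owner, rtype, data in parse_records(text):
        label = owner.split(".", 1)[0]  # exact leftmost label, not a prefix match
        if label in SENSITIVE_LABELS and canonical(rtype, data) not in approved.get(label, set()):
            findings.append((owner, rtype, data))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print("unapproved registration:", *finding)
```

The check matches the leftmost label exactly and case-insensitively, so `WPAD.branch.corp.example` is reported while `wpadserver.corp.example` is not.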


More information on this and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.