Microsoft Fixes 23 Software Security Flaws
Microsoft on Tuesday issued eight security updates to plug at least 23 security holes in its Windows operating systems and other software. The patches are available through Windows Update or via Automatic Updates.
One patch fixes six flaws in Internet Explorer 6 & 7 (the flaws are not present in IE8), including the carpetbombing issue. Microsoft addressed that vulnerability with this IE update, as well as with a stand-alone fix for Windows XP and newer Windows versions. Microsoft has rated this update critical, meaning attackers could exploit these IE flaws merely by convincing a user to visit a hacked or booby-trapped Web site.
Redmond also issued updates to fix at least two zero-day threats, vulnerabilities that hackers have been exploiting in targeted attacks to break into Windows systems. These updates include a fix for a Microsoft Excel vulnerability, and an update for a hole in most supported versions of Wordpad/Microsoft Office that hackers have been exploiting since December.
One patch addresses a particularly insidious vulnerability that Microsoft assigns a lesser "important" rating, but one which security experts say could become a huge threat for Web hosting facilities that fail to apply this update.
The issue concerns a Windows vulnerability that can be exploited with a technique known as token kidnapping (PDF research paper). In a way-oversimplified explanation, one way to prevent programs from being able to make key changes to the underlying operating system is to run the program in a mode that simply does not have all-powerful, system-level rights to modify important settings on the host system.
Least-privilege approaches are most useful for applications that face known-hostile environments on a pretty much constant basis, such as Web browsers and Web servers. This vulnerability, however, could allow an attacker to bypass that protection, and gain full control over an affected system.
Eric Schultze, chief technology officer for Shavlik Technologies, said this flaw is especially dangerous for systems running IIS Web servers and SQL database servers. In the context of a shared Web hosting environment, where multiple customers will host their Web sites on the same Web servers, a malicious customer or hacked customer account could be used to upload a file to the server that gives the attacker total control over all of the sites on that server.
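The least-privilege idea above rests on which Windows privileges a service account actually holds, and the token kidnapping research targeted accounts that can impersonate other tokens. The following script is an added example (not from the post or from Shavlik) that audits the output of the standard `whoami /priv` command for a service's security context and flags the privileges that let a process acquire or act under another token. The embedded sample output is constructed to look like a typical IIS worker process running as NETWORK SERVICE; it was not captured from a real host.

```python
import re

# Constructed sample of `whoami /priv` output for a low-privilege service
# account. Column layout matches what the real command prints; the rows
# are illustrative, not a capture from a live system.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a process obtain or run under a different security
# context. These are the ones a least-privilege review should look at first.
TOKEN_PRIVILEGES = {
    "SeImpersonatePrivilege": "may impersonate tokens of clients it services",
    "SeAssignPrimaryTokenPrivilege": "may start processes under another token",
}
# Other privileges that make "reduced rights" largely meaningless if present.
OTHER_HIGH_IMPACT = {
    "SeDebugPrivilege": "may open any process on the system",
    "SeTcbPrivilege": "acts as part of the operating system",
    "SeLoadDriverPrivilege": "may load kernel-mode drivers",
}

# One data row: name, free-text description, then Enabled/Disabled.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: 'Enabled' | 'Disabled'} parsed from `whoami /priv`."""
    privs = {}
    for line in text.splitlines():
        match = _ROW.match(line.strip())
        if match:
            privs[match.group(1)] = match.group(3)
    return privs


def assess_token_exposure(privs):
    """Flag privileges that undermine a least-privilege service account.

    A privilege shown as Disabled is still held by the token: the process
    can switch it on itself with AdjustTokenPrivileges. Only a privilege
    that is absent from the list has really been removed, so both states
    are reported here.
    """
    findings = []
    for name, why in TOKEN_PRIVILEGES.items():
        if name in privs:
            findings.append((name, privs[name], "token", why))
    for name, why in OTHER_HIGH_IMPACT.items():
        if name in privs:
            findings.append((name, privs[name], "system", why))
    return findings


def holds_token_privilege(privs):
    """True when the account can impersonate or assign tokens at all."""
    return any(name in privs for name in TOKEN_PRIVILEGES)


if __name__ == "__main__":
    parsed = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name, state, kind, why in assess_token_exposure(parsed):
        print(f"[{kind}] {name} ({state}): {why}")
```

Run it against real output by piping `whoami /priv` from the context you care about (for example from within an application pool) into `parse_whoami_priv`. The point of the check is the caveat in the docstring: a privilege listed as Disabled has not been taken away, so an inventory that only counts Enabled entries understates what the account can do.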
Schultze called this fix the most ambitious patch Microsoft has ever produced, noting that Microsoft originally said this was too complex an issue to fix.
"Microsoft expended a great deal of effort in correcting this issue - even pulling developers off of Windows 7 to assist with this patch," Schultze said. Microsoft has even more detail on this process here.
Security researchers already have released instructions describing how to attack roughly half of all of the vulnerabilities Microsoft addressed in this patch release. If you run a Windows machine, try not to let too much time elapse before you apply these security updates. Most of the updates will not take effect until the patched system has been restarted.
As always, please sound off in the comments below if any of these updates appear to introduce problems for your system. Likewise, I will keep an eye out for any reports of issues with this large bundle of updates. A listing of each vulnerability addressed by today's updates can be found here.
April 15, 2009; 7:00 AM ET
Categories: New Patches , Safety Tips | Tags: carpetbombing, microsoft patch tuesday, token kidnapping