Article

Microsoft gives Internet Explorer a major security overhaul

Robert Westervelt

Microsoft wrapped up its final regular patch release of 2009 issuing a massive security update to Internet Explorer, repairing a serious zero-day vulnerability and four other flaws in the browser.

The software giant issued six bulletins in December, three critical, repairing 12 vulnerabilities across its product line.

Security bulletin

Requires Free Membership to View

MS09-072 blocks proof-of-concept exploit code that surfaced in a public forum last month and enables attackers to use a flawed ActiveX control to gain access to a victim's system. The remote code execution vulnerability can enable an attacker to spread malicious code that bypasses IE security controls.

Jason Miller, data and security team leader at patch management vendor Shavlik Technologies called the public availability of exploit code serious even though no active attacks have been detected in the wild.

"The fact that this is Internet Explorer raises this bulletin more than anything else because one of the number one attack vectors in the world is a browser," Miller said. "Visit an evil website with a vulnerable browser and you can allow viruses or a Trojan to come down onto your system."

The vulnerable ActiveX control was built using a flawed version of the Active Template Library (ATL) – a massive error discovered by IBM ISS X-Force researchers last summer that has left a large number of browser components potentially vulnerable to attack. Microsoft issued an emergency update in July, addressing the ATL affecting IE and Visual Studio.

The bulletin also repairs four other memory corruption vulnerabilities when IE attempts to initialize objects in Web pages. The update is rated critical for all supported versions of Internet Explorer, including the latest version, IE 8. MS09-071 addresses two Windows vulnerabilities that could enable an attacker to gain complete control of a machine. A memory corruption error and authentication bypass vulnerability affects the Windows Internet Authentication Service and implementations of Protected Extensible Authentication Protocol (PEAP). The security update is rated critical on Windows Server 2008 for 32-bit systems and x64-based systems.

A vulnerability in Microsoft Office Project is rated critical. MS09-074 affects Microsoft Project 2002 Service Pack 1, and Microsoft Office Project 2003 Service Pack 3. The application contains a memory validation vulnerability that could be exploited by an attacker passing a malicious Project file to a victim.

Microsoft issued three bulletins rated important. MS09-069 addresses a denial of service vulnerability through Internet Protocol security (IPsec). The flaw affects Microsoft Windows 2000, Windows XP, and Windows Server 2003. MS09-070 repairs a single sign-on spoofing error and a remote code execution vulnerability in Windows for users of ADFS-enabled Web servers. To carry out an attack, a user would need to be authenticated, Microsoft said. The bulletin affects Windows Server 2003, Windows Server 2003 and their x64 Editions. MS09-072, also rated important, repairs a vulnerability in Microsoft WordPad and Office Text Converters could allow remote code execution.

DNS protection released for Windows 2000 systems
Microsoft also re-released MS08-037 issuing the patch once again to Windows 2000 SP4 systems against a massive flaw in the domain name server (DNS). The vulnerability, a fundamental error in a wide range of domain name servers, was discovered by Dan Kaminsky in 2008. An attacker could exploit the flaw to conduct DNS poisoning attacks.

If it was previously installed, Microsoft advises Windows 2000 SP4 customers to re-install the patch as a result of the revision.

Two advisories released
As part of its automatic update system, Microsoft issued two advisories. The first updates the Indeo Codec for Windows XP and Windows Server 2003. The media codec is old, rarely used and being retired by Microsoft. The update blocks Indeo from being used in IE and Windows Media Player in the Internet Zone, limiting its threat exposure, Microsoft said.

The second advisory explains Microsoft authentication protections to help administrators harden their systems against man-in-the-middle attacks. In the Security Research and Defense Blog, Maarten Van Horenbeeck said Microsoft was updating the Windows platform to safeguard authentication credentials. The feature was released in August. The non-security update enables users of Windows HTTP services and IIS Web servers to use the new feature, which safeguards against an attack called credential relaying. The attack technique works by enabling an attacker to use stolen credentials to authenticate against third-party servers in which the victim has similar credentials.