Microsoft gives Internet Explorer a major security overhaul

By Robert Westervelt, News Editor
08 Dec 2009 | SearchSecurity.com


Microsoft wrapped up its final regular patch release of 2009 by issuing a massive security update for Internet Explorer, repairing a serious zero-day vulnerability and four other flaws in the browser.

The software giant issued six bulletins in December, three critical, repairing 12 vulnerabilities across its product line.

Security bulletin MS09-072 addresses a flaw for which proof-of-concept exploit code surfaced in a public forum last month; that code lets attackers use a flawed ActiveX control to gain access to a victim's system. The remote code execution vulnerability can enable an attacker to spread malicious code that bypasses IE security controls.

Jason Miller, data and security team leader at patch management vendor Shavlik Technologies, called the public availability of exploit code serious even though no active attacks have been detected in the wild.

"The fact that this is Internet Explorer raises this bulletin more than anything else because one of the number one attack vectors in the world is a browser," Miller said. "Visit an evil website with a vulnerable browser and you can allow viruses or a Trojan to come down onto your system."

The vulnerable ActiveX control was built using a flawed version of the Active Template Library (ATL), a massive error discovered by IBM ISS X-Force researchers last summer that has left a large number of browser components potentially vulnerable to attack. Microsoft issued an emergency update in July addressing the ATL flaw as it affected IE and Visual Studio.

The bulletin also repairs four other memory corruption vulnerabilities that are triggered when IE attempts to initialize objects in Web pages. The update is rated critical for all supported versions of Internet Explorer, including the latest version, IE 8.

MS09-071 addresses two Windows vulnerabilities that could enable an attacker to gain complete control of a machine. A memory corruption error and an authentication bypass vulnerability affect the Windows Internet Authentication Service and implementations of Protected Extensible Authentication Protocol (PEAP). The security update is rated critical on Windows Server 2008 for 32-bit systems and x64-based systems.

A vulnerability in Microsoft Office Project is rated critical. MS09-074 affects Microsoft Project 2002 Service Pack 1 and Microsoft Office Project 2003 Service Pack 3. The application contains a memory validation vulnerability that could be exploited by an attacker passing a malicious Project file to a victim.

Microsoft issued three bulletins rated important. MS09-069 addresses a denial of service vulnerability in Internet Protocol security (IPsec). The flaw affects Microsoft Windows 2000, Windows XP and Windows Server 2003. MS09-070 repairs a single sign-on spoofing error and a remote code execution vulnerability in Windows for users of ADFS-enabled Web servers. To carry out an attack, a user would need to be authenticated, Microsoft said. The bulletin affects Windows Server 2003, including the x64 Editions. MS09-072, also rated important, repairs a vulnerability in Microsoft WordPad and Office Text Converters that could allow remote code execution.

DNS protection released for Windows 2000 systems
Microsoft also re-released MS08-037, issuing the patch once again to Windows 2000 SP4 systems to protect against a massive flaw in the domain name server (DNS). The vulnerability, a fundamental error in a wide range of domain name servers, was discovered by Dan Kaminsky in 2008. An attacker could exploit the flaw to conduct DNS poisoning attacks.

Microsoft advises Windows 2000 SP4 customers who previously installed the patch to reinstall it because of the revision.

Two advisories released
As part of its automatic update system, Microsoft issued two advisories. The first updates the Indeo Codec for Windows XP and Windows Server 2003. The media codec is old, rarely used and being retired by Microsoft. The update blocks Indeo from being used in IE and Windows Media Player in the Internet Zone, limiting its exposure to attack, Microsoft said.

The second advisory explains Microsoft authentication protections that help administrators harden their systems against man-in-the-middle attacks. In the Security Research and Defense Blog, Maarten Van Horenbeeck said Microsoft was updating the Windows platform to safeguard authentication credentials. The feature was released in August. The non-security update enables users of Windows HTTP services and IIS Web servers to use the new feature, which safeguards against an attack called credential relaying. In that technique, an attacker uses stolen credentials to authenticate against third-party servers on which the victim has similar credentials.
