Gladiator Research and Security

Microsoft has announced nine new patches for its monthly patch release cycle.  These patches fix multiple Microsoft products, including Windows, Remote Desktop, Office, Telnet, and more.   Five patches are rated Critical, allowing for remote code execution on vulnerable systems.   The other four patches are rated Important, leading to elevation of privileges, denial of service, and a remote code exploit for Telnet.  Gladiator recommends that users immediately apply all Critical patches to their systems. Detailed information for the patches can be found in Microsoft’s August Security Bulletin.  Summary information is included below:

• Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638) (MS09-043) – This update fixes several remote code execution vulnerabilities in Microsoft Office Web Components.  This patch is rated Critical, and should be applied as soon as possible.  This vulnerability is exploitable by visiting a malicious website.
• Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927) (MS09-044) – This update fixes two remote code execution vulnerabilities in a Remote Desktop Connection.  This patch is rated Critical, and should be applied as soon as possible.  This vulnerability is exploitable by visiting a malicious website.
• Vulnerabilities in WINS Could Allow Remote Code Execution (969883) (MS09-039) - This update fixes two remote code execution vulnerabilities in WINS.  This patch is rated Critical and should be applied as soon as possible.  This vulnerability is exploitable by sending malicious packets to the WINS service.  This service is not installed by default on new servers, and is not allowed inbound from the Internet on Gladiator monitored firewalls in a default setup.
• Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557) (MS09-038) – This update fixes two remote code execution vulnerabilities in Windows Media File processing.  This patch is rated Critical and should be applied as soon as possible.  This vulnerability is exploitable by running maliciously crafted AVI files.  These files could be downloaded from a malicious website or attached to an email.
• Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908) (MS09-037) – This update fixes several remote code execution vulnerabilities in Microsoft Active Template Library.  This patch is rated Critical and should be applied as soon as possible.  This vulnerability is exploitable by visiting a malicious website.
• Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657) (MS09-041) – This update fixes an elevation of privilege vulnerability in the Workstation Service.  This vulnerability could lead to remote code execution.  This patch is rated Important and should be applied during your regularly scheduled patch release cycle.
• Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032) (MS09-040) – This update fixes an elevation of privilege vulnerability in the Message Queuing Service.  This service is not installed by default.  This patch is rated Important and should be applied during your regularly scheduled patch release cycle.
• Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957) (MS09-036) - This update fixes a denial of service vulnerability in the ASP.NET.  This vulnerability is only exploitable if IIS 7.0 is installed.  This patch is rated Important and should be applied during your regularly scheduled patch release cycle.
• Vulnerability in Telnet Could Allow Remote Code Execution (960859) (MS09-042) – This update fixes a remote code execution vulnerability in the Telnet service.  This vulnerability allows an attacker to gain system credentials, which could then be used to run code on a remote system.  This patch is rated Important and should be applied during your regularly scheduled patch release cycle.

Gladiator recommends that users patch their systems quickly for MS09-037, MS09-038, MS09-039, MS09-043, and MS09-044 as exploit code has either been released or is likely to be released in the near future.

Related Links:

• Microsoft Security Bulletin (http://www.microsoft.com/technet/security/bulletin/MS09-aug.mspx?pubDate=2009-08-11)
• SANS ISC Diary (http://isc.sans.org/diary.html?storyid=6937)