October Microsoft Patch Tuesday
Microsoft has announced 13 new patches for its monthly patch release cycle. These patches fix multiple Microsoft products, including Windows, Internet Explorer, Microsoft Office, and Microsoft .NET Framework. Eight patches are rated Critical; they affect all of the previously listed products and fix vulnerabilities that allow remote code execution on vulnerable systems. Gladiator recommends that users immediately apply all Critical patches to their systems. Detailed information for the patches can be found in Microsoft’s October Security Bulletin. Summary information is included below:
- Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) MS09-050 – This update fixes two privately reported remote code execution vulnerabilities in Windows SMBv2. These vulnerabilities are rated Critical and should be patched as soon as possible.
- Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682) MS09-051 – This update fixes two privately reported vulnerabilities in Windows Media Runtime. These vulnerabilities are rated Critical and should be patched as soon as possible on all workstations and servers.
- Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112) MS09-052 – This patch fixes a privately reported vulnerability in Windows Media Player when playing an ASF file. This vulnerability allows remote code execution. Gladiator recommends that all workstation systems be patched as soon as possible.
- Cumulative Security Update for Internet Explorer (974455) MS09-054 – This patch fixes three privately disclosed vulnerabilities in Internet Explorer, all of which allow remote code execution. Gladiator recommends that users apply this patch as soon as possible to all systems.
- Cumulative Security Update of ActiveX Kill Bits (973525) MS09-055 – This patch disables ActiveX controls that are currently being exploited on the Internet. Gladiator recommends that users apply this patch as soon as possible to all systems.
- Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965) MS09-060 – This vulnerability affects ActiveX controls that were compiled using a vulnerable version of ATL on systems with Microsoft Office. This patch is rated Critical. Gladiator recommends that users patch all systems affected by this vulnerability.
- Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378) MS09-061 – This patch resolves three privately disclosed vulnerabilities in the .NET and Silverlight libraries. This patch is rated Critical by Microsoft. A system can be compromised by visiting a malicious website. Gladiator recommends that users apply this patch as soon as possible.
- Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488) MS09-062 – This patch resolves several privately disclosed vulnerabilities in GDI+ (a component of Microsoft Windows). This patch is rated Critical by Microsoft. Gladiator recommends that users apply this patch immediately.
- Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) MS09-053 – This patch resolves two publicly disclosed vulnerabilities in IIS. This patch is rated Important by Microsoft. The vulnerabilities affect different IIS versions differently; refer to the Microsoft Bulletin for details. Gladiator recommends that users apply this patch to all Microsoft FTP Servers.
- Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571) MS09-056 – This patch resolves two publicly disclosed vulnerabilities in Microsoft Windows. If unpatched, an attacker may be able to spoof his identity. This patch is rated Important by Microsoft. Gladiator recommends applying this patch during your regularly scheduled patch cycle.
- Vulnerability in Indexing Service Could Allow Remote Code Execution (969059) MS09-057 – This patch resolves a privately reported vulnerability in the Windows Indexing Service. A machine could be exploited by a malicious website to run arbitrary code. Microsoft rates this patch as Important. Gladiator recommends users apply this patch as soon as possible.
- Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (971486) MS09-058 – This patch resolves several privately reported vulnerabilities in the Windows Kernel, which could allow for an escalation of privileges. This patch is rated Important by Microsoft. Gladiator recommends applying this patch during your regularly scheduled patch cycle.
- Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467) MS09-059 – This patch resolves a privately reported vulnerability in Microsoft Windows LSASS (used during authentication). A denial-of-service issue could exist if this patch is not applied. This patch is rated Important by Microsoft. An attacker must have access to a system with the ability to authenticate using the NTLM protocol to take advantage of this vulnerability. Gladiator recommends users patch their systems during the regularly scheduled patch cycle.
Gladiator recommends that users patch their systems quickly for MS09-050 through MS09-055, MS09-057, and MS09-060 through MS09-062, as exploit code has either been released or is likely to be released in the near future.
Related Links:
- Microsoft Security Bulletin (http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx)
- US-CERT Technical Alert (http://www.us-cert.gov/cas/techalerts/TA09-286A.html)
- SANS ISC Diary Entry (http://isc.sans.org/diary.html?storyid=7345)