This morning we released five security bulletins, all of them having a bulletin maximum severity rating of Critical and two having a bulletin maximum exploitability index rating of "1" (Consistent exploit code likely). We wanted to just say a few words about each bulletin to help you prioritize your deployment this month.

The following table gives a high-level view of the severity of each of the five Critical bulletins and the platforms that are at reduced risk:

| Bulletin | Primary Attack Vector | Max Exploitability Index | Likely first 30 days Impact | Platform mitigations |
|---|---|---|---|---|
| MS09-047 | IE browsing to malicious website; ASF or MP3 files attached to email. | 1 | Exploit developed for code execution in context of logged-in user. | IE8 running on XP SP3 or Vista SP1 at reduced risk due to DEP. Windows Server 2003 and 2008 at reduced risk due to Enhanced Security Configuration. The hardened heap improvements in Vista and Windows Server 2008 make exploitation harder. |
| MS09-045 | IE browsing to malicious website. | 1 | Exploit developed for code execution in context of logged-in user. | IE8 running on XP SP3 or Vista SP1 at reduced risk due to DEP. Windows Server 2003 and 2008 at reduced risk due to Enhanced Security Configuration. |
| MS09-048 | Attacker sending stream of malicious TCP/IP packets. | 2 | Exploit developed causing a machine resource exhaustion denial-of-service. | Windows Vista not affected in "Public" network profile. |
| MS09-049 | Attacker sends malformed wireless frames to nearby workstation. | 2 | Exploit developed causing wlansvc service to crash. | Windows Server 2008 at reduced risk due to Enhanced Security Configuration. The hardened heap improvements in Vista and Windows Server 2008 make exploitation harder. |
| MS09-046 | IE browsing to malicious website. | 2 | Exploit developed causing IE to crash. | IE8 running on XP SP3 at reduced risk due to DEP. Windows Server 2003 at reduced risk due to Enhanced Security Configuration. |
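The "Platform mitigations" column only helps if you know which of your hosts actually have them. The following PowerShell function is an added example (not part of the original post or any MSRC tooling) that inventories the mitigations the table relies on: DEP availability and policy, the installed IE version, and whether IE Enhanced Security Configuration is enabled. It assumes PowerShell 2.0 with local WMI and registry access; the ESC Active Setup GUIDs are the documented admin and user ESC component IDs.

```powershell
# Added example, not from the original post: report the platform mitigations
# referenced in the bulletin table so a host's exposure can be judged before
# deploying the updates. Assumes PowerShell 2.0 with WMI and registry access.
function Get-MitigationStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # DEP support policy values: 0=AlwaysOff, 1=AlwaysOn, 2=OptIn, 3=OptOut.
    # IE8 opts itself in to DEP on XP SP3 / Vista SP1, so OptIn is enough
    # as long as DEP is available at all on the hardware.
    $depAvailable = [bool]$os.DataExecutionPrevention_Available
    $depPolicy    = $os.DataExecutionPrevention_SupportPolicy

    # Installed IE version string, e.g. "8.0.6001.18702".
    $ieVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' `
                    -ErrorAction SilentlyContinue).Version

    # IE Enhanced Security Configuration (server SKUs). These two Active Setup
    # component GUIDs are the admin and user ESC entries; IsInstalled = 1 means on.
    $escBase  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\'
    $escAdmin = (Get-ItemProperty ($escBase + '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}') `
                    -ErrorAction SilentlyContinue).IsInstalled
    $escUser  = (Get-ItemProperty ($escBase + '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}') `
                    -ErrorAction SilentlyContinue).IsInstalled

    $ie8WithDep = $depAvailable -and ($depPolicy -ge 1) -and
                  ($ieVersion -ne $null) -and $ieVersion.StartsWith('8.')

    New-Object PSObject -Property @{
        OSCaption       = $os.Caption
        ServicePack     = $os.CSDVersion
        IEVersion       = $ieVersion
        DEPAvailable    = $depAvailable
        DEPPolicy       = $depPolicy
        IEESCAdmin      = ($escAdmin -eq 1)
        IEESCUser       = ($escUser -eq 1)
        # True when the table's "IE8 ... at reduced risk due to DEP" row applies.
        IE8DEPMitigated = $ie8WithDep
    }
}

# Usage: list the fields most relevant to MS09-045/046/047 prioritization.
Get-MitigationStatus | Format-List OSCaption, ServicePack, IEVersion, DEPPolicy, IE8DEPMitigated, IEESCAdmin, IEESCUser
```

Hosts where IE8DEPMitigated and both ESC flags are false are the ones to patch first for the browser bulletins; the hardened-heap mitigation follows from the OSCaption (Vista or Windows Server 2008).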

Information about MS09-045 and MS09-046

MS09-045 and MS09-046 are both "drive-by-style" vulnerabilities. The attack vector is most likely malicious websites hosting specially-crafted JavaScript (MS09-045) or malicious use of the DHTML ActiveX control (MS09-046) to infect browsing users. Vulnerabilities that confuse the script engine can be tough to reverse-engineer from the update, so it may take a while for attackers to discover and weaponize them. We still might see a reliable exploit within 30 days, hence the "1" rating for MS09-045. The MS09-046 repro is more straightforward and is likely to be discovered, but it will be more difficult to produce a reliable exploit for code execution.

Information about MS09-047

The attack vector for both CVEs addressed by MS09-047 is most likely again a malicious website, but these vulnerabilities could also be exploited via media files attached to email. When a victim double-clicks the attachment and clicks "Open" on the dialog box, the media file could hit the vulnerable code. Both of these vulnerabilities were responsibly disclosed with no attacks known in the wild. However, both are fairly straightforward, so it probably won't take the community long to figure them out. We would not be surprised to see an exploit for one or both of these CVEs within the first month of release.

Information about MS09-048

Next up is MS09-048, addressing vulnerabilities in the TCP/IP stack implementation. To hit the vulnerable code, an attacker must flood a victim with specially-crafted TCP/IP packets, inducing one of two denial-of-service outcomes:

  • System runs out of non-paged pool memory (CVE-2008-4609 and CVE-2009-1926)
  • System incorrectly handles the hash value of a connection, crashing in kernel-mode code leading to a reboot / blue-screen-of-death (CVE-2009-1925)

CVE-2009-1925 is rated Critical because the attacker is forcing the system to call into a random kernel address. However, based on our research, the attacker does not have sufficient control of the address to reliably achieve code execution. You can read all about it in Mark Wodrich's blog post here. The exploitability rating of this issue is "2."

CVE-2008-4609 is the most likely issue from MS09-048 to be further researched, as it was a coordinated release between multiple companies having the same vulnerability. Cisco is planning a 10am advisory release this morning as well. Check http://www.cisco.com/en/US/products/products_security_advisories_listing.html#advisory for more information from them.

Information about MS09-049

MS09-049 addresses an issue with the way Windows Vista handles wireless networking requests. An attacker able to send malformed wireless frames can cause the Windows Vista user-mode service (wlansvc) to crash. This will be tricky to exploit due to Windows Vista's hardened heap manager. Attacks will most likely crash the service, disrupting the ability to browse for (or automatically connect to) new networks. If already associated with a network, the machine will remain connected. Attacks will not cause the machine to reboot. The community will likely discover the vulnerability; however, the Windows Vista heap mitigations will make it difficult to reliably exploit.

Thanks to Mark Wodrich for the analysis of the TCP/IP and wireless issues that went into this blog post. Big thanks also to the reviewers who re-shaped this post, making it much better than my original: Damian Hasse, Andrew Roths, Greg Wroblewski, Robert Hensing, and Gavin Thomas from the MSRC Engineering team; Mike Reavey from MSRC Operations.

- Jonathan Ness, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*