This morning we released five security bulletins. All five carry a bulletin maximum severity rating of Critical, and two carry a bulletin maximum Exploitability Index rating of "1" (Consistent exploit code likely). We want to say a few words about each bulletin to help you prioritize your deployment this month.
The following table presents a high-level view of the severity of each of the five Critical bulletins and the platforms at reduced risk:
Windows Server 2008 is at reduced risk due to Enhanced Security Configuration.
The hardened heap improvements in Windows Vista and Windows Server 2008 make exploitation harder.
Information about MS09-045 and MS09-046
Information about MS09-047
The attack vector for both CVEs addressed by MS09-047 is again most likely a malicious website, but these vulnerabilities could also be exploited via media files attached to email. When a victim double-clicks the attachment and clicks “Open” on the dialog box, the media file could reach the vulnerable code. Both of these vulnerabilities were responsibly disclosed, with no attacks known in the wild. However, both are fairly straightforward, so it probably won’t take the community long to figure them out. We would not be surprised to see an exploit for one or both of these CVEs within the first month of release.
Information about MS09-048
Next up is MS09-048, addressing vulnerabilities in the TCP/IP stack implementation. To hit the vulnerable code, an attacker must flood a victim with specially crafted TCP/IP packets, inducing one of two denial-of-service outcomes:
CVE-2009-1925 is rated Critical because the attacker is forcing the system to call into a random kernel address. However, based on our research, the attacker does not have sufficient control of the address to reliably achieve code execution. You can read all about it in Mark Wodrich’s blog post here. The exploitability rating of this issue is “2.”
CVE-2008-4609 is the most likely issue from MS09-048 to be further researched as it was a coordinated release between multiple companies having the same vulnerability. Cisco is planning a 10am advisory release this morning as well. Check http://www.cisco.com/en/US/products/products_security_advisories_listing.html#advisory for more information from them.
Information about MS09-049
MS09-049 addresses an issue with the way Windows Vista handles wireless networking requests. An attacker able to send malformed wireless frames can cause the Windows Vista user-mode service (wlansvc) to crash. This will be tricky to exploit due to Windows Vista’s hardened heap manager. Attacks will most likely crash the service, disrupting the ability to browse for (or automatically connect to) new networks. If the machine is already associated with a network, it will remain connected. Attacks will not cause the machine to reboot. The community will likely discover the vulnerability; however, the Windows Vista heap mitigations will make it difficult to exploit reliably.
Thanks to Mark Wodrich for his analysis of the TCP/IP and wireless issues that went into this blog post. Big thanks also to the reviewers who re-shaped this post, making it much better than my original: Damian Hasse, Andrew Roths, Greg Wroblewski, Robert Hensing, and Gavin Thomas from the MSRC Engineering team, and Mike Reavey from MSRC Operations.
- Jonathan Ness, MSRC Engineering
*Posting is provided "AS IS" with no warranties, and confers no rights.*