Microsoft patches 26 holes in Windows and Office across 13 bulletins
Microsoft fixed 26 vulnerabilities in 13 security bulletins as part of its Patch Tuesday, including critical ones for Windows that could be exploited to take control of a computer and one that has resided in the 32-bit Windows kernel since its release 17 years ago.
The top priorities for deployment are bulletins plugging holes in the SMB (Server Message Block) Protocol, Windows Shell Handler, ActiveX via Internet Explorer, DirectShow, and a hole in the 32-bit version of Windows, Jerry Bryant, a lead senior security communications manager at Microsoft, wrote in a blog post.
The DirectShow bulletin should be at the top of the list, according to Bryant. It is critical for all supported versions of Windows except Itanium-based server products. To exploit the hole an attacker could host a malicious AVI [Audio Video Interleave] file on a Web site and lure a user to visit the site or send the file via e-mail so the user could open it.
In the SMB bulletin, critical for all versions of Windows except Vista and Server 2008, an attacker would need to host a malicious server and convince a client system to connect to it, or an attacker could try to perform a man-in-the-middle attack by responding to SMB requests from clients, Bryant said.
In the critical Windows Shell Handler vulnerability, which affects Windows 2000, XP and Server 2003, an attack could come via a specially crafted link that appears to be valid to the ShellExecute API [application programming interface].
The cumulative update for ActiveX Killbits is critical, but a Killbit does not address the underlying vulnerability. It is a registry setting that keeps the vulnerable ActiveX control from running in IE.
The vulnerability affecting the 32-bit Windows kernel, which Microsoft announced last month after Google engineer Tavis Ormandy disclosed it on a security e-mail list, could allow an attacker to elevate privileges to full system access once the attacker is already in the system.
Much has been made of the fact that the hole is 17 years old, but Ormandy said he informed Microsoft about it in June 2009. “You can criticize them for taking a long time to fix a bug,” but not if they didn’t know about it, said Pedram Amini, who runs the Zero Day Initiative.
Microsoft is aware of publicly available proof-of-concept code for that issue, but is not aware of any active attacks at this time, Bryant wrote.
Two bulletins, both rated “important,” affect older versions of Microsoft Office and could allow an attacker to remotely execute code on the computer via a hole in PowerPoint or via a specially crafted Office file.
The bulletins affect Windows 2000, XP, Vista, and Windows 7, as well as Server 2003 and 2008, Office XP, Office 2003 and Office 2004 for Mac, according to the advisory.
Microsoft also issued a security advisory to provide a workaround for a publicly-known hole in the Transport Layer Security [TLS] and Secure Sockets Layer [SSL] protocols.
And Microsoft updated its Malicious Software Removal Tool to include Win32/Pushbot, a worm that spreads via MSN Messenger and AIM and opens a backdoor so an attacker can take complete control of the machine.
Microsoft is still working on patches for a hole in Internet Explorer that could lead to data leakage and which was disclosed last week, and an SMB hole that was disclosed in November.
“The [SMB] issue cannot be used to allow an attacker to take control of a system remotely, but instead can result in a system becoming unresponsive due to resource consumption,” Microsoft said in a statement. “At this time, Microsoft is not aware of any attacks using this vulnerability.”
Via CNET News.com