This morning we released 13 security bulletins, our largest release of 2009. Altogether, these bulletins address 34 separate CVEs. We’d like to use this blog post to help you prioritize your deployment of the updates.
Prioritization Criteria
We’ve provided a prioritized list of bulletins in the table below. The prioritization is based on the following criteria:
1. The bulletins are grouped and sorted according to Bulletin Severity and Exploitability Index.
2. Within each group we prioritize the bulletins with publicly available exploit code ahead of the others.
3. After that we list bulletins where technical details of the vulnerability have been widely discussed, even if no exploit is publicly available.
4. Finally, we take into account platform mitigations that impact the reliability of exploits.
Prioritization Table
Bulletin | Most Likely Attack Vector | Bulletin Severity | Max Exploitability Index | Likely Impact in First 30 Days | Platform Mitigations |
---|---|---|---|---|---|
MS09-051 (Speech codec) | Browsing to a malicious website or opening an ASF file (WMA, WMV) attached to email. | Critical | 1 | We have reports from partners of limited attacks in the wild. | |
MS09-050 (SMBv2) | Attacker initiates a network connection to a vulnerable workstation or server. This would most likely be an attacker on the local subnet, as SMB is typically blocked by edge firewalls. | Critical | 1 | We are aware of reliable working exploit code distributed to a limited number of customers. We are also aware of unreliable exploit code available publicly. We have not, however, heard of customers being exploited by this vulnerability. We expect working, reliable exploit code to be made public within the next 30 days. | Windows Vista not affected when the 'Public' network profile is in use. |
MS09-054(IE) | Browse to a malicious website. | Critical | 1 | One of the vulnerabilities addressed was presented publicly at BlackHat. We are not aware of any active exploits for these issues at time of release; however, we expect reliable exploit code to be made public within the next 30 days. | Windows Server 2003, 2008 and 2008 R2 at reduced risk due to Enhanced Security Configuration. |
MS09-061(.NET) | Browse to a website hosting a malicious .NET application that runs in the browser. | Critical | 1 | One of the vulnerabilities was posted on a public forum. However, we are not aware of any working exploits for the issue or customers who have been impacted. We expect reliable exploit code to be made public within the next 30 days. | Windows Server 2003, 2008 and 2008 R2 at reduced risk due to Enhanced Security Configuration. |
MS09-062(GDI+) | Browse to a malicious website or click on an image attached to an email | Critical | 1 | All vulnerabilities addressed have been responsibly disclosed. We expect reliable exploit code to be made public within the next 30 days. | Windows Server 2003 and 2008 at reduced risk due to Enhanced Security Configuration. |
MS09-052 (WMP) | Browsing to a malicious website or opening an ASF file (WMA, WMV) attached to email. | Critical | 1 | This vulnerability was responsibly disclosed. We expect attackers could develop a reliable exploit; however, only systems with Windows Media Player 6.4 are vulnerable. Therefore, the likelihood of attackers choosing to write exploits for this vulnerability is lower. | |
MS09-055, MS09-060(ActiveX, Office ATL) | Browsing to a malicious website that instantiates an ActiveX control in a malicious manner. | Critical | 1 | So far, the only ATL-related vulnerability that has been exploited in the real world is msvidctl.dll, addressed by MS09-032. No other ATL vulnerabilities have been exploited. We expect the IE defense-in-depth mitigation combined with the difficulty building custom ATL streams to make these vulnerabilities less likely to be exploited. | |
MS09-057(query.dll) | Browsing to a website that scripts an ActiveX control in a malicious manner. | Important | 2 | This vulnerability was responsibly disclosed. This one is less likely to see a working reliable exploit made publicly available due to the nature of the vulnerability. | |
MS09-053 (IIS) | The FTP server would need to grant untrusted users the ability to log in and create a specially crafted directory. An attacker who successfully exploited this vulnerability could execute code in the context of LocalSystem, the account under which the FTP service runs. IIS 5 and IIS 6 are affected. | Important | 1 | Public exploits are available for this issue. | Internet Information Services 6.0 on Windows Server 2003 is at reduced risk because it was compiled with the /GS compiler option. |
MS09-059(LSASS) | Attacker initiates a network connection to a vulnerable workstation or server. LSASS crashes and forces the machine to reboot. | Important | 3 | This issue was responsibly disclosed. The impact of this vulnerability is denial-of-service only. | |
MS09-058(Kernel) | An unprivileged user with logon rights and ability to run arbitrary executables can compromise a system locally. | Important | 2 | We rarely see exploits developed for local elevation of privilege vulnerabilities within the first 30 days after release. | |
MS09-056 (X.509) | Spoofing threat | Important | 3 | Attack details are public, but code execution is not possible. We have seen limited exploitation of the spoofing threat. | |
It is important to factor in your organization’s potential attack surface when deciding in which order to apply the updates. For example, if you grant FTP access to untrusted users, MS09-053 might be the most critical security update for you despite its “Important” rating. If your organization does not have Windows Vista or Windows Server 2008 systems, MS09-050 is less relevant for you because SMBv2 is not supported on earlier systems.
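As an added example (it is not part of the original post and not a Microsoft tool), the following Python encodes the four prioritization criteria listed above together with the two environment adjustments just described. The bulletin records are transcribed from the table; the `tags`, the `in_the_wild` flag (ranked ahead of public exploit code, which the table does implicitly for MS09-051) and the `Environment` class are this example's own assumptions. The published table also reflects analyst judgment (for instance MS09-062 is listed ahead of MS09-052 despite its server-side mitigation), so treat the function as a starting point for your own triage rather than a reproduction of the table.

```python
"""Bulletin triage ordering for the October 2009 release.

Added example: encodes the four stated prioritization criteria plus the
attack-surface adjustments for FTP and SMBv2.  Tags, the in_the_wild flag
and the Environment class are modelling assumptions, not Microsoft data.
"""
from dataclasses import dataclass
from typing import List

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass
class Bulletin:
    id: str
    severity: str          # Bulletin Severity as published
    exploitability: int    # Exploitability Index (1 = consistent exploit likely)
    in_the_wild: bool      # attacks already reported (assumed extra criterion)
    public_exploit: bool   # working or unreliable exploit code is public
    public_details: bool   # technical details discussed publicly
    mitigated: bool        # a platform mitigation reduces exploit reliability
    tags: tuple = ()       # assumed attack-surface tags used by Environment


@dataclass
class Environment:
    untrusted_ftp_users: bool = False   # FTP logons granted to untrusted users
    has_vista_or_2008: bool = True      # SMBv2 only exists on Vista/2008


# Transcribed from the prioritization table (flags are this example's reading of it).
OCTOBER_2009: List[Bulletin] = [
    Bulletin("MS09-051", "Critical", 1, True, False, False, False, ("browser", "email")),
    Bulletin("MS09-050", "Critical", 1, False, True, True, True, ("smbv2",)),
    Bulletin("MS09-054", "Critical", 1, False, False, True, True, ("browser",)),
    Bulletin("MS09-061", "Critical", 1, False, False, True, True, ("browser",)),
    Bulletin("MS09-062", "Critical", 1, False, False, False, True, ("browser", "email")),
    Bulletin("MS09-052", "Critical", 1, False, False, False, False, ("browser", "email")),
    Bulletin("MS09-055", "Critical", 1, False, False, False, False, ("browser",)),
    Bulletin("MS09-060", "Critical", 1, False, False, False, False, ("browser",)),
    Bulletin("MS09-057", "Important", 2, False, False, False, False, ("browser",)),
    Bulletin("MS09-053", "Important", 1, False, True, True, True, ("ftp",)),
    Bulletin("MS09-059", "Important", 3, False, False, False, False, ("network", "dos")),
    Bulletin("MS09-058", "Important", 2, False, False, False, False, ("local",)),
    Bulletin("MS09-056", "Important", 3, True, False, True, False, ("spoofing",)),
]


def sort_key(b: Bulletin):
    """Lower tuples sort first.

    Criterion 1: group by severity, then Exploitability Index.
    Criteria 2-3: within a group, in-the-wild attacks, then public exploit
    code, then public technical details, outrank bulletins with neither.
    Criterion 4: a platform mitigation moves a bulletin down within its group.
    """
    return (
        SEVERITY_RANK[b.severity],
        b.exploitability,
        0 if b.in_the_wild else 1,
        0 if b.public_exploit else 1,
        0 if b.public_details else 1,
        1 if b.mitigated else 0,
    )


def prioritize(bulletins: List[Bulletin], env: Environment) -> List[str]:
    """Return bulletin IDs in deployment order for the given environment."""
    # SMBv2 is not supported before Vista/2008: without those systems,
    # MS09-050 has nothing to patch and is dropped from the list.
    applicable = [b for b in bulletins
                  if not ("smbv2" in b.tags and not env.has_vista_or_2008)]
    applicable.sort(key=sort_key)   # stable: ties keep table order
    if env.untrusted_ftp_users:
        # Untrusted FTP logons make MS09-053 the most critical update
        # for this organization despite its "Important" rating.
        ftp = [b for b in applicable if "ftp" in b.tags]
        applicable = ftp + [b for b in applicable if b not in ftp]
    return [b.id for b in applicable]


if __name__ == "__main__":
    for label, env in [("default", Environment()),
                       ("untrusted FTP, no Vista/2008",
                        Environment(untrusted_ftp_users=True, has_vista_or_2008=False))]:
        print(f"{label}: {prioritize(OCTOBER_2009, env)}")
```

Running the block prints the two orderings; in the default environment MS09-051 and MS09-050 lead, while an organization with untrusted FTP users and no Vista or 2008 systems gets MS09-053 first and MS09-050 removed.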
SRD Blog Posts This Month
In addition to this we’ve written several blog entries to help you understand the vulnerabilities more deeply and help you make a more informed risk analysis as you prepare to deploy these updates. Here are the topics covered:
MS09-051: Chen describes how you can know whether a system is vulnerable to this Windows Media Player issue, how the codec download behavior works, and what you can do to protect vulnerable systems. [link]
MS09-050: Mark walks through the history of the exploit landscape for the publicly disclosed SMB remote code execution vulnerability to help you understand the risk to your environment. [link]
MS09-054: Chen explains why there is a Firefox attack vector for this Internet Explorer bulletin, and how you can disable this attack surface if you choose to do so. [link]
MS09-061: Kevin lists the attack vectors for this .NET security bulletin and the various workaround options available. He also explains why we recommend disabling partially-trusted .NET applications and not fully-trusted .NET applications. [link]
MS09-062: Kevin discusses the “kill switches” for GDI+ image format parsers. He shows how you can permanently disable the parsing of, say, TIFF files as a defense-in-depth measure or in response to an unpatched vulnerability. [link]
MS09-056: Maarten outlines the impact of the X.509 / ASN.1 vulnerabilities and highlights some mitigating factors that make them less severe than you might think. [link]
We hope that helps you understand this month’s large security bulletin release. Please email us with any questions.
- Jonathan Ness and Andrew Roths, MSRC Engineering
Special thanks to the entire MSRC Engineering staff for their work on this month’s security bulletins and blogs.