Colossal Patch Tuesday addresses 31 Windows, IE8 vulnerabilities
Just when it appeared Windows and its associated services were looking more stable month after month, Microsoft chose June to tackle a plethora of vulnerabilities including no fewer than 14 that its security engineers believe could be exploitable within the next 30 days.
Microsoft Security Response Center engineers Adrian Stone and Jerry Bryant were audibly panting as they delivered the news to Microsoft customers today. One critical remote code execution vulnerability that's being treated very seriously affects a much older version of the server product, Windows 2000 Server with Service Pack 4 serving as domain controllers, and running Lightweight Directory Access Protocol. "While it's ranked as a '1,' which means we expect it to be easily exploitable over the next 30 days after [the patch] is released," explained Security Program Manager Lead Adrian Stone, "...it was privately disclosed to us. A security researcher worked with MSRC responsibly to make sure that we did address the vulnerability and release it without any knowledge of the vulnerability to date. It's not being actively exploited, nor is there any data publicly available at this time that talks about [it] in in-depth, technical detail."
That's actually phenomenal news in itself, because Microsoft disclosed the existence of the problem last October. The fact that no one took the bait with this one could be partly due to the age of the OS in question; Windows 2000 Server's support lifecycle is due to expire in a mere five weeks.
"Any time you're talking about remote code execution," Stone warned, "and a network vulnerable-by-default scenario, which is the case with LDAP, with this particular vulnerability, this one would be very high...in my priority to go patch this month."
The first cumulative update for Internet Explorer 8 is also part of today's batch of fixes. It includes a patch for a problem that was identified, Stone admitted, during last March's CanSecWest security conference in Vancouver. There, as part of the conference's "Pwn2Own" contest, one security researcher successfully wrested control of a Sony Vaio running a pre-release version of IE8 on a Windows 7 beta.
"It was a very interesting discovery," said Stone today, "...one of the unique opportunities of being able to work with the security community to identify vulnerabilities in our products, especially prior to release and prior to launch. Soon after, we had an update in hand to address the issue."
Interestingly, Stone went on to say that the vulnerable code in question is normally not reachable from outside, thanks to two technologies introduced with Windows Vista: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). For that reason, the vulnerability rates only a more moderate "3" on Microsoft's exploitability index for Vista specifically, while rating a "1" (the highest level) on Windows XP. While Stone didn't go on to mention this little fact, it was a Windows 7 beta machine that was "pwned" at CanSecWest, and the exploitability index for Win7 is also being rated a "1."
As company security engineer Jonathan Ness explained last March after the Vaio machine went down, "The final release of Internet Explorer 8 on Windows Vista blocks the .NET DEP+ASLR bypass mechanism from malicious Web sites on the Internet. Specifically, IE8 created a new URLAction that regulates loading of the .NET MIME filter. By default, the URLAction prevents it from loading in the Internet and Restricted Sites Zones. The .NET MIME filter is allowed to load by default in the Intranet Zone."
But the mitigation that Ness refers to may not yield the same results on the Windows 7 Release Candidate, for reasons no one has yet explained, although the relative severity of the vulnerability on Win7 is being acknowledged. The cumulative update in the bulletin issued today will address the CanSecWest issue for all current versions of Windows, although it will likely matter most to users of XP and Win7 RC.