Patch Tuesday update addresses vulnerabilities in DirectShow, SMB Protocol, ActiveX, Windows Shell Handler, and 32-bit Windows.
Microsoft fixed 26 vulnerabilities in 13 security bulletins as part of its Patch Tuesday, including critical ones for Windows that could be exploited to take control of a computer and one that has resided in the 32-bit Windows kernel since its release 17 years ago.
The top priorities for deployment are bulletins plugging holes in the SMB (Server Message Block) Protocol, Windows Shell Handler, ActiveX via Internet Explorer, DirectShow, and the 32-bit version of Windows, Jerry Bryant, a lead senior security communications manager at Microsoft, wrote in a blog post.
The DirectShow bulletin should be at the top of the list, according to Bryant. It is critical for all supported versions of Windows except Itanium-based server products. To exploit the hole, an attacker could host a malicious AVI (Audio Video Interleave) file on a Web site, and lure a user to visit the site or send the file via e-mail so the user could open it.
In the SMB bulletin, critical for all versions of Windows except Vista and Server 2008, an attacker would need to host a malicious server and convince a client system to connect to it, or an attacker could try to perform a man-in-the-middle attack by responding to SMB requests from clients, Bryant said.
In the critical Windows Shell Handler vulnerability, which affects Windows 2000, XP, and Server 2003, an attack could come via a specially crafted link that appears to be valid to the ShellExecute API (application programming interface).
The cumulative update for ActiveX Killbits is critical, but a Killbit does not address the underlying vulnerability. It is a registry setting that keeps the vulnerable ActiveX control from running in IE.
The vulnerability affecting the 32-bit Windows kernel, which Microsoft announced last month after Google engineer Tavis Ormandy disclosed it on a security e-mail list, could allow an attacker to elevate privileges to full system access once the attacker is already in the system.
Much has been made of the fact that the hole is 17 years old, but Ormandy said he informed Microsoft about it in June 2009. "You can criticize them for taking a long time to fix a bug," but not if they didn't know about it, said Pedram Amini, who runs the Zero Day Initiative.
Microsoft is aware of publicly available proof-of-concept code for that issue, but is not aware of any active attacks at this time, Bryant wrote.
The most important bug for IT security teams is the one affecting DirectShow, said Andrew Storm, director of security compliance at security firm nCircle. "The nature of the exploit lends itself to drive-by attacks that leave unsuspecting victims infected," he said. "Since media is what excites people most on the Internet today, an exploit of this bug would make it extremely easy to entice users to watch videos that are actually gateways to malware."
Meanwhile, the Shell Handler vulnerability has the potential for an unlimited amount of damage, which should make potential attackers take notice, he said.
This month's "sleeper update" is probably a hole in Windows TCP/IP (Transmission Control Protocol/Internet Protocol) that could allow remote code execution if specially crafted packets were sent to a computer with IPv6 enabled, said HD Moore, chief security officer of Rapid7. "While it has an exploitability rating of 2 based on the requirement for an attacker to be on-link to the target host, Wi-Fi access points provide link level connectivity to target systems," he said. "Customers should not confuse the exploitability index with exposure severity--the priority of this patch should be raised where mobile users are prevalent."
Two bulletins, both rated "important", affect older versions of Microsoft Office and could allow an attacker to remotely execute code on the computer via a hole in PowerPoint or via a specially crafted Office file.
The bulletins affect Windows 2000, XP, Vista, and Windows 7, as well as Server 2003 and 2008, Office XP, Office 2003, and Office 2004 for Mac, according to the advisory.
Microsoft also issued a security advisory to provide a work-around for a publicly known hole in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
Microsoft also updated its Malicious Software Removal Tool to include Win32/Pushbot, a worm that spreads via MSN Messenger and AIM and opens a backdoor so an attacker can take complete control of the machine.
Microsoft is still working on patches for a hole disclosed last week in Internet Explorer that could lead to data leakage and an SMB hole that was disclosed in November.
"The [SMB] issue cannot be used to allow an attacker to take control of a system remotely, but instead can result in a system becoming unresponsive due to resource consumption," Microsoft said in a statement. "At this time, Microsoft is not aware of any attacks using this vulnerability."
This article was first published as a blog post on CNET News.