Microsoft plugs ActiveX security holes
Software maker addresses some longstanding issues, as well as some rare vulnerabilities
There were no surprises with Microsoft's six-patch release
on July 14, but there is plenty of work to be done, according to security pros.
With three "critical" and three "important" items in the July patch, Microsoft is addressing some longstanding issues as well as some rare security holes. As usual, items with remote code execution (RCE) implications dominate the slate, with four bulletins devoted to this exploit. The remaining bulletins are notable for attempting to keep elevation-of-privilege attacks at bay.
Microsoft also has been rather vocal about fixing various DirectX security bugs leading up to this patch.
"Microsoft's July Security Bulletin does not have any surprises due to the intense pre-release activity around the three zero-day advisories that came out in the last six weeks," said Wolfgang Kandek, chief technology officer of Qualys. "Microsoft had already announced that they would address two advisories with patches MS09-028 and MS09-032 for DirectShow and Microsoft Video, respectively."
Microsoft's Embedded OpenType font engine, which facilitates the formation and structure of text fonts used on Web pages, is first on the roster of critical items in the patch. The fix addresses two privately disclosed holes and is designed to stave off RCE exploits for all supported versions of Windows operating systems.
The second critical item resolves one publicly reported hole and two privately reported weaknesses in Microsoft DirectShow. At the heart of the matter is the DirectX multimedia control solution. The patch will affect DirectX versions 7.0, 8.1 and 9.0 running on systems using Windows XP, Windows 2000 and Windows Server 2003.
In May, Microsoft began an investigation of a DirectX bug in its DirectShow framework for multimedia files. In June, the company announced it was investigating a potential DirectX bug in Internet Explorer.
The third critical item is what many security experts see as most critical because it suggests what Redmond plans to do to fix its many recurring ActiveX exploit problems.
This fix is a "cumulative security update of ActiveX kill bits," but it only resolves "a privately reported vulnerability" in Microsoft Video ActiveX control. Left unpatched, the vulnerability could allow RCE attacks via a malicious Web page where ActiveX controls are enabled.
Users with accounts configured to have fewer user rights on the system could be affected less by this bug than users with administrative rights.
"Typically, the fear is that you're downloading and installing a malicious ActiveX control from an untrustworthy source," said Eric Voskuil, chief technology officer of access control solution provider BeyondTrust. "But here we're seeing the dangers from vulnerabilities in multiple nonmalicious ActiveX controls from a known trusted source, Microsoft. In both situations, implementing the best practice of least privilege can have significant security benefits."
Kandek added that Monday's zero-day security advisory on ActiveX in Microsoft Office Web Components was nominally addressed through the cumulative patch rollout. However, he cautioned that "until an actual patch comes," IT pros should take a close look at the workaround published in Redmond's knowledgebase article released on Monday.
Yet another security gadfly, Tyler Reguly, doesn't think Redmond went far enough with these ActiveX security bulletins.
"It's interesting to once again see Microsoft issuing a bulletin for an ActiveX control, especially since the fix to this issue isn't to patch but to simply set kill bits," said Reguly who is senior security engineer at nCircle. "This means if the malicious individual can manage to convince you to revert the kill bits, then you're once again vulnerable. This is a really sad day, when a poor mitigation is acceptable as a valid patch. I expect more from Microsoft."
The first "important" fix is designed to stop potential elevation-of-privilege attacks in Microsoft Virtual PC 2004 and Microsoft Virtual PC 2007 editions, as well as Microsoft Virtual Server 2005 R2 and Virtual Server 2005 R2 x64.
Redmond is addressing a vulnerability that could allow for code execution on an infected "guest operating system." Having floating operating systems and guest sessions are key aspects of running virtual machines.
The second important fix addresses Microsoft Internet Security and Acceleration Server 2006. ISA servers provide an application-layer firewall and protect Web servers. The patch is said to help thwart a scenario where "an attacker successfully impersonates an administrative user account" for an ISA server configured specifically for Radius One Time password parameters.
Such a highly technical attack may make this vulnerability less of a risk, security experts say.
"These [ISA Server 2006 and Virtual PC patches] are some you don't see very often," said Eric Schultze, chief technology officer at Shavlik Technologies.
The last important item deals with 2007 Microsoft Office System Service Pack 1 in general, and Microsoft Office Publisher 2007 Service Pack 1 in particular. It is the rollout's fourth RCE exploit fix and is made to protect against an exploit trigger that happens when a user opens a malicious Publisher file.
All six items may require a restart.
Microsoft also provides a July knowledgebase article that describes nonsecurity changes for Vista and Windows Server 2008 as delivered via Windows Update, Microsoft Update and Windows Server Update Services.
Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.