Microsoft Fixes Critical IE Bug In Final 2009 Patch Tuesday Update
Included in the December patch load were three bulletins fixing seven flaws ranked with the highest severity rating of critical, which affected numerous versions of Windows, including Windows 7, XP, Vista and 2000, Server 2003 and 2008, as well as several versions of the IE Web browser. In addition, Microsoft also issued three patches with the less severe ranking of "important."
Altogether, Microsoft's December patch plugged holes in IE, Microsoft Office, Active Directory Federation Services, Internet Authentication Service, and Local Security Authority Subsystem Service.
However, security experts say that the most significant patch this month was a cumulative fix for four critical errors in IE 6 and 7 running on Windows XP, Windows Server 2003, Vista and Server 2008. The hole enabled hackers to infect users with malicious code either by compromising legitimate Web sites or by enticing them to view a malicious Web page, usually through some kind of social engineering scheme delivered via e-mail. Users would then automatically download malware onto their systems once they viewed the site, which could enable attackers to take over the users' PCs to record keystrokes and steal information.
"IE is a pretty important piece of software to patch," said Jason Miller, data and security team leader for Shavlik Technologies. "There are a lot of evil malicious attackers who want to take advantage of you if you're unpatched."
Microsoft issued a security advisory warning users of the IE flaw after proof-of-concept code was made public last month. However, thus far, Microsoft maintains that it has seen no evidence of attacks exploiting the vulnerability.
In addition, Microsoft issued a fix for two critical memory vulnerabilities in the Internet Authentication Service, which allowed attackers to execute malicious code remotely on users' PCs over VPN connections. Specifically, the flaw occurred in the handling of PEAP authentication requests, when messages received by the IAS server were copied incorrectly into memory. As usual, hackers could then download information-stealing malware onto users' systems to take control of their computers.
The vulnerability affects remote users relying on wireless VPN connectivity; however, Miller said that "if you don't have that technology and don't have that enabled, [the patch] might not be as high a priority."
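The article describes the IAS flaw only as received messages being "copied incorrectly into memory." The C example below is added here and is not taken from the article or from Microsoft's code; it illustrates that bug class in general: a copy routine that trusts a length field supplied by the peer when moving a received message into a fixed-size buffer, placed beside the hardened form that validates the declared length against both the bytes actually received and the destination's capacity. The two-byte message layout, `PAYLOAD_MAX`, and all function names are assumptions made for the illustration, not the real EAP/PEAP wire format.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message layout (an assumption for this example, NOT the real
 * EAP/PEAP format):
 *   bytes 0-1 : big-endian length the peer claims for the payload
 *   bytes 2.. : payload
 */
#define PAYLOAD_MAX 64

struct session {
    uint8_t payload[PAYLOAD_MAX];
    size_t payload_len;
};

/* Reads the 16-bit big-endian declared payload length from the header. */
static size_t declared_len(const uint8_t *msg) {
    return ((size_t)msg[0] << 8) | msg[1];
}

/* VULNERABLE pattern: the peer's length field is trusted. A declared length
 * larger than PAYLOAD_MAX overflows the destination, and one larger than the
 * bytes actually received reads past the end of the input. */
int copy_payload_unchecked(struct session *s, const uint8_t *msg, size_t received) {
    if (received < 2) return -1;           /* header incomplete */
    size_t len = declared_len(msg);
    memcpy(s->payload, msg + 2, len);      /* no bound check on len */
    s->payload_len = len;
    return 0;
}

/* HARDENED: the declared length must fit in what was received AND in the
 * destination buffer before any copy happens. */
int copy_payload_checked(struct session *s, const uint8_t *msg, size_t received) {
    if (received < 2) return -1;           /* header incomplete */
    size_t len = declared_len(msg);
    if (len > received - 2) return -2;     /* header claims more than arrived */
    if (len > PAYLOAD_MAX) return -3;      /* would overflow the destination */
    memcpy(s->payload, msg + 2, len);
    s->payload_len = len;
    return 0;
}

/* Well-formed constructed message: declares 5 bytes and carries "hello".
 * Returns 0 only if the checked copy accepts it and stores it faithfully. */
int case_benign(void) {
    struct session s;
    uint8_t msg[7] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    int rc = copy_payload_checked(&s, msg, sizeof msg);
    if (rc != 0) return rc;
    if (s.payload_len != 5 || memcmp(s.payload, "hello", 5) != 0) return -99;
    return 0;
}

/* Constructed message whose header claims 256 bytes but only 5 arrived:
 * the unchecked copy would read 251 bytes past the input. */
int case_truncated(void) {
    struct session s;
    uint8_t msg[7] = {0x01, 0x00, 'h', 'e', 'l', 'l', 'o'};
    return copy_payload_checked(&s, msg, sizeof msg);
}

/* Constructed message that is fully present but declares 100 bytes, more
 * than PAYLOAD_MAX: the unchecked copy would overflow s->payload. */
int case_oversized(void) {
    struct session s;
    uint8_t msg[2 + 100];
    msg[0] = 0x00;
    msg[1] = 100;
    memset(msg + 2, 'A', 100);
    return copy_payload_checked(&s, msg, sizeof msg);
}

int main(void) {
    printf("benign    -> %d (expect 0)\n", case_benign());
    printf("truncated -> %d (expect -2)\n", case_truncated());
    printf("oversized -> %d (expect -3)\n", case_oversized());
    return 0;
}
```

Only the checked routine is ever handed the malformed inputs; the unchecked one is kept for comparison and shows exactly which two checks are missing. The same two conditions, declared length versus bytes received and declared length versus destination size, are the ones to look for in any parser of length-prefixed network messages.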
Microsoft also repaired a critical error in Microsoft Office Project, which allowed remote attackers to run malware on a victim's PC via a malicious Project file, usually sent over e-mail. Once the user opened the infected file, attackers could infiltrate the computer to install malware or to access, delete or alter sensitive data.
Meanwhile, Microsoft also released three bulletins for Windows errors with the slightly less severe ranking of "important," including two vulnerabilities in Active Directory Federation Services, which could allow remote code execution. An attacker could infect victims with malware by sending a maliciously crafted HTTP request to an ADFS-enabled Web server; however, Microsoft claims that the attacker would also have to be an authenticated user in order to exploit either vulnerability, mitigating the threat.
In addition, the December patch addressed a vulnerability in WordPad and the Microsoft Office text converters, also given an "important" rating, which could enable attackers to infect client-side users remotely by sending a malicious Word 97 document that is then opened in WordPad or Microsoft Office Word. The infected Word file would automatically install malware once opened.
"Hopefully, administrators should be telling people if they don't know where the Office document comes from, don't open it," Miller said.
Meanwhile, Microsoft also issued an "important" patch for a flaw in the Local Security Authority Subsystem Service, which, if exploited, could enable hackers to launch a denial of service attack by sending a specially crafted ISAKMP (Internet Security Association and Key Management Protocol) message.
While so far there are no known attacks exploiting the vulnerabilities, Microsoft recommends that users apply the patches as soon as possible.