As Microsoft recommends that users focus first on installing the MS09-065 patch released Tuesday, experts are agreeing with that advice because exploit code for remote execution appears to be right around the corner.
The current proof-of-concept (POC) code that is circulating online for MS09-065, which is rated critical, is only for denial-of-service (DoS) attacks and not the much more serious remote code execution.
"We know that it is supposedly easy to write an exploit for it and we expect to see the exploit code shortly," says Richie Lai, director of vulnerability research for Qualys.
The severity of the three vulnerabilities addressed by the 065 patch is high because it affects so many versions of Windows and because it is so easy to exploit. The 065 patch is rated "critical" for all supported editions of Windows 2000, XP and Server 2003.
Microsoft's exploitability index rates the patch as a '1', which means that consistent exploit code is likely.
Microsoft took the somewhat unusual step of offering users guidance on which of the six patches, which address 15 vulnerabilities, to install first.
"Because [065] is at the kernel level, it doesn't matter what system privileges the logged-in user has at the time of exploit, the entire system is at risk. This all makes it a potentially more lucrative vulnerability for attackers to exploit," says Ben Greenbaum, senior research manager for Symantec Security Response. Greenbaum says Symantec isn't seeing any active exploits in the wild yet, "but we think attackers will be paying a lot of attention to it in the future."
With MS09-065, an attacker would craft a Web page and embed a malformed Embedded OpenType (EOT) font. When a user visits the page, Internet Explorer loads it and issues a request for the EOT file to be downloaded. When the Windows kernel processes the EOT file, a buffer overrun or heap overflow occurs. From there, an attacker can cause a DoS or take control of the machine's execution.

"I am kinda hoping we did not get too desensitized last month (13 patches, 34 vulnerabilities), because it was so big and there was so much to do," says Jason Miller, data and security team leader for Shavlik Technologies. Attackers usually go after the user in order to get viruses and bots installed on these systems; with 065 in particular, simply navigating to a malicious site from an unpatched system is enough to allow that to happen.
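The root cause described above is a font parser that trusts the length fields inside the EOT header when deciding how much data to copy. The following Python example, added here and not taken from the article or from Microsoft's code, shows the kind of consistency checks a defensive parser applies before touching the font payload: the declared total size must equal the number of bytes actually received, and the declared font-data size must fit inside that total. It assumes the fixed-size EOT prefix layout from the public EOT specification (fields up to the magic number) and, as a simplification, places the font data directly after that prefix, omitting the variable-length name fields a real file carries; the `MAX_FONT_BYTES` cap and all sample blobs are constructed for the example.

```python
import struct

# Fixed-size EOT prefix, little-endian, as published in the public EOT spec:
# EOTSize, FontDataSize, Version, Flags, FontPANOSE[10], Charset, Italic,
# Weight, fsType, MagicNumber. The variable-length name fields that follow
# in a real file are omitted here (assumption for this example).
EOT_PREFIX_FMT = "<IIII10sBBIHH"
EOT_PREFIX_LEN = struct.calcsize(EOT_PREFIX_FMT)  # 36 bytes
EOT_MAGIC = 0x504C
MAX_FONT_BYTES = 16 * 1024 * 1024  # policy cap on payload size (assumption)


def build_eot(font_data, font_data_size=None, eot_size=None):
    """Construct a sample EOT blob for testing (constructed data, not a real font).

    font_data_size and eot_size default to the correct values; passing other
    values deliberately builds an inconsistent header for negative tests.
    """
    if font_data_size is None:
        font_data_size = len(font_data)
    if eot_size is None:
        eot_size = EOT_PREFIX_LEN + len(font_data)
    prefix = struct.pack(
        EOT_PREFIX_FMT,
        eot_size, font_data_size,
        0x00020001,    # Version
        0,             # Flags
        b"\x00" * 10,  # FontPANOSE
        1, 0,          # Charset, Italic
        400,           # Weight
        0,             # fsType
        EOT_MAGIC,
    )
    return prefix + font_data


def validate_eot(blob):
    """Return (ok, reason).

    Rejects headers whose length fields disagree with the bytes actually
    received; this is the check a parser must make before copying font data
    into a fixed-size buffer, which is where an overrun would otherwise occur.
    """
    if len(blob) < EOT_PREFIX_LEN:
        return False, "truncated prefix"
    fields = struct.unpack_from(EOT_PREFIX_FMT, blob, 0)
    eot_size, font_data_size, magic = fields[0], fields[1], fields[9]
    if magic != EOT_MAGIC:
        return False, "bad magic"
    if eot_size != len(blob):
        return False, "EOTSize does not match received length"
    if font_data_size > eot_size - EOT_PREFIX_LEN:
        return False, "FontDataSize exceeds enclosing EOTSize"
    if font_data_size > MAX_FONT_BYTES:
        return False, "FontDataSize exceeds policy cap"
    return True, "ok"


def extract_font_data(blob):
    """Copy out the font bytes only after validation; returns bytes or None."""
    ok, _ = validate_eot(blob)
    if not ok:
        return None
    font_data_size = struct.unpack_from("<I", blob, 4)[0]
    # In this simplified layout the font data follows the fixed prefix directly.
    return blob[EOT_PREFIX_LEN:EOT_PREFIX_LEN + font_data_size]


if __name__ == "__main__":
    good = build_eot(b"A" * 64)
    oversized = build_eot(b"A" * 64, font_data_size=0xFFFFFFFF)
    print(validate_eot(good))       # (True, 'ok')
    print(validate_eot(oversized))  # (False, 'FontDataSize exceeds enclosing EOTSize')
```

The important design point is that every length is validated against `len(blob)`, the one quantity the parser knows for certain, before any slice or copy is performed; a parser that instead sizes its copy from `FontDataSize` alone is trusting attacker-controlled input.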
Despite 065's focus mostly on the server, Miller noted that this month's patch load leans more on the client side than the server side. "If you are going to have a huge outbreak of exploits this month it is likely going to be on the desktop."
Follow John on Twitter: twitter.com/johnfontana