November’s Patch-Tuesday roundup…

This month’s “Patch Tuesday” includes 6 security updates – of which Microsoft has rated 3 as Critical (all remote code execution vulnerabilities) and 3 Important (two remote code execution vulnerabilities and one denial of service).

Mention-worthy updates this month include MS09-065 and MS09-068.

MS09-065 addresses several kernel vulnerabilities. The vulnerability of particular concern is related to specially crafted Embedded OpenType fonts, and could be exploited to run unauthorized code in the system context.

Most remote code execution vulnerabilities we see typically run in the user context, at the same privilege level as the currently authenticated user. Now, if you’re the user, this means that all your files are at risk, but the system itself is reasonably safe (unless your administrator hasn’t been adhering to best practices, and has granted you administrative privileges … in which case you’ve pretty much granted the attacker’s code access to the entire box). With this kernel-mode driver remote code execution vulnerability, the current user’s privilege level is irrelevant. It doesn’t matter how unprivileged the current user is – the unauthorized code has unfettered access to the local system. Assuming, that is, the attacker doesn’t destabilize the system and trigger a BSOD before their code runs. Kernel vulnerabilities have a habit of not just bringing down processes, but bringing down entire boxes.

MS09-068 is mention-worthy, as it addresses issues in Microsoft Word, for both the Windows AND Apple platforms. Windows users that have automatic updates configured will automatically have protection provided to them – but Apple users will have to rely on the Microsoft Office Update Utility “Microsoft AutoUpdate” or go to here, here or here, to download the relevant update.

You can find the rest of our analysis here.

And, as always, if you’ve found our vulnerability posts to be valuable, or have some suggestions for how we can better serve you, please let us know at