Microsoft patches slew of 'drive-by attack' bugs

Microsoft today delivered five critical security updates that patched eight vulnerabilities in Windows, including one in the JavaScript engine that ships with every supported version of the company's operating system.

The other flaws lie in a pair of Windows Media Player file formats; in Windows' implementation of TCP/IP, the Web's default suite of connection protocols; and in the operating system's wireless network's automatic-configuration service.

"The fog of last week has cleared, but what we're seeing today is a lot of bugs related to Internet Explorer that were labeled as Windows vulnerabilities before," said Andrew Storms, director of security operations at nCircle Network Security. Storms was referring to Microsoft's advance notification last Thursday, when the company only divulged that it would issue updates for Windows.

Three of the updates, said Storms -- MS09-045, MS09-046 and MS-09-047 -- actually are better categorized as Internet Explorer (IE) issues because hackers will exploit the updates' four bugs through IE. "Those are the big problem this month," argued Storms, "because they affect IE when the user is doing the normal thing on the computer ... surfing the Internet."

MS09-045 updates Windows' JavaScript/JScript parsing engine to stymie "drive-by" attacks that hackers can craft simply by injecting malicious script in a Web page.

"In most cases, a malicious attacker can easily abuse this flaw by simply coercing a Windows user to view an attacker's Web site," said Derek Brown, a security researcher with 3Com's TippingPoint DVLabs. TippingPoint's Zero Day Initiative -- one of two bug bounty programs in existence -- was credited by Microsoft with reporting the flaw.

Brown said users should expect exploits of the JavaScript/JScript vulnerability shortly. "Due to the widespread distribution of the parsing engine and the relative ease in crafting an exploit, [users should] apply the patch immediately," he said in an e-mail. Microsoft ranked the bug as a "1" on its accompanying exploitability index, meaning that "consistent exploit code [is] likely."

Every currently-supported version of Windows contains the flaw. Only Windows 7 and Windows Server 2008 R2 -- neither of which have officially been released -- are immune, said Microsoft.

But while Storms urged users to prioritize the IE-related bugs, he was afraid that advice might get lost in the attention paid to MS09-048, which updates Windows' TCP/IP stack. "I think a lot of people will focus on the TCP/IP problem, because it's been awhile since we've seen a problem with the IP stack," he said.

That wouldn't be smart. "Exploiting this will be very difficult," Storms predicted. Microsoft agreed, saying that MS09-048's three separate vulnerabilities would be tough to exploit in the next 30 days by assigning them either as a "2" (inconsistent exploit code likely) or a "3" (consistent exploit code unlikely) in its index.