Microsoft patches 'evil' Windows kernel bug

Also fixes flaws in Windows DNS, but omits Excel update

Microsoft Corp. today patched eight vulnerabilities in Windows, including one rated "critical" that could be triggered by attackers simply by getting users to view a malicious image or visit a malicious site.

Of the three security updates the most serious, and the one to patch first, is MS09-006, researchers said today. That update, which contains three separate vulnerabilities, contains the month's single critical bug.

"It's in all versions of Windows, it's deep in the kernel and in GDI," said Wolfgang Kandek, chief technology officer at security company Qualys Inc. "And you could get exploited in many ways. I could send you an e-mail or I could get you to go to a malicious Web site."

"MS09-006, that's just pretty evil," said Eric Schultze, chief technology officer at Shavlik Technologies LLC. "View something evil, and you're hacked."

According to Microsoft, the critical vulnerability is the result of "improper validation of input passed from user mode through the kernel component of GDI." The GDI, or graphics device interface, is the core graphics rendering component of Windows. Because the flaw is in the kernel, a successful exploit would leave an attacker with complete control of a machine.

"With the history of GDI, people will really be looking at this," predicted Andrew Storms, director of security operations at nCircle Network Security Inc. Microsoft fixed GDI three times last year, most recently in December, and the Windows kernel twice. "It's like rewind, repeat," Storms said.

Attackers would use malformed WMF (Windows Metafile) or EMF (Enhanced Metafile) images to exploit the bug, feeding them to users via e-mail or hosting them on Web sites, according to Microsoft. Opening or viewing the images would trigger the vulnerability.
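Because the delivery vector is a metafile image arriving by e-mail or from a Web page, a defender's first question is whether an attachment actually contains WMF or EMF data regardless of what its name claims. The following is an added example, not code from the article or from Microsoft: it classifies content by the public WMF/EMF header values (placeable-WMF key, standard WMF header, EMF `dSignature`) so a mail gateway could quarantine metafile payloads while MS09-006 is still rolling out. The attachment samples are constructed inline.

```python
import struct
from typing import Dict, List, Optional, Tuple

PLACEABLE_WMF_KEY = 0x9AC6CDD7   # Aldus placeable metafile magic (little-endian DWORD)
EMF_SIGNATURE = 0x464D4520       # ENHMETAHEADER.dSignature, reads ' EMF' in file order


def classify_metafile(data: bytes) -> Optional[str]:
    """Return 'wmf', 'emf' or None from header bytes alone, ignoring the file name."""
    # Placeable WMF: 22-byte Aldus header starting with the magic key.
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_WMF_KEY:
        return 'wmf'
    # Standard WMF: Type (1 = memory, 2 = disk), HeaderSize 9 words, Version 0x0100/0x0300.
    if len(data) >= 6:
        mf_type, header_size, version = struct.unpack_from('<HHH', data, 0)
        if mf_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return 'wmf'
    # EMF: first record is EMR_HEADER (type 1, at least 88 bytes) with the signature at offset 40.
    if len(data) >= 44:
        rec_type, rec_size = struct.unpack_from('<II', data, 0)
        signature = struct.unpack_from('<I', data, 40)[0]
        if rec_type == 1 and rec_size >= 88 and signature == EMF_SIGNATURE:
            return 'emf'
    return None


def find_metafiles(attachments: Dict[str, bytes]) -> List[Tuple[str, str, bool]]:
    """List (name, kind, disguised) for every attachment whose bytes are a metafile.

    'disguised' is True when the extension does not match the sniffed content, e.g.
    WMF data behind a .jpg name, which is the case worth quarantining first.
    """
    flagged = []
    for name, data in attachments.items():
        kind = classify_metafile(data)
        if kind is not None:
            ext = name.lower().rsplit('.', 1)[-1] if '.' in name else ''
            flagged.append((name, kind, ext != kind))
    return flagged


# Constructed sample headers (not real files): enough bytes to exercise each branch.
EMF_SAMPLE = struct.pack('<II', 1, 108) + b'\x00' * 32 + struct.pack('<I', EMF_SIGNATURE)
WMF_PLACEABLE_SAMPLE = struct.pack('<I', PLACEABLE_WMF_KEY) + b'\x00' * 18
WMF_STANDARD_SAMPLE = struct.pack('<HHH', 2, 9, 0x0300) + b'\x00' * 12
SAMPLE_ATTACHMENTS = {
    'report.emf': EMF_SAMPLE,
    'holiday.jpg': WMF_PLACEABLE_SAMPLE,            # metafile hiding behind a .jpg name
    'logo.png': b'\x89PNG\r\n\x1a\n' + b'\x00' * 8,  # genuine PNG header, left alone
}

if __name__ == '__main__':
    for name, kind, disguised in find_metafiles(SAMPLE_ATTACHMENTS):
        print(f'{name}: {kind}{" (extension mismatch)" if disguised else ""}')
```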

"I liked how Microsoft acknowledged that attackers could exploit this by getting users to view an e-mail or visit a Web site or open a document with an evil image," said Schultze.

But because Microsoft gave the vulnerability a score of "3" in its Exploitability Index, indicating that it doesn't believe functional attack code is likely in the next 30 days, Storms said he was confused. "Now I'm unsure. It's obviously the riskiest vulnerability, but with the exploitability index at 3, should I really worry about it or not?"

Storms answered his own question. "I have to take the safe side, and consider it a major bug and put it at the top of the list," he said.

The other update that Kandek, Schultze and Storms agreed needed immediate attention was MS09-008, which addressed four separate flaws in Windows' DNS and WINS servers. All four were rated as "important," the second-highest ranking in Microsoft's four-step scoring system. All currently supported server editions of Windows should be patched, including Windows 2000 Server, Server 2003 and Server 2008.

"These vulnerabilities could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems," said Microsoft. Such attacks are often referred to as "cache poisoning" attacks because they replace the legitimate addresses in a DNS server's cache with bogus destinations. DNS cache poisoning vulnerabilities gained attention last July when researcher Dan Kaminsky discovered a major flaw in the underlying DNS protocol and organized an industrywide patching effort to plug the hole.

"These seem to be separate from [Kaminsky's vulnerability]," said Kandek, and Schultze concurred. Storms, however, wasn't as sure.

"It sounds a lot like what we saw last summer," he countered.

But while Microsoft rated the update as important, Schultze argued that it should be considered critical. "Microsoft seems to think that there's not much likelihood of someone pulling off an exploit of this," he said, "but there was already code released for 08-037, another DNS vulnerability last year, and Microsoft rated that important, too. To me, that makes me rate this one kind of critical."

Today's third update, MS09-007, fixes a flaw in the Secure Channel (SChannel) security package within Windows. If exploited, that flaw could let attackers impersonate an authorized user. Kandek, Storms and Amol Sarwate, manager of the Qualys vulnerability lab, all said that the SChannel vulnerability was the one that could wait to be patched.

"I don't think it's a very big deal," said Kandek.

Missing from this month's updates, however, was a fix for a vulnerability in Excel that Microsoft revealed two weeks ago and that, the company reports, is already being used by attackers. According to researchers at Symantec Corp., the vulnerability is a file format bug in all supported versions of Excel, including the latest, Excel 2007 on Windows and Excel 2008 for the Mac.

Researchers today were split on whether it was reasonable to expect Microsoft to hustle an Excel patch quickly. "I expected one, given the high visibility of Excel and the number of Excel users," said Sarwate.

"We should have expected a patch," said Schultze. "And that we didn't get one, that sucks."

"No, I'm not surprised at all that it wasn't ready," said Storms. "But I wouldn't be surprised if we saw a patch in the next couple of weeks if things heat up."

March's three security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Copyright © 2009 IDG Communications, Inc.