Microsoft kicked off another year of bug squashing Tuesday, releasing seven security bulletins to fix vulnerabilities involving remote code execution, elevation of privilege, information disclosure and, interestingly, one described as a security feature bypass. All seven target either Windows Server 2008 R2 or desktop Windows.
The bulletin classified as security feature bypass, which was rated as “important,” is designed to resolve a privately reported vulnerability that potentially allows an attacker to bypass the SafeSEH security capability that resides in applications.
Once attackers are past this security feature, they can then use other vulnerabilities to leverage the structured exception handler to run arbitrary code, a company spokesman said. The only applications that are vulnerable, however, are those compiled with Microsoft’s Visual C++ and .NET 2003.
Paul Henry, security and forensic analyst at researcher Lumension, said that “it's not an exploit in itself, but it would let you run another exploit. Microsoft says that now that they've gotten most critical bugs [fixed], we will see them fix more important issues in the coming year.”
The fix affects only desktop Windows and, once applied, requires a system restart.
A second bulletin, also classified as “important,” fixes a vulnerability in the Windows Object Packager that allows remote code execution if users open a legitimate file with an embedded packaged object located in the same network directory as a “specially crafted” executable file.
Any hacker who successfully exploits this weakness can gain the same user rights as any user who is logged on. They could then carry out any number of tasks, including installing programs, viewing and deleting data, or creating new accounts, according to the company.
A third bulletin, also privately reported, resolves a flaw in the client/server run-time subsystem that can allow elevation of privilege. The update, rated “important,” applies to all versions of Windows Server 2003 and Windows XP. Windows Server 2008 R2 and Windows 7 are not affected.
Specifically, the vulnerability could allow elevation of privilege if attackers successfully log on to an affected system and run a specially crafted application, company officials said. Attackers can then take complete control of the affected system and, again, install programs, change and delete data, or create new accounts. This flaw can only be exploited on systems configured with a Chinese, Japanese, or Korean system locale, Microsoft officials said.
Microsoft released another security bulletin to block remote code execution in those cases where users open a Microsoft Office file containing a malicious embedded ClickOnce application. Attackers who exploit this flaw can gain the same user rights as any local user.
The company also released a bulletin to address an information disclosure vulnerability. This update, also rated “important,” fixes a flaw that allows information disclosure if an attacker intercepts encrypted web traffic being served up by affected systems. TLS 1.1, TLS 1.2 and all cipher suites not using CBC mode are not affected.
The only bulletin rated as “critical” was one that addresses vulnerabilities in Windows Media that allow remote code execution. This update is intended to fix two privately reported flaws in cases where users open up “specially crafted media files,” thereby giving intruders the same rights as local users. Users with fewer system rights are likely to be less affected, Microsoft officials said.
For more technical information about January’s security bulletins, users can visit Microsoft’s Security TechCenter.