September Patch Aims at Windows Web Components

Microsoft on Tuesday rolled out its September security patch, which is notable for containing five "critical" security bulletins.

Expect a couple of themes with this patch. First, all of the fixes address remote code execution (RCE) risks. Second, every bulletin deals with Web components, from server connections to corrupt files distributed through e-mail.

The first critical patch is said to plug a hole in the Microsoft JScript Scripting Engine used in every supported Windows OS. The exploit can be triggered via a specially crafted corrupt file or even by clicking on an infected Web page with "malformed script," according to Microsoft. A hacker exploiting this vulnerability could set user administrative rights and could "view, change or delete" data.

The second patch touches an RCE vulnerability only in Vista and Windows Server 2008. It pertains to a single privately disclosed bug in the Wireless Local Area Network (LAN) AutoConfig Service. Client workstations and server systems without enabled wireless cards are immune to this bug, but it's a potential problem for networks with Wi-Fi access.

Potential malicious Windows Media Format files, such as corrupt audio or video files, are a consistent vector for client side attacks. These files are the focus of critical item No. 3. The patch is designed to fix vulnerabilities in Windows Media Format Runtime versions 9.0, 9.5 and 11 in every supported Windows OS.

TCP/IP Bug: A Focus for Security Pros
Fix No. 4 deals with a Transmission Control Protocol/Internet Protocol (TCP/IP) bug. The patch doesn't apply to Windows XP, but it does apply to all other OSes.

"In addition, it has maximum criticality only on Vista and Windows Server 2008, the newest generation of the OS family," said Wolfgang Kandek, chief technology officer at Qualys.

The fix deals with a rare server-side function and resolves several "privately" reported vulnerabilities, according to Microsoft. It addresses vulnerabilities in both Windows and Cisco Systems products. Microsoft says there are holes that could allow RCE exploits if malicious TCP/IP packets are sent over the network.

As a fail-safe, Microsoft recommends "firewall best practices," which include cutting hackers off at the pass by limiting exposed connection ports.

"Microsoft hasn't seen a serious bug in its TCP/IP stack in a long time, so it's pretty likely this is the exploit most people will focus on," said Andrew Storms, director of security at nCircle. "This update follows on the heels of a new zero-day 'blue screen of death' vulnerability and the combination of these two serious vulnerabilities will shake a lot of people's confidence in the integrity of Microsoft's networking stack."

The fifth and final patch in the slate describes a vulnerability in the DHTML Editing Component ActiveX control. This control found in Internet Explorer 5 and later IE versions. If a hacker gains control of this function, he could dump code that will execute when a user clicks on a corrupt Web page. The patch is rated critical on Windows 2000 and XP. It's doesn't apply to Vista and Windows Server 2008.

FTP Bug Still at Large
Fix No. 4 should be installed first, said Jason Miller, security and data team manager at Shavlik Technologies, joining a chorus of observers.

He also pointed out what wasn't in this month's slate, namely a fix for a File Transfer Protocol (FTP) service bug, which was disclosed in a security advisory last Thursday. The proof of concept for this bug is less than two weeks old, but the bug has become notable. Microsoft has now updated its advisory to reflect that the vulnerability is being used in "limited attacks."

"Administrators should look at addressing this vulnerability through workarounds provided by Microsoft until a security patch becomes available," Miller said.

Microsoft's Senior Security Program Manager Jerry Bryant said in an e-mailed statement that a patch will be released "once [such an update] has reached an appropriate level of quality for broad distribution."

All of the five patches that were released on Tuesday may require restarts.

Meanwhile, for IT pros who may want to do more housekeeping after implementing the critical fixes, there is the monthly knowledgebase article detailing nonsecurity updates via Microsoft Update, Windows Update and Windows Server Update Services.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Touting Azure for Operators, Microsoft Joins SDN Standards Group

    As part of its Azure for Operators program, Microsoft this week joined a nonprofit standards association that focuses on SDN technologies used by enterprises and service providers.

  • 2020 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss. (Now updated with COVID-19-related event changes.)

  • Pilot Begins of Microsoft Teams-Salesforce CRM Integration

    A new capability that lets Microsoft Teams users access information from the customer relationship management (CRM) platform debuted this week.

  • The 2020 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generations of .NET and PowerShell, here's what's on tap from Microsoft this year.