Microsoft Plugs "Drive-By" and 14 Other Holes

CWmike writes "Microsoft today patched 15 vulnerabilities in Windows, Windows Server, Excel, and Word, including one that will probably be exploited quickly by hackers. None affects Windows 7. Of today's 15 bugs, Microsoft tagged three 'critical' and the remaining 12 'important.' Experts agreed that users should focus on MS09-065 first and foremost. That update, which was ranked critical, affects all still-supported editions of Windows except Windows 7 and its server sibling, Windows Server 2008 R2. 'The Windows kernel vulnerability is going to take the cake,' said Andrew Storms, director of security operations at nCircle Network Security. 'The attack vector can be driven through Internet Explorer, and this is one of those instances where the user won't be notified or prompted. This is absolutely a drive-by attack scenario.' Richie Lai, the director of vulnerability research at security company Qualys, agreed. 'Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver.'"

Re:And the others?

[somersault]

They're not fixes. They're just there to introduce more vulnerabilities that will "encourage" people to shift to Windows 7 ;)

Well...

[vistapwns]

If you patch, you're safe. Too bad so many XP users don't opt-in to patching, a lot of them will be infected, but it's a good thing MS started auto-patching by default with Vista, also since Vista has a lot of anti-exploit code (DEP, ASLR, Protected Mode Sandboxing, etc.) it probably won't see very many infections, although I thought I saw on another site that Vista wasn't affected.

Re:Well...

[RiotingPacifist]

Too bad so many XP users don't opt-in to patching

This is Microsoft's fault for not offering a security only patch channel and pushing WGA ,etc through as windows updates.

I know this is probably comes across as trolling but it's not just Microsoft bashing for the sake of it.

Re:Well...

[Spazztastic]

No, this is the fault of people who pirate their operating system and then expect it to be supported. Some things have a price. Pay the price if it is worth it to you. Don't use it if the price is not worth it to you. Some people call that "vote with your wallet". Just taking it for free and then expecting support is ludicrous and the height of hypocrisy.

While I do agree that pirating a piece of software and expecting support is unreasonable, Microsoft is only increasing the number of botnets when they refuse updates to pirated software. Refuse software and hardware updates, but at least include security updates. With the increased number of botnets, that's more computers out there trying to infect others and it will without a doubt hit legitimate systems owned by users who just ignore that little yellow shield with the exclamation point on their taskbar. It is also their fault, but some people just don't know better.

Re:Well...

[gbjbaanb]

Let's think about this not from a moral perspective, but from a business one

Ok, lets do that.

As Microsoft software is the single most predominately used OS in the world, having large numbers of these installations being vulnerable to botnets is not only putting the efficient working of the global networks at risk, costing large sums as innocent ISPs upgrade their infrastructure to cope with the deluge of useless spam traffic and and virus payloads; costing businesses large sums to protect themselves from the deluge of virus, phishing and spam that routinely attacks their users; costing consumers vast sums as they attempt to protect themselves from the same deluge of attacks; but also puts the economy at risk with phishing attempts and other fraudulent and criminal activities that at best reduce people's confidence in using it for economic activity.

Given the above, the government should step in and force Microsoft to be more responsible for securing the national infrastructure from these attacks. Infrastructure that the modern economy depends upon. They keep telling us how many billions of Dollars are lost to virus attacks, how much conficker cost business, etc. Imagine how much the economy would suffer if there was a really big botnet/virus that did more than inconvenience users.

You can ignore moral aspects here and focus on the purely economic. We did that with banker's bonus-driven practices, and look how well that turned out. By ignoring the 'moral' aspects of Microsoft's monopoly and their self-interested lack of securing their OS, we may yet suffer similar problems.

(this isn't really Microsoft bashing, its more monopoly bashing)(though, I recall someone senior at MS saying they liked piracy because it made developers and users become accustomed to Microsoft software which had a beneficial effect to them - perhaps it is Microsoft's fault after all).

Yay, tight integration of browser with OS...

[bcmm]

"Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver."

Anybody else think something is integrated with something else in a deeply, deeply wrong way here?

Re:Yay, tight integration of browser with OS...

[eldavojohn]

"Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver."

Anybody else think something is integrated with something else in a deeply, deeply wrong way here?

I most certainly do! This is unfair! When will Firefox and Opera have such privileged access to kernel space. It results in a bad user experience when the Javascript code I slave over can only help you manage your user files, registry keys and kernel libraries if you're using IE.

Yours truly,

Crafty McStealsYourShit

Re:Yay, tight integration of browser with OS...

[jspenguin1]

According to Microsoft, the Windows kernel improperly parses Embedded OpenType (EOT) fonts, which are a compact form of fonts designed for use on Web pages.

One question: Why is the kernel parsing fonts?

Re:Yay, tight integration of browser with OS...

[Ralish]

Anybody else think something is integrated with something else in a deeply, deeply wrong way here?

No, not really, at least, not in the way you're insinuating. The Win32k kernel mode driver is essentially the major component of the Windows kernel responsible for kernel-mode graphics related processing. Put more succinctly by MS from the MS09-065 security bulletin:

Win32k.sys is a kernel-mode device driver and is the kernel part of the Windows subsystem. It contains the window manager, which controls window displays; manages screen output; collects input from the keyboard, mouse, and other devices; and passes user messages to applications. It also contains the Graphics Device Interface (GDI), which is a library of functions for graphics output devices. Finally, it serves as a wrapper for DirectX support that is implemented in another driver (dxgkrnl.sys).

The handling of EOT (Embedded OpenType) fonts is apparently (at least partially) handled by the kernel and presumably a component of the GDI system. IE supports EOT fonts and presumably just hands them off to the kernel, after all, it is delegated the responsibility of handling them, so why re-implement it in IE? The flaw is not really in IE but in buggy code in the relevant processing. There is an argument to be made that IE really shouldn't be explicitly processing these fonts by default in an untrusted network (and this can be changed in the preferences, but is not the default), but the flaw itself is in the system call code itself; the latter is merely about reducing attack surface in the case of exploits such as this arising.

My point is, this isn't really a case of IE being "overly" coupled into the system (which isn't to say it isn't, just that I don't view this as an example of it). Whether it's sensible engineering to have the kernel handle this stuff is probably a far more interesting and valid argument. Protecting against system call vulnerabilities is pretty tough, as you do expect the kernel to be trusted, indeed, if you can't trust the kernel you have serious problems. A quick google seems to suggest Firefox doesn't support EOT fonts, and I'm not sure if any other browsers do either, but if they did, they may well have their own exploit situations as well.

Re:Yay, tight integration of browser with OS...

[b4dc0d3r]

From what I understand: GDI functions are in the kernel for speed reasons - constantly switching to usermode just to draw things slows down the system.

Vista moved it into userspace, and lots of users complained about slowness. Looking at the vulnerability details, this just gives you privilage elevation on Vista (and related servers), not remote code execution.

For Windows 7, MS moved GDI back into the kernel, with some redesign. So they apparently fixed this issue when they returned GDI to user mode.

Again, just my understanding, could be wrong.

Re:Yay, tight integration of browser with OS...

[bheer]

NT 3.x supported user-space drivers and was criticized by reviewers for poor graphics performance (especially those who wanted to run visualisation/CAD apps on it). But it was rock-solid, as you can imagine.

NT 4 introduced kernel-mode display drivers, which helped it become very popular with engineers who needed these apps (remember, the only other 'mainstream' OS on the market at this time was Win95/98 and System 8/9; NT was rock-solid by comparison and Linux didn't have many commercial apps at this time).

Given that stats show that 3rd-party drivers are the #1 reason behind Windows blue-screens, starting with Windows Vista, Microsoft started to use the mini-driver approach for drivers. They've expanded and refined the use of such drivers with Windows 7.

Essentially, vendors write a user mode client driver that executes in user-space, with some basic functionality being implemented in kernel-space by a Microsoft-written and Microsoft-QA'd driver. So you get crash resistance without losing speed. See Layered Driver Architecture on MSDN for more.

Re:And the others?

[eldavojohn]

What about the fourteen other fixes?

The article talks about them at the end (on the second page):

Microsoft also issued critical updates for Vista and Server 2008, as well as for Windows 2000 Server. On the latter, which harbors a bug in its implementation of the License Logging Server, a tool originally designed to help customers manage Server Client Access Licenses (CAL), Storms urged users of that aged operating system to apply the patch pronto, even though the machines are probably well-protected.

"Windows 2000 Server has the logging server enabled by default, but those systems are likely behind multiple firewalls, and people running [Windows 2000 Server] are pretty cognizant of the fact that it's an older version and will act accordingly."

Excel and Word also received patches today. Eight vulnerabilities were addressed in Excel in MS09-067 and one in Word with MS09-068. Both updates also affected the Mac editions, Office 2004 and Office 2008.

For more info, check out the top six listings here.

That's shocking!

[Rik+Sweeney]

They thank someone from Google for helping them spot the vulnerability! It's in the acknowledgements:

http://www.microsoft.com/technet/security/Bulletin/MS09-065.mspx

It's Still Windows

[dkh2]

No wonder my home system was such a dog this morning. It was pulling the latest patches and updates.

Meanwhile, it's still Windows. There's only so much improvement you can make when the manufacturer insists on packing so much into the "kernel." I was always taught that the OS kernel is the one piece that provides the interface between all software and all hardware. File systems, GUIs, internet browsers and lesbian Pr0n are all just forms of software that should be clients to the ultimately optimized but minimalist kernel.

Re:It's Still Windows

[Bacon+Bits]

There's only so much improvement you can make when the manufacturer insists on packing so much into the "kernel."

So in trying to bash Microsoft you're saying that Linux sucks?

Linux is a monolithic kernel. Windows is a hybrid kernel. Linux puts a lot more into kernel mode/real mode than Windows does. Many drivers in Windows are user mode drivers, for example, particularly printers. The only thing I can think of that runs in kernel mode in Windows and not in Linux is the graphics system -- which is why the screen flickers and changes resolutions slower in Linux and Windows tends to run full screen games and video better with DirectX, but it also rarely brings the system down... not that a system you can't get desired display output from is useful entirely.

Would the big customers know more?

[140Mandak262Jamuna]

From the article

But while Storms speculated that Microsoft knew the EOT font flaw was a security issue -- and waited until now to patch older Windows -- Lai thought that Microsoft didn't realize until recently that it was also a security vulnerability in editions prior to Windows 7. "I think they fixed this bug as part of the code sanitization during [Windows 7's] development cycle. It was actually only publicly disclosed recently, and then they patched it in other Windows

The article is speculating what did Micrsoft know and when did it know it etc. Microsoft's standard line defending its security through obscurity policy is, "we are not providing any details because it is going to help the hackers". But what about its big customers? Almost all businesses do not care much about its small customers. So forget small timers. But Microsoft has to coddle its big Fortune500 company customers. Would they be informed, even under confidentiality agreements and non disclosure agreements, which platforms and applications are vulnerable?

How do these big companies justify being so meek and acquiescing to Microsoft? If these Fortune 500 companies chip in 100,000$ a year, they can create an Institute of Software Interoperability and go towards reducing their switching costs. Microsoft has total revenue of more than 25 billion dollars, and a significant chunk comes from these big companies. They pay off has to be enormous for these companies.

Re:Would the big customers know more?

[thejynxed]

Yes, the appropriate contacts in such organizations get informed. Chiefly, the CIOs and their assorted assistants down the IT chain. What they then do with that information is up to them. There's a reason these companies pay for their overpriced support contracts and license aggreements with Microsoft.

I know the major security vendors like Symantec are also informed.

This has been addressed several times (redundantly, I might add) in Slashdot articles over the years, and can probably even be confirmed by your own IT department.

Fourteen?

[paimin]

I, for one, have been getting my hole plugged by Microsoft for a good twenty plus years now.

So sore.

+5 informative?

[vistapwns]

Good grief. MS offers ALL security patches to EVERYONE, including pirates, and also offers many other patches such as stability and performance updates to everyone as well.

---
"There seems to be a myth that Microsoft limits security updates to genuine Windows users," wrote Microsoft's Paul Cooke, who works in Windows Client Enterprise Security. "Let me be clear: all security updates go to all users."
----

From http://www.tomshardware.com/news/windows-pirate-bootleg-security-patches,7666.html

OK, just a second now...

[FatdogHaiku]

I gotta wonder about the line:
'Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver.'
Why aren't users of other browsers on the older Win platforms vulnerable? Is there some other risk or problem that is being ignored or even concealed?

Man, I can't believe I got that out without laughing...

Re:OK, just a second now...

[taviso]

I discovered this bug (check the credit section in the advisory), so can explain. The bug is in parsing a component of TTF files, which are handled by the GDI kernel subsystem in Windows. Anything that tries to load fonts can be used to exploit this vulnerability, as they will eventually reach this code, Internet Explorer just happens to be the easiest way to reach it remotely.

Other browsers _are_ affected, the difference is that there's only one level of indirection before the vulnerable code in Internet Explorer, and at least two in other browsers. This is because IE supports EOT files directly, which via TTLoadEmbeddedFont() are decoded and passed straight to GDI, where as other browsers take a TTF input, convert it into an EOT and then pass that to TTLoadEmbeddedFont, so you have to convince three different chunks of code your input is valid (the browser, t2embed, then gdi), instead of just two in IE.

If you use any browser that support @font-face on Windows (Safari, Firefox 3.5+), you should still patch and reboot.

Re:And the others?

[plague3106]

Not fixing would backfire. Would you buy a product from a company that totally abandons the existing product as soon as they release a new one?

"Opt-in" Is The Wrong Term

[EXTomar]

It isn't quite true to suggest people don't "opt-in to patching" on any Windows product. It is more the case the process is arcane and confusing to some users. And worse still, the system trains the rest of the users to blindly accept things that look like "official updates" when they are really malware. I've lost track on the number of times someone asked me what was going on when the WGA thing pops up. The way it is worded and framed seems to freak users out and I see why: Going for months with a legit copy and suddenly getting challenged makes people wonder if they accidentally broke or misconfiguration their system. That means many hit cancel because Microsoft gave these worried users a choice of "Do you want to take the chance breaking your system? Yes or No?"

Re:Have you considered decaf?

[somersault]

Dude. Yes I'm talking even tho I said I wouldn't but I've been thinking about this a lot.

Don't you wonder *why* you upset *everyone* every time you talk online? Think about it. You are the one who is acting like a troll. A quick google of your name (which I did because you called a slashdot account "easily trackable", even though I don't use this name anywhere else, but you have registered APK accounts all over the place, plus I found your email address and physical mailing address) brought up several threads where you have been emailing people whining, threatening to take "legal action" etc. It would be funny if it weren't so sad. Nobody needs a degree in psychiatry to tell that you have serious issues.

You purposely twist other people's words (said I "cannot" read instead of I chose not to), and I bet you have a list of insults that anyone ever called you that you then use on other people.. because almost every single thing you have tried to insult me with could equally apply to yourself (decaf, trolling, etc).

You are the only person I have called insane, and plenty of other people have pointed out that you must have a mental illness too. You certainly have a lot of pent up anger and aggression, that you unleash on people for no reason, and you seek attention by posting massive rants on completely unrelated threads. Then you wonder why everyone hates you and calls you a troll or thinks you have something wrong with you. Wake up. I'm sorry if you do have mental issues, though I hope at least you have seen a doctor about it. I myself needed to go on pills a few years ago for depression, and I had an episode of OCD, I know it's not pleasant to have mental issues. But anyway there's probably no point even trying to be friendly or reasonable with you, you just don't seem to have the capacity for either of those things from what I've seen so far.