Microsoft recently released 10 patches to users of Windows® operating system. Apart from fixing a host of issues, the patches will also fix a server-side glitch that was often exploited directly by hackers and worms, and a client-side issue that acquired much publicity after being discovered at the hacker conference, earlier this year. The update will patch up around 20 vulnerabilities, including some critical ones.
Experts at the conference where the patch was officially released were unanimous about the decision that MS09-020, which addressed two critical vulnerabilities in Internet Information Services (IIS) of Windows®, was one of the most significant updates released by the software giant in recent times. Microsoft had previously commented that the patch was important only in terms of severity. They stated that a successful exploit of the IIS could only end up causing a privilege escalation, not execution of code. However, they did admit that a limited number of attacks could be made using one of those flaws.
Another significant patch was the one with code number MS09-019, which had a critical rating and included 7 significant flaws in Internet Explorer™. One of these bugs is even present in Internet Explorer 8, which was discovered by a hacker with pseudo-name “Nils” during a contest. The contest was a part of the CanSacWest hacker conference, held at Vancouver, British Columbia, in March this year. The details of the bug discovery were kept hidden by Microsoft and Tipping Point, the sponsor of the contest. Steve Manzuik, the Senior Manager of Security Research at the company Juniper Networks, commented, “”I know a lot of people were interested in having more details about the vulnerability that he (Nils) used.” He also predicted that with the release of the new patch, a working exploit was likely to be found pretty soon. “Unfortunately, that has become the reality,” Manzuik said. “We have ‘Patch Tuesday’ and then we have ‘Exploit Thursday’.”
Other recent patches have included one dedicated to plugging one of the two holes in the security of Active Directory, and another for the three exploits existing in Windows® Print Spooler. All of these bugs could be used for executing codes from a remote location, which made these critical in nature. The updates also patched up holes in the security of Microsoft Word, Excel and Works on the client side.
One patch which was surprisingly absent from the list of patches was a bug fix for a vulnerability in DirectShow that could allow a remote hacker to execute some embedded code, if the user played a particular QuickTime movie file with embedded code. Windows® XP and Windows® Server 2003 are vulnerable to this exploit, while most versions of Windows® Vista and Windows® Server 2008 are safe from it.