Assessing the risk of the December security bulletins

This morning we released six security bulletins, three Critical and three Important, addressing 12 CVE’s. Please apply the Internet Explorer update right away as it poses the most risk of all the bulletins due to severity and exploitability.The Internet Explorer update addresses the vulnerability described by Security Advisory 977981. We hope that the table and commentary below will help you prioritize the deployment of the other updates appropriately.

Bulletin Most likely attack vector Bulletin severity Max Exploit- ability Index Likely first 30 days impact Platform mitigations
MS09-072 (IE) Attacker hosts a malicious webpage, lures victim to it. Critical 1 Public exploit code already exists for CVE-2009-3672 affecting IE6 and IE7. We expect to see exploits for other vulnerabilities that affect other IE versions within 30 days. DEP is enabled by default for IE8 on Windows XP SP3, Windows Vista SP1 and later, Windows Server 2008, and Windows 7.

DEP makes exploiting the public vulnerability significantly more difficult.
MS09-073 (Wordpad converter) Attacker sends malicious .doc file (saved in legacy Word version 8 format) to victim who opens it in Wordpad. Critical 2 Less likely to be exploited in first 30 days. Affects only older platforms.
MS09-071 (IAS) Attacker on a wireless LAN attacks the Microsoft IAS server providing the 802.1x authentication and encryption via PEAP. Attack would be via the RADIUS protocol. Critical 2 Less likely to be exploited in first 30 days.  
MS09-074 (Project) Attacker sends a malicious Project file (MPP) to victim who opens it with Project 2003 or earlier. Critical (Critical on Project 2000 only) 2 Less likely to be exploited in first 30 days. Affects only older versions of Project.
MS09-070 (ADFS) Attacker able to authenticate to ADFS running in IIS can execute code within the IIS worker process. Important 1 While an exploit may be developed in the first 30 days, the risk to most organizations is low because attack surface is only exposed to authenticated attackers.  
MS09-069 (LSASS) Attacker on enterprise network authenticates to a server and remotely causes CPU exhaustion. Important 3 Unlikely to be exploited in first 30 days. No chance of code execution

This month, we’ve also released an advisory and non-security updates changing Windows behavior around credential forwarding. Maarten Van Horenbeeck explains the current protections against credential reflection and credential forwarding in a blog post at Definitely take a look if you are concerned about safeguarding credentials against these types of attacks.

Also, we have also released an advisory describing a security mitigation offered to all customers through Windows Update. The Indeo Codec is an older codec that is known to have several security vulnerabilities. Instead of fixing one-off vulnerabilities in this older codec, we’ve released an update that blocks this codec from running in common attack scenarios, such as watching videos or browsing the internet. See Security Advisory 954157 for more information.

We hope that helps you understand this month’s security updates. We recommend that you apply all security updates but especially please prioritize and deploy MS09-072 as it has a Critical severity rating, an Exploitability Index rate of 1 (“Consistent Exploit Code Likely”), and public Proof of Concept (PoC) code is available.

Have a safe holiday season and let us know if you have any questions.

Special thanks to the entire MSRC Engineering team for their work on this month’s security bulletins!  Thanks Andrew Roths for the help with this blog post.

– Jonathan Ness, MSRC Engineering

*Posting is provided “AS IS” with no warranties, and confers no rights.*