Assessing the risk of the September security updates

Today we released nine security bulletins. Four have a maximum severity rating of Critical and the other five have a maximum severity rating of Important. Furthermore, six of the nine bulletins either do not affect the latest versions of our products or affect them with reduced severity. We hope the table below helps you prioritize the deployment of the updates appropriately for your environment.

| Bulletin | Most likely attack vector | Max bulletin severity | Max Exploitability Index | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| | Windows XP systems sharing a printer compromised via an over-the-network print request. | Critical | 1 | Currently being exploited by Stuxnet malware. | Windows Vista and later platforms are not vulnerable by default, even if sharing a printer. For more information on risk by platform, see the SRD blog post. |
| | Victim browses to a malicious webpage or opens a malicious AVI movie with Media Player. | Critical | 1 | Likely to see an exploit released able to exploit the vulnerability in the MPEG-4 codec. | Code execution less likely on Windows Vista and Windows 7 due to additional heap mitigations. |
| | Victim opens or previews a malicious RTF email if using Outlook in "Online Mode". | Critical | 2 | Will be difficult to build a reliable exploit. Unlikely to see widespread exploitation due to mitigating factors. | Office 2003 and Office 2007 are not vulnerable in the default "Cached Exchange" mode. |
| (OpenType font engine) | Victim browses to a malicious webpage or opens a malicious Office document. | Critical | 2 | Difficult to build a reliable exploit for this vulnerability; may or may not see an exploit developed in the first 30 days. | |
| | IIS servers using the FastCGI handler targeted with malicious HTTP requests. | Important | 1 | Likely to see proof-of-concept code developed for the FastCGI vulnerability. Less likely to result in reliable code execution. See the SRD blog post for more about exploitability. | Only IIS 5.1 running on Windows XP is vulnerable to remote code execution in a default configuration. However, administrators of internet-facing IIS servers with FastCGI enabled are strongly encouraged to apply the update as soon as possible. |
| | Authenticated attacker sends an LDAP request over the network to an Active Directory server. | Important | 1 | Likely to see exploit code developed. | |
| | Victim makes an RPC connection to a malicious RPC server. The server sends a malicious response that causes memory corruption on the victim client. | Important | 1 | Likely to see proof-of-concept code developed for this vulnerability. | Attacker in most cases will need to be on the same network as the victim. |
| | Victim opens a malicious .doc file with WordPad. | Important | 1 | Likely to see exploit code developed. | Less likely to see widespread exploitation, as many systems open .doc files with Microsoft Word, which is not vulnerable. |
| | Attacker logged on to a system with a Far East locale exploits this vulnerability locally to elevate privileges. | Important | 1 | Likely to see exploit code developed. | Only Japanese, Korean, and Chinese locales are affected. |
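Several of the platform mitigations in the table are host-level conditions an administrator can inventory before deciding deployment order: the OS generation (pre-Vista hosts are the exposed set for the print spooler issue), whether the host shares a printer, whether it runs IIS 5.1 on Windows XP, and whether its system locale is Japanese, Korean or Chinese. The following PowerShell script is an added example, not code from the SRD post, that reports which of those conditions match on the local host. It assumes the standard `Win32_OperatingSystem` and `Win32_Printer` WMI classes, the `HKLM:\SOFTWARE\Microsoft\InetStp` registry key that IIS installs, and the usual LCID values for the Far East locales; the browser, Media Player and Outlook rows are not covered because they depend on user behaviour rather than host configuration.

```powershell
# Added example (not part of the SRD post): per-host triage of the host-level
# mitigations listed in the September bulletin table. WMI class/property names,
# the InetStp registry key and the LCID list are assumptions from standard
# Windows documentation, not values taken from the post.

$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [Version]$os.Version            # e.g. 5.1.xxxx = Windows XP, 6.x = Vista and later
$findings = @()

# Print spooler row: only pre-Vista hosts that share a printer are exposed by default.
$sharedPrinters = @(Get-WmiObject -Class Win32_Printer | Where-Object { $_.Shared })
if ($ver.Major -lt 6 -and $sharedPrinters.Count -gt 0) {
    $names = ($sharedPrinters | ForEach-Object { $_.Name }) -join ', '
    $findings += "Print spooler: pre-Vista host sharing $($sharedPrinters.Count) printer(s): $names"
}

# IIS/FastCGI row: the post names IIS 5.1 on Windows XP as the only default-config RCE case.
# InetStp exists only where IIS is installed; MajorVersion/MinorVersion hold the IIS version.
$iis = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
if ($iis -and $iis.MajorVersion -eq 5 -and $iis.MinorVersion -eq 1 -and
    $ver.Major -eq 5 -and $ver.Minor -eq 1) {
    $findings += "IIS: IIS 5.1 on Windows XP; apply the update first if FastCGI is installed"
}
elseif ($iis) {
    $findings += "IIS: version $($iis.MajorVersion).$($iis.MinorVersion) present; update promptly if internet-facing with FastCGI enabled"
}

# Far East locale row: Win32_OperatingSystem.Locale is the OS language identifier as hex text.
# Assumed LCIDs: 0411 Japanese, 0412 Korean, 0404/0804/0c04/1004/1404 Chinese variants.
$farEastLcids = @('0411', '0412', '0404', '0804', '0c04', '1004', '1404')
if ($os.Locale -and ($farEastLcids -contains $os.Locale.ToLower())) {
    $findings += "Locale: OS language identifier $($os.Locale) is Japanese/Korean/Chinese; local EoP bulletin applies"
}

# Report one line per matched condition so the output can be collected across hosts.
if ($findings.Count -eq 0) {
    "[$($os.CSName)] No host-level exposure conditions from the table matched (OS $($os.Version))"
}
else {
    $findings | ForEach-Object { "[$($os.CSName)] $_" }
}
```

Run it under an account that can query WMI and read HKLM; hosts that print nothing but the "no conditions matched" line can be scheduled in the normal update window, while hosts with findings should be moved to the front of the deployment queue. The script only confirms the default-exposure conditions the table lists; it does not check whether the updates themselves are installed.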

Thanks to the whole MSRC Engineering team for their work on this month's cases.

– Jonathan Ness, MSRC Engineering

*Posting is provided “AS IS” with no warranties, and confers no rights.*