Microsoft today released four patches as part of its regularly scheduled patch cycle, including a critical fix to a flaw that could allow attackers to launch a dangerous worm.

This month’s patches affect all versions, including Windows 7 and Windows Server 2008 R2, with two patches rated important and one rated moderate. All three patches require a restart.

The update labeled MS11-083 fixes a problem with the TCP/IP stack in Windows, or what Microsoft describes as “an externally found reference counter issue in TCP/IP stack.” The good news is that exploiting this vulnerability isn’t easy.

“Since this vulnerability does not require any user interaction or authentication, all Windows machines, workstations and servers that are on the Internet can be freely attacked. The mitigating element here is that the attack is complicated to execute,” says Amol Sarwate, manager of vulnerability labs for patch management vendor Qualys. “But otherwise this has all the required markings for a big worm.”

Essentially, the attack involves sending a large number of UDP packets to an unprotected port. When the system is deluged with network packets, the reference counter in the stack will keep incrementing and eventually wrap around. At that point, the system could crash, or if the attacker has planted other malware, the hacker could own the system.

Notes Joshua Talbot, security intelligence manager, Symantec Security Response: “We estimate an attack attempting to leverage it would take a considerable amount of time; perhaps four to five hours to complete a single attack. However, if an attacker can pull it off the result would be a complete system crash or compromise if the attacker develops a reliable means of exploitation.”

Among the important patches is one that fixes a DLL preloading vulnerability in Windows Mail (MS11-085). This class of attack has been around since August 2010, Sarwate says.

“The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .eml or .wcinv file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained,” Microsoft says.

Microsoft has also fixed another vulnerability in Active Directory, Active Directory Application Mode (ADAM) and Active Directory Lightweight Directory Service (AD LDS) via MS11-086. It could allow elevation of privileges “if Active Directory is configured to use LDAP over SSL (LDAPS) and an attacker acquires a revoked certificate that is associated with a valid domain account and then uses that revoked certificate to authenticate to the Active Directory domain,” Microsoft says. However, Active Directory is not configured to use LDAP over SSL by default.

Although these two patches are only rated as important, Microsoft says that it is likely that exploit code is available in the wild, or will be soon.

The final patch, MS11-084, rated moderate, fixes a hole in Windows Kernel Mode Drivers. If executed, it could lead to a denial of service “if a user opens a specially crafted TrueType font file as an email attachment or navigates to a network share or WebDAV location” with the evil TrueType font file, Microsoft says.

A patch for the zero-day vulnerability used by the Duqu installer did not arrive, nor was it expected. Last week, Microsoft released a manual fix that IT administrators can execute themselves. Symantec’s Talbot believes that Microsoft may not wait until a routine Patch Tuesday and will release an out-of-band fix for Duqu when it is ready.

Julie Bort is the editor of Network World’s Microsoft Subnet and Open Source Subnet communities. She writes the Microsoft Update and Source Seeker blogs.
Follow Bort on Twitter @Julie188.
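The reference-counter wraparound described for MS11-083, as an added example that is not code from Microsoft or from this article: a constructed model in which a buggy path takes references without releasing them, next to a saturating counter that refuses to wrap. The 16-bit width, `obj_t` and all function names are assumptions chosen for illustration; the saturating variant is one common mitigation, not a description of Microsoft's patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a 16-bit counter so the wrap is reached quickly.
 * The width of the real counter is not stated in the article. */
typedef struct {
    uint16_t refs;
    bool     freed;   /* stands in for the object's memory being released */
} obj_t;

/* Unchecked counter: the increment silently wraps past UINT16_MAX. */
static void get_unchecked(obj_t *o) { o->refs++; }
static void put_unchecked(obj_t *o) { if (--o->refs == 0) o->freed = true; }

/* Saturating counter: once it reaches the maximum it stays pinned there.
 * The object is leaked on purpose, which is safer than freeing it early. */
static void get_saturating(obj_t *o) { if (o->refs != UINT16_MAX) o->refs++; }
static void put_saturating(obj_t *o) {
    if (o->refs == UINT16_MAX) return;        /* pinned: never drops to zero */
    if (--o->refs == 0) o->freed = true;
}

/* Returns true if the object is released while its original owner still
 * holds a reference, i.e. the state that leads to a crash or worse. */
static bool simulate(bool saturating, uint32_t leaked) {
    void (*get)(obj_t *) = saturating ? get_saturating : get_unchecked;
    void (*put)(obj_t *) = saturating ? put_saturating : put_unchecked;
    obj_t o = { .refs = 1, .freed = false };  /* the owner's reference */

    for (uint32_t i = 0; i < leaked; i++)     /* buggy path: get with no put */
        get(&o);

    get(&o);                                  /* an ordinary, balanced user */
    put(&o);
    return o.freed;
}

int main(void) {
    printf("unchecked,  10 leaked refs:    freed=%d\n", simulate(false, 10));
    printf("unchecked,  65535 leaked refs: freed=%d\n", simulate(false, 65535));
    printf("saturating, 65535 leaked refs: freed=%d\n", simulate(true, 65535));
    return 0;
}
```
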