Microsoft patches new GDI kernel flaw

Microsoft has patched seven vulnerabilities in Windows, including one marked "critical" that could be triggered by attackers simply by getting users to view a malicious image or visit a malicious site.

Of the three security updates the most serious, and the one to patch first, is MS09-006, researchers said today. That update, which contains three separate vulnerabilities, contains the month's single critical bug.

"It's in all versions of Windows, it's deep in the kernel and in GDI," said Wolfgang Kandek, chief technology officer at security company Qualys. "And you could get exploited in many ways. I could send you an email or I could get you to go to a malicious website."

"MS09-006, that's just pretty evil," said Eric Schultze, chief technology officer at Shavlik Technologies LLC. "View something evil and you're hacked."

According to Microsoft, the critical vulnerability is due to "improper validation of input passed from user mode through the kernel component of GDI." The Graphics Device Interface (GDI) is the core graphics rendering component of Windows. Because the flaw is in the kernel, a successful exploit would leave the attacker with complete control of the machine.

"With the history of GDI, people will really be looking at this," predicted Andrew Storms, director of security operations at nCircle Network Security Microsoft fixed GDI three times last year, most recently in December 2008, and the Windows kernel twice. "It's like rewind, repeat," Storms said.

Attackers would use malformed WMF (Windows Metafile) or EMF (Enhanced Metafile) images to exploit the bug, Microsoft said, feeding them to users via email or hosting them on websites. Opening or viewing the images would trigger the vulnerability.

"I liked how Microsoft acknowledged that attackers could exploit this by getting users to view an email or visit a website or open a document with an evil image," said Schultze.

But because Microsoft rated the vulnerability as "3" in its Exploitability Index, indicating that it doesn't believe functional attack code is likely in the next 30 days, Storms said he was confused. "Now I'm unsure. It's obviously the riskiest vulnerability, but with the exploitability index at 3, should I really worry about it or not?"

Storms answered his own question. "I have to take the safe side, and consider it a major bug and put it at the top of the list," he said.

The other update that Kandek, Schultze and Storms agreed needed immediate attention was MS09-008, which contained four separate flaws in Windows' DNS and WNS servers. All four were pegged as "important," the second-highest ranking in Microsoft's four-step scoring system. All currently supported server editions of Windows should be patched, including Windows 2000 Server, Server 2003 and Server 2008.

"These vulnerabilities could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems," said Microsoft. Such attacks are often referred to as "cache poisoning" attacks because they replace the legitimate addresses in a DNS server's cache with bogus destinations. DNS cache poisoning vulnerabilities gained attention last July when researcher Dan Kaminsky discovered a major flaw in the underlying DNS protocol, and organised an industry-wide patching effort to plug the hole.

"These seem to be separate from [Kaminsky's vulnerability]," said Kandek, and Schultze concurred. Storms, however, wasn't as sure.

"It sounds a lot like what we saw last summer," he countered.

But while Microsoft tagged the update as important, Schultze argued that it should be considered critical. "Microsoft seems to think that there not much likelihood of someone pulling off an exploit of this," he said, "but there was already code released for 08-037, another DNS vulnerability last year, and Microsoft rated that important, too. To me, that makes me rate this one kind of critical."

Missing from this month's updates, however, was a fix for a vulnerability in Excel that Microsoft revealed two weeks ago, and has admitted is already being used by attackers. According to researchers at Symantec, the vulnerability is a file format bug in all supported versions, including the latest - Excel 2007 on Windows and Excel 2008 for the Mac.

"We should have expected a patch," said Schultze. "And that we didn't get on, that sucks."

"No, I'm not surprised at all that it wasn't ready," said Storms. "But I wouldn't be surprised if we saw a patch in the next couple of weeks if things heat up."