Strong Security from the Enterprise to the Edge

Security Now Blog: Addressing Today's Information Security Issues

Critical Microsoft Patches Released, Zero-Day or Day-One Attacks to Follow

by Eirik Iverson, Product Management

Microsoft released five critical security bulletins for September 2009's Patch Tuesday, each of which addresses at least one remote code execution vulnerability. Any Windows computer that lacks these patches, or some compensating control for these vulnerabilities, is at risk of a zero-day (or, now that the patches are public, day-one) attack that signature-based anti-virus/spyware products will NOT stop.

Vulnerabilities Related to Internet Explorer and Windows Media Player Can Result in Extreme Harm to Enterprise and Consumer

Do NOT ignore the top four vulnerabilities listed below (the first four entries: MS09-045, MS09-046, and both CVEs under MS09-047). These vulnerabilities expose computers to drive-by download attacks that steal valuable information (identities, passwords, and credit card numbers), conduct fraudulent bank transactions, contaminate user documents to spread the infection to other computers, and enlist the PC as a node in a global botnet.

Victims would be end-users of Internet Explorer and/or Windows Media Player who visit a malicious website, visit a hacked but legitimate website (tens of thousands are), or render a page from a 'website' whose content is served from a hacked or malicious server. These attacks can happen to anyone, even advanced, trained end-users, because they require no end-user action other than visiting the malicious web content. Other victims will have played spiked (booby-trapped) Windows Media Format-encoded music or video received from friends, strangers, spear-phishing attacks, or social networks. Remember, if the PC of a "familiar" (friend, family member, or peer) is unknowingly infected, their documents and media files can be covertly spiked to infect other computers.

The remaining vulnerabilities should be patched in a timely manner as well, but they are not likely to result in a malware infestation.

Microsoft Advisories (the rating on each CVE line is Microsoft's Exploitability Index, as published with the bulletin):

MS09-045: Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (KB 971961)
  CVE-2009-1920: 1 – Consistent exploit code likely. Additional comments: none.

MS09-046: Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (KB 956844)
  CVE-2009-2519: 2 – Inconsistent exploit code likely. Additional comments: none.

MS09-047: Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (KB 973812)
  CVE-2009-2498: 1 – Consistent exploit code likely. Additional comments: none.
  CVE-2009-2499: 1 – Consistent exploit code likely. Additional comments: none.

MS09-048: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (KB 967723)
  CVE-2008-4609: 3 – Functioning exploit code unlikely. Additional comments: this is a memory-consumption type of denial of service.
  CVE-2009-1925: 2 – Inconsistent exploit code likely. Additional comments: functioning exploit code is possible but not likely to be reliable; denial of service is the more likely result.
  CVE-2009-1926: 3 – Functioning exploit code unlikely. Additional comments: this is a memory-consumption type of denial of service.

MS09-049: Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (KB 970710)
  CVE-2009-1132: 2 – Inconsistent exploit code likely. Additional comments: heap protections make this vulnerability difficult to exploit reliably.
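Before deciding which machines still need attention, it helps to check which of the five bulletins are actually installed. The script below is an added example written for this post, not Blue Ridge's or Microsoft's code. It takes only the bulletin-level KB numbers from the list above; the use of Get-HotFix and the way results are reported are assumptions about how an administrator would run the check. One caveat the script carries as a comment: some bulletins ship as component-specific packages whose installed KB IDs differ from the bulletin's KB article, so a "missing" result means "verify against the bulletin's KB article", not "definitely unpatched".

```powershell
# Added example (not from the original post): report whether the September
# 2009 bulletins listed above appear in the local machine's installed hotfixes.
# Bulletin-level KB numbers are taken from the list above; everything else is
# an assumption about how the check is run.
#
# Caveat: several bulletins are delivered as component-specific packages whose
# installed KB IDs differ from the bulletin KB, so a miss here is a prompt to
# verify manually against the bulletin's KB article, not proof of exposure.

$bulletins = @{
    'MS09-045' = 'KB971961'   # JScript scripting engine
    'MS09-046' = 'KB956844'   # DHTML Editing Component ActiveX control
    'MS09-047' = 'KB973812'   # Windows Media Format
    'MS09-048' = 'KB967723'   # Windows TCP/IP
    'MS09-049' = 'KB970710'   # Wireless LAN AutoConfig service
}

# Get-HotFix wraps the Win32_QuickFixEngineering WMI class. It lists updates
# installed through Windows Update / WSUS but does not see every MSI-based
# update, which is another reason to treat a miss as "check further".
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

# Build one result object per bulletin. New-Object PSObject is used rather than
# the [PSCustomObject] accelerator so the script also runs on PowerShell 2.0,
# which is what a 2009-era fleet would have had.
$report = foreach ($b in ($bulletins.GetEnumerator() | Sort-Object Name)) {
    New-Object PSObject -Property @{
        Bulletin  = $b.Name
        KB        = $b.Value
        Installed = ($installed -contains $b.Value)
    }
}

$report | Select-Object Bulletin, KB, Installed | Format-Table -AutoSize

# Exit non-zero when anything is unaccounted for, so the script can drive a
# logon script or a scheduled task that flags machines for follow-up.
$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    $names = ($missing | ForEach-Object { $_.Bulletin }) -join ', '
    Write-Warning ("{0} bulletin(s) not found by KB ID: {1}" -f $missing.Count, $names)
    exit 1
}
```

To sweep several machines from one workstation, pass `-ComputerName` to Get-HotFix (it accepts a list of hosts) and add the computer name to each result object; the rest of the logic is unchanged.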

Blue Ridge Customers Require No Further Action to Curb Above Zero-day Malware Risks

Computers already protected with AppGuard or EdgeGuard client security software guard Internet Explorer and Windows Media Player by default. "Drive-by download protection", which prevents unknown executables from launching from user space, is also enabled by default.

For those unfamiliar with these security software products: these protections take effect simply by installing the software. To guard another application, which means allowing it to run as its developers intended while preventing it from harming the PC if it consumes a malicious file, object, or communication, one merely identifies the application by name. No further policy rules are required.

Contrast this with host intrusion prevention system (HIPS) security software. HIPS products, which are bundled into the heavyweight security suites sold by the big vendors, are so complex to configure that they are frequently disabled completely or drastically under-utilized.

Do AppGuard, AppGuard Enterprise, or EdgeGuard replace existing anti-virus/spyware? Maybe. Blue Ridge, which has delivered high-end security solutions for over a decade, has always recommended defense in depth, or layered defenses. Thus, our products serve as excellent supplements to your existing anti-virus/spyware, which excels at stopping malware over a month OLD. Our products stop the NEW malware your anti-virus/spyware misses. However, our products would also stop the OLD malware. So it's ultimately up to you. Given the free or low-cost signature-based anti-malware software available today, Blue Ridge recommends using a freeware or shareware product to stop the OLD malware and one of our products to stop the NEW malware.

Related Articles on Endpoint Security

Why Should UnPatched PC Software Concern You?

(Beladen) Websites Unknowingly Attacking PCs

Microsoft Patch Tuesday Reminds Us How Vulnerable PCs Are

Employee Owned Computers are Data Leak Risks to Employers

3 Responses to “Critical Microsoft Patches Released, Zero-Day or Day-One Attacks to Follow”

  1. Malware Says:

    These jscript viruses are terrifying to me. It used to be the case that you had to accidentally click an exe or other program file, or at least click a pop-up or false system screen. Now, just visiting the wrong page can infect you. Do you recommend a specific browser for avoiding these threats?

  2. Eirik Iverson, Product Management Says:

    When it comes to dynamic code threats within browsers (e.g., jscript), I don’t recommend a particular browser over another, or any of the plug-ins that disable or site-lock scripts. Instead, I recommend using two or more separate web browsers. This compartmentalizes your highly sensitive, sensitive, and ‘recreational’ web browsing activities. Placing all of the web browsers ‘under guard’ with something like AppGuard prevents any nasties from escaping the confines of the web browser in terms of malware infestation. Guarding these browsers with privacy mode provides the added protection of denying them access to specified folders without explicit user permission, to prevent data leakage and ransom attacks. At any one time, I usually have two or three different web browsers running.

    Cheers,

    Eirik

  3. ScriptoManiac Says:

    Great post..Keep them coming :) Thanks for sharing.
