As you hopefully know by now, Microsoft released a dozen security patches last week. Microsoft rated eight of the patches as critical, meaning that the related problems could be exploited without user interaction to possibly spread a worm. The remaining four patches are rated important, meaning that the related problem could be exploited to compromise sensitive information, hinder access to data, or affect availability and integrity of processing resources.
After Microsoft releases security patches, intruders often quickly release exploits that take advantage of the vulnerabilities or researchers sometimes discover that previously known security problems still exist and that the latest batch of patches left problems unfixed. This past week was no different.
Reading the Handler's Diary blog at SANS Internet Storm Center (at the URL below) last week, I learned that the day after Microsoft released its security patches, there were at least six new exploits. Fortunately, two of those exploits, which affect Microsoft Windows Media Player and RRAS, were released by a security vendor to its customers, so those weren't floating around in the wild. Another exploit, which affects TCP/IP networking, was released privately, so it wasn't in the wild either. Yet another exploit, which affects Microsoft Word, was already in the wild before the related patch was released. That leaves at least two new exploits that are in the wild, both of which affect Server Message Block (SMB) and could be used to elevate privileges or hide a running process.
These last two exploits caught my attention because installing the patch in the related Microsoft Security Bulletin MS06-030: Vulnerability in Server Message Block Could Allow Elevation of Privilege doesn't completely fix the security problems. Even with the patch installed, vulnerability remains, although to an arguably lesser extent.
Ruben Santamarta, who runs the reversemode.com Web site, posted a message to SecurityFocus's BugTraq mailing list (at the URL below) in which he stated in reference to MS06-030, "Microsoft has not fixed the NtClose/ZwClose DeadLock vulnerability.... I think that the Driver Developer community should be informed that using NtClose/ZwClose, the driver will be exposed to a security issue by default."
Santamarta published a document on his Web site that discusses the problem in considerable technical detail (at the URL below). If I understand correctly, Santamarta has found that a malware writer could use the still existing vulnerability to essentially hide a process. As demonstrated in one of his published exploits, even if you try to terminate the process, it will disappear but not actually stop running. This of course gives the malware writer a great way to avoid malware removal. Santamarta's proof of concept points out that Microsoft needs to fix this problem sooner rather than later.
Finally, another exploit you need to be aware of, which isn't related to Microsoft's June release of patches, is a zero-day exploit released last week that affects Microsoft Excel. At the time of this writing, no patch was available from Microsoft to correct the problem. The problem is serious in that it allows the execution of arbitrary code when someone opens an affected Excel document. Security vendors are working to provide detection of this exploit, so hopefully you'll have the protection you need by the time you read this newsletter.