Microsoft closes one Windows hole
As announced, this Patch Tuesday Microsoft released only a single update (MS10-001), which closes a hole in the code for processing "Embedded OpenType" fonts. The problem is caused by an overflow that can be triggered when decompressing specially crafted fonts, which could, for instance, be embedded in documents or on web pages. This allows attackers to inject and execute arbitrary code on a system. However, Microsoft rates the security risk as critical only under Windows 2000. For Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2, the company has given the flaw a low risk rating.
The hole in the code for parsing file names with a semicolon in the extension in Internet Information Server 6.0 (IIS) remains unpatched. In some configurations, this hole can be exploited to upload arbitrary scripts to Windows web servers and execute them there. Another unpatched hole is the DoS vulnerability in the SMB clients of Windows 7 and Windows Server 2008 R2, which has been known since mid-November. However, this flaw can only be exploited using manipulated SMB servers which send malformed packets to clients – apparently a scenario so unlikely that Microsoft has reportedly not observed any attacks so far.
Furthermore, Microsoft hasn't offered any solution for the vulnerability in the Cross-Site Scripting (XSS) filter of Internet Explorer 8. This flaw makes otherwise secure web pages vulnerable. Microsoft has reportedly known of the problem for months, but hasn't officially confirmed it so far. Several weeks ago, Google started disabling the XSS filter of Internet Explorer 8 for its pages by sending the X-XSS-Protection: 0 header, which makes them immune to the flaw. Google knows about the vulnerability in IE and has said it wants to protect users until Microsoft has released a patch.
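To make the header opt-out concrete, here is an added example (not code from the article, from Google or from Microsoft) that parses the X-XSS-Protection header out of captured HTTP responses and classifies what each response asks IE8's filter to do, plus a small WSGI middleware that sets the header on every response. It goes slightly beyond the article in also recognising the "1" and "1; mode=block" values, which are the other settings IE understands; the sample responses are constructed for the example.

```python
# Added example: audit and set the X-XSS-Protection response header that the
# article says Google uses ("X-XSS-Protection: 0") to switch off IE8's XSS
# filter. Sample responses below are constructed, not captured from any site.
from typing import Dict, List

# Constructed raw header blocks: one site that opts out of the IE8 filter,
# one that sends nothing, and one that asks the filter to block the page.
SAMPLE_RESPONSES = {
    "opted-out": ("HTTP/1.1 200 OK\r\n"
                  "Content-Type: text/html; charset=UTF-8\r\n"
                  "X-XSS-Protection: 0\r\n"
                  "\r\n"),
    "default":   ("HTTP/1.1 200 OK\r\n"
                  "Content-Type: text/html\r\n"
                  "\r\n"),
    "blocking":  ("HTTP/1.1 200 OK\r\n"
                  "x-xss-protection: 1; mode=block\r\n"
                  "\r\n"),
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response header block into a lower-cased name -> value dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                         # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def xss_filter_policy(raw: str) -> str:
    """Classify what a response asks IE8's XSS filter to do.

    "browser-default": header absent, the browser decides (IE8 keeps the filter on)
    "disabled":        "0", the opt-out the article describes
    "filter":          "1", filter on, IE rewrites the suspected script
    "block":           "1; mode=block", filter on and the page is not rendered
    "unknown":         anything else
    """
    value = parse_headers(raw).get("x-xss-protection")
    if value is None:
        return "browser-default"
    token, _, params = value.partition(";")
    token, params = token.strip(), params.replace(" ", "").lower()
    if token == "0":
        return "disabled"
    if token == "1":
        return "block" if "mode=block" in params else "filter"
    return "unknown"


def audit(responses: Dict[str, str]) -> Dict[str, str]:
    """Policy per captured response, keyed by the response's label."""
    return {name: xss_filter_policy(raw) for name, raw in responses.items()}


class XssFilterHeaderMiddleware:
    """WSGI middleware adding X-XSS-Protection to every response.

    Defaults to "0" (the opt-out); a header already set by the wrapped app wins.
    """

    def __init__(self, app, value: str = "0"):
        self.app, self.value = app, value

    def __call__(self, environ, start_response):
        def _start_response(status, headers: List, exc_info=None):
            if not any(k.lower() == "x-xss-protection" for k, _ in headers):
                headers = headers + [("X-XSS-Protection", self.value)]
            return start_response(status, headers, exc_info)
        return self.app(environ, _start_response)


def _demo_app(environ, start_response):
    """Minimal WSGI app used only to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def middleware_headers(value: str = "0") -> List:
    """Push one request through the middleware and return the response headers."""
    captured = {}

    def fake_start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    list(XssFilterHeaderMiddleware(_demo_app, value)({}, fake_start_response))
    return captured["headers"]


if __name__ == "__main__":
    for name, policy in audit(SAMPLE_RESPONSES).items():
        print(f"{name:10s} -> {policy}")
    print(middleware_headers())
```

Header names are compared case-insensitively because HTTP allows any casing, which is why the "blocking" sample deliberately uses a lower-case name. When deciding whether to ship the "0" opt-out yourself, remember that it trades a known filter flaw for the absence of the filter on browsers that have it fixed, so it is a setting to revisit once a patch is available.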
See also:
- Microsoft Security Bulletin Summary for January 2010, security advisory from Microsoft.
- Microsoft confirms IIS hole, a report from The H.
- Security feature of Internet Explorer 8 unsafe, a report from The H.
(crve)