MS09-065 and the Worrisome Web

Blog Post created by rapid7-admin on Nov 11, 2009

Originally Posted by Sean Taylor

Yesterday was Patch Tuesday. Unlike the month before, there were only a few bugs to be had-- but like everyone else, MS09-065 particularly caught my attention.

For starters, MS09-065 is a kernel bug. This is bad enough. It's made much worse by the fact that the vulnerability goes all the way back to Windows 2000 and runs all the way up to Windows 2008. (The caveat being that Vista and up are only rated "elevation of privilege" and not remote code execution. But MS09-050 at one point was only a "denial of service" vulnerability as well.) Finally completing the triad, the main attack vector is Internet Explorer.

The triplet is enough to make anyone security-conscious groan. Not necessarily at yet another flaw in a Microsoft product-- this is to be expected, and their improvement over the years with more focus put toward security is something to be applauded-- but rather at the implications. The MS09-065 advisory warns in careful wording that an attacker "would have no way to force users to visit a specially crafted Web site" and instead "would have to convince the user to visit the Web site." Unfortunately, a few factors render this comment mostly incorrect.

Consider the web and its attack vectors. Cross-site scripting is a vulnerability that doesn't get much respect but is quite abundant. It's easy to find, and not a lot of people understand its implications, so as a result it's everywhere. SQL injection is still a persistent problem as well, regardless of the education that's been put forth on its implications. With applications such as Twitter being the norm for advertising and communication, we move much, much more quickly and spread information at a faster pace than before. Amusingly, as a result of the attachment to Twitter, shortened URLs via bit.ly and tinyurl have become the norm as well, rendering some social engineering tactics almost trivial. Essentially, the web is the low-hanging fruit of software exploitation and social engineering.

So when a Ring 0 kernel exploit is released against a major vendor such as Microsoft that affects nearly all of their operating system product line through a vector as massive as the Internet, it's reason to worry. One cross-site scripting bug in a website with lots of traffic-- say Facebook-- is enough to own perhaps hundreds of computers. Maybe even thousands if the attack is performed correctly. It's not fair to simply write this bug off as a problem of social engineering or of browsing to the "bad parts" of the Internet. Due to the current nature of the web, this is a much larger issue than simply one of carefulness when clicking.

Be cautious, patch your systems and try to browse without too much JavaScript. This is a high-profile bug. Lots of people with different backgrounds are looking at it.