Microsoft patches critical Windows kernel flaw
Microsoft patched critical vulnerabilities in the Windows kernel that could be remotely exploited by an attacker to gain control of a computer. In all, three bulletins patching eight Windows flaws were released Tuesday as part of Microsoft's monthly patching cycle.
Microsoft's MS09-006 bulletin is rated critical for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. It addresses three kernel vulnerabilities: a remote code execution vulnerability, rated critical, and two elevation of privilege vulnerabilities, rated important. Validation errors in the kernel graphics rendering component could be exploited to install programs; view, change, or delete data; or create new accounts with full user rights.
An end user can fall victim to an attack by opening a malicious email attachment or browsing to a malicious website that contains a specially crafted .WMF or .EMF picture file. But Microsoft gives the flaw a "3" on its Exploitability Index, indicating that working exploit code is unlikely to appear in the wild, said Andrew Storms, director of security operations at security and compliance auditing vendor nCircle Network Security Inc.
"Microsoft is saying that it's a pretty darn critical and nasty bug in Windows and easy to get users to go to a malicious website, but the exploit index says it's more than likely not going to happen because it's very difficult to exploit this piece of code," Storms said. "It's still important to get it patched."
The MS09-007 bulletin is rated important and addresses a vulnerability in authentication handling for the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The vulnerability is within Microsoft Windows Secure Channel, the component that processes SSL and TLS digital signatures. The update corrects the way Secure Channel parses key exchange data during the TLS handshake. Microsoft patched a similar vulnerability in 2007.