Beyondtrust

BeyondTrust Patch Tuesday

April 13, 2010

Microsoft Patch Disclosure

This month, Microsoft released 11 patches which repair a total of 25 vulnerabilities. Of these 11 patches, 8 address Remote Code Execution vulnerabilities, 1 addresses a Denial of Service (DoS) vulnerability, 1 addresses a Privilege Escalation vulnerability, and 1 addresses a Spoofing vulnerability. Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.

Of the 11 bulletins released this month, administrators are advised to patch MS10-019, MS10-020, MS10-021, MS10-022, MS10-024, MS10-026, and MS10-027 immediately to prevent exploitation of Exchange, the SMB client and Windows client-side applications by attackers. Administrators should then patch MS10-023 and MS10-025 wherever the affected software is installed (Office Publisher and the optional Windows Media Services component respectively), as attackers can easily target those installations. The remainder of the patches should be applied after environment testing, or to environments that have the specifically affected software deployed. As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: April 13, 2010

BULLETIN / ADVISORY DETAILS

MS10-019

Vulnerabilities in Windows Could Allow Remote Code Execution (981210)


Microsoft Rating:

Critical

CVE List:

CVE-2010-0486, CVE-2010-0487

 

Analysis:

Both vulnerabilities lie in the way Windows verifies Authenticode signatures: a signed portable executable (CVE-2010-0486, in WinVerifyTrust) or a signed cabinet file (CVE-2010-0487, in Cabview) can be modified so that the attacker's content is executed while the original signature still validates. Attackers will therefore try to trick users into opening a tampered but apparently validly signed executable or cabinet file, for example delivered by email or from a web site. Upon opening the file, the attacker's code runs with the privileges of the user who opened it, and on a typical workstation where that user is an administrator the attacker gains complete control of the system. This vulnerability affects all supported versions of Windows and, because it undermines a trust decision that users and software make automatically, it will be a prime target for attackers. After the attacker has successfully compromised the system, the attacker will likely install malicious backdoor programs and use the compromised system to launch attacks against other internal or external systems.

 

Recommendation:

Administrators are urged to roll out this patch as soon as possible to all Windows systems. Until these systems are patched, users should not open signed portable executable or cabinet files from untrusted sources; a valid Authenticode signature alone is not evidence that the file is unmodified.

 

MS10-020

Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)


Microsoft Rating:

Critical

CVE List:

CVE-2009-3676, CVE-2010-0269, CVE-2010-0270, CVE-2010-0476, CVE-2010-0477

 

Analysis:

The SMB client implementation contains multiple vulnerabilities that could allow a remote attacker operating a malicious SMB server to crash the client or execute arbitrary code on it, giving the attacker complete control of the system. No authentication is required; the attacker only needs the victim to connect to the malicious server, which can be induced without the user's knowledge, for example by a UNC path embedded in a web page or email. Attackers are likely to focus on developing exploits for the remote code execution issues described in CVE-2010-0269, CVE-2010-0270, CVE-2010-0476, and CVE-2010-0477, followed by the denial of service issue CVE-2009-3676, which was publicly known before this patch.

 

Recommendation:

Administrators are urged to roll out this patch as soon as possible to vulnerable systems. In the meantime, block outbound TCP ports 139 and 445 at the network perimeter so that clients cannot be lured to Internet-hosted SMB servers, and restrict internal SMB access to a whitelist of trusted file servers.

 

MS10-021

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)


Microsoft Rating:

Important

CVE List:

CVE-2010-0234, CVE-2010-0235, CVE-2010-0236, CVE-2010-0237, CVE-2010-0238, CVE-2010-0481, CVE-2010-0482, CVE-2010-0810

 

Analysis:

This patch addresses 2 privilege elevation vulnerabilities and 6 local denial of service conditions within the Microsoft Windows kernel. Attackers could leverage the 2 privilege elevation vulnerabilities to elevate from an unprivileged local account to kernel (ring 0) privileges, allowing full system compromise. Attackers are likely to combine these vulnerabilities with other exploits in order to turn browser-based exploits, which run with the browser user's privileges, into full-blown rootkit installations. Alternatively, attackers could use the denial of service conditions to trigger a blue screen of death (bugcheck) on the system, thus hindering workflow.

 

Recommendation:

Apply the patch after testing in virtual or test environments to ensure the kernel update does not conflict with mission-critical software.

 

MS10-022

Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)


Microsoft Rating:

Important

CVE:

CVE-2010-0483

 

Analysis:

A remote code execution vulnerability exists in the way VBScript in Internet Explorer hands a help file to Windows Help: a web page can display a VBScript MsgBox dialog whose help file argument points to an attacker-controlled location such as a remote UNC or WebDAV path, and when the user presses F1 in that dialog, winhlp32.exe loads the attacker's malformed HLP file and runs arbitrary code. This attack was made public before the patch and was dubbed the "F1 Help Key" exploit; attackers leverage social engineering web pages to convince users to press the F1 key. Once loaded, the malicious HLP file compromises the system, typically installing additional malware, bots, or rootkits, or giving the attacker remote access to the compromised machine.

 

Recommendation:

Until the patch can be applied, use CACLS to deny all users access to the Windows Help subsystem ("%windir%\winhlp32.exe"). This blocks the attack at the point where the help file would be loaded; the side effect is that legitimate legacy .hlp files will not open until the entry is removed.

 

MS10-023

Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160)


Microsoft Rating:

Important

CVE:

CVE-2010-0479

 

Analysis:

A single vulnerability within Microsoft Office Publisher could allow remote attackers to trigger a memory corruption that potentially could be leveraged to execute arbitrary code on the system. Attackers will exploit this vulnerability by crafting a malformed Publisher file (.PUB) and emailing it, or using social engineering, to convince users to download and open it. Once opened, this malicious .PUB file would compromise a system, typically installing additional malware, bots, or rootkits, or giving the attacker remote access to the compromised machine.

 

Recommendation:

For users with Microsoft Office Publisher, do not download or open untrusted PUB files until the patch is applied.

 

MS10-024

Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)


Microsoft Rating:

Important

CVE List:

CVE-2010-0024, CVE-2010-0025

 

Analysis:

This patch addresses 2 remotely exploitable vulnerabilities within Microsoft Exchange and the Windows SMTP Service that could allow remote, unauthenticated attackers to stop the service from responding until it is restarted (CVE-2010-0024, triggered by a malformed DNS response to the server's MX lookup) or to obtain portions of the service's memory in responses, which may include sensitive information (CVE-2010-0025). Attackers will use these vulnerabilities to disrupt mission-critical mail servers or potentially to steal sensitive information from targeted environments.

 

Recommendation:

Apply the patch immediately to Exchange servers and to any Windows server with the SMTP Service installed (an optional IIS component) to prevent attackers from exploiting either vulnerability.

 

MS10-025

Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)


Microsoft Rating:

Critical

CVE:

CVE-2010-0478

 

Analysis:

Attackers will send malformed transport information packets to Windows Media Services on vulnerable systems, namely Windows 2000 Server SP4 with the optional Windows Media Services component installed. No authentication is needed, and a successful attack compromises the system, giving the attacker complete control of the machine. At that point, the attacker will likely install backdoor access programs and use the system to launch attacks against other internal and external machines.

 

Recommendation:

Administrators are urged to apply the patch as soon as possible to all vulnerable Windows 2000 servers. Until this is complete, administrators should block TCP and UDP port 1755 (the Microsoft Media Server protocol port) at the perimeter for Windows 2000 servers running Windows Media Services and, where streaming is not needed, stop and disable the Windows Media Services service.

 

MS10-026

Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)


Microsoft Rating:

Critical

CVE:

CVE-2010-0480

 

Analysis:

This remote code execution vulnerability is due to a flaw in the Microsoft MPEG Layer-3 audio codecs when they decode malformed AVI files carrying an MP3 audio stream. Attackers could set up drive-by exploit websites that play such a file in an embedded player when a visitor browses to the malicious site, or send the file directly by email. Once decoded, the malformed audio stream triggers a memory corruption that allows attackers to execute arbitrary code on the vulnerable system. At this point, the attackers will likely install backdoor access programs and use the system to launch attacks against other internal and external machines.

 

Recommendation:

Administrators are urged to roll out this patch as soon as possible to all Windows systems. Until the patch is distributed, administrators can use CACLS to deny access to "%windir%\system32\l3codeca.acm" and "%windir%\system32\l3codecx.ax", which prevents AVI files with MP3 audio from being decoded by the vulnerable codecs. (Note: this will cause some videos not to play properly until the entries are removed.)
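The CACLS workaround recommended for MS10-026 above, and the one recommended for MS10-022 (winhlp32.exe) earlier in this bulletin, follow the same pattern: take ownership where the file belongs to TrustedInstaller, add an explicit no-access entry for Everyone, and remove that entry again once the patch is installed. The script below is an added example that is not part of the original advisory or of Microsoft's bulletins. It assumes an elevated command prompt, the default file locations quoted in the two recommendations, an English-language Windows where the group is literally named "everyone", and that takeown.exe is only needed (and only present) on releases where an administrator cannot edit the ACL directly; the script name is hypothetical.

```batch
@echo off
rem Added example (not from the original advisory): apply or undo the interim
rem ACL workarounds for MS10-022 (winhlp32.exe) and MS10-026 (the MP3 codec
rem files).  Run from an elevated command prompt.
rem Usage:  acl_workaround.cmd apply     or     acl_workaround.cmd undo
setlocal
if /I not "%~1"=="apply" if /I not "%~1"=="undo" (
    echo Usage: %~nx0 apply  or  undo
    exit /b 1
)

rem Files the two workarounds cover (assumed default locations).
for %%F in ("%windir%\winhlp32.exe" "%windir%\system32\l3codeca.acm" "%windir%\system32\l3codecx.ax") do call :%~1 "%%~F"
exit /b 0

:apply
if not exist "%~1" (
    echo Not present, skipping: %~1
    exit /b 0
)
rem On Vista/2008 these files are owned by TrustedInstaller, so an
rem administrator must take ownership before the ACL can be edited.
rem takeown.exe is not on every release, so it is used only where found.
if exist "%windir%\system32\takeown.exe" takeown /f "%~1" >nul
rem /E edits the ACL in place; /P everyone:N adds an explicit "No access"
rem entry for Everyone, which overrides the inherited allow entries.
cacls "%~1" /E /P everyone:N
exit /b 0

:undo
if not exist "%~1" exit /b 0
rem /R removes the explicit Everyone entry; inherited permissions remain.
rem Ownership taken in :apply is not handed back to TrustedInstaller.
cacls "%~1" /E /R everyone
exit /b 0
```

Run `acl_workaround.cmd apply` before the patches are deployed and `acl_workaround.cmd undo` afterwards. On non-English installations substitute the localized name of the Everyone group, and remember that the deny entry also stops legitimate .hlp files and MP3-in-AVI playback, which is exactly the trade-off the two recommendations describe.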

 

MS10-027

Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)


Microsoft Rating:

Critical

CVE:

CVE-2010-0268

 

Analysis:

This remote code execution vulnerability is due to a flaw in the Windows Media Player ActiveX control, which corrupts memory when it handles specially crafted media content embedded in a web page. Attackers could set up drive-by exploit websites that embed the control and automatically exploit Internet Explorer visitors browsing to the malicious site. Once rendered, the malicious HTML page triggers a memory corruption that allows attackers to execute arbitrary code on the vulnerable system with the privileges of the browser user. At this point, the attackers will likely install backdoor access programs and use the system to launch attacks against other internal and external machines.

 

Recommendation:

Until this critical patch is applied, administrators are advised to set the kill bit for the Windows Media Player control's CLSID, which stops Internet Explorer from loading it. This is done by creating the DWORD value "Compatibility Flags" with data 0x00000400 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6BF52A52-394A-11d3-B153-00C04F79FAA6} and, on 64-bit Windows, also under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6BF52A52-394A-11d3-B153-00C04F79FAA6}. This disables the ActiveX component of Windows Media Player in Internet Explorer, including on legitimate sites that embed the player, until administrators can apply the patch and remove the value.
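The kill bit procedure above, written out as a script that sets, clears or inspects the value in both registry views. This is an added example and not part of the original advisory or of Microsoft's bulletin; the CLSID and key paths are the ones quoted above, the script name is hypothetical, and it assumes reg.exe is available and that the prompt is elevated (and, on x64, the native 64-bit cmd.exe, so that HKLM\SOFTWARE is not silently redirected to Wow6432Node).

```batch
@echo off
rem Added example (not from the original advisory): set, clear or show the
rem Internet Explorer kill bit for the Windows Media Player ActiveX control,
rem the interim MS10-027 mitigation.  Run from an elevated command prompt;
rem on x64 use the native 64-bit cmd.exe so HKLM\SOFTWARE is not redirected.
rem Usage:  wmp_killbit.cmd set|clear|show
setlocal
if /I "%~1"=="set"   goto run
if /I "%~1"=="clear" goto run
if /I "%~1"=="show"  goto run
echo Usage: %~nx0 set, clear or show
exit /b 1

:run
set "CLSID={6BF52A52-394A-11d3-B153-00C04F79FAA6}"
set "KEY32=HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\%CLSID%"
set "KEY64=HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\%CLSID%"
rem 64-bit Windows keeps a second registry view for 32-bit IE under Wow6432Node;
rem both views must be written or one of the two IE builds stays exposed.
set "X64="
if /I "%PROCESSOR_ARCHITECTURE%"=="AMD64" set "X64=1"
if defined PROCESSOR_ARCHITEW6432 set "X64=1"
call :%~1 "%KEY32%"
if defined X64 call :%~1 "%KEY64%"
exit /b 0

:set
rem "Compatibility Flags" is a DWORD; bit 0x400 (decimal 1024) is the kill bit.
rem This writes exactly 0x400, replacing any other flags set on the control.
reg add "%~1" /v "Compatibility Flags" /t REG_DWORD /d 1024 /f
exit /b 0

:clear
rem Removes the value (and with it any other flags) once the patch is installed.
reg delete "%~1" /v "Compatibility Flags" /f
exit /b 0

:show
reg query "%~1" /v "Compatibility Flags" 2>nul || echo Kill bit not set under %~1
exit /b 0
```

`wmp_killbit.cmd show` is the quick verification that the value reads 0x400 in each view. The kill bit only affects Internet Explorer instantiating the control; the stand-alone Windows Media Player is untouched, and any intranet page that embeds the player will stop working until `wmp_killbit.cmd clear` is run after patching.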

 

MS10-028

Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)


Microsoft Rating:

Important

CVE List:

CVE-2010-0254, CVE-2010-0256

 

Analysis:

This patch addresses 2 vulnerabilities that allow remote attackers to execute arbitrary code within the context of the currently logged on user. Attackers will try to trick users into opening malicious Visio files. Upon opening this malicious file, the user's machine will become compromised. If the user has Administrator rights, the attacker would have complete control of the system and potentially use it as a base for future attacks against machines within and outside the user's network.

 

Recommendation:

For users with Microsoft Office Visio, do not download or open untrusted Visio files until the patch is applied.

 

MS10-029

Vulnerability in Windows ISATAP Component Could Allow Spoofing (978338)


Microsoft Rating:

Moderate

CVE:

CVE-2010-0812

 

Analysis:

This patch addresses a vulnerability in the ISATAP component of the Windows IPv6 stack. ISATAP tunnels IPv6 inside IPv4 (IP protocol 41) and embeds an IPv4 address in each ISATAP address; Windows does not properly validate the IPv6 source address of a tunnelled ISATAP packet against the IPv4 address that carried it, which allows a remote attacker to make traffic appear to come from another valid computer. This could then be used to bypass firewalls and access controls that only allow connections from certain systems.

 

Recommendation:

Apply this update as soon as possible to affected systems. Until the patch is applied, disable ISATAP on hosts that do not need it, or filter IPv6-in-IPv4 tunnelled traffic (IP protocol 41) at the firewall, which is narrower than blocking all IPv6 communications.
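The host-side version of the workaround above, disabling ISATAP with netsh, as an added example that is not part of the original advisory or of Microsoft's bulletin. It assumes an elevated prompt and the two netsh command forms that differ between Windows XP / Server 2003 and Windows Vista and later; the script name is hypothetical.

```batch
@echo off
rem Added example (not from the original advisory): disable, re-enable or show
rem the ISATAP tunnelling component that MS10-029 patches, as an interim
rem mitigation on hosts that do not need it.  Run from an elevated prompt.
rem Usage:  isatap_state.cmd disable|enable|show
setlocal
set "STATE="
if /I "%~1"=="disable" set "STATE=disabled"
if /I "%~1"=="enable"  set "STATE=default"
if /I "%~1"=="show"    set "STATE=show"
if not defined STATE (
    echo Usage: %~nx0 disable, enable or show
    exit /b 1
)

rem Windows XP / Server 2003 (kernel 5.x) expose ISATAP under the "ipv6"
rem netsh context; Vista and later expose it directly under "interface".
set "CTX=interface isatap"
ver | find "Version 5." >nul && set "CTX=interface ipv6 isatap"

if "%STATE%"=="show" (
    netsh %CTX% show state
) else (
    rem "default" restores the out-of-box behaviour instead of forcing "enabled".
    netsh %CTX% set state %STATE%
)
exit /b 0
```

Disabling ISATAP only helps on the host it is run on; for the rest of the network the equivalent control is a perimeter rule dropping IP protocol 41 from untrusted sources, which leaves native IPv6 and ordinary IPv4 traffic alone.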

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.