BeyondTrust Patch Tuesday
December 14, 2010
Microsoft Patch Disclosure
This month, Microsoft released 17 bulletins that fix a total of 40 vulnerabilities. Of these 17 bulletins, 10 address remote code execution, 4 address elevation of privilege, and 3 address denial of service. eEye's Blink Endpoint Security products protect against memory-corruption vulnerabilities generically, without the need for signature updates.
eEye advises administrators to patch MS10-090 and MS10-091 first, since both are triggered simply by viewing attacker-controlled content (a web page or a font), followed by MS10-092 through MS10-105, and finally MS10-106. For those unable to deploy the patches in a timely fashion, see the mitigation sections below.
As always, eEye suggests that all users apply Microsoft patches as quickly as possible, after testing their impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.
Register Now >>
- Web Event: Vulnerability Expert Forum (VEF)
- Presenters: The eEye Research Team
- Date/Time: Wednesday December 15th at 11am PST / 2pm EST
BULLETIN / ADVISORY DETAILS
MS10-090
Cumulative Security Update for Internet Explorer (2416400)
Microsoft Rating:
CVE List:
CVE-2010-3340, CVE-2010-3342, CVE-2010-3343, CVE-2010-3345, CVE-2010-3346, CVE-2010-3348, CVE-2010-3962
Analysis:
This bulletin addresses seven vulnerabilities in Internet Explorer: five remote code execution vulnerabilities and two information disclosure vulnerabilities. To exploit a remote code execution vulnerability, an attacker would need to create a malicious web page and convince a user to view it. For four of the five, simply rendering the page is enough to trigger the flaw; no further user interaction is required.
Recommendation:
Configure Internet Explorer to disable Active Scripting entirely, or to prompt before running it, and block ActiveX controls. Read email in plain text. Restrict access to mstime.dll with an access control list (ACL). Finally, apply the user-defined CSS style sheet workaround for CVE-2010-3962 by running the Fix It tool at http://support.microsoft.com/kb/2458511.
MS10-091
Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (2296199)
Microsoft Rating:
CVE List:
CVE-2010-3956, CVE-2010-3957, CVE-2010-3959
Analysis:
This bulletin addresses three remote code execution vulnerabilities in the OpenType Font (OTF) driver, all caused by improper parsing of OpenType fonts. Because the driver runs in kernel mode, an attacker who exploits one of them gains the ability to execute arbitrary code with kernel privileges on the victim's machine. An attacker would need only to host a malicious font on a network share and convince the user to open a document that uses that font, or to browse to the share in Windows Explorer, where the preview pane renders the font and triggers the vulnerability.
Recommendation:
Disable font preview in the Windows Explorer Preview and Details panes. Note that this removes only the browse-to-share vector; a document that embeds a malicious font is still a risk until the patch is applied.
MS10-092
Vulnerability in Task Scheduler Could Allow Elevation of Privilege (2305420)
Microsoft Rating:
CVE:
CVE-2010-3338
Analysis:
This bulletin addresses an elevation of privilege vulnerability in the Windows Task Scheduler that could allow a local attacker to run arbitrary code with LocalSystem rights. The vulnerability exists because the Task Scheduler does not always run tasks in the intended security context. An attacker who already has code execution as a standard user would use the elevated privileges gained through this flaw to install malware and backdoors on the compromised system.
Recommendation:
Disable the Task Scheduler service by changing the Start value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule from 2 (Automatic) to 4 (Disabled) and restarting the system. This stops every scheduled task, including any used for patch deployment or system maintenance, so treat it as a short-lived measure.
MS10-093
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (2424434)
Microsoft Rating:
CVE:
CVE-2010-3967
Analysis:
This bulletin addresses an insecure DLL loading vulnerability in Windows Movie Maker that could lead to remote code execution. Successful exploitation gives the attacker the ability to execute arbitrary code in the context of the current user.
Recommendation:
Disable loading of DLLs from network and WebDAV shares. Disable the WebClient service. Block TCP ports 139 and 445 at the perimeter firewall.
MS10-094
Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961)
Microsoft Rating:
CVE:
CVE-2010-3965
Analysis:
This bulletin addresses a remote code execution vulnerability in the way Windows Media Encoder loads DLLs. Successful exploitation gives the attacker the ability to execute arbitrary code in the context of the current user.
Recommendation:
Disable loading of DLLs from network and WebDAV shares. Disable the WebClient service. Block TCP ports 139 and 445 at the perimeter firewall.
MS10-095
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2385678)
Microsoft Rating:
CVE:
CVE-2010-3966
Analysis:
This bulletin addresses a remote code execution vulnerability caused by the way Windows loads DLLs on systems where BranchCache functionality is unavailable. Successful exploitation would result in the attacker being able to execute arbitrary code within the context of the current user.
Recommendation:
Disable loading of DLLs from network and WebDAV shares. Disable the WebClient service. Block TCP ports 139 and 445 at the perimeter firewall.
MS10-096
Vulnerability in Windows Address Book Could Allow Remote Code Execution (2423089)
Microsoft Rating:
CVE:
CVE-2010-3147
Analysis:
This bulletin addresses a remote code execution vulnerability caused by the way Windows Address Book loads DLLs. Successful exploitation would result in the attacker being able to execute arbitrary code within the context of the current user.
Recommendation:
Disable loading of DLLs from network and WebDAV shares. Disable the WebClient service. Block TCP ports 139 and 445 at the perimeter firewall.
MS10-097
Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105)
Microsoft Rating:
CVE:
CVE-2010-3144
Analysis:
This is a standard DLL hijacking (insecure library loading) issue of the kind seen in many other applications this year. When opened, the Internet Connection Signup Wizard will attempt to load one of its DLLs from a network or WebDAV share rather than from a trusted system directory. An attacker could place a specially crafted DLL on such a share that, when loaded, would execute arbitrary code with the same permissions as the user.
Recommendation:
Disable loading of DLLs from network and WebDAV shares. Disable the WebClient service. Block TCP ports 139 and 445 at the perimeter firewall.
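The same three workarounds are repeated for MS10-093 through MS10-097 because all five bulletins are the same insecure-library-loading pattern. As an added example (not code from the eEye advisory), the PowerShell below applies and audits the two host-side pieces, the DLL search-order restriction and the WebClient service; the block on TCP 139/445 belongs at the perimeter firewall, not on the host. It assumes the CWDIllegalInDllSearch registry value documented in Microsoft KB2264107 is available on the host (the advisory does not name the value) and that the script runs from an elevated prompt.

```powershell
# Added example, not from the advisory. Assumes KB2264107 (CWDIllegalInDllSearch) is present
# and that this runs elevated. Covers MS10-093, MS10-094, MS10-095, MS10-096 and MS10-097.
$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Set-DllSearchMitigation {
    param(
        # WebDavOnly   (1)          : ignore the working directory when it is a WebDAV share
        # RemoteShares (2)          : ignore it when it is a WebDAV share or a remote UNC share
        # NoCwd        (0xFFFFFFFF) : never search the working directory at all (strongest, but
        #                             may break legacy applications that load DLLs from CWD)
        [ValidateSet('WebDavOnly', 'RemoteShares', 'NoCwd')]
        [string]$Level = 'RemoteShares'
    )
    # A REG_DWORD is a signed 32-bit value to PowerShell, so 0xFFFFFFFF must be written as -1.
    $value = switch ($Level) { 'WebDavOnly' { 1 } 'RemoteShares' { 2 } 'NoCwd' { -1 } }
    New-ItemProperty -Path $SessionMgr -Name CWDIllegalInDllSearch -PropertyType DWord `
                     -Value $value -Force | Out-Null
}

function Disable-WebClientService {
    # The WebDAV redirector. With it stopped, \\host\share@80 style paths can no longer be
    # opened, which removes the WebDAV delivery vector but not ordinary SMB shares.
    Set-Service -Name WebClient -StartupType Disabled
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
}

function Get-DllSearchMitigationState {
    # Reports what is actually in effect, for verification before and after the change.
    $cwd = (Get-ItemProperty -Path $SessionMgr -Name CWDIllegalInDllSearch `
                             -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $cwdText = 'not set (default search order)'
    if ($null -ne $cwd) { $cwdText = '0x{0:X8}' -f $cwd }   # -1 prints as 0xFFFFFFFF
    $state = 'not installed'; $mode = 'n/a'
    if ($svc) { $state = $svc.State; $mode = $svc.StartMode }
    [pscustomobject]@{
        CWDIllegalInDllSearch = $cwdText
        WebClientState        = $state
        WebClientStartMode    = $mode
    }
}

# Usage: apply both host-side mitigations, then show the resulting state.
Set-DllSearchMitigation -Level RemoteShares
Disable-WebClientService
Get-DllSearchMitigationState
```

Level 2 (RemoteShares) is the setting that matches the advisory's wording; 0xFFFFFFFF is stricter and worth testing against line-of-business applications before rolling out, since some older software relies on loading its own DLLs from the working directory.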
MS10-098
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2436673)
Microsoft Rating:
CVE List:
CVE-2010-3939, CVE-2010-3940, CVE-2010-3941, CVE-2010-3942, CVE-2010-3943, CVE-2010-3944
Analysis:
This bulletin addresses multiple elevation of privilege vulnerabilities in Windows kernel-mode drivers. Their root causes include improper allocation of data passed from user mode to the kernel, double frees, and improper management of kernel driver objects. Each allows a local attacker to run arbitrary code with kernel privileges.
Recommendation:
Five of the six vulnerabilities have no mitigation. For CVE-2010-3941, administrators can disable the NTVDM (16-bit) subsystem through Group Policy (gpedit.msc) or by setting the registry value DisallowedPolicyDefault under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW to 1. This applies only to 32-bit editions of Windows; 64-bit editions do not ship NTVDM.
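Both MS10-092 and MS10-098 (CVE-2010-3941) are mitigated by a single registry value that has to be put back once the patch lands. The following PowerShell is an added example, not code from the advisory: it records the original data of each value before changing it, so the workaround can be rolled back cleanly. The backup file location is an arbitrary choice, and the script assumes an elevated prompt; the Task Scheduler change needs a reboot to take effect.

```powershell
# Added example, not from the advisory. Applies the two registry-only workarounds the advisory
# lists (MS10-092: disable Task Scheduler; MS10-098/CVE-2010-3941: disable NTVDM) and saves the
# previous values for rollback. Backup path is an assumption. Run elevated; reboot afterwards.
$BackupFile = "$env:ProgramData\ms10-dec-registry-mitigations.xml"

$Mitigations = @(
    @{ Bulletin = 'MS10-092'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'
       Name     = 'Start'
       Value    = 4 }     # service start type: 2 = Automatic, 4 = Disabled
    @{ Bulletin = 'MS10-098'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\WOW'
       Name     = 'DisallowedPolicyDefault'
       Value    = 1 }     # 1 = block 16-bit (NTVDM) applications; meaningful on 32-bit Windows only
)

function Get-MitigationValue {
    # Returns the current data of one value, or $null if the key or the value does not exist.
    param([hashtable]$M)
    if (-not (Test-Path $M.Path)) { return $null }
    $item = Get-ItemProperty -Path $M.Path -Name $M.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { $null } else { $item.($M.Name) }
}

function Enable-RegistryMitigation {
    # Record every original value first, then apply. Refuses to overwrite an existing backup so
    # that running twice cannot clobber the true pre-mitigation state.
    if (Test-Path $BackupFile) { throw "Backup $BackupFile already exists; undo or remove it first." }
    $state = foreach ($m in $Mitigations) {
        [pscustomobject]@{ Bulletin = $m.Bulletin; Path = $m.Path; Name = $m.Name
                           Original = (Get-MitigationValue -M $m) }
    }
    $state | Export-Clixml -Path $BackupFile
    foreach ($m in $Mitigations) {
        if (-not (Test-Path $m.Path)) {
            Write-Warning "$($m.Bulletin): key $($m.Path) not present on this host, skipping"
            continue
        }
        Set-ItemProperty -Path $m.Path -Name $m.Name -Value $m.Value -Type DWord
    }
    $state
}

function Undo-RegistryMitigation {
    # Roll back from the saved state: restore original data, or delete values that did not exist.
    foreach ($s in Import-Clixml -Path $BackupFile) {
        if ($null -eq $s.Original) {
            Remove-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Original -Type DWord
        }
    }
    Remove-Item -Path $BackupFile
}

# Usage: Enable-RegistryMitigation now; Undo-RegistryMitigation after MS10-092 and MS10-098 are installed.
Enable-RegistryMitigation
```

Disabling the Task Scheduler service stops every scheduled task on the host, including patch-deployment and maintenance jobs, so keep the window between Enable and Undo as short as possible and verify the rollback with a second reboot.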
MS10-099
Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege (2440591)
Microsoft Rating:
CVE:
CVE-2010-3963
Analysis:
This bulletin addresses an elevation of privilege vulnerability in the NDProxy component of Routing and Remote Access, which runs in kernel mode. It is caused by improper validation of data passed from user mode to the kernel and could allow a local attacker to execute arbitrary code with kernel privileges on the compromised system.
Recommendation:
No mitigations have been provided by Microsoft.
MS10-100
Vulnerability in Consent User Interface Could Allow Elevation of Privilege (2442962)
Microsoft Rating:
CVE:
CVE-2010-3961
Analysis:
This bulletin addresses an elevation of privilege vulnerability in the Windows Consent User Interface (the UAC prompt). It is caused by improper validation of certain registry values and could allow a local attacker to run arbitrary code with elevated privileges.
Recommendation:
No mitigations have been provided by Microsoft.
MS10-101
Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559)
Microsoft Rating:
CVE:
CVE-2010-2742
Analysis:
This bulletin addresses a remote denial of service vulnerability in the Netlogon RPC service on certain versions of Windows Server. The attacker must be authenticated to trigger it; successful exploitation causes the affected server to restart.
Recommendation:
No mitigations have been provided by Microsoft.
MS10-102
Vulnerability in Hyper-V Could Allow Denial of Service (2345316)
Microsoft Rating:
CVE:
CVE-2010-3960
Analysis:
This bulletin addresses a denial of service vulnerability in the Hyper-V role of Windows Server 2008 and Server 2008 R2. To exploit it, an attacker must be an authenticated user logged on locally to one of the guest virtual machines running on the server, from which a malicious packet is sent to VMBus. It cannot be exploited by anonymous users or by attackers who are not logged on to a guest.
Recommendation:
No mitigations have been provided by Microsoft.
MS10-103
Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2292970)
Microsoft Rating:
CVE List:
CVE-2010-2569, CVE-2010-2570, CVE-2010-2571, CVE-2010-3954, CVE-2010-3955
Analysis:
This bulletin addresses multiple remote code execution vulnerabilities in Microsoft Office Publisher, caused by improper parsing of Publisher files. Successful exploitation gives the attacker the ability to execute arbitrary code in the context of the current user.
Recommendation:
Four of the five vulnerabilities can be mitigated (not fixed) by using CACLS to deny access to pubconv.dll in the Publisher installation directory (Office10 for Publisher 2002; later versions use Office11 or Office12). While the restriction is in place, files saved by earlier Publisher versions may no longer open. CVE-2010-3954 has no mitigation available.
MS10-104
Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005)
Microsoft Rating:
CVE:
CVE-2010-3964
Analysis:
A remote code execution vulnerability exists in the Document Conversions Launcher Service, caused by improper validation of SOAP requests before they are processed on a SharePoint server. Successful exploitation would let an attacker execute arbitrary code on the SharePoint server, but only with guest user rights.
Recommendation:
Stop and disable the Document Conversions Launcher service (dclauncher), or block its port, which is 8082 by default, at the firewall.
MS10-105
Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (968095)
Microsoft Rating:
CVE List:
CVE-2010-3945, CVE-2010-3946, CVE-2010-3947, CVE-2010-3949, CVE-2010-3950, CVE-2010-3951, CVE-2010-3952
Analysis:
Multiple vulnerabilities exist in the Microsoft Office graphics filters, caused by improper parsing of TIFF and FlashPix images and by improper buffer size allocation when parsing CGM and PICT images. Successful exploitation lets an attacker execute arbitrary code with the same rights as the current user.
Recommendation:
Use CACLS to deny all users access to cgmimp32.flt, pictim32.flt, tiffim32.flt, fpx32.flt, and mspcore.dll. Office will be unable to import images in the corresponding formats while the restriction is in place.
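The "deny access with an ACL" workaround appears three times in this bulletin set: mstime.dll for MS10-090, pubconv.dll for MS10-103, and the five filter files above for MS10-105. The PowerShell below is an added example, not code from the advisory. It uses icacls (the successor to CACLS, present on Vista/Server 2008 and later) to save each file's DACL before adding the deny entry, so the restriction can be lifted after patching. The search roots and backup directory are assumptions and are not locations named by the advisory; the script assumes an elevated prompt.

```powershell
# Added example, not from the advisory. Applies the ACL workaround for MS10-090 (mstime.dll),
# MS10-103 (pubconv.dll) and MS10-105 (graphics filters) with icacls, saving each DACL first.
# Search roots and backup directory are assumptions. Run elevated.
$Targets = @{
    'MS10-090' = @('mstime.dll')
    'MS10-103' = @('pubconv.dll')
    'MS10-105' = @('cgmimp32.flt', 'pictim32.flt', 'tiffim32.flt', 'fpx32.flt', 'mspcore.dll')
}
$SearchRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                 $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles) |
               Where-Object { $_ -and (Test-Path $_) }
$AclBackupDir = "$env:ProgramData\ms10-dec-acl-backups"
$Manifest     = Join-Path $AclBackupDir 'manifest.csv'

function Find-MitigationTarget {
    # Locates every copy of the named files under the search roots (Office10/11/12, Grphflt, ...).
    param([string[]]$Bulletins = @($Targets.Keys))
    foreach ($b in $Bulletins) {
        foreach ($name in $Targets[$b]) {
            Get-ChildItem -Path $SearchRoots -Recurse -Filter $name -ErrorAction SilentlyContinue |
                ForEach-Object { [pscustomobject]@{ Bulletin = $b; Path = $_.FullName } }
        }
    }
}

function Block-MitigationTarget {
    param([string[]]$Bulletins = @($Targets.Keys))
    New-Item -ItemType Directory -Path $AclBackupDir -Force | Out-Null
    $done = foreach ($t in Find-MitigationTarget -Bulletins $Bulletins) {
        $backup = Join-Path $AclBackupDir (($t.Path -replace '[:\\]', '_') + '.acl')
        # /save stores the file's current DACL keyed by file name, for /restore later.
        icacls $t.Path /save $backup | Out-Null
        # S-1-1-0 is the Everyone SID. A deny ACE takes precedence over any allow ACE, so no
        # account (the current user included) can map the file, which is what blocks the exploit.
        icacls $t.Path /deny '*S-1-1-0:(F)' | Out-Null
        [pscustomobject]@{ Bulletin = $t.Bulletin; Path = $t.Path; Backup = $backup }
    }
    $done | Export-Csv -Path $Manifest -NoTypeInformation
    $done
}

function Unblock-MitigationTarget {
    # /restore takes the directory that contains the file, because the saved entry is by name.
    foreach ($e in Import-Csv -Path $Manifest) {
        icacls (Split-Path -Parent $e.Path) /restore $e.Backup | Out-Null
    }
    Remove-Item -Path $Manifest
}

# Usage: Block-MitigationTarget -Bulletins 'MS10-103','MS10-105'  (Unblock-MitigationTarget after patching)
Block-MitigationTarget
```

Keep the manifest and .acl files until the patches are confirmed installed; without them the only way back is to rebuild the DACLs by hand. Expect the functional side effects the advisory notes (Publisher unable to open older files, Office unable to import CGM/PICT/TIFF/FlashPix images) for as long as the deny entries are in place.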
MS10-106
Vulnerability in Microsoft Exchange Server Could Allow Denial of Service (2407132)
Microsoft Rating:
CVE:
CVE-2010-3937
Analysis:
This bulletin addresses a remote denial of service vulnerability in Microsoft Exchange Server, caused by Exchange's improper processing of certain RPC calls. Successful exploitation causes Exchange to stop responding until it is manually restarted.
Recommendation:
No mitigations have been provided by Microsoft.
Feedback
The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.
Disclaimer
The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.