BeyondTrust Patch Tuesday

February 09, 2010

Microsoft Patch Disclosure

This month Microsoft released 13 patches which repair a total of 26 vulnerabilities. Of these 13 patches, 9 address Remote Code Execution vulnerabilities, 2 address Denial of Service (DoS) vulnerabilities, and 2 address Privilege Escalation vulnerabilities. Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus protect against the client-side memory-corruption vulnerabilities generically, without the need for any updates.

Out of the 13 advisories this month, administrators are advised to patch MS10-006, MS10-009, MS10-013, MS10-015, and MS10-012 immediately. Machines with Microsoft Office installed should also be patched for MS10-003 and MS10-004 as soon as possible. The remainder of the patches should be applied after environment testing, or to environments that have the specifically affected software deployed. As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Feb 9, 2010

BULLETIN / ADVISORY DETAILS

MS10-003

Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214)

Microsoft Rating: Important

CVE: CVE-2010-0243

Analysis:

This vulnerability is triggered by opening malformed Microsoft Office document files and could allow a remote attacker to execute arbitrary code in the context of the current user. Attackers will likely exploit this vulnerability using targeted and drive-by web attacks in order to compromise client machines. Upon successfully compromising a system, if the user has administrative privileges, the attacker could control the system completely. If the user has limited rights, the attacker could view confidential data that the user has access to, as well as access anything the local user has rights to access.

 

Recommendation:

Administrators are urged to roll out this patch as soon as possible to all vulnerable systems, especially internet-facing client machines with Microsoft Office XP SP3 or Microsoft Office 2004 for Mac installed.

 

MS10-004

Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)

Microsoft Rating: Important

CVE List: CVE-2010-0029, CVE-2010-0030, CVE-2010-0031, CVE-2010-0032, CVE-2010-0033, CVE-2010-0034

Analysis:

These vulnerabilities are triggered by opening malformed Microsoft Office PowerPoint files and could allow a remote attacker to execute arbitrary code in the context of the current user. Attackers will likely exploit them using targeted and drive-by web attacks in order to compromise client machines. Upon successfully compromising a system, if the user has administrative privileges, the attacker could control the system completely. If the user has limited rights, the attacker could view confidential data that the user has access to, as well as access anything the local user has rights to access.

Recommendation:

Administrators are urged to roll out this patch as soon as possible to all vulnerable systems, especially internet-facing client machines with Microsoft Office PowerPoint 2002 SP3, Microsoft Office 2003 SP3, or Microsoft Office 2004 for Mac installed.

 

MS10-005

Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)

Microsoft Rating: Moderate

CVE: CVE-2010-0028

Analysis:

This vulnerability is triggered when a malicious JPEG file is opened in Microsoft Paint. Attackers would likely convince the user to download the malicious file and then open it; doing so runs arbitrary code and compromises the system. Upon successfully compromising a system, if the user has administrative privileges, the attacker could control the system completely and could use the compromised system to attack other systems on the network. If the user has limited rights, the attacker could view confidential data that the user has access to, as well as access anything the local user has rights to access.

Recommendation:

Administrators are urged to roll out this patch as they see fit to all Windows installations. Until the patch is rolled out, it is highly advised that administrators use CACLS to restrict user access to the Microsoft Paint executable.
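One way to carry out that CACLS workaround and later undo it, as an added batch example that is not part of the advisory; the mspaint.exe path and the Everyone:N display string it checks for are assumptions about a 32-bit Windows XP / Server 2003 host:

```batch
@echo off
rem Added example, not from the advisory: applies (or, with the argument
rem "restore", undoes) the CACLS workaround for MS10-005 until the patch
rem is deployed. Assumes a 32-bit Windows XP / Server 2003 host where Paint
rem lives at %windir%\system32\mspaint.exe; on 64-bit hosts repeat the
rem same steps for the copy under %windir%\SysWOW64.
set PAINT=%windir%\system32\mspaint.exe

if /I "%~1"=="restore" goto restore

rem 1. Save the current ACL so the change is documented and reversible.
cacls "%PAINT%" > "%TEMP%\mspaint-acl-before.txt"

rem 2. Deny Everyone all access: /E edits the existing ACL instead of
rem    replacing it, /P sets the named account's rights, :N means none.
rem    "echo y|" answers the confirmation prompt so this can run unattended.
echo y| cacls "%PAINT%" /E /P everyone:N

rem 3. Verify: cacls should now list a deny entry, displayed as Everyone:N
rem    (assumed display string on XP / 2003).
cacls "%PAINT%" | findstr /I /C:"Everyone:N" >nul
if errorlevel 1 (
    echo WARNING: restriction on %PAINT% was not applied
    exit /b 1
)
echo Microsoft Paint restricted; users opening it will get "Access is denied".
goto :eof

:restore
rem Undo after MS10-005 is installed: revoke the Everyone deny entry.
echo y| cacls "%PAINT%" /E /R everyone
echo Restriction removed. Compare with %TEMP%\mspaint-acl-before.txt if needed.
```

Run it once from an elevated prompt to apply the restriction, and again with the argument `restore` after the patch has been deployed.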

 

MS10-006

Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)

Microsoft Rating: Critical

CVE List: CVE-2010-0016, CVE-2010-0017

Analysis:

Attackers will attempt to trick users into initiating a connection to a malicious SMB server, which would allow the attacker to send a response packet that compromises the victim’s system. Attackers will primarily focus on Windows 2000, XP, Server 2003, 7, and Server 2008 R2, since those are vulnerable to remote execution of arbitrary code. Secondary targets will be systems running Windows Vista and Server 2008, since those allow for privilege escalation. Attackers will likely install more malicious backdoor programs and use the compromised systems to launch attacks against other internal or external systems.

 

Recommendation:

Administrators are urged to roll out this patch as soon as possible to all Windows systems, especially Windows 2000, XP, Server 2003, 7, and Server 2008 R2. Until these systems are patched, it is strongly advised that a whitelist of trusted SMB servers be applied to the firewall rule sets, and that outbound SMB connections to untrusted internal and external servers be blocked.

MS10-007

Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)

Microsoft Rating: Critical

CVE: CVE-2010-0027

Analysis:

This patch corrects the local (Windows Shell) validation of URLs and is the counterpart to the URL validation vulnerability in Internet Explorer that was patched in MS10-002. To exploit the current vulnerability, attackers would trick users into clicking a malicious link that runs a file on the local system. Upon successfully compromising a system, attackers will likely load botnet malware onto the machine and use it as an attack point to target other machines on the network.

Recommendation:

Administrators are urged to update all versions of Windows as soon as possible, starting with Windows 2000, XP, and Server 2003, and then continuing to update all other versions.

 

MS10-008

Cumulative Security Update of ActiveX Kill Bits (978262)

Microsoft Rating: Critical

CVE: CVE-2010-0252

Analysis:

Attackers will attempt to trick users into clicking a link to a malicious web page. Upon viewing the page, the user's system would execute malicious code that would allow the attacker to gain control of the system with the same rights as the user who visited the malicious page. Upon successfully compromising a system, if the user has administrative privileges, the attacker could control the system completely. If the user has limited rights, the attacker could view confidential data that the user has access to, as well as access anything the local user has rights to access.

 

Recommendation:

Administrators are urged to roll out this patch as soon as possible to all versions of Windows, starting with Windows 2000 and XP, followed by Vista and 7, followed by Server 2003, and then lastly Server 2008 and Server 2008 R2.

 

MS10-009

Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)

Microsoft Rating: Critical

CVE List: CVE-2010-0239, CVE-2010-0240, CVE-2010-0241, CVE-2010-0242

Analysis:

An attacker on the local network could execute arbitrary code on a target system by sending malicious TCP/IP packets to it. Upon successfully compromising a system, attackers will likely load botnet malware onto the machine in order to use it as an attack point to target other machines on the network.

Recommendation:

Administrators should patch as soon as possible to mitigate possible remote attacks.

MS10-010

Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)

Microsoft Rating: Important

CVE: CVE-2010-0026

Analysis:

This patch addresses a breakout vulnerability within Windows Server 2008 Hyper-V that could allow arbitrary code to execute on the host machine in the context of the system kernel (ring 0). Attackers, and in particular malware, can take advantage of this vulnerability to attempt to break out of a normally trusted virtual environment and compromise the host machine. Upon successful exploitation, attackers would be able to install rootkit-level malware and potentially bypass AV and other software-based defenses, since the arbitrary code executes at kernel level.

Recommendation:

Administrators who implement Hyper-V in their environment are advised to apply this patch after testing in their environment.

 

MS10-011

Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)

Microsoft Rating: Important

CVE: CVE-2010-0023

Analysis:

An attacker who gains administrative credentials to a vulnerable system would be able to take total control of it by running arbitrary code with SYSTEM-level privileges. In addition to installing the typical range of malware, backdoors and information-stealing software, attackers will likely install SYSTEM-level rootkits, since this vulnerability gives them SYSTEM-level privileges.

Recommendation:

Currently there are no known mitigations for this vulnerability. eEye recommends that this patch be tested and applied immediately in all vulnerable environments.

MS10-012

Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)

Microsoft Rating: Important

CVE List: CVE-2010-0020, CVE-2010-0021, CVE-2010-0022, CVE-2010-0231

Analysis:

Multiple vulnerabilities within SMB could allow remote anonymous attackers or malicious users to trigger Denial of Service (DoS) conditions, execute arbitrary code, or potentially bypass security on a vulnerable machine. These attacks require no user interaction and can be conducted via automated means such as malware in order to attack or disrupt systems in a local environment. Attackers are likely to focus initially on developing exploits and attacking systems using CVE-2010-0231 and CVE-2010-0020, followed by the remaining two vulnerabilities.

Recommendation:

Administrators are highly advised to roll out patches for MS10-012 immediately. During testing and prior to applying the patch, SMB connections should be limited to only trusted machines in order to limit attack vectors.

 

MS10-013

Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)

Microsoft Rating: Critical

CVE: CVE-2010-0250

Analysis:

An attacker would trick a user into viewing a malicious AVI file, which would allow for remote code execution by the attacker. Upon successfully compromising a system, if the user has administrative privileges, the attacker could control the system completely. If the user has limited rights, the attacker could view confidential data that the user has access to, as well as access anything the local user has rights to access.

 

Recommendation:

Administrators are highly advised to roll out this update to all Windows systems. Until the patch has been completely deployed, it is advised to block access to AVI files originating from untrusted sources, such as untrusted websites or file servers.

 

MS10-015

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)

Microsoft Rating: Important

CVE List: CVE-2010-0232, CVE-2010-0233

Analysis:

This patch addresses two vulnerabilities within the Windows kernel that could allow malicious applications to elevate their privileges and execute code at ring 0. One of these vulnerabilities has been made public and is currently being used by malware to install rootkits on vulnerable systems. Attackers will likely combine these vulnerabilities with any of the other vulnerabilities patched this month (such as the Office or DirectX vulnerabilities) in order to elevate their privileges and completely compromise a vulnerable machine. This vulnerability affects all versions of Microsoft Windows from Windows 3.1 through Windows 7.

Recommendation:

Since this is a kernel patch, administrators are advised to apply it after testing; however, since attacks are in the wild, administrators should take this into consideration and make this patch a priority.

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.