BeyondTrust Patch Tuesday
March 09, 2010
Microsoft Patch Disclosure
This month Microsoft released two patches that repair a total of eight vulnerabilities. These patches address remote code execution vulnerabilities within Microsoft Movie Maker, Microsoft Producer 2003 Plug-in, and all versions of Microsoft Office Excel and Excel Viewer from XP/2002 through 2008. Additionally, Microsoft issued a security advisory for a new zero-day vulnerability discovered in Internet Explorer 6 and Internet Explorer 7 that could allow remote code execution. Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect against memory-corruption vulnerabilities generically without the need for any updates.
Of the two bulletins and one advisory released this month, administrators are advised to patch 981374 and MS10-017 immediately due to the common installation base of Internet Explorer 6, Internet Explorer 7, Microsoft Office and Microsoft Office Viewer. Administrators should then patch MS10-016 wherever necessary, as attackers can easily target users who have any of the Microsoft Movie Maker software preinstalled. As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.
- Web Event: Vulnerability Expert Forum (VEF)
- Presenters: The eEye Research Team
- Date/Time: Mar 9, 2010
BULLETIN / ADVISORY DETAILS
SECURITY ADVISORY 981374
Vulnerability in Internet Explorer Could Allow Remote Code Execution (981374)
Microsoft Rating:
CVE:
CVE-2010-0806
Analysis:
Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7. Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected. The main impact of the vulnerability is remote code execution. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue. Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.
Recommendation:
Download eEye's Blink Professional and Blink Personal Endpoint Security solutions to protect against memory-corruption vulnerabilities generically without the need for any updates. Alternatively, users can upgrade to Internet Explorer 8 to mitigate this vulnerability.
MS10-016
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)
Microsoft Rating:
CVE:
CVE-2010-0265
Analysis:
This vulnerability is due to Windows Movie Maker and Microsoft Producer 2003 mishandling malformed project files (.MSWMM, .MSProducer, .MSProducerZ, .MSProducerBF extensions) when they are opened. This will lead to a memory corruption scenario that could potentially allow arbitrary code execution in the context of the current user. Attackers could use emails, social engineering tactics, and web sites that host malicious files in order to trick users into executing a malicious file that would compromise a system.
Recommendation:
Block the vulnerable file formats (.MSWMM, .MSProducer, .MSProducerZ, .MSProducerBF extensions) at the email and web gateway so that they cannot be downloaded. Disable file associations with the Microsoft Movie Maker file types and use CACLs to disable execution of Microsoft Producer wherever it is installed. Administrators should also patch this vulnerability wherever possible.
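One way to apply the gateway part of this recommendation to inbound mail, shown as an added example that is not part of the original advisory or any eEye/BeyondTrust product. The function names and the sample message are constructed for illustration; only the four extensions come from the text above.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in the MS10-016 recommendation above.
BLOCKED_EXTENSIONS = {".mswmm", ".msproducer", ".msproducerz", ".msproducerbf"}


def normalized_extension(filename):
    """Return the lower-cased final extension as Windows would resolve it."""
    # Drop any path component, then strip trailing dots and spaces: Windows
    # ignores them when opening a file, so "clip.MSWMM. " still maps to the
    # Movie Maker file association.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def blocked_attachments(raw_message):
    """List attachment filenames in a raw mail message that should be blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() also handles RFC 2231-encoded filename parameters.
        filename = part.get_filename()
        if filename and normalized_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def build_sample():
    """Constructed test message: two blocked attachments, two harmless ones."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    for name in ("holiday.MSWMM", "deck.msproducerz.",
                 "report.xls", "notes.mswmm.txt"):
        m.add_attachment(b"\x00", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()


if __name__ == "__main__":
    for name in blocked_attachments(build_sample()):
        print("BLOCK", name)
```

Matching is on the final extension only, so `notes.mswmm.txt` passes while mixed-case and trailing-dot variants of the four project-file extensions are caught.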
MS10-017
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)
Microsoft Rating:
CVE List:
CVE-2010-0257, CVE-2010-0258, CVE-2010-0258, CVE-2010-0261, CVE-2010-0262, CVE-2010-0263, CVE-2010-0264
Analysis:
This patch addresses seven vulnerabilities within Microsoft Excel that could allow remote code execution in the context of the current user. Attackers will likely focus on these vulnerabilities this Patch Tuesday, developing exploits which they will host on malicious websites. Attackers will then use spear-phishing email tactics or email attachments in order to trick users into downloading malicious Excel documents. From here, attackers will compromise machines and install botnet Trojans or other malware in order to maintain control over the machine and steal potentially sensitive information to be sold or used at a later time.
Recommendation:
Administrators are urged to patch these vulnerabilities as soon as possible, as there is currently no effective alternative mitigation strategy that does not impair Microsoft Office's rendering and performance.
Feedback
The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.
Disclaimer
The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.