
BeyondTrust Patch Tuesday

October 12, 2010

Microsoft Patch Disclosure

This month, Microsoft released 16 patches which repair a total of 51 vulnerabilities. Of these 16 patches, 10 address Remote Code Execution vulnerabilities, 3 address Elevation of Privilege vulnerabilities, 1 addresses an Information Disclosure vulnerability, 1 addresses a Denial of Service condition, and 1 addresses an Information Tampering scenario. Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically, without the need for any updates.

Administrators are advised to patch MS10-071, MS10-073, MS10-075, MS10-076, MS10-077, MS10-079, MS10-080, MS10-081, and MS10-084 immediately to prevent exploitation by attackers. Next, administrators should patch MS10-074, MS10-078, MS10-082, and MS10-083 as soon as possible. Lastly, administrators should patch MS10-072, MS10-085, and MS10-086 at their earliest convenience. As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Wednesday October 13th at 11am PDT / 2pm EDT

BULLETIN / ADVISORY DETAILS

MS10-071

Cumulative Security Update for Internet Explorer (2360131)


Microsoft Rating:

Critical

CVE List:

CVE-2010-0808, CVE-2010-3243, CVE-2010-3324, CVE-2010-3325, CVE-2010-3326, CVE-2010-3327, CVE-2010-3328, CVE-2010-3329, CVE-2010-3330, CVE-2010-3331

Analysis:

11 vulnerabilities exist within Internet Explorer 6, 7 and 8; the worst of these can allow an attacker to remotely execute code if a user views a maliciously crafted web page in Internet Explorer. Upon successful exploitation of a remote code execution vulnerability, an attacker can gain complete control of the system; however, users with fewer user rights may be impacted less than users who operate with administrative rights.

Recommendation:

Administrators should apply the patch immediately because 3 of the vulnerabilities have been publicly disclosed, although reports have not surfaced of these vulnerabilities being used in the wild. To mitigate all of the non-remote code execution vulnerabilities and one of the remote code execution vulnerabilities without patching, run IE in Enhanced Security Configuration (ESC) mode if possible. To mitigate all the vulnerabilities except the remote code execution vulnerabilities without running IE in ESC mode, disable the AutoComplete feature and set the IE security level for the Internet zone to High.

MS10-072

Vulnerabilities in SafeHTML Could Allow Information Disclosure (2412048)


Microsoft Rating:

Important

CVE List:

CVE-2010-3243, CVE-2010-3324

Analysis:

Two vulnerabilities exist within SharePoint and Windows SharePoint Services that use SafeHTML. To exploit these vulnerabilities, an attacker must have the ability to submit scripts to the target site that is using SafeHTML. An attacker with this ability can submit specially crafted scripts to the site that SafeHTML subsequently fails to sanitize properly. After the malicious script is loaded onto the target site, any page on the web site that references the malicious script becomes a vector for persistent cross-site scripting attacks. Workstations and terminals that connect to a server using SafeHTML to clean HTML content are primarily at risk.

Recommendation:

Administrators should apply the patch immediately, as these vulnerabilities have been publicly disclosed and Microsoft did not provide any mitigations.

MS10-073

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)


Microsoft Rating:

Important

CVE List:

CVE-2010-2549, CVE-2010-2743, CVE-2010-2744

Analysis:

Three vulnerabilities exist within Windows Kernel-Mode Drivers that allow an attacker to elevate privileges and subsequently run arbitrary code at elevated privileges. To exploit these vulnerabilities, an attacker must have log-on credentials and be able to log on locally, or must have previously compromised the targeted system. Once logged on to the target machine, an attacker can run a specially crafted program and gain kernel-level privileges. Remote and/or anonymous users cannot exploit these vulnerabilities. This exploit was believed to have been used by the Stuxnet family of malware in order to elevate its privileges and fully compromise systems.

Recommendation:

Administrators should patch this immediately, as the vulnerabilities are publicly disclosed and being exploited in the wild in Stuxnet attacks.

MS10-074

Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution (2387149)


Microsoft Rating:

Moderate

CVE:

CVE-2010-3227

Analysis:

A vulnerability exists within the Microsoft Foundation Classes (MFC) which can allow Remote Code Execution. An attacker can take complete control of a system if a user logged on with administrative privileges opens a specially crafted application built with the MFC library. Users logged on with fewer rights may be less affected than users running with Administrator privileges.

Recommendation:

Administrators should patch this vulnerability as soon as possible, as no reasonable workarounds have been provided.

MS10-075

Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution (2281679)


Microsoft Rating:

Critical

CVE:

CVE-2010-3225

Analysis:

A vulnerability exists within the Media Player Network Sharing Service which can allow Remote Code Execution. In order to exploit this vulnerability, an attacker must send a specially crafted RTSP packet to a system that has enabled Internet access to home media. By default, Internet access to home media is disabled, in which case an attacker would have to be within the same subnet as the target machine in order to attempt to exploit the target. Once successfully exploited, an attacker can gain complete control of the system.

Recommendation:

Administrators should apply the patch as soon as possible; otherwise, disable Internet access to home media within Media Player.

MS10-076

Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)


Microsoft Rating:

Critical

CVE:

CVE-2010-1883

Analysis:

The vulnerability is an integer overflow that occurs when the Embedded OpenType Font Engine parses tables in specially crafted files and content that contain embedded fonts. Successful exploitation of the integer overflow can allow an attacker to perform remote code execution on the affected system with the same privileges as the user. Users running with administrator rights are vulnerable to a more severe attack than those running with fewer privileges.

Recommendation:

It is recommended that this patch be applied immediately. Until then, disable support for parsing embedded fonts in Internet Explorer.

MS10-077

Vulnerability in .NET Framework Could Allow Remote Code Execution (2160841)


Microsoft Rating:

Critical

CVE:

CVE-2010-3228

Analysis:

The vulnerability is in the JIT compiler and how it performs optimizations. A specially crafted .NET application is able to perform arbitrary unmanaged code execution. It could also allow remote code execution if the user views a specially crafted web page using a web browser that can run XAML Browser Applications. This vulnerability can also allow remote code execution on a server running IIS if that server allows the processing and uploading of ASP.NET pages: the attacker could upload a specially crafted ASP.NET page to the server and then execute the page, as in a web-hosting scenario. The code is executed on the user's machine with the same rights as the user's account, so users running as administrator may experience more severe effects than those running with fewer privileges.

Recommendation:

It is recommended that this patch be applied immediately. Until then, disable partially trusted Microsoft .NET applications, disable XAML browser applications in Internet Explorer, and in a web-hosting situation only allow trusted users to upload pages to the IIS server.

MS10-078

Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986)


Microsoft Rating:

Important

CVE List:

CVE-2010-2740, CVE-2010-2741

Analysis:

An OpenType font parsing and font validation vulnerability exists in the way the OpenType Font format driver allocates memory and performs integer calculations. Attackers could use a specially crafted OpenType font to perform an elevation of privilege attack on a local machine and gain kernel-level privileges.

Recommendation:

Apply patches as soon as possible. Microsoft has not provided any workarounds to address these vulnerabilities.

MS10-079

Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2293194)


Microsoft Rating:

Important

CVE List:

CVE-2010-2747, CVE-2010-2748, CVE-2010-2750, CVE-2010-3214, CVE-2010-3215, CVE-2010-3216, CVE-2010-3217, CVE-2010-3218, CVE-2010-3219, CVE-2010-3220, CVE-2010-3221

Analysis:

This patch addresses multiple vulnerabilities in all versions of Microsoft Word that occur during the parsing of malformed Word files. Attackers could specially craft a Word file that, when opened, would allow remote code execution with the same rights as the user. Users running with administrator rights are more vulnerable than those running with lower privileges. Attackers could easily use these vulnerabilities within spear-phishing attacks in order to compromise high-priority targets.

Recommendation:

Apply patches as soon as possible, as no other mitigation strategy exists that provides complete security and continued ease of use within the vulnerable product.

MS10-080

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2293211)


Microsoft Rating:

Important

CVE List:

CVE-2010-3230, CVE-2010-3231, CVE-2010-3232, CVE-2010-3233, CVE-2010-3234, CVE-2010-3235, CVE-2010-3236, CVE-2010-3237, CVE-2010-3238, CVE-2010-3239, CVE-2010-3240, CVE-2010-3241, CVE-2010-3242

Analysis:

The patch addresses multiple vulnerabilities in the way Microsoft Excel parses Excel and Lotus 1-2-3 files. Opening a maliciously crafted Excel or Lotus 1-2-3 file would allow remote code execution with the same rights as the user. Users running with administrator rights are more vulnerable than those running with lower privileges.

Recommendation:

Apply patches as soon as possible, as no other mitigation strategy exists that provides complete security and continued ease of use within the vulnerable product.

MS10-081

Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2296011)


Microsoft Rating:

Important

CVE:

CVE-2010-2746

Analysis:

A heap overflow vulnerability exists within the Windows common control library, which utilizes a scalable vector graphics (SVG) viewer. Applications using the vulnerable COM control viewer are potentially vulnerable to a remote code execution flaw that would allow anonymous attackers to execute code with the same privileges as the current user. Although no Microsoft products are directly affected by this vulnerability, it potentially affects a large number of third-party applications which support SVG files. Attackers could easily exploit this vulnerability through drive-by web or file exchange scenarios.

Recommendation:

Administrators should patch this vulnerability as soon as possible, as Microsoft has not identified any successful mitigation strategies to protect the multiple vulnerable third-party applications.

MS10-082

Vulnerability in Windows Media Player Could Allow Remote Code Execution (2378111)


Microsoft Rating:

Important

CVE:

CVE-2010-2745

Analysis:

A memory corruption vulnerability exists within Windows Media Player. This vulnerability occurs during the reload operation performed by a browser. An attacker that successfully exploits this vulnerability is capable of executing remote code within the context of the current user, meaning the attacker could gain complete control of a system where users are logged in with administrative privileges. Exploitation requires the use of social engineering in order to compromise machines.

Recommendation:

Administrators should patch this vulnerability as soon as possible. Until a patch is applied to the affected systems, unregister the use of wmp.dll by using regsvr32.exe with the -u flag.

MS10-083

Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882)


Microsoft Rating:

Important

CVE:

CVE-2010-1263

Analysis:

A COM validation vulnerability exists within Microsoft Windows WordPad and the Windows Shell that could allow an attacker to execute remote arbitrary code within the context of the current user. If users are logged in with administrative privileges and open a malicious file with WordPad, the attacker could take complete control of the system.

Recommendation:

Administrators should patch this vulnerability as soon as possible. Until the patch is applied to affected systems, prevent users from using WordPad to open untrusted documents. Users should also be restricted from clicking links to WordPad files on WebDAV shares until the patch is applied.

MS10-084

Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937)


Microsoft Rating:

Important

CVE:

CVE-2010-3222

Analysis:

A message buffer overrun vulnerability exists within the Remote Procedure Call Subsystem (RPCSS) that could allow an attacker to execute arbitrary remote code within the context of the NetworkService account. Certain applications running with NetworkService privileges can be elevated to LocalSystem privileges, and thus an attacker could utilize this to raise their privileges to LocalSystem. This vulnerability was made public prior to the patch and is considered a high priority for malicious attackers.

Recommendation:

Administrators should patch this vulnerability as soon as possible, as no mitigation strategies exist to completely secure systems from this threat.

MS10-085

Vulnerability in SChannel Could Allow Denial of Service (2207566)


Microsoft Rating:

Important

CVE:

CVE-2010-3229

Analysis:

A denial of service vulnerability exists within SChannel with respect to how it parses client certificates. An anonymous attacker could send a malicious network packet to the vulnerable system, which would cause the LSASS service to stop, which would in turn cause the computer to restart.

Recommendation:

Administrators should patch this vulnerability as soon as possible, as no reasonable workarounds have been provided.

MS10-086

Vulnerability in Windows Shared Cluster Disks Could Allow Tampering (2294255)


Microsoft Rating:

Moderate

CVE:

CVE-2010-3223

Analysis:

This bulletin addresses a vulnerability in the user interface of the Failover Cluster Manager, with respect to how the UI sets permissions for shared cluster disks. When an administrator sets up a cluster, the default permissions given are that all users have full read/write/delete access on administrative shares of the failover cluster disk. This patch changes the way new disks are set up through the UI so that they have safer default settings.

Recommendation:

Administrators should apply the patch at their earliest convenience. Until patches are applied, if it is necessary to create a new cluster disk administrative share, be sure to manually set the permissions to Full Control for administrators only. Once the patch has been applied, administrators can re-cluster any affected disks to properly set permissions on newly shared cluster disks.
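
As an added example (not part of the BeyondTrust newsletter), the PowerShell audit below lists shares on a cluster node whose DACL grants a broad group Full Control, the permissive default this bulletin describes, so the shares can be reset to administrators only as recommended. It assumes local administrator rights on the node, the WMI classes Win32_Share and Win32_LogicalShareSecuritySetting, and a placeholder share-name filter you adapt to your cluster disk shares.

```powershell
# Added example, not part of the BeyondTrust newsletter: list SMB shares whose
# DACL grants Everyone, Authenticated Users or Users Full Control, the kind of
# permissive default MS10-086 describes for cluster disk administrative shares.
# Assumptions: run on the cluster node with local administrator rights; uses the
# WMI classes Win32_Share and Win32_LogicalShareSecuritySetting; $NameFilter is
# a placeholder to narrow the check to your cluster disk shares.

$FullControl   = 0x1F01FF                     # FILE_ALL_ACCESS in Win32_ACE.AccessMask
$BroadTrustees = @('Everyone', 'Authenticated Users', 'Users')

function Get-PermissiveShares {
    param([string]$NameFilter = '*')          # placeholder, e.g. 'ClusterDisk*'

    $findings = @()
    $shares = Get-WmiObject Win32_Share | Where-Object { $_.Name -like $NameFilter }
    foreach ($share in $shares) {
        $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
        if (-not $sec) { continue }           # e.g. IPC$ has no security setting object
        $result = $sec.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0) { continue }
        foreach ($ace in $result.Descriptor.DACL) {
            $isAllow = ($ace.AceType -eq 0)   # 0 = ACCESS_ALLOWED_ACE_TYPE
            $isFull  = (($ace.AccessMask -band $FullControl) -eq $FullControl)
            if ($isAllow -and $isFull -and ($BroadTrustees -contains $ace.Trustee.Name)) {
                $findings += [pscustomobject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Trustee = $ace.Trustee.Name
                }
            }
        }
    }
    return $findings
}

# Each finding is a share whose permissions should be reset to Full Control for
# administrators only, as the recommendation above advises.
Get-PermissiveShares -NameFilter '*' | Format-Table -AutoSize
```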

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.