BeyondTrust Patch Tuesday

September 14, 2010

Microsoft Patch Disclosure

This month, Microsoft released 9 patches which repair a total of 11 vulnerabilities. Of these 9 patches, 7 address Remote Code Execution vulnerabilities and 2 address Elevation of Privilege vulnerabilities. Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect against memory-corruption vulnerabilities generically, without the need for any updates.

Administrators are advised to patch MS10-063, MS10-064, and MS10-068 immediately to prevent exploitation by attackers. Next, administrators should patch MS10-061, MS10-062, and MS10-065 as soon as possible, followed by MS10-066 and MS10-067. Lastly, administrators should patch MS10-069 at their earliest convenience. As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Wednesday, September 15th at 11am PDT / 2pm EDT

BULLETIN / ADVISORY DETAILS

MS10-061

Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)


Microsoft Rating: Critical

CVE: CVE-2010-2729

 

Analysis:

A vulnerability exists in the Windows Print Spooler service that could allow an attacker to execute arbitrary code remotely with SYSTEM-level privileges. The service does not fully enforce the user permission settings that apply to print spoolers. An attacker could exploit this by sending an RPC request that creates a malicious file in a specific folder on the target system, where it would then be executed automatically by the system. The root cause is that the attacker's credentials are not properly validated before they are allowed to create a file on the remote system.

 

Recommendation:

Administrators should install this patch as soon as possible: the vulnerability has been publicly disclosed and is currently being exploited in the wild. To mitigate without patches, block all ports associated with RPC at the external firewall. In addition, disable printer sharing until the patch has been applied.

 

MS10-062

Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558)


Microsoft Rating: Critical

CVE: CVE-2010-0818

 

Analysis:

The vulnerability is triggered by opening a malicious video stream or file (e.g. .asf, .wmv or .wma) that is parsed by the Windows MPEG-4 decoder. Because the flaw is in the Windows decoder itself, any program that uses this decoder is exposed to it. Upon successful exploitation, the attacker gains complete control of the system.

 

Recommendation:

Administrators should install the patch as soon as possible. Until the patch is installed, restrict access to the MPEG-4 version 1 codec by removing the registry keys HKEY_CLASSES_ROOT\CLSID\{82CCD3E0-F71A-11D0-9FE5-00609778EA66} and HKEY_CLASSES_ROOT\CLSID\{2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2}.

 
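The following PowerShell script is an added example (it is not part of the original eEye/BeyondTrust advisory and not a Microsoft tool) that applies the registry workaround above in a reversible way: it exports each of the two CLSID keys named in the advisory with reg.exe before deleting it, and provides a restore function for use after the patch is installed. It goes one step beyond the advisory text by also covering the Wow6432Node copy of the keys that 64-bit Windows keeps for 32-bit applications. It assumes an elevated PowerShell session; the backup folder under ProgramData is a constructed name.

```powershell
# Added example (not part of the original eEye/BeyondTrust advisory).
# Interim workaround for MS10-062: export and then delete the two MPEG-4 codec
# CLSID keys named in the advisory so the decoder can no longer be loaded,
# with a one-call rollback. On 64-bit Windows the 32-bit codec is registered
# again under Wow6432Node, so both registry views are covered.
# Assumes an elevated PowerShell session; the backup folder is constructed
# for this example.

$Clsids = @(
    '{82CCD3E0-F71A-11D0-9FE5-00609778EA66}',
    '{2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2}'
)
$ClsidRoots = @('HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID')
$BackupDir  = Join-Path $env:ProgramData 'MS10-062-backup'   # constructed path

function Get-Mpeg4CodecKeys {
    # Every codec key (native path, without the Registry:: prefix) that exists.
    $keys = @()
    foreach ($root in $ClsidRoots) {
        foreach ($clsid in $Clsids) {
            $key = "$root\$clsid"
            if (Test-Path "Registry::$key") { $keys += $key }
        }
    }
    return $keys
}

function Disable-Mpeg4Codec {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $removed = @()
    foreach ($key in Get-Mpeg4CodecKeys) {
        # Back up with reg.exe so the exact key can be re-imported later.
        $regFile = Join-Path $BackupDir (($key -replace '[\\{}:]', '_') + '.reg')
        & reg.exe export $key $regFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $key failed; not removing it" }
        Remove-Item -Path "Registry::$key" -Recurse -Force
        $removed += $key
        Write-Host "Removed $key (backup: $regFile)"
    }
    return $removed
}

function Restore-Mpeg4Codec {
    # Re-import every backup taken by Disable-Mpeg4Codec (run after patching).
    foreach ($regFile in Get-ChildItem -Path $BackupDir -Filter '*.reg') {
        & reg.exe import $regFile.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Import of $($regFile.FullName) failed" }
    }
}

function Test-Mpeg4CodecDisabled {
    # $true when no codec CLSID remains registered in either registry view.
    @(Get-Mpeg4CodecKeys).Count -eq 0
}

$null = Disable-Mpeg4Codec
Write-Host "MPEG-4 codec disabled: $(Test-Mpeg4CodecDisabled)"
```

Deleting the CLSID keys stops every application on the machine from loading the codec, which is the trade-off the workaround accepts; Test-Mpeg4CodecDisabled gives a quick compliance check across a fleet, and Restore-Mpeg4Codec re-imports the saved keys once MS10-062 has been deployed.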

MS10-063

Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2320113)


Microsoft Rating: Critical

CVE: CVE-2010-2738

 

Analysis:

A vulnerability exists in the way the Unicode Scripts Processor handles OpenType fonts, affecting both Windows and third-party applications. Programs such as Microsoft Office and web browsers can be exploited when they parse specially constructed content (e.g. a document or web page). If successfully exploited, the attacker can run arbitrary code on the affected system as the logged-on user, so accounts with fewer rights are less exposed than those running as Administrators.

 

Recommendation:

Administrators are urged to patch this immediately. Until that can be done, they should modify the ACL (Access Control List) on usp10.dll to restrict access to it, and disable support for parsing embedded fonts in Internet Explorer.

 
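Both interim measures above can be scripted. The PowerShell below is an added example (not part of the original advisory): it takes ownership of usp10.dll, saves its ACL with icacls so the change can be undone after patching, adds a Deny entry for Everyone, and sets Internet Explorer's "Font download" zone setting to Disable. It assumes an elevated session on Windows Vista / Server 2008 or later (takeown.exe and icacls.exe); the registry value name 1604 is IE's Font download setting (0 = enable, 1 = prompt, 3 = disable), and the backup folder name is constructed for this example.

```powershell
# Added example (not part of the original eEye/BeyondTrust advisory).
# Interim workarounds for MS10-063 until the patch is applied:
#   1. deny Everyone access to usp10.dll (both copies on 64-bit Windows),
#      saving the original ACL first so it can be restored after patching;
#   2. disable font download in Internet Explorer's Internet and Local intranet
#      zones so embedded fonts are not parsed.
# Assumes an elevated PowerShell session on Vista / Server 2008 or later
# (takeown.exe and icacls.exe). Registry value 1604 is the "Font download"
# zone setting (0 = enable, 1 = prompt, 3 = disable); the backup folder name
# is constructed for this example.

$UspDlls   = @("$env:windir\System32\usp10.dll", "$env:windir\SysWOW64\usp10.dll") |
             Where-Object { Test-Path $_ }
$BackupDir = Join-Path $env:ProgramData 'MS10-063-backup'

function Get-AclBackupPath {
    param([string]$Path)
    # e.g. ...\MS10-063-backup\System32-usp10.dll.acl
    $dirName = Split-Path (Split-Path $Path -Parent) -Leaf
    Join-Path $BackupDir ($dirName + '-' + (Split-Path $Path -Leaf) + '.acl')
}

function Deny-EveryoneAccess {
    param([string]$Path)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $aclBackup = Get-AclBackupPath -Path $Path
    # The file is owned by TrustedInstaller, so take ownership first, then save
    # the DACL for rollback, and only then add the Deny entry.
    & takeown.exe /f $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Path" }
    & icacls.exe $Path /save $aclBackup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ACL backup failed for $Path; leaving it unchanged" }
    & icacls.exe $Path /deny 'Everyone:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /deny failed for $Path" }
    Write-Host "Denied Everyone access to $Path (ACL backup: $aclBackup)"
}

function Restore-Access {
    param([string]$Path)
    # icacls /restore takes the directory that contains the file(s) in the backup.
    $dir = Split-Path $Path -Parent
    & icacls.exe $dir /restore (Get-AclBackupPath -Path $Path) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ACL restore failed for $Path" }
}

function Disable-IEFontDownload {
    # Zone 1 = Local intranet, zone 3 = Internet; 1604 = Font download; 3 = disable.
    foreach ($zone in 1, 3) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        if (Test-Path $key) { Set-ItemProperty -Path $key -Name '1604' -Value 3 -Type DWord }
    }
}

foreach ($dll in $UspDlls) { Deny-EveryoneAccess -Path $dll }
Disable-IEFontDownload
```

Expect side effects from the ACL change: anything that relies on usp10.dll for complex-script text rendering may fail until Restore-Access is run after the patch is deployed, so test it on a representative machine first. On Windows XP and Server 2003, which lack icacls.exe, the equivalent step is the older cacls.exe with its /E /P switches to edit the file's permissions in place. The IE setting is per user (HKCU); for a fleet it is better delivered through Group Policy than by running the script in each profile.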

MS10-064

Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011)


Microsoft Rating: Critical

CVE: CVE-2010-2728

 

Analysis:

A heap-based buffer overflow vulnerability exists in Microsoft Outlook that could allow an attacker to execute arbitrary code on a victim's system in the context of the current user. The attacker only needs to send the victim a crafted email and convince them to preview or open it; at that point the vulnerability is triggered.

 

Recommendation:

Administrators should patch this immediately. Until the patch has been applied, email should be read in plain text to mitigate this vulnerability.

 
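The plain-text mitigation is a per-user Outlook setting that can be enforced from PowerShell. The script below is an added example (not part of the original advisory) that finds every Outlook version registered for the current user, turns the setting on, and reports what changed and the resulting state. It uses the Microsoft-documented value ReadAsPlain (DWORD, 1 = read as plain text) under HKCU\Software\Microsoft\Office\<version>\Outlook\Options\Mail; the version-key detection logic is this example's own.

```powershell
# Added example (not part of the original eEye/BeyondTrust advisory).
# Interim workaround for MS10-064: switch every Outlook version installed for
# the current user to reading mail as plain text, so HTML/RTF bodies are not
# rendered when a message is previewed or opened. Uses the Microsoft-documented
# per-user value HKCU\Software\Microsoft\Office\<ver>\Outlook\Options\Mail,
# DWORD ReadAsPlain (1 = on). Run as the user whose profile should change;
# Outlook must be restarted to pick the setting up.

$OfficeRoot = 'HKCU:\Software\Microsoft\Office'

function Get-OutlookVersionKeys {
    # Version keys look like 11.0, 12.0, 14.0; only those with an Outlook subkey count.
    $keys = @()
    foreach ($item in @(Get-ChildItem -Path $OfficeRoot -ErrorAction SilentlyContinue)) {
        if ($item.PSChildName -match '^\d+\.\d+$' -and
            (Test-Path (Join-Path $item.PSPath 'Outlook'))) {
            $keys += $item
        }
    }
    return $keys
}

function Set-OutlookReadAsPlain {
    param([int]$Enabled = 1)   # 1 = plain text, 0 = back to default rendering
    $changed = @()
    foreach ($ver in Get-OutlookVersionKeys) {
        $mail = Join-Path $ver.PSPath 'Outlook\Options\Mail'
        if (-not (Test-Path $mail)) { New-Item -Path $mail -Force | Out-Null }
        $current = (Get-ItemProperty -Path $mail -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
        if ($current -ne $Enabled) {
            Set-ItemProperty -Path $mail -Name ReadAsPlain -Value $Enabled -Type DWord
            $changed += $ver.PSChildName
        }
    }
    return $changed
}

function Get-OutlookReadAsPlainStatus {
    # Hashtable of Office version -> current ReadAsPlain value ($null if unset).
    $status = @{}
    foreach ($ver in Get-OutlookVersionKeys) {
        $mail = Join-Path $ver.PSPath 'Outlook\Options\Mail'
        $status[$ver.PSChildName] =
            (Get-ItemProperty -Path $mail -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    }
    return $status
}

$changed = Set-OutlookReadAsPlain -Enabled 1
Write-Host "ReadAsPlain enabled for Outlook versions: $(if ($changed) { $changed -join ', ' } else { '(already set or no Outlook found)' })"
Get-OutlookReadAsPlainStatus
```

Because the value lives under HKCU, the script only affects the profile it runs in; across a domain the same value is best pushed through Group Policy, and Get-OutlookReadAsPlainStatus can then serve as the compliance check. Users will lose HTML formatting in the preview pane until the setting is reverted with -Enabled 0 after MS10-064 is installed.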

MS10-065

Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)


Microsoft Rating: Important

CVE List: CVE-2010-1899, CVE-2010-2730, CVE-2010-2731

 

Analysis:

A denial of service vulnerability involving malformed request parameters exists in the way IIS servers with FastCGI enabled handle request headers. An attacker can construct a specially formed HTTP request and gain control of a server with FastCGI enabled, giving the attacker full access to the machine.

 

Recommendation:

System administrators are urged to install the patch as soon as possible. Until this is done, ASP should be disabled on IIS servers.

 

MS10-066

Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (982802)


Microsoft Rating: Important

CVE: CVE-2010-2567

 

Analysis:

A memory corruption vulnerability exists in the RPC protocol on Windows XP SP3 and Server 2003 SP2 that could allow an attacker to execute arbitrary code remotely. It would be exploited from a server that handles RPC requests and is under the attacker's control, either their own or a compromised one: when that server receives an RPC request, it returns a malicious response that exploits the vulnerability on the client system that sent the request. Any malicious code would run with the same rights as the RPC client application.

 

Recommendation:

Administrators should patch this as soon as possible. To mitigate without patches, block all ports associated with RPC at the external firewall.

 
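The recommendations for MS10-061 and MS10-066 both come down to the same two stop-gaps: keep RPC traffic from reaching hosts over the network, and stop sharing printers. The PowerShell below is an added example (not part of the original advisory) that mirrors the perimeter block on the Windows Firewall, limited to the Public profile so domain and private networks keep working, and unshares every shared local printer through WMI. It assumes an elevated session on Vista / Server 2008 or later (netsh advfirewall); the rule names and the choice of ports (135 for the RPC endpoint mapper, 139 and 445 for SMB, which carries RPC over named pipes including print spooler calls) are this example's own.

```powershell
# Added example (not part of the original eEye/BeyondTrust advisory).
# Host-level stop-gap for MS10-061 and MS10-066 while patches roll out:
#   1. block inbound TCP 135 (RPC endpoint mapper), 139 and 445 (SMB, which
#      carries RPC over named pipes, including print spooler calls) on the
#      Windows Firewall, limited to the Public profile so domain and private
#      networks keep working;
#   2. unshare every shared local printer.
# The advisory's recommendation is to block RPC ports at the external
# (perimeter) firewall; this only mirrors that block on the host.
# Assumes an elevated PowerShell session on Vista / Server 2008 or later
# (netsh advfirewall). Rule names are constructed for this example.

$RpcPorts = @(135, 139, 445)

function Get-RpcBlockRuleName {
    param([int]$Port)
    # No spaces in the name, so it passes through to netsh without quoting issues.
    "MS10-061-066-stopgap-block-tcp-$Port"
}

function Add-RpcBlockRules {
    $added = @()
    foreach ($port in $RpcPorts) {
        $name = Get-RpcBlockRuleName -Port $port
        & netsh advfirewall firewall add rule name=$name dir=in action=block `
            protocol=TCP localport=$port profile=public | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule $name" }
        $added += $name
    }
    return $added
}

function Remove-RpcBlockRules {
    # Rollback once the patches are installed.
    foreach ($port in $RpcPorts) {
        $name = Get-RpcBlockRuleName -Port $port
        & netsh advfirewall firewall delete rule name=$name | Out-Null
    }
}

function Disable-PrinterSharing {
    # Win32_Printer.Shared is writable; Put() commits the change to the spooler.
    $unshared = @()
    foreach ($printer in @(Get-WmiObject -Class Win32_Printer -Filter "Shared = TRUE")) {
        $printer.Shared = $false
        $null = $printer.Put()
        $unshared += $printer.Name
    }
    return $unshared
}

# Apply both stop-gaps and report what changed.
$rules    = Add-RpcBlockRules
$printers = Disable-PrinterSharing
Write-Host "Firewall rules added: $($rules -join ', ')"
Write-Host "Printers unshared:    $(if ($printers) { $printers -join ', ' } else { '(none were shared)' })"
```

Restricting the rules to the Public profile is the design choice that keeps this safe to deploy broadly: a host on a domain or private network is unaffected, while one that lands on an untrusted network stops exposing RPC and the spooler. Unsharing printers stops remote clients from reaching the spooler's share, which is what MS10-061 needs, but printing from the local machine keeps working; note which printers were reported as unshared so they can be re-shared after patching.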

MS10-067

Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922)


Microsoft Rating: Important

CVE: CVE-2010-2563

 

Analysis:

A remote code execution vulnerability exists in WordPad. It stems from the way the WordPad text converter parses specific fields in a Word 97 document. A user would have to open a Word 97 document, received by email or hosted on a web page, for the attacker to gain control of the machine. The attacker's code runs with the privileges of the logged-in user.

 

Recommendation:

System administrators are urged to apply the patch as soon as possible; until it is applied, they can disable WordPad's access to the Word 97 text converter.

 

MS10-068

Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539)


Microsoft Rating: Important

CVE: CVE-2010-0820

 

Analysis:

A vulnerability exists in the Windows Local Security Authority Subsystem Service (LSASS) that could allow an attacker to elevate their privileges, though exploitation will most likely cause the machine to stop responding and eventually restart. To exploit it, the attacker must already have an authenticated session with the target server.

 

Recommendation:

System administrators should patch this immediately, especially on domain-joined systems. For systems not on a domain, this is less critical.

 

MS10-069

Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546)


Microsoft Rating: Important

CVE: CVE-2010-1891

 

Analysis:

A vulnerability exists in the Windows Client/Server Runtime Subsystem (CSRSS) that allows an attacker to elevate privileges, but only on machines with Chinese, Japanese or Korean system locales. To exploit it, an attacker would have to log on to the system and run a specially constructed application, which would then execute arbitrary code with elevated privileges.

 

Recommendation:

System administrators can apply this patch last; in any case, standard best practices should already limit an attacker's opportunity to log on to the system and run programs.

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.