As everyone knows by now, this was a gigantic patch Tuesday with Microsoft delivering 14 security bulletins (in addition to the out-of-band bulletin from last week). On top of that, Adobe patched Flash and ColdFusion. It is once again going to be a long night for IT and security engineers everywhere.
One important thing to note is that MS10-054 (Vulnerabilities in SMB Server Could Allow Remote Code Execution) has public exploit code available AND affects Windows 2000. As Windows 2000 is no longer supported, no patch is available (nor will one be made available unless Microsoft has a change of heart). Be sure to block ports 139 and 445 at the public-facing firewall for any of your legacy Windows 2000 systems. Alternatively you could use a Host Based Intrusion Prevention product to block the attack.
Here are our recommendations for the fourteen security updates. You can find our full write-up in newsletter format here.
CRITICAL
MS10-049 - Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)
- Analysis This patch addresses 1 remote code execution vulnerability and 1 spoofing vulnerability within the SChannel security package in Windows. Attackers will attempt to lure victims to view an attacker-controlled site, which will execute arbitrary code on the victim's machine.
- Recommendations Administrators are urged to patch all affected systems as soon as possible. There is currently no workaround for the remote code execution vulnerability described in this bulletin. Until patches are complete, a workaround for the spoofing vulnerability is available: require mutual authentication on IIS servers.
MS10-051 - Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)
- Analysis A memory corruption vulnerability exists in Microsoft XML Core Services when handling malformed HTTP responses. Attackers could leverage this vulnerability by tricking a user into visiting a malicious website. This could ultimately lead to remote code execution on the target's machine, running with the same permissions as the current user.
- Recommendations Administrators should roll out this patch as soon as possible. Until then, set a killbit on {F5078F35-C551-11D3-89B9-0000F81FE221} for Internet Explorer by setting its "Compatibility Flags" value to dword:00000400.
MS10-052 - Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
- Analysis A buffer overflow vulnerability, which could lead to remote code execution, exists in the MPEG Layer-3 Audio Decoder on Windows. It can be exploited by tricking a user into viewing a site that automatically plays a crafted MP3 file. Alternatively, attackers could spread the MP3 across peer-to-peer networks, disguising it as something like a newly released track from a famous artist. Upon successful exploitation, the attacker would gain control of the affected system with the same rights as the current user.
- Recommendations Administrators should roll out the patch as soon as possible. Until then, disable the use of l3codecx.ax on affected systems. In addition, remove the ClassID {38BE3000-DBF4-11D0-860E-00A024CFEF6D} from affected systems.
MS10-053 - Cumulative Security Update for Internet Explorer (2183461)
- Analysis Multiple memory corruption vulnerabilities exist in Internet Explorer, allowing attackers to execute remote code on a target's system. In addition, an information disclosure vulnerability allows attackers to gain access to browser windows in other domains or trust zones. Publicly available information exists for these vulnerabilities, allowing attackers to easily craft working exploits for the issues addressed by MS10-053.
- Recommendations Administrators should roll this patch out as soon as possible.
MS10-054 - Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)
- Analysis This bulletin addresses 1 remote code execution vulnerability and 2 denial of service vulnerabilities. The remote code execution vulnerability will be of particular interest to attackers, since it does not require the attacker to be authenticated: a single malicious SMB request is enough to compromise the server and run arbitrary code at kernel-level privileges. As of this writing, public proof-of-concept code exists for this vulnerability and is being used by attackers in efforts to compromise and disable vulnerable systems.
- Recommendations Roll out the patch to affected systems as soon as possible. Until this is done, block ports 139 and 445 at the public-facing firewall. Please note that this vulnerability also affects Windows 2000 systems; because Windows 2000 has reached end of life, no patch is expected for that platform.
MS10-055 - Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)
- Analysis This bulletin addresses a remote code execution vulnerability in the processing of malformed media files encoded with the Cinepak codec. After exploiting this vulnerability, attackers will be able to execute code within the context of the currently logged-on user.
- Recommendations Administrators should push this patch to affected systems as soon as possible. Until this is possible, restrict access to iccvid.dll. In addition, modify the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 (or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 for 64-bit systems) to remove the vidc.cvid value.
MS10-056 - Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
- Analysis This bulletin addresses 4 remote code execution vulnerabilities in Microsoft Office Word (versions) while parsing malformed Word files (extensions). An attacker could create a specially crafted file containing malformed records or malicious rich text data; when a user opens the file, the vulnerability is exploited, granting the attacker the ability to execute code within the context of the current user.
- Recommendations Administrators are urged to patch all affected systems as soon as possible.
MS10-060 - Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
- Analysis This bulletin addresses 2 remote code execution vulnerabilities in Microsoft Silverlight that allow an attacker to execute unmanaged code. A user would be tricked into viewing an attacker-controlled site hosting a malicious Silverlight application; when that application runs, the vulnerability on the victim's system is exploited, giving the attacker the ability to run arbitrary code within the context of the current user. Additionally, web servers that allow uploading and running of ASP.NET code are exposed to the vulnerability patched in this bulletin: a user would upload the exploit code as a web page and then view it as it is parsed by the target web hosting server.
- Recommendations Administrators are urged to push this patch out to affected systems as soon as they are able.
eEye Digital Security will be holding a vulnerability expert forum (VEF) Thursday, August 12th at 11AM PDT. The vulnerability expert forum is a live webcast where the eEye research team will discuss these patches and additional security landscape topics. Marc Maiffret will be making a special guest appearance, so be sure to sign up in advance.
IMPORTANT
MS10-047 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)
- Analysis This patch addresses 2 privilege elevation vulnerabilities and 1 denial of service vulnerability within the Microsoft Windows Kernel. Attackers will likely use the privilege elevation vulnerabilities to transform browser-based vulnerabilities, such as CVE-2010-2559 in MS10-053, which execute remote code at the current user's level, into an attack that gains kernel-level privileges. This sort of combination will be a prime target for attackers.
- Recommendations Currently, there are no workarounds for this bulletin. Administrators are strongly urged to update affected systems as soon as possible.
MS10-048 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
- Analysis This patch addresses 4 privilege elevation vulnerabilities and 1 denial of service vulnerability within the Microsoft Windows Kernel. Similar to MS10-047, attackers will look for ways to gain user privileges on a target system and then exploit one or more of these vulnerabilities in the kernel, which would grant them kernel-level access to the target machine. Attackers will be very interested in this kind of vulnerability, since it can be used to control all aspects of a system and launch further attacks at other computers.
- Recommendations Currently, there are no workarounds for this bulletin. Administrators are strongly urged to update affected systems as soon as possible.
MS10-050 - Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)
- Analysis A remote code execution vulnerability exists in how Windows Movie Maker parses its project file formats. If an attacker convinces a user to open an attacker-provided Movie Maker project file, the vulnerability is exploited and the user's system is compromised, allowing the attacker to execute code at the same level as the currently logged-on user.
- Recommendations Administrators should patch affected systems as soon as the critical patches have been applied. Until that can be done, administrators can mitigate this threat by removing the .MSWMM file extension association in the registry, which is done by deleting the HKEY_CLASSES_ROOT\.MSWMM key.
MS10-057 - Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)
- Analysis This bulletin addresses a remote code execution vulnerability in how Microsoft Office Excel parses Excel files. If an attacker convinces a user to open an Excel file hosted on a site or sent through a spoofed email, the vulnerability is exploited on the victim's system, giving the attacker the ability to execute arbitrary code on the victim's machine within the context of the current user.
- Recommendations Administrators are urged to roll out this patch to affected systems as soon as possible.
MS10-058 - Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
- Analysis A privilege elevation vulnerability exists in how Microsoft Windows processes its TCP/IP stack. An attacker would need to be able to log into a system and run a malicious program that exploits this vulnerability, which would give the attacker system-level access to the machine. Attackers would likely use these compromised servers as a launching point for further attacks.
- Recommendations Administrators are urged to push this patch out to affected systems as soon as they are able.
MS10-059 - Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799)
- Analysis A vulnerability exists in the Tracing Feature for Services in Microsoft Windows which could allow elevation of privilege. To exploit it, an attacker would need to log into the target machine, or gain access through other means such as browser exploits, and execute a malicious application. This would give the attacker complete control of the target system, from which they are likely to launch further attacks against other systems.
- Recommendations Administrators are urged to push this patch out to affected systems as soon as they are able.
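As an added example (not part of eEye's post), here is a read-only PowerShell audit of the registry-based interim workarounds recommended above for MS10-051, MS10-052, MS10-055 and MS10-050, so an administrator can see which systems are still exposed while the patches are rolled out. It assumes the killbit is stored under the standard "ActiveX Compatibility" key and that the MS10-052 ClassID is registered under HKEY_CLASSES_ROOT\CLSID.

```powershell
# Added example, not code from the original post: read-only audit of the
# interim registry workarounds for MS10-051 (killbit), MS10-052 (MP3 decoder
# ClassID), MS10-055 (vidc.cvid in Drivers32) and MS10-050 (.MSWMM association).
# Assumption: killbits live under the standard "ActiveX Compatibility" key.
# Run from an elevated PowerShell prompt; nothing is modified.

# 64-bit Windows carries a Wow6432Node hive that must be checked as well.
$Is64 = Test-Path 'HKLM:\SOFTWARE\Wow6432Node'

function Test-KillBit {
    param([string]$Clsid)
    # A killbit is set when bit 0x400 of "Compatibility Flags" is present.
    $keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ($Is64) { $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid" }
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { return $false }
        $flags = (Get-ItemProperty -Path $k).'Compatibility Flags'
        if (-not $flags -or (($flags -band 0x400) -eq 0)) { return $false }
    }
    return $true
}

function Test-ValueAbsent {
    param([string]$Key, [string]$Name)
    # Mitigated when the key is gone or the named value has been removed.
    if (-not (Test-Path $Key)) { return $true }
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    return ($null -eq $item -or $null -eq $item.PSObject.Properties[$Name])
}

$drivers32 = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32')
if ($Is64) { $drivers32 += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32' }

$checks = @(
    @{ Bulletin = 'MS10-051'; Workaround = 'Killbit on MSXML ClassID'
       Mitigated = Test-KillBit '{F5078F35-C551-11D3-89B9-0000F81FE221}' },
    @{ Bulletin = 'MS10-052'; Workaround = 'MP3 decoder ClassID removed'
       Mitigated = -not (Test-Path 'Registry::HKEY_CLASSES_ROOT\CLSID\{38BE3000-DBF4-11D0-860E-00A024CFEF6D}') },
    @{ Bulletin = 'MS10-055'; Workaround = 'vidc.cvid removed from Drivers32'
       Mitigated = @($drivers32 | ForEach-Object { Test-ValueAbsent $_ 'vidc.cvid' }) -notcontains $false },
    @{ Bulletin = 'MS10-050'; Workaround = '.MSWMM association removed'
       Mitigated = -not (Test-Path 'Registry::HKEY_CLASSES_ROOT\.MSWMM') }
)

# Any row reporting False is still exposed until the bulletin itself is installed.
$checks | ForEach-Object { New-Object PSObject -Property $_ } |
    Format-Table Bulletin, Workaround, Mitigated -AutoSize
```

The MS10-054 port block and the MS10-049 mutual-authentication workaround live outside the registry and are not covered by this audit.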