Before we get into today's details, apologies for the lack of an advanced notification post last Thursday - I was out of the office and good ghost writers are hard to find these days.
As for the security bulletins, Microsoft answered back with ten this month - gone is the hope of leaving at a reasonable time today. On top of that, it isn't even dinner time and we are almost out of my current caffeinated beverage of choice, Heritage Dr. Pepper. It is going to be a long night for everyone.
Here are our recommendations for the ten security updates. You can find our full write-up in newsletter format here.
MS10-032 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
- Analysis This patch affects all supported versions of Windows. Publicly available proof-of-concept code exists for two of the CVEs. To exploit these vulnerabilities, attackers need to be able to log into a system. This can be done by exploiting other vulnerabilities, such as those patched in MS10-033, MS10-034 and/or MS10-035. Once the attacker has the same rights as a valid user, they can log into the target machine and exploit a vulnerability in how Windows displays TrueType fonts. This would elevate the attacker's privileges to system level, giving them kernel access, which would allow them to install malicious software and attack further computers within or outside of the network.
- Recommendations Administrators should roll out this patch as soon as possible to vulnerable systems.
MS10-033 - Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
- Analysis All supported versions of Windows are affected by this vulnerability. Attackers will try to convince users to open malicious media files, or links to malicious media files and/or streams. Upon viewing this malicious media, the vulnerability would be exploited and the attacker would be able to control the system with the same rights as the current user. If the current user has administrator rights, the attacker will most likely install backdoors and other malicious programs, which would be used to further compromise the internal and/or external network.
- Recommendations Administrators are urged to roll out this patch as soon as possible to all Windows systems. Until the patch is rolled out, administrators should use CACLS to deny access to (and so effectively disable) Quartz.dll, Asycfilt.dll, and Windows Media Encoder 9.
MS10-034 - Cumulative Security Update of ActiveX Kill Bits (980195)
- Analysis Attackers will target client machines, since ActiveX vulnerabilities require user interaction. Attackers will try to convince users to click a link to a malicious web page. When the page is viewed, the user's system would execute malicious code, exploiting the vulnerability and giving the attacker the ability to control the system with the same rights as the current user. If the current user has administrator privileges, the attacker would have gained complete control of the system. At this point, they could install malicious backdoor software, keyloggers, and other malware to be used in future attacks launched from the compromised machine.
- Recommendations Administrators are urged to roll out this patch as soon as possible to vulnerable systems, or manually set the kill bits for the affected CLSIDs in the Windows Registry where applicable.
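As an added example (not eEye's or Microsoft's code), the Python below builds a .reg file that sets the kill bit for a list of CLSIDs and audits an existing registry export to confirm the bit is actually set. The CLSIDs and the export text are constructed placeholders, because this post does not list the affected controls. The kill bit is the 0x400 flag in the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; on 64-bit Windows the Wow6432Node counterpart of that key should be handled the same way.

```python
# Added example (not eEye's or Microsoft's code): generate and audit ActiveX
# kill-bit registry entries.  All CLSIDs and the export text are constructed.
import re

ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400   # "Compatibility Flags" bit that stops IE from instantiating the control
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed 'reg export' of the ActiveX Compatibility key: one control already
# kill-bitted, one present but with the bit clear.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{ACTIVEX_COMPAT_KEY}\\{{00000000-1111-2222-3333-444444444444}}]",
    '"Compatibility Flags"=dword:00000400',
    "",
    f"[{ACTIVEX_COMPAT_KEY}\\{{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}}]",
    '"Compatibility Flags"=dword:00000000',
    "",
])


def kill_bit_reg_file(clsids):
    """Build .reg text that sets the kill bit for each CLSID (import with reg.exe or push via GPO)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        lines += [f"[{ACTIVEX_COMPAT_KEY}\\{clsid.upper()}]",
                  f'"Compatibility Flags"=dword:{KILL_BIT:08x}',
                  ""]
    return "\r\n".join(lines)


def kill_bit_status(reg_export, clsids):
    """Audit a 'reg export' of the ActiveX Compatibility key.

    Returns {CLSID: True/False} telling whether the kill bit is set.  A CLSID
    with no key at all, or with the 0x400 bit clear, counts as not protected.
    """
    flags = {}
    current = None
    prefix = ACTIVEX_COMPAT_KEY.lower() + "\\"
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):].upper() if key.lower().startswith(prefix) else None
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            flags[current] = int(line.split(":", 1)[1], 16)
    return {c.upper(): bool(flags.get(c.upper(), 0) & KILL_BIT) for c in clsids}


if __name__ == "__main__":
    wanted = ["{00000000-1111-2222-3333-444444444444}",
              "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"]
    print(kill_bit_status(SAMPLE_EXPORT, wanted))
    print(kill_bit_reg_file([c for c, ok in kill_bit_status(SAMPLE_EXPORT, wanted).items() if not ok]))
```

The audit checks the bit with a bitwise AND rather than comparing the whole value to 0x400, because other compatibility flags may legitimately be set alongside the kill bit.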
MS10-035 - Cumulative Security Update for Internet Explorer (982381)
- Analysis Primary targets will be Windows client machines, while secondary targets will be Windows server machines. Attackers will try to convince users to visit a specially crafted web page, which would exploit one of the vulnerabilities in Internet Explorer. This would give the attacker the same rights as the current user. If the current user has administrator rights, the attacker would be able to install malicious software, such as keyloggers and/or backdoor Trojans. From this point, the attacker could use the compromised machine to attack more systems within or outside of the network.
- Recommendations Administrators are urged to roll out this patch as soon as possible to vulnerable systems.
MS10-036 - Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)
- Analysis Attackers will try to convince users to open a malicious Office file, or to open a link to a malicious Office file on an attacker-controlled site. If the user opens this file, arbitrary code would be executed, giving the attacker the same privileges as the current user. If the user is an administrator, the attacker would likely install malicious software and use the compromised machine to launch more attacks across the internal and external network.
- Recommendations Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Note: there are documented issues regarding installation of this patch, available at https://support.microsoft.com/en-us/kb/2252664.
MS10-037 - Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218)
- Analysis This patch resolves a vulnerability in the way Windows processes OpenType fonts. In all supported versions of Windows, the driver responsible for processing OpenType fonts does not properly transfer data between user and kernel mode, which causes the vulnerability. Attackers would need to log into the system, or use other vulnerabilities such as those patched by MS10-033, MS10-034 and/or MS10-035, to gain the same access to a system as a currently logged-on user. From that point, the attacker would run a specially crafted program to exploit the OpenType vulnerability. Once the vulnerability had been exploited, the attacker would have system-level access, allowing them to use the compromised system as a hub to launch more attacks against other systems on the network.
- Recommendations Administrators are urged to roll out this patch as soon as possible to vulnerable systems.
MS10-038 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)
- Analysis This patch addresses fourteen vulnerabilities within Microsoft Excel that could allow remote code execution in the context of the local user. Attackers will use spear-phishing emails or email attachments to trick users into downloading malicious Excel documents. From there, attackers will compromise machines and install botnet Trojans or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.
- Recommendations Administrators should roll out this patch as soon as possible to vulnerable systems.
MS10-039 - Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
- Analysis Attackers exploiting this vulnerability will attempt to trick SharePoint users into clicking a malicious link sent to the targeted user via email, instant messaging, or other social engineering methods. When the user clicks the link to the targeted SharePoint server, the vulnerability will be exploited, potentially allowing the attacker to gain privileges on the targeted SharePoint server at the same level as the targeted user. Alternatively, attackers could use this attack to trigger denial-of-service conditions against the SharePoint server via specially crafted HTTP requests.
- Recommendations Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Prior to deploying this patch, administrators can roll out IPS mechanisms or IP address allow lists to prevent attackers from exploiting these vulnerabilities.
MS10-040 - Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)
- Analysis IIS 6, 7, and 7.5 servers with Microsoft Extended Protection for Authentication (KB973917) installed and enabled are vulnerable to a remote code execution vulnerability that could allow remote anonymous attackers to trigger memory corruption in the context of the worker process identity. Attackers can leverage this over HTTP or HTTPS connections to the vulnerable IIS server, with no interaction required on the server side.
- Recommendations Administrators are urged to roll out this patch as soon as possible to vulnerable systems. In the meantime, enforcing an allow list of trusted clients or disabling Microsoft Extended Protection for Authentication (KB973917) would mitigate this vulnerability; however, disabling Extended Protection exposes the server to potential man-in-the-middle attacks and should only be considered if patching the vulnerable server is not an immediate option.
MS10-041 - Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)
- Analysis XMLDsig is vulnerable to a publicly known cryptographic weakness in the signing of XML control messages and in Hash-based Message Authentication Code (HMAC) truncation handling. This could potentially allow attackers to hijack or subvert encryption between two XMLDsig endpoints in order to tamper with or intercept communication when it is not being used in conjunction with other secure protocols.
- Recommendations Administrators are urged to roll out this patch as soon as possible to vulnerable systems, particularly those running XMLDsig endpoints and handling signed XML content.
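To show what "HMAC truncation handling" means in practice, here is an added Python illustration, not code from eEye or Microsoft. In XMLDsig the optional HMACOutputLength element sits inside the signed document's own SignedInfo, so whoever supplies the document also supplies the number of MAC bits the verifier compares. The block builds a constructed SignedInfo asking for only 8 bits, shows that a verifier obeying that request accepts a tag found by trying at most 256 values without the key, and contrasts a hardened verifier that refuses any truncation below 80 bits or half the digest length (the floor the W3C later added to XML Signature 1.1). The key, the XML and the DigestValue are constructed, and hashing the raw string stands in for canonicalization.

```python
# Added illustration (not eEye's or Microsoft's code) of the XMLDsig HMAC
# truncation weakness addressed by MS10-041.  Key, XML and digest value are
# constructed; raw-string hashing stands in for XML canonicalization.
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
DIGEST_BITS = 160        # HMAC-SHA1 output length
MIN_OUTPUT_BITS = 80     # floor later written into XML Signature 1.1
KEY = b"constructed-shared-secret"


def build_signed_info(output_bits=None):
    """Constructed <ds:SignedInfo>; output_bits adds the optional <ds:HMACOutputLength>."""
    length_el = f"<ds:HMACOutputLength>{output_bits}</ds:HMACOutputLength>" if output_bits else ""
    return (
        f'<ds:SignedInfo xmlns:ds="{DS_NS}">'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
        f'<ds:SignatureMethod Algorithm="{DS_NS}hmac-sha1">{length_el}</ds:SignatureMethod>'
        '<ds:Reference URI="#body">'
        f'<ds:DigestMethod Algorithm="{DS_NS}sha1"/>'
        '<ds:DigestValue>Y29uc3RydWN0ZWQtZGlnZXN0</ds:DigestValue>'
        '</ds:Reference></ds:SignedInfo>'
    )


def truncated_hmac(key, data, out_bits):
    """HMAC-SHA1 keeping only the leftmost out_bits bits, as XMLDsig truncation specifies."""
    full = hmac.new(key, data, hashlib.sha1).digest()
    n_bytes = (out_bits + 7) // 8
    tag = bytearray(full[:n_bytes])
    spare = n_bytes * 8 - out_bits
    if spare:
        tag[-1] &= (0xFF << spare) & 0xFF   # zero the bits beyond out_bits
    return bytes(tag)


def requested_output_bits(signed_info_xml):
    """HMACOutputLength requested by the document itself, or None when absent."""
    el = ET.fromstring(signed_info_xml).find(f".//{{{DS_NS}}}HMACOutputLength")
    return int(el.text) if el is not None else None


def verify_naive(key, signed_info_xml, tag):
    """Vulnerable pattern: trusts whatever output length the document requests."""
    bits = requested_output_bits(signed_info_xml) or DIGEST_BITS
    expected = truncated_hmac(key, signed_info_xml.encode(), bits)
    return hmac.compare_digest(expected, tag)


def verify_hardened(key, signed_info_xml, tag):
    """Fixed pattern: reject truncation below max(80, digest/2) bits or above the digest."""
    bits = requested_output_bits(signed_info_xml)
    if bits is None:
        bits = DIGEST_BITS
    elif not max(MIN_OUTPUT_BITS, DIGEST_BITS // 2) <= bits <= DIGEST_BITS:
        return False
    expected = truncated_hmac(key, signed_info_xml.encode(), bits)
    return hmac.compare_digest(expected, tag)


def forge_by_guessing(verifier, max_tries=256):
    """Key-less check: submit every one-byte tag; return the first accepted one, or None."""
    for v in range(max_tries):
        tag = bytes([v])
        if verifier(tag):
            return tag
    return None


if __name__ == "__main__":
    weak = build_signed_info(8)
    print("naive verifier accepts a guessed tag:",
          forge_by_guessing(lambda t: verify_naive(KEY, weak, t)) is not None)
    print("hardened verifier accepts a guessed tag:",
          forge_by_guessing(lambda t: verify_hardened(KEY, weak, t)) is not None)
```

The hardened check is the whole fix: the MAC computation is unchanged, only the length the verifier is willing to compare is clamped before comparing. Any consumer of signed XML that reads HMACOutputLength from the document needs the same clamp, regardless of library.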
eEye Digital Security will be holding a vulnerability expert forum (VEF) Wednesday June 9 at 11AM PDT. The vulnerability expert forum is a live webcast where the eEye research team will discuss these patches and additional security landscape topics. Be sure to sign up in advance.