Finally, a reprieve from the barrage of Microsoft patches. This month Microsoft released only three security bulletins, patching a total of 11 vulnerabilities. Good news for IT server admins: the patches affect only Microsoft Office and Microsoft Forefront Unified Access Gateway, which means most of you won't need to reboot your servers this week.

It should be noted that late last week Adobe released an out-of-band patch for Reader, Acrobat and AIR. This addressed a zero-day vulnerability (CVE-2010-2884) that was initially patched in Flash on September 20th. Even with this patch, Adobe still has several unpatched zero-day vulnerabilities in Reader and Shockwave. Check out our Zero-Day Tracker for more details.

Once again, eEye Digital Security will be hosting the Vulnerability Expert Forum (VEF) on Wednesday, November 10th at 11AM PST. The VEF is a live webcast in which the eEye research team discusses these patches and additional security-landscape topics. Be sure to sign up in advance. With only three Microsoft bulletins to cover, we should have a fair amount of time to review the security landscape and answer any questions you might have.

Here are our recommendations for the three security updates. You can find our full write-up in newsletter format here. Retina Network Security Scanner customers can view the list of audits associated with these bulletins.

CRITICAL
MS10-087 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)
IMPORTANT
MS10-088 - Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)
MS10-089 - Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)
MS10-087
- Analysis: Several vulnerabilities exist in the way Microsoft Office parses Office and Rich Text Format (RTF) files; the most severe could allow remote code execution. To exploit them, an attacker would need to convince a user to open a specially crafted Office or RTF file, delivered as an e-mail attachment or hosted on an attacker-controlled site. Successful exploitation lets the attacker execute code in the context of the logged-on user; if that user has administrative privileges, the attacker could take full control of the computer.
- Recommendations: Apply the patch as soon as possible. Until it can be applied, avoid opening Microsoft Office files from untrusted or unknown sources, and configure Outlook to read all e-mail as plain text so that RTF message bodies are not parsed. Additionally, administrators may set a Microsoft Office File Block Policy to block Office 2003 and earlier binary formats and RTF files from unknown and untrusted sources; note that File Block refuses every file in those formats, legitimate ones included, so test the policy before rolling it out.
MS10-088
- Analysis: A buffer overflow and a heap-corruption vulnerability exist in the way Microsoft PowerPoint parses PowerPoint files. To exploit either, an attacker would need to convince a user to open a specially crafted PowerPoint file, which could be hosted on an attacker-controlled site or sent via e-mail or instant messenger. Successful exploitation lets the attacker execute code with the privileges of the logged-on user; if that user has administrative privileges, the attacker could take full control of the computer.
- Recommendations: Apply the patch as soon as possible. Until it can be applied, restrict access to the pp7x32.dll file for any user running PowerPoint 2002. Additionally, administrators may set a Microsoft Office File Block Policy to block Office 2003 and earlier binary formats from unknown or untrusted sources.
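As an added example (not part of the original post and not eEye's own tooling), the following PowerShell applies the MS10-087 and MS10-088 pre-patch workarounds above on a single machine: the Office File Block Policy for pre-2007 binary formats and RTF, Outlook's read-as-plain-text setting, and the pp7x32.dll access restriction. The registry paths and value names are assumed from Microsoft's documented File Block and ReadAsPlain settings for Office 2003 SP3 (11.0) and Office 2007 (12.0), and the Office10 install path for PowerPoint 2002 is likewise an assumption; check them against the bulletin's workaround section for your exact Office version.

```powershell
# Added example, not from the original post. Applies the MS10-087 / MS10-088
# workarounds per-user on one machine. Assumptions (not stated on the page):
#   - Office 2003 SP3 (11.0) and/or Office 2007 (12.0) are installed;
#   - value names BinaryFiles / RtfFiles / ReadAsPlain follow Microsoft's
#     documented File Block and Outlook plain-text settings for those versions;
#   - PowerPoint 2002 lives under "$env:ProgramFiles\Microsoft Office\Office10".
# In production push these through Group Policy and revert after patching.

$officeVersions = @('11.0', '12.0')   # Office 2003 SP3, Office 2007

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if Office has never written it, then set the DWORD.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

foreach ($v in $officeVersions) {
    $base = "HKCU:\Software\Microsoft\Office\$v"

    # File Block Policy: refuse to open pre-2007 binary formats (.doc/.xls/.ppt)
    # and RTF. 1 = block, 0 = allow again. This blocks legitimate legacy files too.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        Set-DwordValue "$base\$app\Security\FileOpenBlock" 'BinaryFiles' 1
    }
    Set-DwordValue "$base\Word\Security\FileOpenBlock" 'RtfFiles' 1

    # Read all e-mail as plain text so RTF/HTML message bodies are not parsed.
    Set-DwordValue "$base\Outlook\Options\Mail" 'ReadAsPlain' 1
}

# MS10-088, PowerPoint 2002 only: deny Everyone access to pp7x32.dll.
# Save the current ACL first so it can be restored once the patch is on.
$dll = Join-Path $env:ProgramFiles 'Microsoft Office\Office10\pp7x32.dll'
if (Test-Path $dll) {
    icacls $dll /save "$env:TEMP\pp7x32_acl.txt"
    icacls $dll /deny 'Everyone:(F)'
    # Revert later with:
    #   icacls (Split-Path $dll) /restore "$env:TEMP\pp7x32_acl.txt"
}

# Verify what actually landed before trusting the workaround.
foreach ($v in $officeVersions) {
    Get-ItemProperty "HKCU:\Software\Microsoft\Office\$v\Word\Security\FileOpenBlock" -ErrorAction SilentlyContinue |
        Select-Object BinaryFiles, RtfFiles
}
```

To back the workaround out after MS10-087 and MS10-088 are deployed, set the same values to 0 (or delete them) and run the icacls /restore line; the HKCU keys are per-user, so a per-machine roll-out needs the equivalent Group Policy setting rather than this script run once as an administrator.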
MS10-089 - Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)
- Analysis: There are four vulnerabilities in Microsoft Forefront Unified Access Gateway, the most severe of which is a spoofing vulnerability. An attacker could use it to convince a user that they are viewing a legitimate UAG page and so trick them into submitting their credentials to the attacker, since the attacker's page would appear to be the UAG page the user intended to visit. Those credentials could then be used to gain unauthorized access to the UAG.
- Recommendations Administrators are urged to patch this at their earliest convenience. There are no workarounds other than the patch provided by Microsoft.