Wow. Microsoft has outdone itself this time, releasing 16 security bulletins for October - a personal best for them. That puts them at 86 for the year - so I'm pegging the over / under for 2010 security bulletins at 100.
Microsoft patched quite a few zero day vulnerabilities this month, most notably in MS10-073, MS10-074 and MS10-084. Two of these (CVE-2010-2743 and CVE-2010-2744) were privilege escalations that were being used in the wild as part of the Stuxnet worm.
Not to be left out of the festivities, Oracle also released their quarterly critical patch updates which contain 85 security fixes across all of their product families.
As usual, eEye Digital Security will be hosting the vulnerability expert forum (VEF) on Wednesday, October 13th at 11AM PDT. The vulnerability expert forum is a live webcast where the eEye research team will discuss these patches and additional security landscape topics. Be sure to sign up in advance.
Here are our recommendations for the sixteen security updates. You can find our full write-up in newsletter format here. Retina Network Security Scanner customers can view the list of audits associated with these bulletins.
CRITICAL

MS10-071 - Cumulative Security Update for Internet Explorer (2360131)
- Analysis: 11 vulnerabilities exist within Internet Explorer 6, 7 and 8; the worst of these can allow an attacker to remotely execute code if a user views a maliciously crafted web page in Internet Explorer. Upon successful exploitation of the remote code execution vulnerability, an attacker can gain complete control of the system; however, users with fewer user rights may be impacted less than users who operate with administrative rights.
- Recommendations: Administrators should apply the patch immediately because 3 of the vulnerabilities have been publicly disclosed, although reports have not surfaced of these vulnerabilities being used in the wild. To mitigate all of the non-remote-code-execution vulnerabilities and one of the remote code execution vulnerabilities without patches, run IE in Enhanced Security Configuration (ESC) mode (if possible). To mitigate all of the vulnerabilities except the remote code execution vulnerabilities without running IE in ESC mode, disable the AutoComplete feature and set the IE security level for the Internet zone to High.

MS10-075 - Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution (2281679)
- Analysis: A vulnerability exists within the Media Player Network Sharing Service which can allow remote code execution. In order to exploit this vulnerability, an attacker must send a specially crafted RTSP packet to a system that has enabled Internet access to home media. By default, Internet access to home media is disabled, in which case an attacker would have to be on the same subnet as the target machine in order to attempt to exploit it. Once successfully exploited, an attacker can gain complete control of the system.
- Recommendations: Administrators should apply the patch as soon as possible; otherwise, disable Internet access to home media within Media Player.

MS10-076 - Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)
- Analysis: The vulnerability is an integer overflow that occurs when the Embedded OpenType Font Engine parses tables in specially crafted files and content that contains embedded fonts. Successful exploitation of the integer overflow can allow an attacker to perform remote code execution, with the same privileges as the user, on the affected system. Users running with administrator rights will be vulnerable to a more severe attack than those running with fewer privileges.
- Recommendations: It is recommended that this patch be applied immediately. Until then, disable support for parsing embedded fonts in Internet Explorer.

MS10-077 - Vulnerability in .NET Framework Could Allow Remote Code Execution (2160841)
- Analysis: The vulnerability is in the JIT compiler and how it performs optimizations. A specially crafted .NET application will be able to perform arbitrary unmanaged code execution. It could also allow remote code execution if the user views a specially crafted web page using a web browser that can run XAML Browser Applications. This vulnerability can also allow remote code execution on a server running IIS if that server allows the uploading and processing of ASP.NET pages: the attacker could upload a specially crafted ASP.NET page to the server and then execute the page, as in a web-hosting scenario. The code that is executed on the user's machine runs with the same rights as the user's account; users running as administrator may experience more severe effects than those running with fewer privileges.
- Recommendations: It is recommended that this patch be applied immediately. Until then, disable partially trusted Microsoft .NET applications, disable XAML browser applications in Internet Explorer and, in a web-hosting situation, only allow trusted users to upload pages to the IIS server.

IMPORTANT

MS10-072 - Vulnerabilities in SafeHTML Could Allow Information Disclosure (2412048)
- Analysis: Two vulnerabilities exist within SharePoint and Windows SharePoint Services using SafeHTML. In order to exploit this vulnerability, an attacker must have the ability to submit scripts to the target site that is using SafeHTML. If an attacker has this ability, they can then send specially crafted scripts to the site which will subsequently not be properly sanitized by SafeHTML. After the malicious script is loaded onto the target site, any page on the web site that references the malicious script becomes a vector for persistent cross-site scripting attacks. Workstations and terminals that connect to a server using SafeHTML to sanitize HTML content are primarily at risk.
- Recommendations: Administrators should apply the patch immediately, as this vulnerability has been publicly disclosed and Microsoft did not provide any mitigations.

MS10-073 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)
- Analysis: Three vulnerabilities exist within Windows Kernel-Mode Drivers allowing an attacker to elevate privileges and subsequently run arbitrary code at elevated privileges. To exploit this vulnerability an attacker must have logon credentials and be able to log on locally, or have previously compromised the targeted system. Once logged on to the target machine, an attacker can run a specially crafted program and gain kernel-level privileges. Remote and/or anonymous users cannot exploit this vulnerability. This exploit is believed to have been used by the Stuxnet family of malware in order to elevate its privileges and fully compromise systems.
- Recommendations: Administrators should patch this immediately, as the vulnerabilities are publicly disclosed and being exploited in the wild in Stuxnet attacks.

MS10-078 - Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986)
- Analysis: An OpenType font parsing and font validation vulnerability exists in the way the OpenType Font format driver allocates memory and performs integer calculations. Attackers could use a specially crafted OpenType font to perform an elevation of privilege attack on a local machine and gain kernel-level privileges.
- Recommendations: Apply patches as soon as possible. Microsoft has not provided any workarounds to address these vulnerabilities.

MS10-079 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2293194)
- Analysis: This patch addresses multiple vulnerabilities in all versions of Microsoft Word during the parsing of malformed Word files. Attackers could craft a Word file that, when opened, would allow remote code execution with the same rights as the user. Users running with administrator rights are more vulnerable than those running with lower privileges. Attackers could easily use these vulnerabilities within spear-phishing attacks in order to compromise high-priority targets.
- Recommendations: Apply patches as soon as possible, as no other mitigation strategy exists that provides complete security and continued ease of use within the vulnerable product.

MS10-080 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2293211)
- Analysis: The patch addresses multiple vulnerabilities in the way Microsoft Excel parses Excel and Lotus 1-2-3 files. Opening a maliciously crafted Excel or Lotus 1-2-3 file would allow remote code execution with the same rights as the user. Users running with administrator rights are more vulnerable than those running with lower privileges.
- Recommendations: Apply patches as soon as possible, as no other mitigation strategy exists that provides complete security and continued ease of use within the vulnerable product.

MS10-081 - Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2296011)
- Analysis: A heap overflow vulnerability exists within the Windows common control library, which utilizes a scalable vector graphics (SVG) viewer. Applications using the vulnerable COM control viewer are potentially vulnerable to a remote code execution flaw that would allow anonymous attackers to execute code with the same privileges as the current user. Although no Microsoft products are directly affected by this vulnerability, it does potentially affect a large number of third-party applications which support SVG files. Attackers could easily exploit this vulnerability through web drive-by or file exchange scenarios.
- Recommendations: Administrators should patch this vulnerability as soon as possible, as Microsoft has not identified any successful mitigation strategies to protect the multiple vulnerable third-party applications.

MS10-082 - Vulnerability in Windows Media Player Could Allow Remote Code Execution (2378111)
- Analysis: A memory corruption vulnerability exists within Windows Media Player. This vulnerability occurs during the reload operation performed by a browser. An attacker that successfully exploits this vulnerability is capable of executing remote code within the context of the current user, meaning the attacker could gain complete control of a system where users are logged in with administrative privileges. Exploitation requires the use of social engineering in order to compromise machines.
- Recommendations: Administrators should patch this vulnerability as soon as possible. Until the patch is applied to the affected systems, unregister wmp.dll by using regsvr32.exe with the -u flag.

MS10-083 - Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882)
- Analysis: A COM validation vulnerability exists within Microsoft Windows WordPad and the Windows Shell that could allow an attacker to execute arbitrary remote code within the context of the current user. If users are logged in with administrative privileges and open a malicious file with WordPad, the attacker could take complete control of the system.
- Recommendations: Administrators should patch this vulnerability as soon as possible. Until the patch is applied to affected systems, prevent users from using WordPad to open untrusted documents. Users should also be restricted from clicking links to WordPad files on WebDAV shares until the patch is applied.

MS10-084 - Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937)
- Analysis: A message buffer overrun vulnerability exists within the Remote Procedure Call Subsystem (RPCSS) that could allow an attacker to execute arbitrary remote code within the context of the NetworkService account. Certain applications running with NetworkService privileges can be elevated to LocalSystem privileges, and thus an attacker could utilize this to raise their privileges to LocalSystem. This vulnerability was made public prior to the patch and is considered a high priority for malicious attackers.
- Recommendations: Administrators should patch this vulnerability as soon as possible, as no mitigation strategies exist to completely secure systems from this threat.

MS10-085 - Vulnerability in SChannel Could Allow Denial of Service (2207566)
- Analysis: A denial of service vulnerability exists within SChannel with respect to how it parses client certificates. An anonymous attacker could send a malicious network packet to the vulnerable system, which would cause the LSASS service to stop, which would in turn cause the computer to restart.
- Recommendations: Administrators should patch this vulnerability as soon as possible, as no reasonable workarounds have been provided.

MODERATE

MS10-074 - Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution (2387149)
- Analysis: A vulnerability exists within the Microsoft Foundation Classes which can allow remote code execution. An attacker can take complete control of a system if a user logged on with administrative privileges opens a specially crafted application built with the MFC library. Users logged on with fewer rights may be less affected than users running with administrator privileges.
- Recommendations: Administrators should patch this vulnerability as soon as possible, as no reasonable workarounds have been provided.

MS10-086 - Vulnerability in Windows Shared Cluster Disks Could Allow Tampering (2294255)
- Analysis: This bulletin addresses a vulnerability in the user interface of the Failover Cluster Manager, with respect to how the UI sets permissions for shared cluster disks. When an administrator sets up a cluster, the default permissions given are that all users have full read/write/delete access on administrative shares of the failover cluster disk. This patch changes the way new disks are set up through the UI to have safer default settings.
- Recommendations: Administrators should apply the patch at their earliest convenience. Until patches are applied, if it is necessary to create a new cluster disk administrative share, be sure to manually set the permissions to Full Control for administrators only. Once the patch has been applied, administrators can re-cluster any affected disks to properly set permissions on newly shared cluster disks.
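As an added example (not eEye's code and not one of the Retina audits mentioned above), the following PowerShell script checks a single Windows host for the sixteen bulletins by the KB numbers listed in the headings, so an administrator can see at a glance which Critical updates and which publicly disclosed or Stuxnet-related fixes are still absent. It assumes PowerShell 2.0 or later with the Get-HotFix cmdlet, which reads the Win32_QuickFixEngineering store; that store only records operating-system servicing updates, so a KB reported as "not found" is a prompt to verify, not proof of exposure. In particular, the Office bulletins (MS10-079 and MS10-080) never appear there even when installed, and server-only bulletins such as MS10-086 do not apply to workstations at all. The bulletin list and flags are taken from the write-up above; the function name and the exit-code convention are this example's own.

```powershell
# Added example (not eEye/Retina code): compare the October 2010 bulletin KBs
# from the write-up against what the local servicing stack reports installed.
# Assumption: Get-HotFix / Win32_QuickFixEngineering is available (PS 2.0+).
# Caveat: QFE lists OS updates only. Office updates (MS10-079/080) are never
# listed, and bulletins for products not present on this host will also read
# "not found", so treat that status as "verify", not "vulnerable".

$Bulletins = @(
    @{ Id = 'MS10-071'; KB = 'KB2360131'; Severity = 'Critical';  Title = 'Internet Explorer cumulative';    Flag = '3 issues publicly disclosed' },
    @{ Id = 'MS10-075'; KB = 'KB2281679'; Severity = 'Critical';  Title = 'Media Player Network Sharing';   Flag = '' },
    @{ Id = 'MS10-076'; KB = 'KB982132';  Severity = 'Critical';  Title = 'Embedded OpenType Font Engine';  Flag = '' },
    @{ Id = 'MS10-077'; KB = 'KB2160841'; Severity = 'Critical';  Title = '.NET Framework JIT';             Flag = '' },
    @{ Id = 'MS10-072'; KB = 'KB2412048'; Severity = 'Important'; Title = 'SafeHTML';                       Flag = 'publicly disclosed' },
    @{ Id = 'MS10-073'; KB = 'KB981957';  Severity = 'Important'; Title = 'Kernel-Mode Drivers';            Flag = 'exploited in the wild (Stuxnet)' },
    @{ Id = 'MS10-078'; KB = 'KB2279986'; Severity = 'Important'; Title = 'OpenType Font driver';           Flag = '' },
    @{ Id = 'MS10-079'; KB = 'KB2293194'; Severity = 'Important'; Title = 'Microsoft Word';                 Flag = 'Office update: not visible to Get-HotFix' },
    @{ Id = 'MS10-080'; KB = 'KB2293211'; Severity = 'Important'; Title = 'Microsoft Excel';                Flag = 'Office update: not visible to Get-HotFix' },
    @{ Id = 'MS10-081'; KB = 'KB2296011'; Severity = 'Important'; Title = 'Common Control Library (SVG)';   Flag = '' },
    @{ Id = 'MS10-082'; KB = 'KB2378111'; Severity = 'Important'; Title = 'Windows Media Player';           Flag = '' },
    @{ Id = 'MS10-083'; KB = 'KB2405882'; Severity = 'Important'; Title = 'COM validation (Shell/WordPad)'; Flag = '' },
    @{ Id = 'MS10-084'; KB = 'KB2360937'; Severity = 'Important'; Title = 'Local Procedure Call (RPCSS)';   Flag = 'publicly disclosed' },
    @{ Id = 'MS10-085'; KB = 'KB2207566'; Severity = 'Important'; Title = 'SChannel';                       Flag = '' },
    @{ Id = 'MS10-074'; KB = 'KB2387149'; Severity = 'Moderate';  Title = 'Microsoft Foundation Classes';   Flag = '' },
    @{ Id = 'MS10-086'; KB = 'KB2294255'; Severity = 'Moderate';  Title = 'Shared Cluster Disks';           Flag = 'failover cluster servers only' }
)

# Builds one status record per bulletin from a list of installed HotFixIDs.
# Kept as a function so it can be run against a saved inventory as well.
function Get-OctoberBulletinStatus {
    param([string[]]$InstalledKBs)
    foreach ($b in $Bulletins) {
        $status = if ($InstalledKBs -contains $b.KB) { 'installed' } else { 'not found' }
        New-Object PSObject -Property @{
            Bulletin = $b.Id
            KB       = $b.KB
            Severity = $b.Severity
            Title    = $b.Title
            Status   = $status
            Note     = $b.Flag
        }
    }
}

# Read the servicing store once, then compare.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
$report    = Get-OctoberBulletinStatus -InstalledKBs $installed

# Missing bulletins first, Critical before Important before Moderate.
$report |
    Sort-Object @{ Expression = { $_.Status -eq 'installed' } }, Severity, Bulletin |
    Format-Table Bulletin, Severity, KB, Status, Title, Note -AutoSize

# Exit code = number of Critical bulletins not found, so a compliance job can
# fail on it (the exit-code convention is this example's, not the page's).
$missingCritical = @($report | Where-Object { $_.Status -ne 'installed' -and $_.Severity -eq 'Critical' })
exit $missingCritical.Count
```

Run it in an elevated PowerShell prompt on the host being checked; for fleet-wide use, the comparison function can be fed the HotFixID list collected remotely (for example via Get-HotFix -ComputerName) instead of the local call.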