eEye Digital Security
Alert - eEye Security Bulletin
Microsoft Patch Disclosure - April 13, 2010
Overview
This month, Microsoft released 11 patches which repair a total of 25 vulnerabilities. Of these 11 patches, 8 address Remote Code Execution vulnerabilities, 1 addresses a Denial of Service (DoS) vulnerability, 1 addresses a Privilege Escalation vulnerability, and 1 addresses a Spoofing vulnerability.

Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.
 
Patch Precedence
Of the 11 bulletins released this month, administrators are advised to patch MS10-019, MS10-020, MS10-021, MS10-022, MS10-024, MS10-026, and MS10-027 immediately to prevent exploitation of Exchange, SMB and Windows client side applications by attackers. Administrators should then patch MS10-023 and MS10-025 wherever necessary, as attackers can easily target users who have certain optional Windows components installed. The remainder of the patches should be applied after environment testing, or to environments that have the specifically affected software deployed.

As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.
Bulletin/Advisory Summary
Critical
MS10-019 - Vulnerabilities in Windows Could Allow Remote Code Execution (981210)
MS10-020 - Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)
MS10-025 - Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)
MS10-026 - Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)
MS10-027 - Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)

Important
MS10-021 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)
MS10-022 - Vulnerability in VBScript Could Allow Remote Code Execution (981169)
MS10-023 - Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160)
MS10-024 - Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
MS10-028 - Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)

Moderate
MS10-029 - Vulnerabilities in Windows ISATAP Component Could Allow Spoofing (978338)
Bulletin/Advisory Details
Vulnerabilities in Windows Could Allow Remote Code Execution (981210)
http://www.microsoft.com/technet/security/Bulletin/MS10-019.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
 

Description
This security update resolves two privately reported vulnerabilities in Windows Authenticode Verification that could allow remote code execution. An attacker who successfully exploited either vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerabilities by performing additional verification operations when signing and verifying a portable executable or cabinet file.
  • WinVerifyTrust Signature Validation Vulnerability - CVE-2010-0486
    A remote code execution vulnerability exists in the Windows Authenticode Signature Verification function used for portable executable (PE) and cabinet file formats. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to manipulate unverified portions of the signature and file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Cabview Corruption Validation Vulnerability - CVE-2010-0487
    A remote code execution vulnerability exists in the Windows Authenticode Signature verification for cabinet (.cab) file formats. An anonymous attacker could exploit the vulnerability by modifying an existing signed cabinet file to point the unverified portions of the signature to malicious code, and then convincing a user to open or view the specially crafted cabinet file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
Attackers will try to trick users into opening a malicious signed portable executable or cabinet file. Upon opening the file, a vulnerable machine would be exploited and the attacker would have gained complete control of the system. This vulnerability affects all supported versions of Windows and can be used to execute code outside the context of the current user, so it will be a prime target for attackers. After the attacker has successfully compromised the system, the attacker will likely install malicious backdoor programs and use the compromised system to launch attacks against other internal or external systems.
Recommendations
Administrators are urged to roll out this patch as soon as possible to all Windows systems. Until these systems are patched, it is strongly advised that users not attempt to use signed portable executable files or cabinet files from untrusted sources.
Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)
http://www.microsoft.com/technet/security/Bulletin/MS10-020.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
 

Description
This security update resolves one publicly disclosed and several privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server. The security update addresses the vulnerabilities by correcting the manner in which the SMB client handles SMB responses, allocates memory, and validates fields within the SMB response.
  • SMB Client Incomplete Response Vulnerability - CVE-2009-3676
    A denial of service vulnerability exists in the way that the Microsoft Server Message Block (SMB) client implementation handles specially crafted SMB responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could cause the computer to stop responding until restarted.
  • SMB Client Memory Allocation Vulnerability - CVE-2010-0269
    An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block (SMB) client implementation allocates memory when parsing specially crafted SMB responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • SMB Client Transaction Vulnerability - CVE-2010-0270
    An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block (SMB) client implementation handles specially crafted SMB transaction responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could take complete control of the system.
  • SMB Client Response Parsing Vulnerability - CVE-2010-0476
    An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block (SMB) client implementation parses specially crafted SMB transaction responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could take complete control of the system.
  • SMB Client Message Size Vulnerability - CVE-2010-0477
    An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block (SMB) client implementation handles specially crafted SMB responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could take complete control of the system.
Analysis
The SMB protocol contains multiple vulnerabilities that could allow remote anonymous attackers to trigger a Denial of Service attack or execute arbitrary code, giving the attacker complete control of the system. These attacks require the user to initiate a connection to a malicious server, upon which the malicious server is given the opportunity to send a malicious response and compromise the system. Attackers are likely to focus on developing exploits for systems with the vulnerabilities described in CVE-2010-0269, CVE-2010-0270, CVE-2010-0476, and CVE-2010-0477, followed by CVE-2009-3676.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. In the meantime, enforce a whitelist of trusted SMB servers that users can access.
Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)
http://www.microsoft.com/technet/security/Bulletin/MS10-025.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
 

Description
This security update resolves a privately reported vulnerability in Windows Media Services running on Microsoft Windows 2000 Server. The vulnerability could allow remote code execution if an attacker sent a specially crafted transport information packet to a Microsoft Windows 2000 Server system running Windows Media Services. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. On Microsoft Windows 2000 Server, Windows Media Services is an optional component and is not installed by default. The security update addresses the vulnerability by modifying the way that the Windows Media Unicast Service (nsum.exe) handles transport info network packets.
  • Media Services Stack-based Buffer Overflow Vulnerability - CVE-2010-0478
    A remote code execution vulnerability exists in Microsoft Windows 2000 Server Service Pack 4 running the optional Windows Media Services component due to the way the Windows Media Unicast Service handles specially crafted transport information packets. On Microsoft Windows 2000 Server Service Pack 4, Windows Media Services is an optional component and is not installed by default. Only Microsoft Windows 2000 Server systems that have enabled Windows Media Services are affected by this vulnerability.
Analysis
Attackers will send malicious transport information network packets to vulnerable systems, that is, Windows 2000 Server SP4 (and earlier service packs) running the optional Windows Media Services component. This will compromise the system, giving the attacker complete control of the machine. At that point, the attacker will likely install backdoor access programs and use the system to launch attacks against other internal and external machines.
Recommendations
Administrators are urged to apply the patch as soon as possible to all vulnerable Windows 2000 machines. Until this is complete, administrators should block access to port 1755 on Windows 2000 servers running Windows Media Services.
Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)
http://www.microsoft.com/technet/security/Bulletin/MS10-026.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
 

Description
This security update resolves a privately reported vulnerability in Microsoft MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opened a specially crafted AVI file containing an MPEG Layer-3 audio stream. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by correcting the way that the Microsoft MPEG Layer-3 audio codecs decode the MPEG Layer-3 audio stream in specially crafted AVI files.
  • MPEG Layer-3 Audio Decoder Stack Overflow Vulnerability - CVE-2010-0480
    A remote code execution vulnerability exists in the way that Microsoft MPEG Layer-3 codecs handle AVI media files. This vulnerability could allow remote code execution if a user opened a specially crafted AVI file containing an MPEG Layer-3 audio stream. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
This remote code execution vulnerability is due to a flaw within Microsoft Audio codecs when they handle malformed AVI media files. Attackers could set up drive-by exploit websites that play an embedded Trojanized AVI file upon a visitor browsing to the malicious site. Once played, the malicious file would trigger a memory corruption scenario that allows attackers to execute arbitrary code on the vulnerable system. At this point, the attackers will likely install backdoor access programs and use the system to launch attacks against other internal and external machines.
Recommendations
Administrators are urged to roll out this patch as soon as possible to all Windows systems. Until the patch is distributed, administrators can use CACLS to deny access to "%windir%\system32\l3codeca.acm" and "%windir%\system32\l3codecx.ax" in order to prevent AVI files with embedded MP3 audio from being played. (Note: this will cause some videos not to display properly.)
Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)
http://www.microsoft.com/technet/security/Bulletin/MS10-027.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
 

Description
This security update resolves a privately reported vulnerability in Windows Media Player. The vulnerability could allow remote code execution if Windows Media Player opened specially crafted media content hosted on a malicious Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by modifying the way the Windows Media Player ActiveX control handles specially crafted media content hosted on a malicious Web site.
  • Media Player Remote Code Execution Vulnerability - CVE-2010-0268
    A remote code execution vulnerability exists in the Windows Media Player ActiveX control. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs or view, change, or delete data with full user rights.
Analysis
This remote code execution vulnerability is due to a flaw within the Microsoft Windows Media ActiveX control when it handles malformed script requests. Attackers could set up drive-by exploit websites that automatically exploit Internet Explorer visitors browsing to the malicious site. Once loaded, the malicious HTML page would trigger a memory corruption scenario that allows attackers to execute arbitrary code on the vulnerable system. At this point, the attackers will likely install backdoor access programs and use the system to launch attacks against other internal and external machines.
Recommendations
Until administrators apply this critical patch, they are advised to set the kill bit on the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6BF52A52-394A-11d3-B153-00C04F79FAA6} and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6BF52A52-394A-11d3-B153-00C04F79FAA6}. This prevents the Windows Media Player ActiveX control from executing until administrators can apply the patch.
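As an added example (not part of the eEye bulletin), the following PowerShell sets and then verifies the kill bit on both registry keys named above. It assumes an elevated session, and that the Wow6432Node branch is only present on 64-bit Windows; the kill bit is the 0x400 bit of the "Compatibility Flags" DWORD.

```powershell
# Added example, not from the eEye bulletin: apply the MS10-027 kill bit workaround.
# Assumes an elevated PowerShell session. The CLSID is the Windows Media Player
# ActiveX control named in the bulletin; 0x400 in "Compatibility Flags" is the kill bit.
$clsid   = '{6BF52A52-394A-11d3-B153-00C04F79FAA6}'
$KillBit = 0x400

$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

function Set-KillBit {
    param([string]$Path)
    # The Wow6432Node branch does not exist on 32-bit Windows; skip it there.
    $parent = Split-Path -Path $Path -Parent
    if (-not (Test-Path -Path $parent)) { return }
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Preserve any flags already present and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    $new = $existing -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    param([string]$Path)
    # Returns $true only when the key exists and the 0x400 bit is set.
    $v = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
          -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $v) -and (($v -band $KillBit) -ne 0)
}

foreach ($p in $paths) {
    Set-KillBit -Path $p
    if (Test-Path -Path $p) {
        $state = if (Test-KillBit -Path $p) { 'set' } else { 'NOT set' }
        '{0}: kill bit {1}' -f $p, $state
    }
}
```

Remove the 0x400 bit from "Compatibility Flags" (or delete the CLSID key) once the MS10-027 update is installed, otherwise the patched control stays blocked.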
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)
http://www.microsoft.com/technet/security/Bulletin/MS10-021.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
 

Description
This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. The security update addresses the vulnerabilities by correcting validations, the creation of symbolic links, the resolution of virtual registry key paths, and exceptions handling.
  • Windows Kernel Null Pointer Vulnerability - CVE-2010-0234
    A denial of service vulnerability exists in the Windows kernel due to the insufficient validation of registry keys passed to a Windows kernel system call. An attacker could exploit the vulnerability by running a specially crafted application, causing the system to become unresponsive and automatically restart.
  • Windows Kernel Symbolic Link Value Vulnerability - CVE-2010-0235
    A denial of service vulnerability exists in the Windows kernel due to the manner in which the kernel processes the values of symbolic links. An attacker could exploit the vulnerability by running a specially crafted application causing the system to become unresponsive and automatically restart.
  • Windows Kernel Memory Allocation Vulnerability - CVE-2010-0236
    An elevation of privilege vulnerability exists in the Windows kernel due to the manner in which memory is allocated when extracting a symbolic link from a registry key. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Windows Kernel Symbolic Link Creation Vulnerability - CVE-2010-0237
    An elevation of privilege vulnerability exists when the Windows kernel does not properly restrict symbolic link creation between untrusted and trusted registry hives. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Windows Kernel Registry Key Vulnerability - CVE-2010-0238
    A denial of service vulnerability exists in the way that the Windows kernel validates registry keys. An attacker could exploit the vulnerability by running a specially crafted application causing the system to become unresponsive and automatically restart.
  • Windows Virtual Path Parsing Vulnerability - CVE-2010-0481
    A denial of service vulnerability exists in the Windows kernel due to the way that the kernel resolves the real path for a registry key from its virtual path. An attacker could exploit the vulnerability by running a specially crafted application, causing the system to become unresponsive and automatically restart.
  • Windows Kernel Malformed Image Vulnerability - CVE-2010-0482
    A denial of service vulnerability exists in the Windows kernel due to the improper validation of specially crafted image files. An attacker could exploit the vulnerability by running a specially crafted application causing the system to become unresponsive and automatically restart.
  • Windows Kernel Exception Handler Vulnerability - CVE-2010-0810
    A denial of service vulnerability exists in the Windows kernel due to the way that the kernel handles certain exceptions. An attacker could exploit the vulnerability by running a specially crafted application, causing the system to become unresponsive and automatically restart.
Analysis
This patch addresses 2 privilege elevation vulnerabilities and 6 local denial of service conditions within the Microsoft Windows kernel. Attackers could potentially leverage the 2 elevation vulnerabilities in order to raise their privileges to ring 0, thus allowing full system compromise. Attackers are likely to combine these vulnerabilities with other exploits in order to turn browser-based exploits into full-blown rootkit installations. Alternatively, attackers could use the denial of service conditions to trigger a blue screen of death/bugcheck on the system, thus hindering workflow.
Recommendations
Apply the patch after testing in virtual environments or test environments in order to ensure the kernel patch does not trigger conflicts with mission critical software.
Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
http://www.microsoft.com/technet/security/Bulletin/MS10-022.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
 

Description
This security update resolves a publicly disclosed vulnerability in VBScript on Microsoft Windows that could allow remote code execution. This security update is rated Important for Microsoft Windows 2000, Windows XP, and Windows Server 2003. On Windows Server 2008, Windows Vista, Windows 7, and Windows Server 2008 R2, the vulnerable code is not exploitable; however, as the code is present, this update is provided as a defense-in-depth measure and has no severity rating. The security update addresses the vulnerability by modifying the way that the VBScript engine processes help files in protected mode.
  • VBScript Help Keypress Vulnerability - CVE-2010-0483
    A remote code execution vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, the Windows Help System would be started with a Windows Help File provided by the attacker. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate against this issue.
Analysis
A remote code execution vulnerability exists within VBScript that could allow attackers to trick users into downloading a malicious HLP file. This attack was made public and was dubbed the "F1 Help Key" exploit: attackers would leverage social engineering web pages in order to trick users into pressing the F1 key on a website, thus triggering a download of a Trojanized HLP file stored on the attacker's server. Once run, this malicious HLP file would compromise the system, typically installing additional malware, botnets, or rootkits, or giving the attacker remote access to the compromised machine.
Recommendations
Use CACLS to disable access to the Windows Help subsystem ("%windir%\winhlp32.exe") until the patch can be applied.
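As an added example (not part of the eEye bulletin), the following PowerShell applies the CACLS workaround recommended for both MS10-026 (the two MP3 codec files) and MS10-022 (winhlp32.exe), verifies the deny entry, and provides the matching undo. It assumes an elevated session on an English-locale system where the account may edit the ACL of files under %windir% (on Windows Vista and later, ownership of these files must be taken first).

```powershell
# Added example, not from the eEye bulletin: deny Everyone access to the files named
# in the MS10-026 and MS10-022 workarounds via CACLS, then verify and (later) undo.
# Assumes an elevated session, English locale ("everyone"), and that the account may
# modify the ACL of files under %windir%.
$files = @(
    (Join-Path $env:windir 'system32\l3codeca.acm'),   # MS10-026: MP3 ACM codec
    (Join-Path $env:windir 'system32\l3codecx.ax'),    # MS10-026: MP3 DirectShow filter
    (Join-Path $env:windir 'winhlp32.exe')             # MS10-022: Windows Help
)

function Deny-EveryoneAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "not present: $Path"; return }
    # Keep a copy of the original security descriptor (SDDL) so it can be restored
    # before the patch is installed.
    $backup = Join-Path $env:TEMP ((Split-Path -Path $Path -Leaf) + '.sddl')
    if (-not (Test-Path -LiteralPath $backup)) {
        (Get-Acl -LiteralPath $Path).Sddl | Set-Content -LiteralPath $backup
    }
    # /E edits the existing ACL in place; /P everyone:N adds a "no access" entry.
    & cacls.exe $Path /E /P 'everyone:N' | Out-Null
}

function Test-EveryoneDenied {
    param([string]$Path)
    # Compare by SID (S-1-1-0 = Everyone) so the check does not depend on locale.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and $r.IdentityReference -eq $everyone) {
            return $true
        }
    }
    return $false
}

function Restore-EveryoneAccess {
    param([string]$Path)
    # /R everyone removes the entry added above; run this before applying the update.
    & cacls.exe $Path /E /R 'everyone' | Out-Null
}

foreach ($f in $files) {
    Deny-EveryoneAccess -Path $f
    if (Test-Path -LiteralPath $f) {
        '{0}: Everyone denied = {1}' -f $f, (Test-EveryoneDenied -Path $f)
    }
}
```

Call Restore-EveryoneAccess on each file before installing the update, otherwise the installer may be unable to replace the denied files.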
Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160)
http://www.microsoft.com/technet/security/Bulletin/MS10-023.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
 

Description
This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerability by correcting the way that Microsoft Office Publisher opens specially crafted Publisher files.
  • Microsoft Office Publisher File Conversion TextBox Processing Buffer Overflow Vulnerability - CVE-2010-0479
    A remote code execution vulnerability exists in the way that Microsoft Office Publisher opens Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file.

    If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Analysis
A single vulnerability within Microsoft Office Publisher could allow remote attackers to trigger a memory corruption that could potentially be leveraged to execute arbitrary code on the system. Attackers will exploit this vulnerability by crafting a malformed Publisher file (.PUB) and emailing it, or using social engineering, to convince users to download and open the file. Once opened, this malicious .PUB file would compromise the system, typically installing additional malware, botnets, or rootkits, or giving the attacker remote access to the compromised machine.
Recommendations
Users with Microsoft Office Publisher should not download or open untrusted .PUB files until the patch is applied.
Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
http://www.microsoft.com/technet/security/Bulletin/MS10-024.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
 

Description
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Exchange and Windows SMTP Service. The more severe of these vulnerabilities could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service. By default, the SMTP component is not installed on Windows Server 2003, Windows Server 2003 x64 Edition, or Windows XP Professional x64 Edition. The security update addresses the vulnerabilities by correcting the manner in which SMTP parses MX records and the manner in which SMTP allocates memory for interpreting SMTP command responses.
  • SMTP Server MX Record Vulnerability - CVE-2010-0024
    A denial of service vulnerability exists in the way that the Microsoft Windows Simple Mail Transfer Protocol (SMTP) component handles specially crafted DNS Mail Exchanger (MX) resource records. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the SMTP service. An attacker who successfully exploited this vulnerability could cause the SMTP service to stop responding until restarted.
  • SMTP Memory Allocation Vulnerability - CVE-2010-0025
    An information disclosure vulnerability exists in the Microsoft Windows Simple Mail Transfer Protocol (SMTP) component due to the manner in which the SMTP component handles memory allocation. An attacker could exploit the vulnerability by sending invalid commands, followed by the STARTTLS command, to an affected server. An attacker who successfully exploited this vulnerability could read random e-mail message fragments stored on the affected server. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce useful information that could be used to try to further compromise the affected system.
Analysis
This patch addresses 2 remote vulnerabilities within Microsoft Exchange and SMTP that could allow remote attackers to trigger a persistent denial of service attack or gain access to sensitive email content on the vulnerable system. Attackers will use these vulnerabilities to disrupt mission critical servers or potentially steal sensitive information from targeted environments.
Recommendations
Apply the patch immediately to prevent attackers from exploiting either vulnerability against the vulnerable Exchange or SMTP servers.
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)
http://www.microsoft.com/technet/security/Bulletin/MS10-028.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
 

Description
This security update resolves two privately reported vulnerabilities in Microsoft Office Visio. The vulnerabilities could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses these vulnerabilities by correcting the way that Microsoft Office Visio validates attributes and calculates indexes when opening specially crafted Visio files.
  • Visio Attribute Validation Memory Corruption Vulnerability - CVE-2010-0254
    A remote code execution vulnerability exists in the way that Microsoft Office Visio validates attributes when handling specially crafted Visio files.

    An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  • Visio Index Calculation Memory Corruption Vulnerability - CVE-2010-0256
    A remote code execution vulnerability exists in the way that Microsoft Office Visio calculates indexes when handling specially crafted Visio files.

    An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Analysis
This patch addresses 2 vulnerabilities that allow remote attackers to execute arbitrary code within the context of the currently logged-on user. Attackers will try to trick users into opening malicious Visio files; upon opening such a file, the user's machine will become compromised. If the user has Administrator rights, the attacker would have complete control of the system and could potentially use it as a base for future attacks against machines within and outside the user's network.
Recommendations
Users of Microsoft Office Visio should not download or open untrusted Visio files until the patch is applied.
MS10-029 - Vulnerability in Windows ISATAP Component Could Allow Spoofing (978338)
http://www.microsoft.com/technet/security/Bulletin/MS10-029.mspx
Microsoft Severity Rating: Moderate
eEye Severity Rating: Moderate

Description
This security update resolves one privately reported vulnerability in Microsoft Windows. This security update is rated Moderate for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Windows 7 and Windows Server 2008 R2 are not vulnerable because these operating systems include the feature deployed by this security update. This vulnerability could allow an attacker to spoof an IPv4 address so that it may bypass filtering devices that rely on the source IPv4 address. The security update addresses the vulnerability by changing the manner in which the Windows TCP/IP stack checks the source IPv6 address in a tunneled ISATAP packet.
  • ISATAP IPv6 Source Address Spoofing Vulnerability - CVE-2010-0812
    A spoofing vulnerability exists in the Microsoft Windows IPv6 stack due to the way that Windows checks the inner packet's IPv6 source address in a tunneled ISATAP packet. An attacker who successfully exploited this vulnerability could impersonate an address to bypass edge or host firewalls. Additionally, information could be disclosed when the targeted computer replies to the message using the source IPv6 address that the attacker specified.
Analysis
This patch addresses a vulnerability in the Windows IPv6 stack implementation that allows malicious users to impersonate another valid computer or user. This could then be used to bypass firewalls that only allow connections from certain systems and/or users.
Recommendations
Apply this update as soon as possible to affected systems. Until the patch is applied, block IPv6 communications through a firewall.
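As an added illustration of the consistency check the ISATAP bulletin describes (example code written for this bulletin, not the page's or Microsoft's own), the following Python parses an IPv6-in-IPv4 packet and flags an inner ISATAP source address whose embedded IPv4 address does not match the outer IPv4 source, which is the mismatch a filtering device or host firewall needs to reject. The packet builder and all addresses are constructed for the example.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for IPv6-in-IPv4 encapsulation (used by ISATAP)


def isatap_embedded_ipv4(v6: bytes):
    """Return the IPv4 address embedded in an ISATAP interface identifier, or None.

    Per RFC 5214 the low 64 bits are 0000:5EFE:a.b.c.d (or 0200:5EFE:a.b.c.d
    when the embedded IPv4 address is globally unique)."""
    iid = v6[8:16]
    if iid[0] not in (0x00, 0x02) or iid[1:4] != b"\x00\x5e\xfe":
        return None
    return ipaddress.IPv4Address(iid[4:8])


def build_isatap_packet(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Construct (for testing only) an IPv4 header with protocol 41 followed by an
    IPv6 header; the IPv4 checksum is left zero since nothing here verifies it."""
    v6 = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)  # next header 59 = none
    v6 += ipaddress.IPv6Address(inner_src).packed
    v6 += ipaddress.IPv6Address(inner_dst).packed + payload
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, IPPROTO_IPV6, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6


def check_isatap_source(pkt: bytes) -> str:
    """Classify an IPv4 packet as 'not-tunneled', 'non-isatap', 'consistent' or 'spoofed'.

    'spoofed' means the inner IPv6 source claims an ISATAP identity whose embedded
    IPv4 address differs from the outer IPv4 source that actually delivered it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_IPV6:
        return "not-tunneled"
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("malformed inner IPv6 header")
    embedded = isatap_embedded_ipv4(inner[8:24])
    if embedded is None:
        return "non-isatap"
    return "consistent" if embedded == outer_src else "spoofed"
```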
The eEye Advantage

Assessment
eEye Digital Security's customers can update their Retina scanner to detect systems vulnerable to these latest issues and verify that this month's Microsoft patches are installed. Updated vulnerability audits are automatically available to eEye Retina vulnerability assessment customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/Resources/Security-Center/Patch-Tuesday/Audits/April-2010.aspx

Protection
eEye's line of security modules protects from the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity. The result is complete protection for the system and the sensitive data that resides on it, with zero downtime or impact to critical system operations. Current protection customers are not required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required.

Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/Company/News-and-Events/Vulnerability-Expert-Forum.aspx.
© 1998 – 2012 eEye Digital Security. All rights reserved.