eEye Digital Security

Microsoft Patch Disclosure
August 10th, 2010

Overview
This month, Microsoft released 15 patches which repair a total of 35 vulnerabilities. Of these 15 patches, 11 address Remote Code Execution vulnerabilities and 4 address Elevation of Privilege vulnerabilities.

Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.


Patch Precedence
Administrators are advised to patch MS10-054, MS10-053, and MS10-056 immediately to prevent exploitation by attackers.
Next, administrators should patch MS10-049, 050, 051, 052, 055, 057, and 060 as soon as possible.
Lastly, administrators should patch MS10-047, 048, 058 and 059 at their earliest convenience.

As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.

Bulletin/Advisory Summary

Critical
MS10-046 - Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
MS10-049 - Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)
MS10-051 - Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)
MS10-052 - Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
MS10-053 - Cumulative Security Update for Internet Explorer (2183461)
MS10-054 - Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)
MS10-055 - Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)
MS10-056 - Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
MS10-060 - Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)

Important

MS10-047 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)
MS10-048 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
MS10-050 - Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)
MS10-057 - Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)
MS10-058 - Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
MS10-059 - Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799)

Bulletin/Advisory Details

MS10-046
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by correcting validation of shortcut icon references.

  • Shortcut Icon Loading Vulnerability - CVE-2010-2568
    A remote code execution vulnerability exists in affected versions of Microsoft Windows. The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the operating system displays the icon of a malicious shortcut file. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.

Analysis
A vulnerability exists in how Windows Shell processes LNK and PIF files. It could be exploited to give an attacker the ability to execute arbitrary code on a victim's system. To exploit this vulnerability, an attacker would need to convince a user to visit a malicious page controlled by the attacker; alternative strategies have included propagation over USB media, a technique the Stuxnet trojan used successfully. The Windows shell would process the malicious icon reference in a LNK/PIF file hosted on the site, triggering the vulnerability and giving the attacker privileges equal to those of the current user. If the user had Administrator privileges, the attacker would gain complete control of the system.

Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Until this patch is rolled out, administrators should 1) prevent LNK and PIF files from being downloaded, 2) set the default value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler and HKEY_CLASSES_ROOT\piffile\shellex\IconHandler to empty, 3) block the WebClient service from running on client machines, and 4) block outbound SMB connections from machines that connect to systems outside of the network.

MS10-049
Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a specially crafted Web site that is designed to exploit these vulnerabilities through an Internet Web browser. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site. The security update addresses the vulnerabilities by implementing RFC 5746 and additional validation on SSL responses returned by a server.

  • TLS/SSL Renegotiation Vulnerability - CVE-2009-3555
    A spoofing vulnerability exists in the TLS/SSL protocol, implemented in the Microsoft Windows SChannel authentication component. An attacker who successfully exploited this vulnerability would be able to introduce information on a TLS/SSL protected connection, effectively sending traffic spoofing the authenticated client.
  • SChannel Malformed Certificate Request Remote Code Execution Vulnerability - CVE-2010-2566
    A remote code execution vulnerability exists in the way that SChannel on a client machine validates a certificate request message sent by the server. An attacker could host a specially crafted Web site that is designed to exploit these vulnerabilities through an Internet Web browser and then convince a user to view the Web site. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site.

Analysis
This patch addresses 1 remote code execution vulnerability and 1 spoofing vulnerability within the SChannel security package in Windows. Attackers will attempt to lure victims to view an attacker-controlled site, which will execute remote arbitrary code on the victim's machine.

Recommendations
Administrators are urged to patch all affected systems as soon as possible. There is currently no workaround for the remote code execution vulnerability described in this bulletin. Until patching is complete, the spoofing vulnerability can be mitigated by requiring mutual authentication on IIS servers.

MS10-051
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves a privately reported vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site. The security update addresses the vulnerability by ensuring that HTTP responses are handled correctly by MSXML.

  • Msxml2.XMLHTTP.3.0 Response Handling Memory Corruption Vulnerability - CVE-2010-2561
    A remote code execution vulnerability exists in the way that Microsoft XML Core Services handles HTTP responses. The vulnerability could allow remote code execution if a user browses a Web site that contains specially crafted content or opens specially crafted HTML e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
A memory corruption vulnerability exists in Microsoft XML Core Services when handling malformed HTTP responses. Attackers could leverage this vulnerability by tricking a user into visiting a malicious website. This could ultimately lead to remote code execution on the target's machine that would run with the same permissions as the current user.

Recommendations
Administrators should roll out this patch as soon as possible. Until then, set a killbit on {F5078F35-C551-11D3-89B9-0000F81FE221} for Internet Explorer by setting its "Compatibility Flags" flag to dword:00000400.

MS10-052
Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves a privately reported vulnerability in Microsoft MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by correcting the way that the Microsoft MPEG Layer-3 audio codecs handle the MPEG Layer-3 audio stream in specially crafted media files.

  • MPEG Layer-3 Audio Decoder Buffer Overflow Vulnerability - CVE-2010-1882
    This vulnerability could allow code execution if a user opened a specially crafted audio file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
A buffer overflow vulnerability, which could lead to remote code execution, exists in the MPEG Layer-3 Audio Decoder on Windows. This can be exploited by tricking a user to view a site that will automatically play a crafted MP3 file. Alternatively attackers could spread the MP3 across peer-to-peer networks, disguising it as something like a newly released track from a famous artist. Upon successful exploitation, the attacker would have gained control of the affected system with the same rights as the current user.

Recommendations
Administrators should roll out the patch as soon as possible. Until then, disable the use of l3codecx.ax on affected systems. In addition, remove the ClassID, {38BE3000-DBF4-11D0-860E-00A024CFEF6D}, from affected systems.

MS10-053
Cumulative Security Update for Internet Explorer (2183461)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves six privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerabilities by modifying the way that Internet Explorer enforces security checks and handles objects in memory.

  • Event Handler Cross-Domain Vulnerability - CVE-2010-1258
    An information disclosure vulnerability exists in Internet Explorer that could allow script to gain access to a browser window in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page and then interacts with the browser window using the mouse.
  • Uninitialized Memory Corruption Vulnerability - CVE-2010-2556
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Uninitialized Memory Corruption Vulnerability - CVE-2010-2557
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Race Condition Memory Corruption Vulnerability - CVE-2010-2558
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that may have been corrupted due to a race condition. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Uninitialized Memory Corruption Vulnerability - CVE-2010-2559
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • HTML Layout Memory Corruption Vulnerability - CVE-2010-2560
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
Multiple memory corruption vulnerabilities exist in Internet Explorer, allowing attackers to exploit these vulnerabilities to execute remote code on a target's system. In addition, an information disclosure vulnerability allows attackers to gain access to browser windows in other domains or trust zones. Publicly available information exists for these vulnerabilities, allowing attackers to easily craft successful exploits targeting issues addressed by MS10-053.

Recommendations
Administrators should roll this patch out as soon as possible.

MS10-054
Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities. The security update addresses these vulnerabilities by correcting the way that SMB validates SMB requests.

  • SMB Pool Overflow Vulnerability - CVE-2010-2550
    An unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the Server service. An attacker who successfully exploited this vulnerability could take complete control of the system.
  • SMB Variable Validation Vulnerability - CVE-2010-2551
    A denial of service vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the Server service.
  • SMB Stack Exhaustion Vulnerability - CVE-2010-2552
    A denial of service vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB compounded requests. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the Server service.

Analysis
This bulletin addresses 1 remote code execution vulnerability and 2 denial of service vulnerabilities. The remote code execution vulnerability will be of particular interest to attackers, since it does not require the attacker to be authenticated. All the attacker needs to do is send a malicious SMB request to the Server service, and a successful exploit would let them run arbitrary code at kernel-level privileges on that server. As of this writing, public proof of concept code exists for this vulnerability, and it is being used by attackers in efforts to compromise and disable vulnerable systems.

Recommendations
Roll out the patch to affected systems as soon as possible. Until this is done, block ports 139 and 445 at the public-facing firewall. Please note that this vulnerability also affects Windows 2000 systems; because Windows 2000 has reached End of Life, no patch is expected to be released for it, so the firewall mitigation is the only option on those systems.

MS10-055
Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves a privately reported vulnerability in Cinepak Codec. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by correcting the manner in which the Cinepak code decompresses media files.

  • Cinepak Codec Decompression Vulnerability - CVE-2010-2553
    A remote code execution vulnerability exists in the way the Cinepak codec handles supported format files. This vulnerability could allow code execution if a user opened a specially crafted media file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
This bulletin addresses a remote code execution vulnerability in the processing of malformed media files encoded with the Cinepak codec. After exploiting this vulnerability, attackers would be able to execute code within the context of the currently logged on user.

Recommendations
Administrators should push this patch to affected systems as soon as possible. Until this is possible, restrict access to iccvid.dll. In addition, modify the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 (or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 for 64 bit systems) to remove the vidc.cvid value.
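The interim workarounds recommended above for MS10-046 (IconHandler default values and the WebClient service), MS10-051 (the MSXML3 kill bit) and MS10-055 (the vidc.cvid Drivers32 entry) are all local registry or service changes, so one script can audit them. The following PowerShell script is an added example, not eEye's or Microsoft's code: it reports whether each workaround is in place on the local host and, with -Apply, sets it after exporting a .reg backup of each key so the change can be reverted once the real patch is installed. It assumes an elevated PowerShell 2.0 or later session; the ActiveX Compatibility key used for the kill bit and the Wow6432Node views on 64-bit hosts are standard locations the advisory does not spell out.

```powershell
<#
  Added example, not eEye's or Microsoft's code: audits and optionally applies
  the interim workarounds from MS10-046 (shortcut IconHandler default values,
  WebClient service), MS10-051 (MSXML3 kill bit) and MS10-055 (Cinepak
  vidc.cvid). Run from an elevated PowerShell prompt; -Apply writes changes
  only after exporting a .reg backup of each touched key to $BackupDir.
#>
param(
    [switch]$Apply,
    [string]$BackupDir = (Join-Path $env:TEMP 'ms10-workaround-backup')
)

# HKEY_CLASSES_ROOT is not a PowerShell drive by default; map it so the
# advisory's key paths can be used as written.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# CLSID and Drivers32 paths come from the advisory. The ActiveX Compatibility
# kill-bit key and the Wow6432Node views on 64-bit hosts are standard
# locations the advisory does not spell out (assumption).
$msxml3Clsid   = '{F5078F35-C551-11D3-89B9-0000F81FE221}'
$killbitKeys   = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$msxml3Clsid")
$drivers32Keys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32')
if ([IntPtr]::Size -eq 8) {
    $killbitKeys   += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$msxml3Clsid"
    $drivers32Keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
}

# Action 'Blank' empties the key's default value, 'SetDword' writes a DWORD,
# 'Remove' deletes the named value.
$checks = @(
    @{ Bulletin = 'MS10-046'; Key = 'HKCR:\lnkfile\shellex\IconHandler'; Name = '(default)'; Action = 'Blank' },
    @{ Bulletin = 'MS10-046'; Key = 'HKCR:\piffile\shellex\IconHandler'; Name = '(default)'; Action = 'Blank' }
)
foreach ($k in $killbitKeys)   { $checks += @{ Bulletin = 'MS10-051'; Key = $k; Name = 'Compatibility Flags'; Action = 'SetDword'; Data = 0x400 } }
foreach ($k in $drivers32Keys) { $checks += @{ Bulletin = 'MS10-055'; Key = $k; Name = 'vidc.cvid'; Action = 'Remove' } }

# Returns the named value (or the key's default value for '(default)'),
# or $null when the key or value does not exist.
function Get-RegValue([string]$Key, [string]$Name) {
    if (-not (Test-Path -Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

# True when the workaround is in effect. A missing key or value counts as
# mitigated for 'Blank' and 'Remove', since there is nothing left to load.
function Test-WorkaroundApplied($c) {
    $v = Get-RegValue $c.Key $c.Name
    switch ($c.Action) {
        'Blank'    { return ($null -eq $v -or $v -eq '') }
        'SetDword' { return ($null -ne $v -and (($v -band 0x400) -eq 0x400)) }
        'Remove'   { return ($null -eq $v) }
    }
}

# Export the key with reg.exe before touching it so the workaround can be
# rolled back (reg import <file>) once the patch is deployed.
function Backup-Key([string]$Key) {
    if (-not (Test-Path -Path $Key)) { return }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $regPath = $Key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCR:\\', 'HKCR\'
    $file = Join-Path $BackupDir (($regPath -replace '[\\:{}]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
}

function Set-Workaround($c) {
    Backup-Key $c.Key
    switch ($c.Action) {
        'Blank'    { if (Test-Path -Path $c.Key) { Set-ItemProperty -Path $c.Key -Name '(default)' -Value '' } }
        'SetDword' {
            if (-not (Test-Path -Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
            Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Data -Type DWord
        }
        'Remove'   { if ($null -ne (Get-RegValue $c.Key $c.Name)) { Remove-ItemProperty -Path $c.Key -Name $c.Name } }
    }
}

$results = @(foreach ($c in $checks) {
    if ($Apply -and -not (Test-WorkaroundApplied $c)) { Set-Workaround $c }
    New-Object PSObject -Property @{
        Bulletin = $c.Bulletin; Value = $c.Name; Key = $c.Key
        Applied  = Test-WorkaroundApplied $c
    }
})

# MS10-046 also asks for the WebClient service to be blocked on client machines.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
if ($svc) {
    if ($Apply -and $svc.StartMode -ne 'Disabled') {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    }
    $results += New-Object PSObject -Property @{
        Bulletin = 'MS10-046'; Value = 'WebClient'; Key = 'service start mode'
        Applied  = ($svc.StartMode -eq 'Disabled')
    }
}

$results | Format-Table Bulletin, Applied, Value, Key -AutoSize
```

Run it without -Apply first to see which workarounds are already in place; the Applied column is what a patch-compliance check would key on until the bulletins themselves are installed.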

MS10-056
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerabilities by modifying the way that Microsoft Office Word opens specially crafted Word files and by modifying the way that Word handles certain properties of rich text data.

  • Word Record Parsing Vulnerability - CVE-2010-1900
    A remote code execution vulnerability exists in the way that Microsoft Office Word handles malformed records inside a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Word RTF Parsing Engine Memory Corruption Vulnerability - CVE-2010-1901
    A remote code execution vulnerability exists in the way that Microsoft Office Word parses rich text data. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Word RTF Parsing Buffer Overflow Vulnerability - CVE-2010-1902
    A remote code execution vulnerability exists in the way that Microsoft Office Word parses certain rich text data. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Word HTML Linked Objects Memory Corruption Vulnerability - CVE-2010-1903
    A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
This bulletin addresses 4 remote code execution vulnerabilities in Microsoft Office Word (versions) that are triggered while parsing malformed Word files (extensions). An attacker could create a specially crafted file containing malformed records or malicious rich text data; when a user opens the file, the vulnerability would be triggered, granting the attacker the ability to execute code within the context of the current user.

Recommendations
Administrators are urged to patch all affected systems as soon as possible.

MS10-060
Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in convincing a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing the page, as could be the case in a Web hosting scenario. The security update addresses the vulnerabilities by modifying the way that Microsoft Silverlight handles pointers and Microsoft .NET CLR handles interfaces.

  • Microsoft Silverlight Memory Corruption Vulnerability - CVE-2010-0019
    A remote code execution vulnerability exists in the way that Microsoft Silverlight handles pointers. The vulnerability could allow remote code execution if a user visits a specially crafted Web site that contains Silverlight content.
  • Microsoft Silverlight and Microsoft .NET Framework CLR Virtual Method Delegate Vulnerability - CVE-2010-1898
    A remote code execution vulnerability exists in the Microsoft .NET Framework that can allow a specially crafted Microsoft .NET application or a specially crafted Silverlight application to access memory, leading to arbitrary unmanaged code execution.

Analysis
This bulletin addresses 2 remote code execution vulnerabilities in Microsoft Silverlight and the .NET CLR that allow an attacker to execute unmanaged code. A user would be tricked into viewing an attacker-controlled site hosting a malicious Silverlight application; when that application runs, the vulnerability on the victim's system would be exploited, giving the attacker the ability to run arbitrary code within the context of the current user. Additionally, web servers that allow uploading and running of ASP.NET code are exposed to the vulnerability patched in this bulletin: an attacker would upload the exploit as an ASP.NET page and then request it, so that it is processed by the target web hosting server.

Recommendations
Administrators are urged to push this patch out to affected systems as soon as they are able.

MS10-047
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. The security update addresses the vulnerabilities by correcting Windows kernel object initialization and validation of access control lists and by introducing additional runtime validation to the thread creation mechanism.

  • Windows Kernel Data Initialization Vulnerability - CVE-2010-1888
    An elevation of privilege vulnerability exists in the Windows Kernel due to the way the kernel deals with specific thread creation attempts. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Windows Kernel Double Free Vulnerability - CVE-2010-1889
    An elevation of privilege vulnerability exists in the Windows Kernel due to the way the kernel initializes objects while handling certain errors. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Windows Kernel Improper Validation Vulnerability - CVE-2010-1890
    A denial of service vulnerability exists in the way that the Windows kernel validates access control lists on kernel objects. An attacker could exploit the vulnerability by running a specially crafted application causing the system to become unresponsive and automatically restart.

Analysis
This patch addresses 2 privilege elevation vulnerabilities and 1 denial of service vulnerability within the Microsoft Windows Kernel. Attackers will likely chain the privilege elevation vulnerabilities with browser-based vulnerabilities, such as CVE-2010-2559 in MS10-053, which execute remote code at the current user's level, to turn a user-level compromise into one with kernel-level privileges. This sort of combination will be a prime target for attackers.

Recommendations
Currently, there are no workarounds for this bulletin. Administrators are strongly urged to update affected systems as soon as possible.

MS10-048
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves one publicly disclosed and four privately reported vulnerabilities in the Windows kernel-mode drivers. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. The security update addresses the vulnerabilities by correcting the manner in which Windows kernel-mode drivers handle exceptions, allocate memory, and validate system call arguments, user-mode input, and new window callback parameters.

  • Win32k Bounds Checking Vulnerability - CVE-2010-1887
    A denial of service vulnerability exists in the Windows kernel-mode drivers due to the improper validation of an argument passed to a system call. An attacker could exploit the vulnerability by running a specially crafted application causing the system to become unresponsive and automatically restart.
  • Win32k Exception Handling Vulnerability - CVE-2010-1894
    An elevation of privilege vulnerability exists due to the way the Windows kernel-mode drivers handle certain exceptions. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Win32k Pool Overflow Vulnerability - CVE-2010-1895
    An elevation of privilege vulnerability exists because the Windows kernel-mode drivers do not properly allocate memory when making a copy from user mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Win32k User Input Validation Vulnerability - CVE-2010-1896
    An elevation of privilege vulnerability exists in Windows kernel-mode drivers due to improper validation of input passed from user mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Win32k Window Creation Vulnerability - CVE-2010-1897
    An elevation of privilege vulnerability exists because Windows kernel-mode drivers do not properly validate all parameters when creating a new window. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
This patch addresses 4 privilege elevation vulnerabilities and 1 denial of service vulnerability within the Microsoft Windows Kernel. Similar to MS10-047, attackers will look for ways to gain user privileges on a target system and then exploit one or more of these vulnerabilities in the kernel. This would grant the attacker kernel-level access to the target machine. Attackers will be very interested in this kind of vulnerability, since it can be used to control all aspects of a system and launch further attacks at other computers.

Recommendations
Currently, there are no workarounds for this bulletin. Administrators are strongly urged to update affected systems as soon as possible.

MS10-050
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a privately reported vulnerability in Windows Movie Maker. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker project file and convinced the user to open the specially crafted file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by changing the way that Windows Movie Maker parses Movie Maker project files.

  • Movie Maker Memory Corruption Vulnerability - CVE-2010-2564
    A remote code execution vulnerability exists in the way that Windows Movie Maker handles specially crafted project files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
A remote code execution vulnerability exists in Windows Movie Maker in how it parses the project file formats. If an attacker were to convince a user to open an attacker-provided Movie Maker project file, the vulnerability would be exploited and the user's system would become compromised, allowing the attacker to execute code at the same level as the currently logged on user.

Recommendations
Administrators should patch affected systems at the soonest time after the critical patches have been applied. Until that can be done, administrators can mitigate this threat by removing the .MSWMM file extension association in the registry. This can be done by deleting the HKEY_CLASSES_ROOT\.MSWMM key.
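The following is an added example, not part of the eEye newsletter, showing how an administrator could apply the workaround above in a reversible way: the HKEY_CLASSES_ROOT\.MSWMM key named in the recommendation is exported to a backup file before it is deleted, and a second function restores it once MS10-050 has been installed and tested. The backup file location and the function names are assumptions; the script must run from an elevated PowerShell session.

```powershell
# Added example (not from the eEye newsletter): temporary mitigation for MS10-050
# by removing the .MSWMM file association, with a backup so the association can be
# restored after the patch is applied. Run from an elevated PowerShell session.

$assocKey   = 'HKCR:\.MSWMM'                                 # key named in the bulletin
$backupFile = Join-Path $env:TEMP 'MSWMM-assoc-backup.reg'   # assumed backup location

# The HKCR: drive is not mapped by default; map it so Test-Path / Remove-Item work on it.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Disable-MswmmAssociation {
    if (-not (Test-Path $assocKey)) {
        Write-Output 'HKEY_CLASSES_ROOT\.MSWMM is not present; nothing to do.'
        return $false
    }
    # Export first so the association can be put back once MS10-050 is installed.
    & reg.exe export 'HKEY_CLASSES_ROOT\.MSWMM' $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup of HKCR\.MSWMM failed; key left in place.' }
    Remove-Item -Path $assocKey -Recurse -Force
    # Verify the key is really gone before reporting success.
    return (-not (Test-Path $assocKey))
}

function Restore-MswmmAssociation {
    if (-not (Test-Path $backupFile)) { throw "No backup found at $backupFile" }
    & reg.exe import $backupFile | Out-Null
    return ($LASTEXITCODE -eq 0 -and (Test-Path $assocKey))
}

# Usage:
#   Disable-MswmmAssociation   # before the patch; returns $true when the key is removed
#   Restore-MswmmAssociation   # after MS10-050 has been applied and tested
```

Removing the association only stops Movie Maker from opening .MSWMM files by double-click; a user who opens a crafted project file from within Movie Maker itself is still exposed, so the workaround is a stopgap until the patch is deployed.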

MS10-057
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerability by changing the way that Microsoft Office Excel parses specially crafted Excel files.

  • Excel Memory Corruption Vulnerability - CVE-2010-2562
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
This bulletin addresses a remote code execution vulnerability that exists due to how Microsoft Office Excel parses Excel files. If an attacker were to convince a user to open an Excel file hosted on a site or sent through a spoofed email, the vulnerability would be exploited on the victim's system and would provide the attacker with the ability to execute arbitrary code on the victim's machine, within the context of the current user.

Recommendations
Administrators are urged to roll out this patch to affected systems as soon as possible.

MS10-058
Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege due to an error in the processing of a specific input buffer. An attacker who is able to log on to the target system could exploit this vulnerability and run arbitrary code with system-level privileges. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerabilities by correcting the way in which the TCP/IP stack handles malformed IPv6 packets and data copied from user mode.

  • IPv6 Memory Corruption Vulnerability - CVE-2010-1892
    A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of specially crafted IPv6 packets with a malformed extension header. An attacker could exploit the vulnerability by sending the target system a small number of specially crafted packets, causing the affected system to stop responding.
  • Integer Overflow in Windows Networking Vulnerability - CVE-2010-1893
    An elevation of privilege vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of a specific input buffer. An attacker who successfully exploited this vulnerability could run arbitrary code with system-level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
A privilege elevation vulnerability exists in how the Microsoft Windows TCP/IP stack processes certain input. An attacker would need to be able to log into a system and run a malicious program that exploits this vulnerability, which would give the attacker system-level access to the machine. Attackers would likely use such compromised systems as a launching point for further attacks.

Recommendations
Administrators are urged to push this patch out to affected systems as soon as they are able.

MS10-059
Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Tracing Feature for Services. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. The security update addresses the vulnerabilities by correcting the manner in which tokens are obtained and the length of a string read from the registry is calculated.

  • Tracing Registry Key ACL Vulnerability - CVE-2010-2554
    An elevation of privilege vulnerability exists when Windows places incorrect access control lists (ACLs) on the registry keys for the Tracing Feature for Services. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Tracing Memory Corruption Vulnerability - CVE-2010-2555
    An elevation of privilege vulnerability exists due to the way that the Tracing Feature for Services allocates memory when processing specially crafted long strings from the registry. An attacker who successfully exploited this vulnerability could run arbitrary code with system-level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
A vulnerability exists in the Tracing Feature for Services in Microsoft Windows which could allow elevation of privilege. To successfully exploit this vulnerability, an attacker would need to log into the target machine, or gain access through other means such as browser exploits, and execute a malicious application. This would give an attacker complete control of the target system, from which they are likely to launch further attacks against other systems.
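The ACL weakness behind CVE-2010-2554 above (registry keys that a service reads but that unprivileged users are allowed to write) is a condition administrators can audit for directly. The following is an added example, not code from the eEye newsletter or from Microsoft: it walks the registry keys given to it and reports Allow ACEs that grant write-type rights to broad, low-privilege identities. The key path in the usage line is a placeholder, and the function name and the set of identities checked are assumptions; the audit needs only read access to the keys.

```powershell
# Added example (not from the eEye newsletter or Microsoft): a defender's audit for the
# class of weakness in CVE-2010-2554, i.e. registry keys whose ACLs let unprivileged
# principals write. Key paths are placeholders; substitute the keys you want to check.

# Rights that let a low-privilege caller change what a privileged service later reads.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

# Well-known identities that should not hold write rights on service configuration.
# (Assumed list; extend it with whatever broad groups exist in your environment.)
$lowPrivIdentities = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Find-WeakRegistryAcl {
    param(
        [Parameter(Mandatory)][string[]]$KeyPaths,   # e.g. 'HKLM:\SOFTWARE\<placeholder>'
        [switch]$Recurse
    )
    foreach ($root in $KeyPaths) {
        if (-not (Test-Path $root)) { Write-Warning "Key not found: $root"; continue }
        $keys = @(Get-Item -Path $root)
        if ($Recurse) {
            $keys += Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue
        }
        foreach ($key in $keys) {
            $acl = Get-Acl -Path $key.PSPath
            foreach ($ace in $acl.Access) {
                # Only Allow ACEs grant access; Deny ACEs restrict it.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }
                [pscustomobject]@{
                    Key       = $key.Name
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage (placeholder path; replace with the service configuration keys you are auditing):
# Find-WeakRegistryAcl -KeyPaths 'HKLM:\SOFTWARE\<ServiceConfigPlaceholder>' -Recurse |
#     Format-Table -AutoSize
```

A hit from this audit is a finding to review, not proof of a vulnerability: some keys are legitimately user-writable. The rows worth attention are those where a service running as SYSTEM reads the key, which is the pattern the bulletin describes.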

Recommendations
Administrators are urged to push this patch out to affected systems as soon as they are able.

Feedback
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to newsletter@eeye.com.

Disclaimer
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email newsletter@eeye.com for permission.
www.eeye.com | sales@eeye.com | 111 Theory, Suite 250, Irvine, CA 92617 | 866.339.3732
© 1998 – 2012 eEye Digital Security. All rights reserved.