eEye Digital Security
Alert - eEye Security Bulletin
Microsoft Patch Disclosure - December 8, 2009
Overview
This month Microsoft released 6 bulletins which repair a total of 12 vulnerabilities. One of these vulnerabilities was a public zero-day (Internet Explorer CSS Memory Corruption – CVE-2009-3672) that has been used in the wild to compromise systems.

Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus generically protect against client-side memory-corruption vulnerabilities.
 
Patch Precedence
Out of the 6 patches this month, three are client-side specific, and three address remote network vulnerabilities. Administrators should patch MS09-072, MS09-071, and MS09-073 immediately. The remainder of the patches should be applied after environment testing, or to environments that have the specifically affected software deployed.

As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article "Patch Tuesday Prioritization for a Large Enterprise".
Bulletin Summary
Critical
MS09-071 - Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
MS09-072 - Cumulative Security Update for Internet Explorer (976325)
MS09-074 - Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)
 

Important
MS09-069 - Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)
MS09-070 - Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)
MS09-073 - Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)
 

 
Bulletin Details
Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)
http://www.microsoft.com/technet/security/Bulletin/MS09-069.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
 
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow a denial of service if a remote, authenticated attacker, while communicating through Internet Protocol security (IPsec), sends a specially crafted ISAKMP message to the Local Security Authority Subsystem Service (LSASS) on an affected system.
  • Local Security Authority Subsystem Service Resource Exhaustion Vulnerability - CVE-2009-3675
    A denial of service vulnerability exists in Microsoft Windows due to the way that the Local Security Authority Subsystem Service (LSASS) improperly handles specially crafted ISAKMP messages communicated through IPsec.
This vulnerability can only be exploited by an authenticated attacker using an Internet Protocol Security (IPsec) environment. Therefore, not all systems and environments are affected by this vulnerability. This vulnerability will likely only be exploited in targeted scenarios by logged-in users or applications, such as disgruntled employees or via a malformed application. Administrators with IPsec environments should roll out this patch after testing to ensure network communication is not affected by the update.
Recommendations
For environments that do not require IPsec, administrators have the option of removing IPsec in order to mitigate this attack.
Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)
http://www.microsoft.com/technet/security/Bulletin/MS09-070.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
 
Description
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if an attacker sent a specially crafted HTTP request to an ADFS-enabled Web server. An attacker would need to be an authenticated user in order to exploit either of these vulnerabilities. The security update addresses the vulnerabilities by correcting the validation that ADFS-enabled Web servers apply to request headers submitted by a Web client.
  • Single Sign On Spoofing in ADFS Vulnerability - CVE-2009-2508
    A spoofing vulnerability in Active Directory Federation Services could allow an attacker to impersonate an authenticated user if the attacker has access to a workstation and Web browser recently used by the targeted user to access a Web site that offers single sign on.
  • Remote Code Execution in ADFS Vulnerability - CVE-2009-2509
    A remote code execution vulnerability exists in implementations of Active Directory Federation Services (ADFS). The vulnerability is due to incorrect validation of request headers when an authenticated user connects to an ADFS enabled Web server. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
These vulnerabilities can be exploited by remote authenticated attackers to trigger memory corruption or to impersonate another user and conceal their real identity. Attackers are likely to target these vulnerabilities in environments where they have already gained access to users' credentials (usually through a system compromise followed by keylogging software, man-in-the-middle attacks, or phishing attacks).
Recommendations
Since these attacks require valid logon credentials, administrators are advised to monitor client machines for attackers launching network exploits from compromised machines.
Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
http://www.microsoft.com/technet/security/Bulletin/MS09-071.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
 
Description
This security update resolves two privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow remote code execution if messages received by the Internet Authentication Service server are copied incorrectly into memory when handling PEAP authentication attempts. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. Servers using Internet Authentication Service are only affected when using PEAP with MS-CHAP v2 authentication. The security update addresses the vulnerabilities by correcting the way Internet Authentication Service validates authentication requests by PEAP clients.
  • Internet Authentication Service Memory Corruption Vulnerability - CVE-2009-2505
    A remote code execution vulnerability exists in implementations of Protected Extensible Authentication Protocol (PEAP) on the Internet Authentication Service. The vulnerability is due to incorrect copying into memory of messages received by the server when handling PEAP authentication attempts. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
  • MS-CHAP Authentication Bypass Vulnerability - CVE-2009-3677
    An elevation of privilege vulnerability exists in the Internet Authentication Service. An attacker could send a specially crafted Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) authentication request that could obtain access to network resources under the privileges of a specific, authorized user.
Two vulnerabilities within PEAP and Microsoft Internet Authentication Service could allow remote attackers to bypass authentication systems or execute arbitrary code at elevated privileges on a vulnerable system. These two attacks are the most critical network attacks addressed by Microsoft this month and should be patched immediately in environments which implement MS-CHAP and PEAP. Attackers are likely to focus on exploiting these vulnerabilities and use them alongside client-side vulnerabilities to compromise servers in environments that they gain access to.
Recommendations
Administrators are urged to roll out this patch as soon as possible to ALL vulnerable systems. Alternatively, in environments which have the option of changing their authentication protocol, administrators can switch to a protocol other than PEAP with MS-CHAP v2 on their Internet Authentication Service servers to mitigate this attack.
Cumulative Security Update for Internet Explorer (976325)
http://www.microsoft.com/technet/security/Bulletin/MS09-072.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Highly Critical
 
Description
This security update resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. An ActiveX control built with Microsoft Active Template Library (ATL) headers could also allow remote code execution. The security update addresses these vulnerabilities by correcting the control and by modifying the way that Internet Explorer handles objects in memory.
  • ATL COM Initialization Vulnerability - CVE-2009-2493
    A remote code execution vulnerability exists in an ActiveX control built with vulnerable Microsoft Active Template Library (ATL) headers. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. Components and controls built using ATL could allow the instantiation of arbitrary objects that can bypass related security policy, such as kill bits within Internet Explorer. Therefore, this vulnerability could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.
  • Uninitialized Memory Corruption Vulnerability - CVE-2009-3671
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • HTML Object Memory Corruption Vulnerability - CVE-2009-3672
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Uninitialized Memory Corruption Vulnerability - CVE-2009-3673
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Uninitialized Memory Corruption Vulnerability - CVE-2009-3674
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
This patch addresses five vulnerabilities within Microsoft Internet Explorer that could allow remote attackers to execute arbitrary code and compromise systems when users visit a malicious web page. It covers the Microsoft zero-day CSS vulnerability (CVE-2009-3672) and 4 other similar vulnerabilities. These vulnerabilities could allow malicious individuals to conduct drive-by exploit attacks by injecting malicious iframes into servers, or by using SQL injection against them, so that browsers are redirected to malformed web pages that target these vulnerabilities.
Recommendations
Administrators are HIGHLY advised to roll out this patch immediately.
Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)
http://www.microsoft.com/technet/security/Bulletin/MS09-073.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Critical
 
Description
This security update resolves a privately reported vulnerability in Microsoft WordPad and Microsoft Office text converters. The vulnerability could allow remote code execution if a specially crafted Word 97 file is opened in WordPad or Microsoft Office Word. An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. The security update addresses the vulnerability by correcting the way WordPad and the Office Text Converters parse Word 97 documents.
  • WordPad and Office Text converter Memory Corruption Vulnerability - CVE-2009-2506
    A remote code execution vulnerability exists in the way that text converters in Microsoft WordPad and Microsoft Office Word process memory when a user opens a specially crafted Word 97 file.
This patch fixes a single vulnerability within Microsoft Office Excel XP, 2003, Microsoft Works 8.5 and WordPad. This vulnerability is triggered by opening malformed document files and could allow a remote attacker to execute arbitrary code in the context of the current user. Attackers will likely exploit this vulnerability using targeted and drive-by web attacks in order to compromise client machines. From here, machines will be loaded with botnet malware or used as attack points to target other machines on the network.
Recommendations
Administrators are urged to roll out this patch as soon as possible to all vulnerable systems, especially internet-facing client machines with Microsoft Office XP or 2003 installed.
Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)
http://www.microsoft.com/technet/security/Bulletin/MS09-074.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Important
 
Description
This security update resolves a privately reported vulnerability in Microsoft Office Project. The vulnerability could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update removes the vulnerability by modifying the way that Microsoft Office Project validates memory allocations when opening Project files from disk to memory.
  • Project Memory Validation Vulnerability - CVE-2009-0102
    A remote code execution vulnerability exists in the way that Microsoft Office Project handles specially crafted Project files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
This patch addresses a single vulnerability within Microsoft Project. This vulnerability is triggered by opening a malformed Project Plan file (.MPP) and allows a remote attacker to execute arbitrary code in the context of the current user. Attackers will likely exploit this vulnerability using targeted and drive-by web attacks in order to compromise client machines. From here, machines will be loaded with botnet malware or used as attack points to target other machines on the network.
Recommendations
Administrators are urged to roll out this patch as soon as possible to all vulnerable systems, especially internet-facing client machines with Microsoft Project 2000, 2002/XP and 2003 installed.
The eEye Advantage

Retina® Security Scanner
eEye Digital Security's Retina customers can update their scanner to detect systems vulnerable to these latest issues and verify this month's Microsoft patches are installed. Updated Retina audits are automatically available to eEye Retina customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/Resources/Security-Center/Patch-Tuesday/Audits/December-2009.aspx

Blink® Endpoint Security
eEye's line of Blink with Anti-Virus software protects against the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity. Blink does not require the disabling of services or applications as a means of protection. The result is complete protection for the system and the sensitive data that resides on it, with zero downtime or impact to critical system operations.

Current Blink customers aren't required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required. Blink Professional, Blink Server and Blink Personal now include multiple integrated anti-virus engines. Blink Personal is available for free for one year for personal use and can be downloaded at: http://free-antivirus.eeye.com. Business users can download a trial version of Blink Professional at
http://www.eeye.com/Downloads/Trial-Software/Blink-Professional-Edition.aspx


Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/Company/News-and-Events/Vulnerability-Expert-Forum.aspx.