This month Microsoft released 13 patches which repair a total of 26 vulnerabilities. Of these 13 patches, 9 address Remote Code Execution vulnerabilities, 2 address Denial of Service (DoS) vulnerabilities, and 2 address Privilege Escalation vulnerabilities.
Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus have protected from client-side memory-corruption vulnerabilities generically without the need for any updates.
Out of the 13 advisories this month, administrators are advised to patch MS10-006, MS10-009, MS10-013, MS10-015, and MS10-012 immediately. Machines with Microsoft Office installed should also be patched for MS10-003 and MS10-004 as soon as possible. The remainder of the patches should be applied after environment testing, or to environments that have the specifically affected software deployed.
As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.
For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.
MS10-006 - Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
MS10-007 - Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
MS10-008 - Cumulative Security Update of ActiveX Kill Bits (978262)
MS10-009 - Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
MS10-013 - Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
MS10-003 - Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214)
MS10-004 - Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)
MS10-010 - Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)
MS10-011 - Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)
MS10-012 - Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)
MS10-014 - Vulnerability in Kerberos Could Allow Denial of Service (977290)
MS10-015 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
MS10-005 - Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)
Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
http://www.microsoft.com/technet/security/Bulletin/MS10-006.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a malicious SMB server.
The security update addresses the vulnerabilities by correcting the manner in which the SMB client validates responses.
- SMB Client Pool Corruption Vulnerability - CVE-2010-0016
An unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could take complete control of the system.
- SMB Client Race Condition Vulnerability - CVE-2010-0017
An unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could take complete control of the system.
On Windows Vista and Windows Server 2008, this vulnerability could result in an elevation of privilege vulnerability due to the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB negotiate responses. An attacker who successfully exploited this vulnerability could run arbitrary code with system-level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials and be able to log on locally to elevate privileges in this manner.
This vulnerability could also result in a denial of service. An attempt to exploit the vulnerability in this manner would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could cause the computer to stop responding until restarted.
Analysis
Attackers will attempt to trick users into initiating a connection to a malicious SMB server, which would allow the attacker to send a response packet that compromises the victim’s system. Attackers will primarily focus on Windows 2000, XP, Server 2003, 7, and Server 2008 R2, since those are vulnerable to remote execution of arbitrary code. Secondary targets will be systems running Windows Vista and Server 2008, since those allow for privilege escalation. Attackers will likely install more malicious backdoor programs and use the compromised systems to launch attacks against other internal or external systems.
Recommendations
Administrators are urged to roll out this patch as soon as possible to all Windows systems, especially Windows 2000, XP, Server 2003, 7, and Server 2008 R2. Until these systems are patched, it is strongly advised that a white list of trusted SMB servers be applied to the firewall rule sets. Initiating SMB connections to untrusted internal and external SMB servers should be blocked.
Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
http://www.microsoft.com/technet/security/bulletin/MS10-007.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves a privately reported vulnerability in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not impacted by this security update. The vulnerability could allow remote code execution if an application, such as a Web browser, passes specially crafted data to the ShellExecute API function through the Windows Shell Handler.
The security update addresses the vulnerability by correcting the way that the ShellExecute API validates input parameters.
- URL Validation Vulnerability - CVE-2010-0027
A remote code execution vulnerability exists in affected versions of Microsoft Windows. The vulnerability results from the incorrect validation of input sent to the ShellExecute API function. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Analysis
This is a patch to the local validation of URLs. It is the counterpart to the URL validation vulnerability in Internet Explorer, which was patched in MS10-002. For the current vulnerability, attackers would trick users into clicking a malicious link that would run a file on the local system. Upon successfully compromising a system, attackers will load botnet malware onto the machine and likely use it as an attack point to target other machines on the network.
Recommendations
Administrators are urged to update all versions of Windows as soon as possible, starting with Windows 2000, XP, and Server 2003, and then continuing to update all other versions.
Cumulative Security Update of ActiveX Kill Bits (978262)
http://www.microsoft.com/technet/security/bulletin/MS10-008.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update addresses a privately reported vulnerability for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000 and Windows XP, Important for all supported editions of Windows Vista and Windows 7, Moderate for all supported editions of Windows Server 2003, and Low for all supported editions of Windows Server 2008 and Windows Server 2008 R2.
The security update addresses the vulnerability by setting a kill bit so that the vulnerable control does not run in Internet Explorer.
- Microsoft Data Analyzer ActiveX Control Vulnerability - CVE-2010-0252
A remote code execution vulnerability exists in the Microsoft Data Analyzer ActiveX Control. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
Analysis
Attackers will attempt to trick users into clicking a link to a malicious web page. Upon viewing the page, the user's system would execute malicious code that would allow the attacker to gain control of the system with the same rights as the user who visited the malicious page. Upon successfully compromising a system, if the user has administrative privileges, the attacker could control the system completely. If the user has limited rights, the attacker could view confidential data that the user has access to, as well as access anything the local user has rights to access.
Recommendations
Administrators are urged to roll out this patch as soon as possible to all versions of Windows, starting with Windows 2000 and XP, followed by Vista and 7, followed by Server 2003, and then lastly Server 2008 and Server 2008 R2.
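The kill-bit mechanism MS10-008 relies on is a registry flag that Internet Explorer consults before loading a control, so whether the mitigation is in place on a given machine can be verified directly. The script below is an added example, not eEye's or Microsoft's code: it reads the "Compatibility Flags" DWORD under the ActiveX Compatibility key for a CLSID, reports whether the kill bit (0x400) is set, and with -Apply sets it while preserving any other flags already present. The CLSID in the default parameter is a placeholder; the real Data Analyzer CLSID must be taken from the MS10-008 bulletin.

```powershell
# Added example (not eEye's or Microsoft's code): verifies, and optionally
# applies, the ActiveX kill bit for a control's CLSID. Internet Explorer will
# not load a control whose "Compatibility Flags" value under the ActiveX
# Compatibility key has bit 0x400 set; MS10-008 sets that bit for the
# Microsoft Data Analyzer control. The CLSID below is a PLACEHOLDER, not the
# real Data Analyzer CLSID; take the real value from the MS10-008 bulletin.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',  # placeholder
    [switch]$Apply
)

$KillBit   = 0x400                 # COMPAT_EVIL_DONT_LOAD flag
$ValueName = 'Compatibility Flags'

# 32-bit IE on 64-bit Windows reads the WOW64 view of the key, so check both.
$keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatFlags ([string]$Key) {
    # Returns the current flags DWORD, or 0 when the key or value is absent.
    if (-not (Test-Path $Key)) { return 0 }
    $v = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $v) { return 0 }
    return [int]$v
}

function Test-KillBit ([string]$Key) {
    return (((Get-CompatFlags $Key) -band $KillBit) -eq $KillBit)
}

foreach ($key in $keys) {
    if (Test-KillBit $key) {
        Write-Output "kill bit SET      $key"
        continue
    }
    if ($Apply) {
        # Keep any other compatibility flags already present; only OR in the kill bit.
        $flags = (Get-CompatFlags $key) -bor $KillBit
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name $ValueName -Value $flags -Type DWord
        Write-Output "kill bit APPLIED  $key"
    } else {
        Write-Output "kill bit MISSING  $key"
    }
}
```

Run from an elevated PowerShell prompt as `.\Check-KillBit.ps1 -Clsid '{...}'` to audit, and add `-Apply` to set the bit on machines where the update cannot be installed yet. The same check works for any control covered by a cumulative kill-bit update, which is why the CLSID is a parameter rather than hard-coded.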
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
http://www.microsoft.com/technet/security/Bulletin/MS10-009.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if specially crafted packets are sent to a computer with IPv6 enabled. An attacker could try to exploit the vulnerability by creating specially crafted ICMPv6 packets and sending the packets to a system with IPv6 enabled. This vulnerability may only be exploited if the attacker is on-link.
The security update addresses the vulnerabilities by changing the way Windows TCP/IP performs bounds checking and other packet handling operations.
- ICMPv6 Router Advertisement Vulnerability - CVE-2010-0239
A remote code execution vulnerability exists in the Windows TCP/IP stack due to insufficient bounds checking when processing specially crafted ICMPv6 Router Advertisement packets. An anonymous attacker could exploit the vulnerability by sending specially crafted ICMPv6 Router Advertisement packets to a computer with IPv6 enabled. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Header MDL Fragmentation Vulnerability - CVE-2010-0240
A remote code execution vulnerability exists in the Windows TCP/IP stack due to the manner in which the TCP/IP stack handles specially crafted Encapsulating Security Payloads (ESP) over UDP datagram fragments when running a custom network driver. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- ICMPv6 Route Information Vulnerability - CVE-2010-0241
A remote code execution vulnerability exists in the Windows TCP/IP stack due to insufficient bounds checking when processing specially crafted ICMPv6 Route Information packets. An anonymous attacker could exploit the vulnerability by sending specially crafted ICMPv6 Route Information packets to a computer with IPv6 enabled. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- TCP/IP Selective Acknowledgement Vulnerability - CVE-2010-0242
A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of specially crafted TCP packets with a malformed selective acknowledgment (SACK) value. An attacker could exploit the vulnerability by sending the target system a small number of specially crafted packets causing the affected system to stop responding and automatically restart.
Analysis
An attacker connected to the local network has the potential to execute remote code on a target system by sending malicious TCP/IP packets to the target machine. Upon successfully compromising a system, attackers will likely load botnet malware onto the machine in order to use it as an attack point to target other machines on the network.
Recommendations
Administrators should patch as soon as possible to mitigate against possible remote attacks.
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
http://www.microsoft.com/technet/security/bulletin/MS10-013.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves a privately reported vulnerability in Microsoft DirectShow. The vulnerability could allow remote code execution if a user opened a specially crafted AVI file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The security update addresses the vulnerability by correcting the way that DirectShow opens AVI files.
- DirectShow Heap Overflow Vulnerability - CVE-2010-0250
A remote code execution vulnerability exists in the way that Microsoft DirectShow parses AVI media files. This vulnerability could allow remote code execution if a user opened a specially crafted AVI file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
An attacker would trick a user into viewing a malicious AVI file, which would allow for remote code execution by the attacker. Upon successfully compromising a system, if the user has administrative privileges, the attacker could control the system completely. If the user has limited rights, the attacker could view confidential data that the user has access to, as well as access anything the local user has rights to access.
Recommendations
Administrators are highly advised to roll out this update to all Windows systems. Until the patch has been completely deployed, it is advised to block access to AVI files originating from untrusted sources, such as untrusted websites or file servers.
Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214)
http://www.microsoft.com/technet/security/bulletin/MS10-003.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a privately reported vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The update addresses the vulnerability by modifying the way that Microsoft Office opens files.
- MSO.DLL Buffer Overflow - CVE-2010-0243
A remote code execution vulnerability exists in the way Microsoft Office handles specially crafted Office files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
This vulnerability is triggered by opening malformed Microsoft Office document files and could allow a remote attacker to execute arbitrary code in the context of the current user. Attackers will likely exploit this vulnerability using targeted and drive-by web attacks in order to compromise client machines. Upon successfully compromising a system, if the user has administrative privileges, the attacker could control the system completely. If the user has limited rights, the attacker could view confidential data that the user has access to, as well as access anything the local user has rights to access.
Recommendations
Administrators are urged to roll out this patch as soon as possible to all vulnerable systems, especially internet-facing client machines with Microsoft Office XP SP3 or Microsoft Office 2004 for Mac installed.
Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)
http://www.microsoft.com/technet/security/Bulletin/MS10-004.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves six privately reported vulnerabilities in Microsoft Office PowerPoint. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The security update addresses the vulnerabilities by changing the way that Microsoft Office PowerPoint and Microsoft PowerPoint Viewer parse specially crafted PowerPoint files.
- PowerPoint File Path Handling Buffer Overflow Vulnerability - CVE-2010-0029
A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- PowerPoint LinkedSlideAtom Heap Overflow Vulnerability - CVE-2010-0030
A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- PowerPoint OEPlaceholderAtom 'placementId' Invalid Array Indexing Vulnerability - CVE-2010-0031
A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- PowerPoint OEPlaceholderAtom Use After Free Vulnerability - CVE-2010-0032
A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- PowerPoint Viewer TextBytesAtom Record Stack Overflow Vulnerability - CVE-2010-0033
A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint viewer handles specially crafted PowerPoint files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Office PowerPoint Viewer TextCharsAtom Record Stack Overflow Vulnerability - CVE-2010-0034
A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint Viewer handles specially crafted PowerPoint files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
This vulnerability is triggered by opening malformed Microsoft Office PowerPoint files and could allow a remote attacker to execute arbitrary code in the context of the current user. Attackers will likely exploit this vulnerability using targeted and drive-by web attacks in order to compromise client machines. Upon successfully compromising a system, if the user has administrative privileges, the attacker could control the system completely. If the user has limited rights, the attacker could view confidential data that the user has access to, as well as access anything the local user has rights to access.
Recommendations
Administrators are urged to roll out this patch as soon as possible to all vulnerable systems, especially internet-facing client machines with Microsoft Office PowerPoint 2002 SP3, Microsoft Office 2003 SP3, or Microsoft Office 2004 for Mac installed.
Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)
http://www.microsoft.com/technet/security/bulletin/MS10-010.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a malformed sequence of machine instructions is run by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to log on locally into a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
The security update addresses the vulnerability by correcting the way Hyper-V server validates encoding on machine instructions executed inside its guest virtual machines.
- Hyper-V Instruction Set Validation Vulnerability - CVE-2010-0026
A denial of service vulnerability exists in Hyper-V on Windows Server 2008 and Windows Server 2008 R2. The vulnerability is due to insufficient validation of specific sequences of machine instructions by Hyper-V. An attacker who successfully exploited this vulnerability could cause the affected Hyper-V system to stop responding. This would affect all virtual machines hosted by that system.
Analysis
This patch addresses a break-out vulnerability within Microsoft Server 2008 Hyper-V that could allow arbitrary code to execute on the host machine in the context of the system kernel (ring 0). Attackers, and malware in particular, can take advantage of this vulnerability in an attempt to break out of a normally trusted virtual environment and compromise the host machine. Upon successful exploitation, attackers would be able to install rootkit-level malware and potentially bypass AV and other software-based defenses, since the arbitrary code executes at kernel level.
Recommendations
Administrators who implement Hyper-V in their environment are advised to apply this patch after testing in their environment.
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)
http://www.microsoft.com/technet/security/Bulletin/MS10-011.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a privately reported vulnerability in Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not affected. The vulnerability could allow elevation of privilege if an attacker logs on to the system and starts a specially crafted application designed to continue running after the attacker logs out. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
The security update addresses the vulnerability by correcting the manner in which users' processes are terminated upon logout.
- CSRSS Local Privilege Elevation Vulnerability - CVE-2010-0023
An elevation of privilege vulnerability exists because the Windows Client/Server Run-time Subsystem (CSRSS) does not properly terminate user processes when a user logs out. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
An attacker who gains administrative credentials to a vulnerable system would be able to take total control of it by running arbitrary code with SYSTEM level privileges. In addition to an attacker gaining the ability to install the typical range of malware, backdoors and information stealing software, attackers will likely install SYSTEM level rootkits since this vulnerability can give them SYSTEM level privileges.
Recommendations
Currently there are no known mitigations for this vulnerability. eEye recommends that this patch be tested and applied immediately in all vulnerable environments.
Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)
http://www.microsoft.com/technet/security/Bulletin/MS10-012.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.
The security update addresses these vulnerabilities by correcting the way that SMB validates SMB requests.
- SMB Pathname Overflow Vulnerability - CVE-2010-0020
An authenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. An attacker could exploit the vulnerability by sending a specially crafted network message to a system running the Server service as an authenticated user. While an attacker who successfully exploited this vulnerability could take complete control of the affected system, attempts to exploit this vulnerability will most probably result in a Denial of Service condition.
- SMB Memory Corruption Vulnerability - CVE-2010-0021
A denial of service vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the Server service.
- SMB Null Pointer Vulnerability - CVE-2010-0022
A denial of service vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the Server service. An attacker who successfully exploited this vulnerability could cause the computer to stop responding until restarted.
- SMB NTLM Authentication Lack of Entropy Vulnerability - CVE-2010-0231
An unauthenticated elevation of privilege vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles authentication attempts. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending large numbers of authentication requests to the SMB server. An attacker who successfully exploited this vulnerability could access the SMB service on the target system under the credentials of an authorized user.
Analysis
Multiple vulnerabilities within SMB could allow remote anonymous attackers or malicious users to trigger Denial of Service (DoS) conditions, execute arbitrary code, or potentially bypass security on a vulnerable machine. These attacks require no user interaction and can be conducted via automated means such as malware in order to attack or disrupt systems in a local environment. Attackers are likely to start by developing exploits and attacking systems with CVE-2010-0231 and CVE-2010-0020, followed by the remaining two vulnerabilities.
Recommendations
Administrators are highly advised to roll out patches for MS10-012 immediately. During testing and prior to applying the patch, SMB connections should be limited to only trusted machines in order to limit attack vectors.
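The interim mitigation recommended for both MS10-006 (a whitelist of SMB servers that clients may connect to) and MS10-012 (limiting inbound SMB to trusted machines) is the same host-firewall whitelist applied in opposite directions. The script below is an added example, not eEye's or Microsoft's code, and it assumes Windows Firewall with Advanced Security (Vista, 7, Server 2008 and 2008 R2) driven through netsh advfirewall; the trusted addresses are constructed placeholders. It handles the detail that makes a naive whitelist fail on this firewall: explicit block rules are evaluated before allow rules, so a blanket "block SMB" rule would also defeat the allow rule for trusted hosts. The block rule is therefore generated against the complement of the whitelist.

```powershell
# Added example, not eEye's or Microsoft's code. Builds Windows Firewall with
# Advanced Security rules (Vista / 7 / Server 2008 / 2008 R2) that restrict
# SMB (TCP 139 and 445) to a whitelist of trusted hosts as an interim
# mitigation while MS10-006 (outbound, SMB client) and MS10-012 (inbound,
# SMB server) are being deployed. Windows 2000 and XP have no outbound host
# firewall, so the same whitelist must be applied on the perimeter firewall
# for those systems.
#
# WFAS evaluates explicit block rules before allow rules, so the block rule
# must not cover the trusted hosts: it is written as every IPv4 range that
# does not contain a whitelisted address.

$TrustedSmbHosts = @('10.0.0.5', '10.0.0.6', '10.0.1.20')   # constructed placeholders

function ConvertTo-UInt32 ([string]$Ip) {
    # Dotted-quad to integer. Arithmetic is used instead of -shl, which
    # PowerShell 2.0 (the version shipped with Windows 7) does not have.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function ConvertFrom-UInt32 ([uint64]$N) {
    $octets = @()
    foreach ($div in 16777216, 65536, 256, 1) {
        $octets += ([int64][math]::Floor($N / $div)) % 256
    }
    return ($octets -join '.')
}

function Get-ComplementRanges ([string[]]$Allowed) {
    # Returns the IPv4 ranges between (and around) the allowed addresses,
    # in the "start-end" form netsh accepts for remoteip.
    $sorted = @($Allowed | ForEach-Object { ConvertTo-UInt32 $_ } | Sort-Object -Unique)
    $ranges = @()
    [uint64]$next = 0
    foreach ($a in $sorted) {
        if ($a -gt $next) {
            $start = ConvertFrom-UInt32 $next
            $end   = ConvertFrom-UInt32 ($a - 1)
            if ($start -eq $end) { $ranges += $start } else { $ranges += "$start-$end" }
        }
        $next = $a + 1
    }
    if ($next -le 4294967295) {
        $ranges += ('{0}-{1}' -f (ConvertFrom-UInt32 $next), (ConvertFrom-UInt32 4294967295))
    }
    return $ranges
}

$allowList = $TrustedSmbHosts -join ','
$blockList = (Get-ComplementRanges $TrustedSmbHosts) -join ','

# Outbound (MS10-006, SMB client): connections only to trusted servers.
netsh advfirewall firewall add rule name="SMB out - trusted servers"  dir=out action=allow protocol=TCP "remoteport=139,445" "remoteip=$allowList"
netsh advfirewall firewall add rule name="SMB out - untrusted blocked" dir=out action=block protocol=TCP "remoteport=139,445" "remoteip=$blockList"

# Inbound (MS10-012, SMB server): connections only from trusted clients.
netsh advfirewall firewall add rule name="SMB in - trusted clients"   dir=in action=allow protocol=TCP "localport=139,445" "remoteip=$allowList"
netsh advfirewall firewall add rule name="SMB in - untrusted blocked" dir=in action=block protocol=TCP "localport=139,445" "remoteip=$blockList"
```

Run it from an elevated prompt after replacing the placeholder addresses with the file servers and management hosts that genuinely need SMB. Once MS10-006 and MS10-012 are deployed, the four rules can be removed with `netsh advfirewall firewall delete rule name="..."` using the names above.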
Vulnerability in Kerberos Could Allow Denial of Service (977290)
http://www.microsoft.com/technet/security/bulletin/MS10-014.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a specially crafted ticket renewal request is sent to the Windows Kerberos domain from an authenticated user on a trusted non-Windows Kerberos realm. The denial of service could persist until the domain controller is restarted.
This update addresses the vulnerability by correcting the way the Kerberos server deals with ticket renewal requests.
- Kerberos Null Pointer Dereference Vulnerability - CVE-2010-0035
A denial of service vulnerability exists in implementations of Kerberos. The vulnerability is due to improper handling of Ticket-Granting-Ticket renewal requests by a client on a remote, non-Windows realm in a mixed-mode Kerberos implementation. An attacker who successfully exploited this vulnerability could cause the affected Windows domain controller to stop responding.
Analysis
This vulnerability affects Windows Server 2000 SP4, Server 2003 SP2, Server 2008, and Server 2008 SP2. This attack is performed from within the local network by an authenticated user on a non-Windows machine within the Kerberos realm. By sending a specially crafted packet to the Kerberos domain, an attacker could cause a Denial of Service (DoS) until the domain controller is restarted.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems.
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
http://www.microsoft.com/technet/security/Bulletin/MS10-015.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on to the system and then ran a specially crafted application. To exploit either vulnerability, an attacker must have valid logon credentials and be able to log on locally. The vulnerabilities could not be exploited remotely or by anonymous users.
The security update addresses the vulnerabilities by ensuring that the Windows Kernel handles exceptions properly.
- Windows Kernel Exception Handler Vulnerability - CVE-2010-0232
An elevation of privilege vulnerability exists in the Windows Kernel due to the way the kernel handles certain exceptions. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Windows Kernel Double Free Vulnerability - CVE-2010-0233
An elevation of privilege vulnerability exists in the Windows Kernel due to a double free condition. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
This patch addresses two vulnerabilities within the Windows Kernel that could allow malicious applications to elevate their privileges and execute code at ring 0. One of these vulnerabilities has been made public and is currently being used by malware in order to install rootkits on vulnerable systems. Attackers will likely combine these vulnerabilities with any of the other vulnerabilities patched this month (such as the Office or DirectX vulnerabilities) in order to elevate their privileges and completely compromise a vulnerable machine. This vulnerability affects all versions of Microsoft Windows from Windows 3.1 through Windows 7.
Recommendations
Since this is a kernel patch, administrators are advised to apply it after testing; however, since attacks are already in the wild, administrators should take this into consideration and make this patch a priority.
Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)
http://www.microsoft.com/technet/security/bulletin/ms10-005.mspx
Microsoft Severity Rating: Moderate
eEye Severity Rating: Moderate
Description
This security update resolves a privately reported vulnerability in Microsoft Paint. The vulnerability could allow remote code execution if a user viewed a specially crafted JPEG image file using Microsoft Paint. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The security update addresses the vulnerability by modifying the way that Microsoft Paint decodes JPEG image files.
- MS Paint Integer Overflow Vulnerability - CVE-2010-0028
A remote code execution vulnerability exists in the way that Microsoft Paint decodes JPEG images. The vulnerability could allow remote code execution if a user opens a specially crafted JPEG image file in Microsoft Paint. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
Analysis
This vulnerability is triggered when a malicious JPEG file is opened in Microsoft Paint. Attackers would likely convince the user to download the malicious file and then convince the user to open it. This would run arbitrary code, compromising the system. If the user has administrative privileges, the attacker could control the compromised system completely and use it to attack other systems on the network. If the user has limited rights, the attacker could view confidential data that the user has access to, as well as access anything the local user has rights to access.
Recommendations
Administrators are urged to roll out this patch as they see fit to all Windows installations. Until administrators roll out the patch, it is highly advised that administrators use CACLS to block users from using Microsoft Paint.
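One way to apply the CACLS workaround above, as an added example that is not part of the eEye advisory: the batch file below records the current ACL of mspaint.exe, adds a Deny entry for the local Users group so that Paint cannot be launched, and lists the result. It assumes an administrative command prompt and the default %SystemRoot%\system32 location; on Windows Vista and 7 the file is owned by TrustedInstaller, so ownership must be taken first (takeown /f) before the ACL can be edited.

```batch
@echo off
rem Added example (not from the eEye advisory): block Microsoft Paint
rem for the Users group with CACLS until MS10-005 has been deployed.
rem Assumes an administrative prompt; on Vista/7 run "takeown /f" on
rem the file first because TrustedInstaller owns it.
set PAINT=%SystemRoot%\system32\mspaint.exe

if /i "%~1"=="restore" goto restore

rem Keep a copy of the ACL as it was before the change, for review/rollback
cacls "%PAINT%" > "%TEMP%\mspaint-acl-before.txt"

rem /E edits the existing ACL instead of replacing it; /D adds a Deny ACE.
rem A Deny ACE wins over any Allow, so members of Users (including
rem administrators who are also in Users) can no longer execute Paint.
cacls "%PAINT%" /E /D Users
if errorlevel 1 (
    echo Failed to modify the ACL on %PAINT%
    exit /b 1
)

echo ACL for %PAINT% after the change:
cacls "%PAINT%"
exit /b 0

:restore
rem Once the patch is installed, revoke the Users entries added above.
rem /R removes all explicit ACEs for Users, so compare the result with
rem the saved listing and re-grant read/execute (/G Users:R) if needed.
cacls "%PAINT%" /E /R Users
echo ACL for %PAINT% after restore:
cacls "%PAINT%"
exit /b 0
```

Run it without arguments to apply the workaround and with the argument restore to undo it after patching; the saved listing in %TEMP% shows exactly which entries existed before.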
The eEye Advantage
Assessment
eEye Digital Security's customers can update their Retina scanner to detect systems vulnerable to these latest issues and verify that this month's Microsoft patches are installed. Updated vulnerability audits are automatically available to eEye Retina vulnerability assessment customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/Resources/Security-Center/Patch-Tuesday/Audits/February-2010.aspx
Protection
eEye's line of security modules protect from the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity. The result is complete protection for the system and the sensitive data that resides on it with zero downtime or impact to critical system operations. Current protection customers aren't required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required.
Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit
http://www.eeye.com/Company/News-and-Events/Vulnerability-Expert-Forum.aspx.