Today, Microsoft released an out-of-band security bulletin regarding a cumulative security update for Internet Explorer, which addresses eight different vulnerabilities.
Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus have protected from client-side memory-corruption vulnerabilities generically without the need for any updates.
Due to the critical nature of this out-of-band patch from Microsoft, eEye Digital Security encourages everyone to attend the special out-of-band Vulnerability Expert Forum webinar. The Vulnerability Expert Forum is provided, without charge, as a service to the network security community.
Friday, January 22, 2010 @ 11:00 AM PST / 2:00 PM EST / 19:00 GMT
Register Here
The patch released today is for multiple remote code execution vulnerabilities and a security bypass vulnerability within all versions of Internet Explorer. At least one of these attacks has been used in the wild; the ‘Aurora’ exploit was reportedly used in the recent Google incident. All of these vulnerabilities could be leveraged by a remote attacker bypassing XSS filtering in order to exploit Internet Explorer after the user visits a malicious website, thus allowing the attacker to compromise the client computer by installing malware, rootkits, keyloggers etc.
As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's
Vulnerability Expert Forum hosted by the eEye Security Research Team.
For more information on patch precedence, see the eEye Versa Newsletter article
Patch Tuesday Prioritization for a Large Enterprise.
MS10-002 - Cumulative Security Update for Internet Explorer (978207)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes.
- XSS Filter Script Handling Vulnerability - CVE-2009-4074
An XSS filter bypass vulnerability exists in the way that Internet Explorer 8 disables an HTML attribute in otherwise appropriately filtered HTTP response data. The vulnerability could allow initially disabled scripts to run in the wrong security context, leading to information disclosure.
- URL Validation Vulnerability - CVE-2010-0027
A remote code execution vulnerability exists in the way that Internet Explorer incorrectly validates input. An attacker could exploit the vulnerability by constructing a specially crafted URL. When a user clicks the URL, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Uninitialized Memory Corruption Vulnerability - CVE-2010-0244
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Uninitialized Memory Corruption Vulnerability - CVE-2010-0245
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Uninitialized Memory Corruption Vulnerability - CVE-2010-0246
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Uninitialized Memory Corruption Vulnerability - CVE-2010-0247
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- HTML Object Memory Corruption Vulnerability - CVE-2010-0248
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- HTML Object Memory Corruption Vulnerability - CVE-2010-0249
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
Attackers are likely to exploit this vulnerability using client side attacks by setting up malicious web servers and distributing trojanized links to these malicious websites. Attackers will focus on targets that are known to be using IE 6 and IE 7 machines, however after a while these attacks could become widespread, outgrowing their ‘targeted attack’ stage and becoming ‘widespread’ exploits . At this stage, attackers will implement these vulnerabilities into drive-by-attack kits and install these on compromised or malicious hosts in order to exploit large amounts of victims via XSS, IM links, Email links or other social engineering attacks. The XSS bypass vulnerability could potentially be combined with these attacks in order to aide attackers in delivering these exploits to machines.
Recommendations
Apply this patch immediately to all Windows systems.
The eEye Advantage
Retina® Network Security Scanner
eEye Digital Security's Retina customers can update their scanner to detect systems vulnerable to these latest issues and verify this month's Microsoft patches are installed. Updated Retina audits are automatically available to eEye Retina customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/Resources/Security-Center/Patch-Tuesday/Audits/January-2010.aspx
Blink® Endpoint Security
eEye's line of Blink with Anti-Virus software protects from the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity as Blink does not require the disabling of services or applications as a means of protection. The result is complete protection for the system and the sensitive data that resides on it with zero downtime or impact to critical system operations.
Current Blink customers aren't required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required. Blink Professional, Blink Server and Blink Personal now include multiple integrated anti-virus engines. Blink Personal is available for free for one year for personal use and can be downloaded at:
http://www.eeye.com/blinkpersonal/. Business users can download a trial version of Blink Professional at
http://www.eeye.com/blink/
Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit
http://www.eeye.com/Company/News-and-Events/Vulnerability-Expert-Forum.aspx.