eEye Digital Security
Alert - eEye Security Bulletin
Microsoft Patch Disclosure - July 13, 2010
Overview
This month, Microsoft released 4 patches which repair a total of 5 vulnerabilities. All 4 patches address Remote Code Execution vulnerabilities.

Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.
 
Patch Precedence
MS10-042 and MS10-045 should be patched immediately. Administrators are advised to patch MS10-042 immediately, since it is publicly known and is being exploited. MS10-045 also needs to be patched immediately, since attackers will likely choose it in their attacks. Next, patch MS10-043 as soon as possible, since it is publicly known. Finally, patch MS10-044 once the other 3 bulletins have been addressed; it is still rated critical.

As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.
Bulletin/Advisory Summary
Critical
MS10-042 - Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)
MS10-043 - Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)
MS10-044 - Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335)
MS10-045 - Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)
 
Bulletin/Advisory Details
Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)
http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
 

Description
This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message. The security update addresses the vulnerability by modifying the manner in which data is validated when passed to the Windows Help and Support Center.
  • Help Center URL Validation Vulnerability - CVE-2010-1885
    An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Help and Support Center validates specially crafted URLs. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
A vulnerability exists in the Help and Support Center of Windows, which could be exploited to give an attacker the ability to execute arbitrary code remotely on a victim's system. To exploit this vulnerability, an attacker would need to convince a user to click a malicious link or visit a malicious web page. Once the user does either of these, if the user is running with Administrator privileges, the attacker would have gained complete control of the system.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Until the patch is rolled out, administrators should disable the HCP protocol, by first backing up and then removing the HKEY_CLASSES_ROOT\HCP key from the registry.
Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)
http://www.microsoft.com/technet/security/Bulletin/MS10-043.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
 

Description
This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart. The security update addresses the vulnerability by correcting the manner in which the Canonical Display Driver parses information copied from user mode to kernel mode.
  • Canonical Display Driver Integer Overflow Vulnerability - CVE-2009-3678
    An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Canonical Display Driver (cdd.dll) parses information copied from user mode to kernel mode. Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart. An attacker who can successfully exploit this vulnerability for code execution could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
A vulnerability exists in the Canonical Display Driver, due to how the Windows graphics device interface parses images. If an attacker were able to host a malicious image and convince a user to view it, the user's system would stop responding and eventually restart. Code execution is possible, but due to address randomization, it is unlikely that an attacker could successfully execute arbitrary code.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Until this is possible, vulnerable systems that are running the Windows Aero Theme should disable Aero and set the theme to a basic theme.
Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335)
http://www.microsoft.com/technet/security/Bulletin/MS10-044.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
 

Description
This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerabilities by updating specific Access ActiveX controls and by modifying the way memory is accessed by Microsoft Office and by Internet Explorer when loading Access ActiveX controls.
  • Access ActiveX Control Vulnerability - CVE-2010-0814
    A remote code execution vulnerability exists in Access ActiveX controls due to the way that multiple ActiveX controls are loaded by Internet Explorer. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • ACCWIZ.dll Uninitialized Variable Vulnerability - CVE-2010-1881
    A remote code execution vulnerability exists in the way that the FieldList ActiveX control is instantiated by Microsoft Office and Internet Explorer. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
Multiple vulnerabilities exist within the Microsoft Access ActiveX controls that could be leveraged through a browser in order to compromise a system. In order for attackers to exploit these vulnerabilities, they would need to trick a user into opening a malicious link or attachment that references the controls and triggers a memory corruption scenario. Attackers who were able to successfully exploit these flaws would gain the same privileges as the currently logged-in user.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Until this is possible, certain COM objects should be prevented from running in Internet Explorer. Do this by setting Internet Explorer ActiveX kill bits for {53230327-172B-11D0-AD40-00A0C90DC8D9} and {53230322-172B-11d0-AD40-00A0C90DC8D9}.
Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)
http://www.microsoft.com/technet/security/Bulletin/MS10-045.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Critical
 

Description
This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerability by modifying the way that Microsoft Office Outlook verifies attachments in a specially crafted e-mail message.
  • Microsoft Outlook SMB Attachment Vulnerability - CVE-2010-0266
    A remote code execution vulnerability exists in the way that Microsoft Office Outlook verifies attachments in a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
A vulnerability exists in all supported versions of Outlook through 2007 when parsing e-mail attachments whose PR_ATTACH_METHOD property is set to ATTACH_BY_REFERENCE. An attacker would send a malicious e-mail targeting this flaw in Outlook's attachment parsing. If the victim opened the attachment, the vulnerability would be exploited, giving the attacker the same access rights as the current user.
Recommendations
Administrators should roll out this patch as soon as possible to vulnerable systems. Until this is possible, stop and disable the WebClient service, using services.msc.
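The interim workarounds recommended above (removing the HCP protocol key for MS10-042, setting the two ActiveX kill bits for MS10-044, and disabling the WebClient service for MS10-045) collected into one PowerShell script; this is an added example, not eEye's or Microsoft's own tooling, and the backup path and function names are this example's own choices.

```powershell
# Added example: applies the interim workarounds from this bulletin and reports
# their resulting state. Run from an elevated PowerShell session.
$Backup = Join-Path $env:TEMP 'hcp-key-backup.reg'   # assumed backup location

function Disable-HcpProtocol {
    # MS10-042 workaround: back up, then remove, the hcp:// protocol handler key.
    if (Test-Path 'Registry::HKEY_CLASSES_ROOT\HCP') {
        & reg.exe export 'HKEY_CLASSES_ROOT\HCP' $Backup /y | Out-Null
        Remove-Item 'Registry::HKEY_CLASSES_ROOT\HCP' -Recurse -Force
    }
    return -not (Test-Path 'Registry::HKEY_CLASSES_ROOT\HCP')
}

function Set-ActiveXKillBit([string]$Clsid) {
    # MS10-044 workaround: the kill bit is bit 0x400 of the "Compatibility Flags"
    # DWORD under the ActiveX Compatibility key. Existing flags are preserved.
    # On 64-bit Windows repeat this under HKLM:\SOFTWARE\Wow6432Node for 32-bit IE.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$cur) -bor 0x400
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    return (($flags -band 0x400) -ne 0)
}

function Disable-WebClientService {
    # MS10-045 workaround: stop and disable WebClient (the WebDAV redirector).
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    return ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
}

$results = @{
    'MS10-042 HCP key removed'     = Disable-HcpProtocol
    'MS10-044 kill bit 53230327'   = Set-ActiveXKillBit '{53230327-172B-11D0-AD40-00A0C90DC8D9}'
    'MS10-044 kill bit 53230322'   = Set-ActiveXKillBit '{53230322-172B-11d0-AD40-00A0C90DC8D9}'
    'MS10-045 WebClient disabled'  = Disable-WebClientService
}
$results.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

Disabling WebClient also breaks legitimate WebDAV access, so confirm nothing in the environment depends on it before rolling the script out; the MS10-043 workaround (switching off the Aero theme) is a per-user display setting and is not covered here.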
The eEye Advantage

Assessment
eEye Digital Security's customers can update their Retina scanner to detect systems vulnerable to these latest issues and verify that this month's Microsoft patches are installed. Updated vulnerability audits are automatically available to eEye Retina vulnerability assessment customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/Resources/Security-Center/Patch-Tuesday/Audits/July-2010.aspx

Protection
eEye's line of security modules protects from the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity. The result is complete protection for the system and the sensitive data that resides on it with zero downtime or impact to critical system operations. Current protection customers are not required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required.

Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/VEF.
© 1998 – 2012 eEye Digital Security. All rights reserved.