eEye Digital Security
Alert - eEye Security Bulletin
Microsoft Patch Disclosure - June 8, 2010
Overview
This month, Microsoft released 10 patches which repair a total of 34 vulnerabilities. Of these 10 patches, 6 address Remote Code Execution vulnerabilities, 3 address Elevation of Privilege vulnerabilities, and 1 addresses a Tampering vulnerability.

Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.
Patch Precedence
Administrators are advised to patch MS10-032, MS10-033, MS10-034 and MS10-035 immediately to prevent exploitation by attackers. Next, administrators should patch MS10-036, MS10-038, MS10-039, MS10-040 and MS10-041 as soon as possible. Lastly, administrators should patch MS10-037 at their earliest convenience.

As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.
Bulletin/Advisory Summary
Critical
MS10-033 - Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
MS10-034 - Cumulative Security Update of ActiveX Kill Bits (980195)
MS10-035 - Cumulative Security Update for Internet Explorer (982381)

Important
MS10-032 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
MS10-036 - Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)
MS10-037 - Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218)
MS10-038 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)
MS10-039 - Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
MS10-040 - Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)
MS10-041 - Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)
Bulletin/Advisory Details
Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
http://www.microsoft.com/technet/security/Bulletin/MS10-033.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves two privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerabilities by modifying the way that Windows parses media files.
  • Media Decompression Vulnerability - CVE-2010-1879
    A remote code execution vulnerability exists in the way that Microsoft Windows handles media files. This vulnerability could allow remote code execution if a user opened a specially crafted media file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MJPEG Media Decompression Vulnerability - CVE-2010-1880
    A remote code execution vulnerability exists in the way that Microsoft Windows handles media files. This vulnerability could allow remote code execution if a user opened a specially crafted file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
All supported versions of Windows are affected by this vulnerability. Attackers will try to convince users to open malicious media files or links to malicious media files and/or streams. Upon viewing these malicious media, the vulnerability would be exploited and the attacker would be able to control the system with the same rights as the current user. If the current user has administrator rights, the attacker will most likely install backdoors and other malicious programs, which would be used to further compromise the internal and/or external network.
Recommendations
Administrators are urged to roll out this patch as soon as possible to all Windows systems. Until the patch is rolled out, administrators should use CACLS to disable Quartz.dll, Asycfilt.dll, and Windows Media Encoder 9.
Cumulative Security Update of ActiveX Kill Bits (980195)
http://www.microsoft.com/technet/security/Bulletin/MS10-034.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update addresses two privately reported vulnerabilities for Microsoft software. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls. The security update addresses the vulnerabilities by setting kill bits so that the vulnerable controls do not run in Internet Explorer.
  • Microsoft Data Analyzer ActiveX Control Vulnerability - CVE-2010-0252
    A remote code execution vulnerability exists in the Microsoft Data Analyzer ActiveX Control. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
  • Microsoft Internet Explorer 8 Developer Tools Vulnerability - CVE-2010-0811
    A remote code execution vulnerability exists in the Microsoft Internet Explorer 8 Developer Tools. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
Analysis
Attackers will target client machines since ActiveX vulnerabilities require user interaction. Attackers will try to convince users to click a link to a malicious web page. When the page is viewed, the user's system would execute malicious code, exploiting the vulnerability and giving the attacker the ability to control the system with the same rights as the current user. If the current user has Administrator privileges, the attacker would gain complete control of the system. At this point, they could install malicious backdoor software, keyloggers, and other malware to be used in future attacks launched from the compromised machine.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems or manually install the KillBit IDs into Windows Registry where applicable.
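Whether the kill bits actually landed can be checked from a registry export of each host. The script below is an added example, not part of the eEye bulletin: it parses a `reg export` of the ActiveX Compatibility key and reports, per CLSID and per registry view, whether the kill bit (0x400 in "Compatibility Flags") is set. The CLSIDs and the export text are constructed placeholders, not the identifiers shipped in MS10-034; substitute the CLSIDs listed in the Microsoft bulletin.

```python
import re

# Kill bit: bit 0x400 of the REG_DWORD "Compatibility Flags" under the
# per-CLSID "ActiveX Compatibility" key (Microsoft's documented mechanism).
KILL_BIT = 0x00000400

# 64-bit Windows keeps a separate registry view for 32-bit Internet Explorer,
# so a kill bit written to only one view leaves the other browser exposed.
BASES = {
    "native": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    "wow64": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{1,8})$', re.I)
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def decode_export(raw):
    """Version 5.00 exports are UTF-16 with a BOM; REGEDIT4 files are ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def classify(key):
    """Return (view, CLSID) for a kill-bit key, or None for any other key."""
    for view, base in BASES.items():
        prefix = base.lower() + "\\"
        if key.lower().startswith(prefix):
            rest = key[len(prefix):]
            if GUID_RE.fullmatch(rest):
                return (view, rest.upper())
    return None


def parse_flags(text):
    """Map (view, CLSID) -> Compatibility Flags value (0 if the value is absent)."""
    flags, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = classify(m.group(1))
            if current is not None:
                flags.setdefault(current, 0)
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def audit(text, clsids, views=("native", "wow64")):
    """Report 'killed', 'not-set' or 'missing' for each CLSID in each view."""
    flags = parse_flags(text)
    report = {}
    for clsid in clsids:
        clsid = clsid.upper()
        report[clsid] = {}
        for view in views:
            value = flags.get((view, clsid))
            if value is None:
                status = "missing"
            elif value & KILL_BIT:
                status = "killed"
            else:
                status = "not-set"
            report[clsid][view] = status
    return report


def unprotected(report):
    """CLSIDs that can still be instantiated in at least one view."""
    return [c for c, views in report.items()
            if any(s != "killed" for s in views.values())]


# Constructed sample export; the CLSIDs are placeholders, not real controls.
C1 = "{00000000-0000-0000-0000-000000000001}"
C2 = "{00000000-0000-0000-0000-000000000002}"
C3 = "{00000000-0000-0000-0000-000000000003}"
C4 = "{00000000-0000-0000-0000-000000000004}"
WANTED = [C1, C2, C3, C4]

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000c00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00800000
"""

if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT, WANTED)
    for clsid, views in result.items():
        print(clsid, views)
    print("still instantiable somewhere:", unprotected(result))
```

On a 32-bit host, pass `views=("native",)` so the absent Wow6432Node view is not reported as a gap.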
Cumulative Security Update for Internet Explorer (982381)
http://www.microsoft.com/technet/security/Bulletin/MS10-035.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, HTML sanitization, and cached content.
  • Cross-Domain Information Disclosure Vulnerability - CVE-2010-0255
    An information disclosure vulnerability exists in the way that Internet Explorer caches data and incorrectly allows the cached content to be called, potentially bypassing Internet Explorer domain restriction. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could view content from the local computer or a browser window in another domain or Internet Explorer zone.
  • toStaticHTML Information Disclosure Vulnerability - CVE-2010-1257
    An information disclosure vulnerability exists in the way that Internet Explorer handles content using specific strings when sanitizing HTML. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could inflict cross-site scripting on the user, allowing the attacker to execute script in the user's security context against a site that is using the toStaticHTML API.
  • Uninitialized Memory Corruption Vulnerability - CVE-2010-1259
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • HTML Element Memory Corruption Vulnerability - CVE-2010-1260
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted in the IE8 Developer Toolbar. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Uninitialized Memory Corruption Vulnerability - CVE-2010-1261
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted in the IE8 Developer Toolbar. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Memory Corruption Vulnerability - CVE-2010-1262
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
Primary targets will be Windows client machines, while secondary targets will be Windows server machines. Attackers will try to convince users to visit a specially crafted web page, which would exploit one of the vulnerabilities in Internet Explorer. This would give the attacker the same rights as the current user. If the current user has administrator rights, the attacker would be able to install malicious software, such as keyloggers and/or backdoor trojans. From this point, the attacker could use the compromised machine to attack more systems within or outside of the network.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems.
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
http://www.microsoft.com/technet/security/Bulletin/MS10-032.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in the Windows kernel-mode drivers. The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted TrueType font. The security update addresses the vulnerabilities by correcting object change and callback parameter validation, and by correcting the way that Windows provides outlines of TrueType fonts to usermode applications.
  • Win32k Improper Data Validation Vulnerability - CVE-2010-0484
    An elevation of privilege vulnerability exists because the Windows kernel-mode drivers do not properly validate changes in certain kernel objects. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Win32k Window Creation Vulnerability - CVE-2010-0485
    An elevation of privilege vulnerability exists because Windows kernel-mode drivers do not properly validate all parameters when creating a new window. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Win32k TrueType Font Parsing Vulnerability - CVE-2010-1255
    An elevation of privilege vulnerability exists due to the way that the operating system provides font-related information to applications. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
This patch affects all supported versions of Windows. Proof-of-concept code is publicly available for two of the CVEs. To exploit these vulnerabilities, attackers need to be able to log into a system. This can be done by exploiting vulnerabilities such as those patched in MS10-033, MS10-034 and/or MS10-035. Once the attacker has the same rights as a valid user, they can use this to log into the target machine and exploit a vulnerability in how Windows displays TrueType fonts. This would elevate the attacker's privileges to system level, giving them kernel access. This would allow the attacker to install malicious software and attack further computers within or outside of the network.
Recommendations
Administrators should roll out this patch as soon as possible to vulnerable systems.
Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)
http://www.microsoft.com/technet/security/Bulletin/MS10-036.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: High

Description
This security update resolves a privately reported vulnerability in COM validation in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel, Word, Visio, Publisher, or PowerPoint file with an affected version of Microsoft Office. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message. The security update addresses the vulnerability by correcting the way that Microsoft Office validates COM objects to be instantiated.
  • COM Validation Vulnerability - CVE-2010-1263
    A remote code execution vulnerability exists in the way that affected Microsoft Office software validates COM object instantiation. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Analysis
Attackers will try to convince users to open a malicious Office file or open a link to a malicious Office file on an attacker controlled site. If the user opens this file, arbitrary code would be executed, giving the attacker the same privileges as the current user. If the user is an administrator, the attacker would likely install malicious software and use the compromised machine to launch more attacks through the internal and external network.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Note: there are documented issues regarding installation of this patch, available at http://support.microsoft.com/kb/983235.
Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218)
http://www.microsoft.com/technet/security/Bulletin/MS10-037.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow elevation of privilege if a user views content rendered in a specially crafted CFF font. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. The security update addresses the vulnerability by ensuring that the OpenType Compact Font Format (CFF) driver properly validates data.
  • OpenType CFF Font Driver Memory Corruption Vulnerability - CVE-2010-0819
    An elevation of privilege vulnerability exists in the Windows OpenType Compact Font Format (CFF) driver due to improper validation of certain data passed from user mode to kernel mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
This patch resolves a vulnerability in the way Windows processes OpenType font formats. The driver responsible for processing OpenType fonts, in all supported versions of Windows, does not properly transfer data between user and kernel mode, which causes the vulnerability. Attackers would need to log into the system or utilize other vulnerabilities, such as those patched by MS10-033, MS10-034, and/or MS10-035, to gain the same access to a system as a currently logged-on user. From that point, the attacker would run a special program to exploit the OpenType vulnerability. Once the vulnerability had been exploited, the attacker would have system-level access, allowing them to use the compromised system as a hub to launch more attacks against other systems on the network.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems.
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)
http://www.microsoft.com/technet/security/Bulletin/MS10-038.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Critical

Description
This security update resolves fourteen privately reported vulnerabilities in Microsoft Office. The more severe vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerabilities by changing the way that Microsoft Office Excel parses specially crafted Excel files and by correcting the way that the Open XML File Format Converter for Mac installs.
  • Excel Record Parsing Memory Corruption Vulnerability - CVE-2010-0821
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Excel Object Stack Overflow Vulnerability - CVE-2010-0822
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Excel Memory Corruption Vulnerability - CVE-2010-0823
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Excel Record Memory Corruption Vulnerability - CVE-2010-0824
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Excel Record Memory Corruption Vulnerability - CVE-2010-1245
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Excel RTD Memory Corruption Vulnerability - CVE-2010-1246
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Excel Memory Corruption Vulnerability - CVE-2010-1247
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Excel HFPicture Memory Corruption Vulnerability - CVE-2010-1248
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Excel Memory Corruption Vulnerability - CVE-2010-1249
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Excel EDG Memory Corruption Vulnerability - CVE-2010-1250
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Excel Record Stack Corruption Vulnerability - CVE-2010-1251
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Excel String Variable Vulnerability - CVE-2010-1252
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Excel ADO Object Vulnerability - CVE-2010-1253
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Mac Office Open XML Permissions Vulnerability - CVE-2010-1254
    An elevation of privilege vulnerability exists in the way that the Open XML File Format Converter for Mac installs itself. During installation, the Open XML File Format Converter for Mac changes the file system ACLs on the /Applications folder in a way that reduces the security settings on the /Applications folder and allows all access to the files in this folder. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could replace the Open XML File Format Converter for Mac with a malicious executable. When an administrator later logs on and runs the Open XML File Format Converter for Mac, the attacker-provided code can be made to execute, allowing the attacker to take complete control over an affected system.
Analysis
This patch addresses fourteen vulnerabilities within Microsoft Excel that could allow remote code execution in the context of the local user. Attackers will use spear-phishing email tactics or email attachments to trick users into downloading malicious Excel documents. From here, attackers will compromise machines and install botnet Trojans or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.
Recommendations
Administrators should roll out this patch as soon as possible to vulnerable systems.
Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
http://www.microsoft.com/technet/security/Bulletin/MS10-039.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves one publicly disclosed and two privately reported vulnerabilities in Microsoft SharePoint. The most severe vulnerability could allow elevation of privilege if an attacker convinced a user of a targeted SharePoint site to click on a specially crafted link. The security update addresses the vulnerabilities by modifying the way that Microsoft SharePoint validates input that is provided to an HTTP query, the way that toStaticHTML sanitizes HTML content in Microsoft SharePoint, and the way that Microsoft SharePoint handles specially crafted requests to the Help page.
  • Help.aspx XSS Vulnerability - CVE-2010-0817
    A cross-site scripting and spoofing vulnerability exists in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 that could allow an attacker to convince a user to run a malicious script. An attacker who successfully exploited the vulnerability could modify Web browser caches and intermediate proxy server caches. Additionally, an attacker could put spoofed content into those caches. An attacker may also be able to exploit the vulnerability to perform cross-site scripting attacks.
  • toStaticHTML Information Disclosure Vulnerability - CVE-2010-1257
    An information disclosure vulnerability exists in the way that the SharePoint toStaticHTML API sanitizes HTML, that could allow an attacker to perform cross-site scripting attacks and run script in the security context of the logged-on user.
  • SharePoint Help Page Denial of Service Vulnerability - CVE-2010-1264
    A denial of service vulnerability exists in the way that Microsoft SharePoint handles specially crafted requests to the help page. An attacker could exploit the vulnerability by sending specially crafted packets to the targeted SharePoint server which could cause the Web server to become non-responsive until the associated application pool is restarted.
Analysis
Attackers exploiting this vulnerability will attempt to trick SharePoint clients into clicking a malicious link sent to the targeted user via email, instant messaging, or other social engineering methods. When a user clicks the link to the targeted SharePoint server, the vulnerability will be exploited, potentially allowing the attacker to gain privileges on the targeted SharePoint server at the same level as the targeted user. Alternatively, attackers could use this attack to trigger denial of service conditions against the SharePoint server via specially crafted HTTP requests.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Prior to deploying this patch, administrators can roll out IPS mechanisms or IP Address whitelists to prevent attackers from exploiting these vulnerabilities.
Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)
http://www.microsoft.com/technet/security/Bulletin/MS10-040.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a privately reported vulnerability in Internet Information Services (IIS). The vulnerability could allow remote code execution if a user received a specially crafted HTTP request. An attacker who successfully exploited this vulnerability could take complete control of an affected system. The security update addresses the vulnerability by correcting authentication validation.
  • IIS Authentication Memory Corruption Vulnerability - CVE-2010-1256
    A remote code execution vulnerability exists in Internet Information Services (IIS). The vulnerability is due to improper parsing of authentication information. An attacker who successfully exploited this vulnerability could execute code in the context of the Worker Process Identity (WPI).
Analysis
IIS 6, 7, and 7.5 servers with Microsoft Extended Protection for Authentication (KB973917) installed and enabled are vulnerable to a remote code execution vulnerability that could allow remote anonymous attackers to trigger a memory corruption in the context of the Worker Process Identity thread. Attackers can leverage this attack using HTTP or HTTPS connections to the vulnerable IIS server without any interaction from the server.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. In the meantime, enforcing a whitelist of trusted clients or disabling Microsoft Extended Protection for Authentication (KB973917) would mitigate this vulnerability. However, disabling Extended Protection will expose the vulnerable server to potential Man-in-the-Middle attacks and should only be considered if patching the vulnerable server is not an immediate option.
Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)
http://www.microsoft.com/technet/security/Bulletin/MS10-041.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow data tampering of signed XML content without being detected. In custom applications, the security impact depends on how the signed content is used in the specific application. Scenarios in which signed XML messages are transmitted over a secure channel (such as SSL) are not affected by this vulnerability. The security update addresses the vulnerability by changing the way in which the XMLDsig recommendation has been implemented in the Microsoft .NET Framework.
  • XML Signature HMAC Truncation Authentication Bypass Vulnerability - CVE-2009-0217
    A data tampering vulnerability exists in the Microsoft .NET Framework that could allow an attacker to tamper with signed XML content without being detected. In custom applications, the security impact depends on the specific usage scenario. Scenarios in which signed XML messages are transmitted over a secure channel (such as SSL) are not affected by this vulnerability.
Analysis
XMLDsig is vulnerable to a publicly known cryptographic weakness in the signing of XML control messages and in E03 Hash-based Message Authentication Code (HMAC) truncation handling. This could potentially allow attackers to hijack or subvert encryption between two XMLDsig endpoints in order to tamper with or intercept communication when it is not being used in conjunction with other secure protocols.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems, particularly those running XMLDsig endpoints and signed XML content.
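An added example (not from this bulletin and not Microsoft's fix): a Python sketch of the verifier-side check that closes the HMAC truncation weakness described above, rejecting any HMACOutputLength below the floor in the revised XMLDsig text (80 bits or half the digest size, whichever is greater). The key, the sample SignedInfo fragments and all function names are constructed for illustration; canonicalization is skipped and only byte-aligned lengths are accepted.

```python
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
# HMAC algorithm URI -> (hashlib name, digest size in bits)
HMAC_ALGS = {
    DSIG + "hmac-sha1": ("sha1", 160),
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": ("sha256", 256),
}


def allowed_tag_bits(signed_info_xml):
    """Return (hash_name, tag_bits); raise ValueError on unsafe truncation."""
    root = ET.fromstring(signed_info_xml)
    method = root.find(f"{{{DSIG}}}SignatureMethod")
    if method is None or method.get("Algorithm") not in HMAC_ALGS:
        raise ValueError("missing or unsupported SignatureMethod")
    hash_name, digest_bits = HMAC_ALGS[method.get("Algorithm")]
    length_el = method.find(f"{{{DSIG}}}HMACOutputLength")
    if length_el is None:
        return hash_name, digest_bits  # no truncation requested
    bits = int((length_el.text or "").strip())  # non-numeric -> ValueError
    floor = max(80, digest_bits // 2)  # floor from the revised XMLDsig text
    # Byte-aligned lengths only: a simplification made by this example.
    if bits % 8 or not floor <= bits <= digest_bits:
        raise ValueError(f"HMACOutputLength {bits} outside [{floor}, {digest_bits}]")
    return hash_name, bits


def verify(signed_info_xml, key, data, signature_value):
    """Verify a (possibly truncated) HMAC; the declared length is validated first."""
    try:
        hash_name, bits = allowed_tag_bits(signed_info_xml)
    except (ValueError, ET.ParseError):
        return False
    expected = hmac.new(key, data, hash_name).digest()[: bits // 8]
    return hmac.compare_digest(expected, signature_value)


def signed_info(bits):
    """Constructed sample SignedInfo fragment declaring a truncation length."""
    return (f'<SignedInfo xmlns="{DSIG}"><SignatureMethod '
            f'Algorithm="{DSIG}hmac-sha1"><HMACOutputLength>{bits}'
            f'</HMACOutputLength></SignatureMethod></SignedInfo>')


# Constructed key and payload for the demonstration.
KEY, DATA = b"constructed-demo-key", b"<order id='1'>10 units</order>"
FULL_TAG = hmac.new(KEY, DATA, "sha1").digest()
```

A message that declares an 8-bit or 0-bit output length is rejected before any comparison takes place, even when the supplied bytes match the start of the genuine tag.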
The eEye Advantage

Assessment
eEye Digital Security's customers can update their Retina scanner to detect systems vulnerable to these latest issues and verify that this month's Microsoft patches are installed. Updated vulnerability audits are automatically available to eEye Retina vulnerability assessment customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/Resources/Security-Center/Patch-Tuesday/Audits/June-2010.aspx

Protection
eEye's line of security modules protects from the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity. The result is complete protection for the system and the sensitive data that resides on it with zero downtime or impact to critical system operations. Current protection customers aren't required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required.

Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/VEF.
© 1998 – 2012 eEye Digital Security. All rights reserved.