eEye Digital Security
Alert - eEye Security Bulletin
Microsoft Patch Disclosure - March 09, 2010
Overview
This month Microsoft released two patches which repair a total of eight vulnerabilities. These patches address remote code execution vulnerabilities within Microsoft Movie Maker, Microsoft Producer 2003 Plug-in, and all versions of Microsoft Office Excel and Excel Viewer from XP/2002 through 2008.

Additionally, Microsoft issued a security advisory for a new zero-day vulnerability discovered in Internet Explorer 6 and Internet Explorer 7 that could allow remote code execution. Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.
 
Patch Precedence
Of the two bulletins and one advisory released this month, administrators are advised to patch 981374 and MS10-017 immediately due to the common installation base of Internet Explorer 6, Internet Explorer 7, Microsoft Office and Microsoft Office Viewer. Administrators should then patch MS10-016 wherever necessary, as attackers can easily target users who have any of the Microsoft Movie Maker software preinstalled.

As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.
Bulletin/Advisory Summary
Critical
981374 - Vulnerability in Internet Explorer Could Allow Remote Code Execution (981374)

Important
MS10-016 - Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)
MS10-017 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)
Bulletin/Advisory Details
Vulnerability in Internet Explorer Could Allow Remote Code Execution (981374)
http://www.microsoft.com/technet/security/advisory/981374.mspx
Microsoft Severity Rating: N/A
eEye Severity Rating: Critical
 

Description
Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7. Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected. The main impact of the vulnerability is remote code execution. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.
  • Microsoft Internet Explorer Use-After-Free Vulnerability - CVE-2010-0806
    The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. Under certain conditions, the invalid pointer can be accessed after an object is deleted. In a specially crafted attack, Internet Explorer's attempt to access the freed object can allow remote code execution.
Recommendations
Download eEye's Blink Professional and Blink Personal Endpoint Security solutions to protect from memory-corruption vulnerabilities generically without the need for any updates. Alternatively, users can upgrade to Internet Explorer 8 to mitigate this vulnerability.
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)
http://www.microsoft.com/technet/security/Bulletin/MS10-016.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
 

Description
This security update addresses a privately reported vulnerability in Windows Movie Maker and Microsoft Producer 2003. Windows Live Movie Maker, which is available for Windows Vista and Windows 7, is not affected by this vulnerability. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker or Microsoft Producer project file and convinced the user to open the specially crafted file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The security update addresses the vulnerability by changing the way that Windows Movie Maker parses project files. There is no security update available for Microsoft Producer 2003 at this time.
  • Movie Maker and Producer Buffer Overflow Vulnerability - CVE-2010-0265
    A remote code execution vulnerability exists in the way that Windows Movie Maker and Microsoft Producer 2003 handle specially crafted project files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
This vulnerability is due to Windows Movie Maker and Microsoft Producer 2003 mishandling malformed project files (.MSWMM, .MSProducer, .MSProducerZ, .MSProducerBF extensions) when they are opened. This will lead to a memory corruption scenario that could potentially allow arbitrary code execution in the context of the current user. Attackers could use emails, social engineering tactics, and web sites that host malicious files in order to trick users into executing a malicious file that would compromise a system.
Recommendations
Block the vulnerable file formats (.MSWMM, .MSProducer, .MSProducerZ, .MSProducerBF extensions) from being downloaded at the email and web gateway. Disable file associations with the Microsoft Movie Maker file types and use CACLs to disable execution of Microsoft Producer wherever it is installed. Administrators should also patch this vulnerability wherever possible.
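The gateway check recommended above, sketched as an added example (not eEye's or Microsoft's code): a Python filter that flags the four project-file extensions by name, normalising case and trailing dots or spaces and looking inside ZIP attachments. The function names, the member limit and the sample archive are assumptions constructed for illustration.

```python
import io
import ntpath
import zipfile

# Project-file extensions named in the MS10-016 recommendation above.
BLOCKED_EXTENSIONS = {".mswmm", ".msproducer", ".msproducerz", ".msproducerbf"}


def is_blocked_name(filename):
    """True if Windows would open `filename` as one of the blocked project types."""
    # Win32 drops trailing dots and spaces when the file is saved, so
    # "deck.MSProducerZ. " lands on disk as "deck.MSProducerZ".
    name = ntpath.basename(filename).rstrip(". ")
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in BLOCKED_EXTENSIONS


def scan_attachment(filename, data, max_members=1000):
    """Return the names that should cause the gateway to block this attachment."""
    hits = [filename] if is_blocked_name(filename) else []
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return hits
    try:
        with zipfile.ZipFile(buf) as archive:
            members = archive.namelist()
    except zipfile.BadZipFile:
        # Fail closed: an archive the filter cannot list is not passed through.
        return hits + [filename + " (unreadable archive)"]
    if len(members) > max_members:
        return hits + [filename + " (too many members to inspect)"]
    return hits + [filename + "!" + m for m in members if is_blocked_name(m)]


def build_sample_zip():
    """Constructed sample: a ZIP holding one harmless file and one project file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("notes.txt", "constructed sample")
        archive.writestr("Q1/budget.MSWMM", "constructed sample, not a real project")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_attachment("holiday.mswmm", b""))
    print(scan_attachment("photos.zip", build_sample_zip()))
```

Only the last extension is compared, because that is the one Windows uses to pick the handler; a name such as `report.mswmm.pdf` is therefore not flagged.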
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)
http://www.microsoft.com/technet/security/bulletin/MS10-017.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
 

Description
This security update resolves seven privately reported vulnerabilities in Microsoft Office Excel. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The update addresses the vulnerabilities by changing the way that Microsoft Office Excel parses specially crafted Excel files.
  • Microsoft Office Excel Record Memory Corruption Vulnerability - CVE-2010-0257
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Microsoft Office Excel Sheet Object Type Confusion Vulnerability - CVE-2010-0258
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Microsoft Office Excel MDXTUPLE Record Heap Overflow Vulnerability - CVE-2010-0260
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Microsoft Office Excel MDXSET Record Heap Overflow Vulnerability - CVE-2010-0261
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Microsoft Office Excel FNGROUPNAME Record Uninitialized Memory Vulnerability - CVE-2010-0262
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Microsoft Office Excel XLSX File Parsing Code Execution Vulnerability - CVE-2010-0263
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability - CVE-2010-0264
    A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
This patch addresses seven vulnerabilities within Microsoft Excel that could allow remote code execution in the context of the current user. Attackers will likely focus on these vulnerabilities this Patch Tuesday, developing exploits which they will host on malicious websites. Attackers will then use spear-phishing email tactics or email attachments in order to trick users into downloading malicious Excel documents. From here, attackers will compromise machines and install botnet Trojans or other malware in order to maintain control over the machine and steal potentially sensitive information to be sold or used at a later time.
Recommendations
Administrators are urged to patch these vulnerabilities as soon as possible, as there is currently no effective alternate mitigation strategy that does not impair Microsoft Office's rendering and performance.
The eEye Advantage

Assessment
eEye Digital Security's customers can update their Retina scanner to detect systems vulnerable to these latest issues and verify that this month's Microsoft patches are installed. Updated vulnerability audits are automatically available to eEye Retina vulnerability assessment customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/Resources/Security-Center/Patch-Tuesday/Audits/March-2010.aspx

Protection
eEye's line of security modules protects from the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity. The result is complete protection for the system and the sensitive data that resides on it with zero downtime or impact to critical system operations. Current protection customers aren't required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required.

Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/Company/News-and-Events/Vulnerability-Expert-Forum.aspx.