eEye Digital Security
Alert - eEye Security Bulletin
Microsoft Patch Disclosure - May 11, 2010
Overview
This month, Microsoft released two patches which repair a total of two vulnerabilities. Both of these patches address Remote Code Execution vulnerabilities.

Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.
Patch Precedence
Administrators are advised to patch MS10-030 and MS10-031 immediately to prevent exploitation by attackers, preferably after environment testing, or to apply the patches to those environments that have the specifically affected software deployed.

As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.
Bulletin/Advisory Summary
Critical
MS10-030 - Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542)
MS10-031 - Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213)
Bulletin/Advisory Details
Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542)
http://www.microsoft.com/technet/security/Bulletin/MS10-030.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves a privately reported vulnerability in Outlook Express, Windows Mail, and Windows Live Mail. The vulnerability could allow remote code execution if a user visits a malicious e-mail server. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by correctly validating e-mail server responses.
  • Outlook Express and Windows Mail Integer Overflow Vulnerability - CVE-2010-0816
    An unauthenticated remote code execution vulnerability exists in the way that Windows Mail Client handles specially crafted mail responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted response to a client initiating a connection to a server under his control using the common mail protocols POP3 and IMAP.
Analysis
An attacker, with a malicious mail server, can send malicious response packets to a client-initiated POP3 request. The malicious response packets could trigger an integer overflow which could possibly allow the execution of arbitrary code. Successful exploitation would give the attacker the same privileges as the currently logged on user. If the current user is logged on as an administrator, the attacker would have gained complete control of the system, potentially allowing them to install malicious software to control the computer. The attacker could use it to gain personal and/or private information and launch attacks against other computers throughout the network.
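The bug class described above, shown as an added example that is not code from eEye, Microsoft, or the affected products: a client that multiplies a server-supplied count without validation, next to a parser that validates the reply before doing any arithmetic. The bulletin does not say which response or field is affected; the POP3 STAT reply (RFC 1939), the `msg_slot` record, and the `MAX_MESSAGES` cap are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-message record a mail client might allocate. */
struct msg_slot { uint32_t size; uint32_t flags; };

#define MAX_MESSAGES 1000000u /* assumed policy cap, not from the bulletin */

/* Unchecked pattern: the 32-bit multiply wraps, so a huge server-supplied
 * count produces a tiny allocation size that later writes would overrun. */
uint32_t alloc_size_unchecked(uint32_t count) {
    return count * (uint32_t)sizeof(struct msg_slot);
}

/* Validate "+OK <count> <octets>" before any arithmetic on the count.
 * Returns 0 and fills the outputs on success, -1 on any malformed input. */
int parse_stat_checked(const char *line, uint32_t *count, size_t *alloc_bytes) {
    char *end;
    unsigned long long n;

    if (strncmp(line, "+OK ", 4) != 0) return -1;
    if (line[4] < '0' || line[4] > '9') return -1;   /* no sign, no blank */
    errno = 0;
    n = strtoull(line + 4, &end, 10);
    if (errno == ERANGE || *end != ' ') return -1;
    if (end[1] < '0' || end[1] > '9') return -1;     /* octet field present */
    if (n > MAX_MESSAGES) return -1;                 /* range check first */
    if (n > SIZE_MAX / sizeof(struct msg_slot)) return -1; /* overflow guard */
    *count = (uint32_t)n;
    *alloc_bytes = (size_t)n * sizeof(struct msg_slot);
    return 0;
}

int main(void) {
    /* Constructed sample replies (CRLF already stripped), not captured traffic. */
    const char *samples[] = { "+OK 2 320", "+OK 536870913 320", "+OK -1 320" };
    for (size_t i = 0; i < 3; i++) {
        uint32_t c = 0; size_t b = 0;
        int rc = parse_stat_checked(samples[i], &c, &b);
        printf("%-20s rc=%d count=%u bytes=%zu\n", samples[i], rc, (unsigned)c, b);
    }
    printf("unchecked size for 536870913 slots: %u\n",
           (unsigned)alloc_size_unchecked(536870913u));
    return 0;
}
```

The unchecked helper returns 8 bytes for a count of 536870913, which is the mismatch between allocation size and element count that validating the server response prevents.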
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Until this is done, users are advised to use a web-based email interface instead of a client-side email application such as Microsoft Outlook.
Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213)
http://www.microsoft.com/technet/security/Bulletin/MS10-031.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves a privately reported vulnerability in Microsoft Visual Basic for Applications. The vulnerability could allow remote code execution if a host application opens and passes a specially crafted file to the Visual Basic for Applications runtime. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerability by modifying the way that Visual Basic for Applications searches for ActiveX Controls embedded in documents.
  • VBE6.DLL Stack Memory Corruption Vulnerability - CVE-2010-0815
    A remote code execution vulnerability exists in the way that Microsoft Visual Basic for Applications searches for ActiveX controls. This vulnerability could allow remote code execution if a host application opens and passes a specially crafted file to the Visual Basic for Applications runtime. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
Attackers will try to convince users to open malicious files, sent to them as either a complete document or a link to a document hosted on a malicious site, through spoofed emails, instant messages, or other electronic communication methods. Upon opening the malicious file, the vulnerability would be triggered. If successful, exploitation of the vulnerability would allow the attacker the same privileges as the current user. If the user has administrator rights, the attacker would have complete control of the computer and could install malicious software, such as Trojans and backdoors. These would be used to gather personal and/or private information and launch attacks on more computers throughout the network.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. In the meantime, administrators should restrict access to VBE6.dll. Doing so prevents embedded ActiveX controls from running inside Microsoft Office documents.
The eEye Advantage

Assessment
eEye Digital Security's customers can update their Retina scanner to detect systems vulnerable to these latest issues and verify that this month's Microsoft patches are installed. Updated vulnerability audits are automatically available to eEye Retina vulnerability assessment customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/Resources/Security-Center/Patch-Tuesday/Audits/May-2010.aspx

Protection
eEye's line of security modules protects from the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity. The result is complete protection for the system and the sensitive data that resides on it with zero downtime or impact to critical system operations. Current protection customers aren't required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required.

Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/VEF.
© 1998 – 2012 eEye Digital Security. All rights reserved.