eEye Digital Security

Microsoft Patch Disclosure
November 9th, 2010

Overview
This month, Microsoft released 3 patches which repair a total of 11 vulnerabilities. Of these 3 patches, 2 address Remote Code Execution vulnerabilities and 1 addresses Elevation of Privilege vulnerabilities.

Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.

Patch Precedence
Administrators are advised to patch MS10-087 and MS10-088 immediately to prevent exploitation by attackers.
Administrators should patch MS10-089 at their earliest convenience.

As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.

Bulletin/Advisory Summary
 

Critical
MS10-087 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)
MS10-088 - Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)

Important

MS10-089 - Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)

Bulletin/Advisory Details

MS10-087
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves one publicly disclosed vulnerability and four privately reported vulnerabilities in Microsoft Office. The most severe vulnerability could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerabilities by modifying the way that Microsoft Office software parses files and by helping to ensure a vulnerable component of Microsoft Office uses a more appropriate and secure search order when loading libraries.

  • RTF Stack Buffer Overflow Vulnerability - CVE-2010-3333
    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted Rich Text Format (RTF) data. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Office Art Drawing Records Vulnerability - CVE-2010-3334
    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted Office files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Drawing Exception Handling Vulnerability - CVE-2010-3335
    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted Office files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MSO Large SPID Read AV Vulnerability - CVE-2010-3336
    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted Office files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Insecure Library Loading Vulnerability - CVE-2010-3337
    A remote code execution vulnerability exists in the way that Microsoft Office handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
Several vulnerabilities exist in the way Microsoft Office handles Office files, the most severe of which could allow for Remote Code Execution. To successfully exploit these vulnerabilities, an attacker would need to convince a user to open a specially crafted Office file or Rich Text Format file, which would be hosted on an attacker-controlled site. Successful exploitation would permit the attacker to execute code within the user's context. If a user had administrative privileges, the attacker could gain full control of the computer.

Recommendations
Apply patch as soon as possible. Until patches can be applied, avoid opening Microsoft Office files from untrusted or unknown sources and set all emails to be displayed as plain text rather than rich text format. Additionally, administrators may set a Microsoft Office File Block Policy to block all files from Office 2003 and earlier from unknown and untrusted sources.

MS10-088
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)
Microsoft Severity Rating: Important
eEye Severity Rating: High

Description
This security update resolves two privately reported vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerabilities by changing the way that Microsoft PowerPoint parses specially crafted PowerPoint files.

  • PowerPoint Parsing Buffer Overflow Vulnerability - CVE-2010-2572
    A remote code execution vulnerability exists in the way that Microsoft PowerPoint handles specially crafted PowerPoint 95 files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • PowerPoint Integer Underflow Causes Heap Corruption Vulnerability - CVE-2010-2573
    A remote code execution vulnerability exists in the way that Microsoft PowerPoint handles specially crafted PowerPoint files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
There is a buffer overflow vulnerability and a heap corruption vulnerability in the way Microsoft PowerPoint handles PowerPoint files. To exploit these vulnerabilities, an attacker would need to convince a user to open a specially crafted PowerPoint file, which could be hosted on an attacker-controlled site or sent via email or instant messenger. Once exploited, these vulnerabilities allow an attacker to execute code with the same privileges as the user. An attacker could gain full control of the computer if the user had administrative privileges.

Recommendations
Apply patch as soon as possible. Until patches can be applied, restrict access to the pp7x32.dll file for any user running PowerPoint 2002. Additionally, administrators may set a Microsoft Office File Block Policy to block all files from Office 2003 and earlier from unknown or untrusted sources.
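
Added example (not part of the eEye newsletter): the MS10-087 and MS10-088 recommendations both rest on keeping RTF and Office 2003-and-earlier files from untrusted sources away from users until the patch is applied. The sketch below triages inbound attachments by content rather than by file name, since an RTF body saved under a .doc name is still parsed as RTF. The verdict names, extension lists and sample inputs are assumptions made for illustration, and the script does not configure Microsoft's File Block Policy itself.

```python
import os

# File signatures (well-known container headers).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound file: Office 97-2003 and earlier
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML container (.docx/.xlsx/.pptx)
RTF_PREFIX = b"{\\rt"                            # start of the {\rtf1 header, matched loosely

# Assumed extension lists for this example.
LEGACY_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot", ".pps"}
OOXML_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm", ".ppsx"}

def sniff(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the name it arrived with."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")  # be conservative: skip BOM/whitespace
    if head.startswith(RTF_PREFIX):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"

def triage(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason) for an attachment from an untrusted sender."""
    fmt = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    if fmt == "rtf":
        note = "" if ext == ".rtf" else " under a %s name" % (ext or "bare")
        return "quarantine", "RTF content" + note
    if fmt == "ole2":
        # OLE2 also carries non-Office data; holding it all is the cautious choice.
        return "quarantine", "legacy binary (Office 2003 or earlier) container"
    if fmt == "zip" and ext in OOXML_EXT:
        return "deliver", "OOXML container with matching extension"
    if ext in LEGACY_EXT | OOXML_EXT | {".rtf"}:
        return "review", "Office extension does not match content"
    return "deliver", "not an Office document"

# Constructed sample attachments (headers only, no real documents).
SAMPLES = [
    ("invoice.doc", b"{\\rtf1\\ansi constructed}"),
    ("slides.ppt", OLE2_MAGIC + b"\x00" * 24),
    ("report.docx", ZIP_MAGIC + b"[Content_Types].xml"),
    ("notes.doc", b"plain text, constructed"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, *triage(name, blob))
```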

MS10-089
Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves four privately reported vulnerabilities in Forefront Unified Access Gateway (UAG). The most severe of these vulnerabilities could allow elevation of privilege if a user visits an affected Web site using a specially crafted URL. However, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site. The security update addresses the vulnerabilities by modifying the way that UAG handles input and redirect verification.

  • UAG Redirection Spoofing Vulnerability - CVE-2010-2732
    A spoofing vulnerability exists in Forefront Unified Access Gateway (UAG). The vulnerability could allow spoofing or redirecting of traffic intended for the UAG server if a UAG user clicks a specially crafted link. An attacker could send a specially crafted URL to a user of the UAG server to redirect Web traffic to a malicious site with content similar to the original Web site. By doing so, the attacker could potentially acquire sensitive information, such as the user's credentials.
  • UAG XSS Allows EOP Vulnerability - CVE-2010-2733
    A cross-site scripting (XSS) vulnerability exists in Forefront Unified Access Gateway (UAG) that could allow specially crafted script code to run under the guise of the server. This is a non-persistent cross-site scripting vulnerability that could allow an attacker to issue commands to the UAG server in the context of the targeted user.
  • XSS Issue on UAG Mobile Portal Website in Forefront Unified Access Gateway Vulnerability - CVE-2010-2734
    A cross-site scripting (XSS) vulnerability exists in Forefront Unified Access Gateway (UAG) that could allow specially crafted script code to run under the guise of the server. This is a non-persistent cross-site scripting vulnerability that could allow an attacker to issue commands to the UAG server in the context of the targeted user.
  • XSS in Signurl.asp Vulnerability - CVE-2010-3936
    A cross-site scripting (XSS) vulnerability exists in Forefront Unified Access Gateway (UAG) that could allow specially crafted script code to run under the guise of the server. This is a non-persistent cross-site scripting vulnerability that could allow an attacker to issue commands to the UAG server in the context of the targeted user.

Analysis
There are 4 vulnerabilities within Microsoft Forefront Unified Access Gateway, the most severe of which is a spoofing vulnerability. This could be used by an attacker to convince a user that they are viewing a legitimate UAG page. The attacker could trick the user into providing credentials to the attacker, since the attacker's page would look like the UAG page they were attempting to visit. That could be used by the attacker to gain unauthorized access to the UAG.

Recommendations
Administrators are urged to patch this at their earliest convenience. There are no workarounds other than the patch provided by Microsoft.

Feedback
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to newsletter@eeye.com.

Disclaimer
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email newsletter@eeye.com for permission.
www.eeye.com | sales@eeye.com | 111 Theory, Suite 250, Irvine, CA 92617 | 866.339.3732

© 1998 – 2012 eEye Digital Security. All rights reserved.