Bulletin/Advisory Details
MS10-061
Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves a publicly disclosed vulnerability in the Print Spooler service. The vulnerability could allow remote code execution if an attacker sends a specially crafted print request to a vulnerable system that has a print spooler interface exposed over RPC. By default, printers are not shared on any currently supported Windows operating system. The security update addresses the vulnerability by correcting the manner in which the Printer Spooler service validates user permissions.
- Print Spooler Service Impersonation Vulnerability - CVE-2010-2729
A remote code execution vulnerability exists in the Windows Print Spooler service that could allow a remote, unauthenticated attacker to execute arbitrary code on an affected Windows XP system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. This is an elevation of privilege vulnerability on all other supported Microsoft Windows systems.
Analysis
A vulnerability exists within the Print Spooler service in Windows that could allow an attacker to run arbitrary code remotely with SYSTEM-level permissions. The service does not fully enforce the user permission settings that apply to print spoolers. An attacker could exploit this vulnerability by sending an RPC request that creates a malicious file in a specific folder on the target system, where the system would then automatically execute it. The root cause is that the attacker's credentials are not properly validated before the file is allowed to be created on the remote system.
Recommendations
Administrators should install this patch as soon as possible, since the vulnerability has been publicly disclosed and is currently being exploited in the wild. To mitigate without the patch, block all ports associated with RPC at the external firewall. In addition, disable printer sharing until the patch has been applied.
MS10-062
Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves a privately reported vulnerability in MPEG-4 codec. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by modifying the way that the MPEG-4 codec handles specially crafted media content.
- MPEG-4 Codec Vulnerability - CVE-2010-0818
A remote code execution vulnerability exists in the way that the MPEG-4 codec handles supported format files. This vulnerability could allow code execution if a user opened a specially crafted media file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
The vulnerability is exploited by opening a malicious video stream or file (e.g., ASF, WMV, and WMA file types) that is parsed by the Windows MPEG-4 decoder. Any program that uses this decoder is exposed to the vulnerability, since the flaw is in the Windows codec rather than in the application. Upon successful exploitation, the attacker gains complete control of the system.
Recommendations
Administrators should install the patch as soon as possible. Until the patch is installed, restrict access to the MPEG-4 version 1 codec by removing the registry keys HKEY_CLASSES_ROOT\CLSID\{82CCD3E0-F71A-11D0-9FE5-00609778EA66} and HKEY_CLASSES_ROOT\CLSID\{2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2}.
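The following PowerShell script is an added example, not part of the eEye bulletin or Microsoft's own guidance: it audits the two CLSID keys named above, reports the DLL each one resolves to, and, when run with -Remove, exports a .reg backup before deleting the key so the registration can be restored after patching. The backup directory is an assumed location; the script must run elevated.

```powershell
# Added example (not from the eEye bulletin): audit and optionally remove the two
# MPEG-4 codec CLSID registrations named in the MS10-062 workaround.
# Assumes an elevated session; $BackupDir is an assumed path.
param(
    [switch]$Remove,
    [string]$BackupDir = "$env:ProgramData\MS10-062-backup"
)

# The two CLSIDs come from the bulletin text above.
$clsids = @(
    '{82CCD3E0-F71A-11D0-9FE5-00609778EA66}',
    '{2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2}'
)

# PowerShell has no HKCR: drive by default; map one for Test-Path / Remove-Item.
if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

foreach ($clsid in $clsids) {
    $key = "HKCR:\CLSID\$clsid"
    if (-not (Test-Path $key)) {
        Write-Output "$clsid : not registered (already removed or codec absent)"
        continue
    }

    # Record which DLL the CLSID points at so the change is auditable.
    $server = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    Write-Output "$clsid : registered -> $server"

    if ($Remove) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $backup = Join-Path $BackupDir ("CLSID_" + $clsid.Trim('{}') + ".reg")
        # reg.exe export produces a file that 'reg.exe import' restores once the patch is on.
        & reg.exe export "HKEY_CLASSES_ROOT\CLSID\$clsid" $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "backup of $clsid failed; not removing it" }
        Remove-Item -Path $key -Recurse -Force
        Write-Output "$clsid : removed (backup: $backup)"
    }
}
```

On 64-bit Windows the 32-bit codec is registered separately under HKEY_CLASSES_ROOT\Wow6432Node\CLSID, so the same two keys should be checked there as well.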
MS10-063
Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2320113)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves a privately reported vulnerability in the Unicode Scripts Processor. The vulnerability could allow remote code execution if a user viewed a specially crafted document or Web page with an application that supports embedded OpenType fonts. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by correcting the way that Windows parses specific characteristics of OpenType fonts.
- Uniscribe Font Parsing Engine Memory Corruption Vulnerability - CVE-2010-2738
A remote code execution vulnerability exists in affected versions of Microsoft Windows and Microsoft Office. The vulnerability exists because Windows and Office incorrectly parse specific font types in such a way that could allow remote code execution. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.
Analysis
A vulnerability exists in the way the Unicode Scripts Processor processes OpenType fonts in Windows and third-party applications. Programs such as Microsoft Office and Web browsers can be exploited when they attempt to parse specially constructed content (e.g., a document or Web page). If successfully exploited, the attacker can run arbitrary code on the affected system as the logged-on user. Users with fewer user rights may be less affected than users who are administrators.
Recommendations
Administrators are urged to apply this patch immediately. Until that can be done, system administrators are urged to modify the ACL (Access Control List) on usp10.dll and to disable support for parsing embedded fonts in Internet Explorer.
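The PowerShell below is an added example of the two workarounds just described, not code from the bulletin: it backs up the ACL of usp10.dll, adds a deny ACE for Everyone, and sets the Internet Explorer "Font download" zone setting (registry value 1604, as documented in Microsoft's security-zone registry reference) to Disable for the Internet and Restricted Sites zones. The backup path is an assumption; run elevated.

```powershell
# Added example (not from the eEye bulletin): apply the MS10-063 workarounds.
# (1) deny access to usp10.dll, (2) disable IE font download in zones 3 and 4.
# Assumes an elevated session; $AclBackup is an assumed path.
param(
    [string]$Dll = "$env:SystemRoot\System32\usp10.dll",
    [string]$AclBackup = "$env:ProgramData\usp10-acl-backup.txt"
)

# On Vista and later the file is owned by TrustedInstaller, so administrators
# must take ownership before they can change its DACL.
& takeown.exe /f $Dll | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not take ownership of $Dll" }

# Save the current ACL first; it is restored later with:
#   icacls <directory containing usp10.dll> /restore <backup file>
& icacls.exe $Dll /save $AclBackup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not back up the ACL of $Dll" }

# Deny Everyone full access. Applications that depend on Uniscribe will fail
# to load it, which is the intended trade-off until the patch is installed.
& icacls.exe $Dll /deny 'Everyone:(F)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not add the deny ACE on $Dll" }

# IE zone value 1604 = "Font download": 0 = Enable, 1 = Prompt, 3 = Disable.
$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
foreach ($zone in 3, 4) {          # 3 = Internet zone, 4 = Restricted Sites zone
    Set-ItemProperty -Path (Join-Path $zones $zone) -Name '1604' -Value 3 -Type DWord
}

# Verification: the deny ACE must be visible and both zone values must read 3.
$acl = & icacls.exe $Dll
if (-not ($acl -match 'Everyone:\(DENY\)')) { throw "deny ACE not present on $Dll" }
foreach ($zone in 3, 4) {
    $v = (Get-ItemProperty -Path (Join-Path $zones $zone) -Name '1604').'1604'
    Write-Output "Zone $zone font download setting = $v"
}
Write-Output "ACL backup written to $AclBackup"
```

On 64-bit systems a second copy of usp10.dll lives in SysWOW64 and needs the same treatment; the zone setting is per user, so apply it under each profile or through Group Policy.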
MS10-064
Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened or previewed a specially crafted e-mail message using an affected version of Microsoft Outlook that is connected to an Exchange server with Online Mode. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update addresses the vulnerability by correcting the way that Microsoft Outlook parses content in a specially crafted e-mail message.
- Heap Based Buffer Overflow in Outlook Vulnerability - CVE-2010-2728
A remote code execution vulnerability exists in the way that Microsoft Outlook parses content in a specially crafted e-mail message. This vulnerability exists only in configurations where Outlook connects to an Exchange Server in Online Mode. Configurations where Outlook connects to an Exchange Server in the Cached Exchange Mode are not affected. In addition, configurations where Outlook uses POP or IMAP mail servers only are not affected by this vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
A heap-based buffer overflow vulnerability exists within Microsoft Outlook that could allow an attacker to execute arbitrary code remotely on a victim's system, within the context of the current user. An attacker only needs to send a crafted e-mail message to the victim and convince them to preview or open it; at that point the vulnerability is triggered.
Recommendations
Administrators should apply this patch immediately; until it has been applied, e-mail should be read in plain text to mitigate this vulnerability.
MS10-065
Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Information Services (IIS). The most severe of these vulnerabilities could allow remote code execution if a client sends a specially crafted HTTP request to the server. An attacker who successfully exploited this vulnerability could take complete control of an affected system. The security update addresses the vulnerabilities by modifying the way that IIS handles specially crafted HTTP requests.
- IIS Repeated Parameter Request Denial of Service Vulnerability - CVE-2010-1899
A denial of service vulnerability exists in Internet Information Services (IIS) that could allow an attacker who successfully exploited it to interrupt service, causing the server to become unresponsive. An attacker could exploit the vulnerability by sending specially crafted URL requests to Active Server Pages on a Web site hosted by IIS.
- Request Header Buffer Overflow Vulnerability - CVE-2010-2730
A remote code execution vulnerability exists in Internet Information Services (IIS) that an attacker could exploit by sending specially crafted HTTP requests to IIS servers with FastCGI enabled.
- Directory Authentication Bypass Vulnerability - CVE-2010-2731
An elevation of privilege vulnerability exists in Internet Information Services (IIS). An attacker who successfully exploited this vulnerability could bypass the need to authenticate to access restricted resources.
Analysis
Two of these issues are of most concern. A denial of service vulnerability exists in the way IIS handles requests with repeated parameters sent to Active Server Pages, and a buffer overflow exists in the way IIS servers with FastCGI enabled handle request headers. For the latter, an attacker can construct a specially formed HTTP request and gain control of a server with FastCGI enabled, giving the attacker full access to the machine.
Recommendations
System Administrators are urged to install the patch as soon as possible. Until this is done, administrators should disable ASP on IIS servers.
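For administrators who cannot disable ASP right away, the following PowerShell is an added detection example (not from the eEye bulletin): it parses IIS W3C log lines and flags requests to .asp pages whose query string repeats one parameter name an abnormal number of times, the traffic pattern behind the repeated parameter denial of service above. The log lines are constructed here, and $Threshold is an assumed tuning value.

```powershell
# Added example (not from the eEye bulletin): flag ASP requests with heavily
# repeated query parameters in IIS W3C logs. $Threshold is an assumed value.
param([int]$Threshold = 20)

function Find-RepeatedParamRequests {
    param([string[]]$Lines, [int]$Threshold)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: directive defines the column order for the lines that follow.
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }
        # Only ASP pages with a query string are relevant to CVE-2010-1899.
        if ($rec['cs-uri-stem'] -notmatch '\.asp$' -or $rec['cs-uri-query'] -eq '-') { continue }
        # Count occurrences of each parameter name in the query string.
        $counts = @{}
        foreach ($pair in $rec['cs-uri-query'] -split '&') {
            $name = ($pair -split '=', 2)[0]
            $counts[$name] = 1 + [int]$counts[$name]
        }
        $worst = $counts.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 1
        if ($worst.Value -ge $Threshold) {
            [pscustomobject]@{
                Time    = "$($rec['date']) $($rec['time'])"
                Client  = $rec['c-ip']
                Page    = $rec['cs-uri-stem']
                Param   = $worst.Key
                Repeats = $worst.Value
                Status  = $rec['sc-status']
            }
        }
    }
}

# Constructed sample log: three benign requests and one with 40 repeats of "x".
$flood = (1..40 | ForEach-Object { "x=$_" }) -join '&'
$sampleLog = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status',
    '2010-09-14 10:01:02 10.0.0.5 GET /default.asp id=1 80 192.0.2.10 200',
    '2010-09-14 10:01:03 10.0.0.5 GET /login.asp user=a&user=b&user=c 80 192.0.2.11 200',
    "2010-09-14 10:01:04 10.0.0.5 GET /default.asp $flood 80 192.0.2.12 500",
    '2010-09-14 10:01:05 10.0.0.5 GET /img/logo.png - 80 192.0.2.13 200'
)

# Expected: a single hit for 192.0.2.12 on /default.asp with Param x, Repeats 40.
Find-RepeatedParamRequests -Lines $sampleLog -Threshold $Threshold | Format-Table -AutoSize
```

To run it over real logs, replace $sampleLog with Get-Content on the files under the site's log directory; a burst of hits from one client is the signal worth alerting on.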
MS10-066
Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (982802)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. The security update addresses the vulnerability by correcting the way that the RPC client allocates memory prior to loading RPC responses passed by a remote server.
- RPC Memory Corruption Vulnerability - CVE-2010-2567
An unauthenticated remote code execution vulnerability exists in the way that the Remote Procedure Call (RPC) client implementation allocates memory when parsing specially crafted RPC responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted RPC response to a client-initiated RPC request. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
A memory corruption vulnerability exists in the RPC client within Windows XP SP3 and Windows Server 2003 SP2, which could allow an attacker to execute arbitrary code remotely. It could be exploited by an attacker who controls either their own server or a compromised server that handles RPC requests: when that server receives an RPC request from a client, it sends back a malicious response that exploits the vulnerability on the requesting client's system. Any code executed this way runs with the same rights as the RPC client application.
Recommendations
Administrators should patch this as soon as possible. To mitigate without patches, block all ports associated with RPC at the external firewall level.
MS10-067
Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. The security update addresses the vulnerability by changing the way that the WordPad Text Converters handle specially crafted files.
- WordPad Word 97 Text Converter Memory Corruption Vulnerability - CVE-2010-2563
A remote code execution vulnerability exists in the way that Microsoft WordPad processes memory when parsing a specially crafted Word 97 document. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed structure.
Analysis
A vulnerability allowing an attacker to execute code remotely exists within WordPad. The attack exploits the way the WordPad text converter parses specific fields within a Word 97 document. A user would have to open a malicious Word 97 document, received by e-mail or hosted on a Web page, for the attacker to gain control of the machine. Code executes with the privileges of the logged-in user.
Recommendations
System administrators are urged to apply the patch as soon as possible; until it is applied, administrators can disable WordPad's access to the Word 97 text converter.
MS10-068
Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow elevation of privilege if an authenticated attacker sent specially crafted Lightweight Directory Access Protocol (LDAP) messages to a listening LSASS server. In order to successfully exploit this vulnerability, an attacker must have a member account within the target Windows domain. However, the attacker does not need to have a workstation joined to the Windows domain. The security update addresses the vulnerability by correcting the manner in which the Local Security Authority Subsystem Service (LSASS) handles certain LDAP messages.
- LSASS Heap Overflow Vulnerability - CVE-2010-0820
An authenticated elevation of privilege vulnerability exists in Microsoft Windows due to the way that the Local Security Authority Subsystem Service (LSASS) improperly handles certain Lightweight Directory Access Protocol (LDAP) messages. The vulnerability exists in implementations of Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). An attacker must have previously authenticated with the LSASS server prior to exploiting this issue. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
A vulnerability exists within the Windows Local Security Authority Subsystem Service (LSASS) that could allow an attacker to elevate their privileges, although an exploitation attempt will most likely cause the machine to stop responding and eventually restart. To exploit the system, however, the attacker must have an authenticated session with the target server.
Recommendations
System administrators should apply this patch immediately, especially on domain-joined systems. For systems not running on a domain, the issue is less critical.
MS10-069
Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. The security update addresses the vulnerability by correcting the way that the Client/Server Runtime Subsystem (CSRSS) allocates memory when handling certain transactions.
- CSRSS Local Elevation of Privilege Vulnerability - CVE-2010-1891
An elevation of privilege vulnerability exists in the Windows CSRSS due to the way that the CSRSS assigns memory for specific user transactions. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
A vulnerability exists in the Windows Client/Server Runtime Subsystem that allows an attacker to elevate privileges, but only on machines with Chinese, Japanese or Korean system locales. To exploit this issue, an attacker would have to log on to the system and run a specially constructed application, which would then execute arbitrary code with elevated privileges.
Recommendations
System administrators are urged to apply this patch last among this month's updates; standard best practices that limit an attacker's ability to log on to the system and run programs should already reduce the opportunity for exploitation.