Security in Context: The BeyondTrust Blog

Microsoft Patch Tuesday – August 2010

Posted August 10, 2010    Chris Silva

As everyone knows by now, this was a gigantic patch Tuesday with Microsoft delivering 14 security bulletins (in addition to the out-of-band bulletin from last week).  On top of that, Adobe patched Flash and ColdFusion.  It is once again going to be a long night for IT and security engineers everywhere.

One important thing to note: MS10-054 (Vulnerabilities in SMB Server Could Allow Remote Code Execution) has public exploit code available AND affects Windows 2000. As Windows 2000 is no longer supported, no patch is available (nor will one be made available unless Microsoft has a change of heart). Be sure to block TCP ports 139 and 445 at the public-facing firewall for any of your legacy Windows 2000 systems. Alternatively, you could use a host-based intrusion prevention product to block the attack.

Here are our recommendations for the fourteen security updates. You can find our full write-up in newsletter format here.

CRITICAL

MS10-049 – Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)

  • Analysis
    This patch addresses 1 remote code execution vulnerability and 1 spoofing vulnerability within the SChannel security package in Windows. For the remote code execution issue, attackers will attempt to lure victims to an attacker-controlled site; the malicious server exploits the flaw during the TLS/SSL handshake and executes arbitrary code on the victim’s machine. The spoofing vulnerability is the industry-wide TLS/SSL renegotiation flaw.
  • Recommendations
    Administrators are urged to patch all affected systems as soon as possible. There is currently no workaround for the remote code execution vulnerability described in this bulletin. Until patching is complete, the spoofing vulnerability can be mitigated on IIS servers by requiring mutual authentication.

MS10-051 – Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)

  • Analysis
    A memory corruption vulnerability exists in Microsoft XML Core Services, when handling malformed HTTP responses. Attackers could leverage this vulnerability by tricking a user into visiting a malicious website. This could ultimately lead to remote code execution on the target’s machine that would run at the same permissions as the current user.
  • Recommendations
    Administrators should roll out this patch as soon as possible. Until then, set a kill bit in Internet Explorer for the MSXML 3.0 class {F5078F35-C551-11D3-89B9-0000F81FE221} by creating the value “Compatibility Flags” as dword:00000400 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F5078F35-C551-11D3-89B9-0000F81FE221} (and under the Wow6432Node equivalent on 64-bit systems). Be aware that this blocks MSXML 3.0 for every web application in IE, including intranet applications that depend on it, until the kill bit is removed after patching.
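As an added example (our own illustration, not code from the original post or from Microsoft), the following PowerShell sets, verifies and later clears the kill bit described above. It writes to both the native and the Wow6432Node ActiveX Compatibility keys on 64-bit Windows, and ORs the bit into any existing flags rather than overwriting them. The CLSID is the MSXML 3.0 class from the bulletin; the function names are our own and the script assumes an elevated prompt.

```powershell
# Added example: set and verify an Internet Explorer kill bit (MS10-051 workaround).
# Run from an elevated PowerShell prompt. Function names are illustrative.

$Msxml3Clsid = '{F5078F35-C551-11D3-89B9-0000F81FE221}'   # CLSID named in the bulletin
$KillBitFlag = 0x400                                        # COMPAT_DISABLE bit in "Compatibility Flags"

function Get-ActiveXCompatKeys {
    # IE reads the native hive, and 32-bit IE on 64-bit Windows reads Wow6432Node,
    # so the flag has to be present in both places to be effective.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    return $keys
}

function Set-KillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    foreach ($base in Get-ActiveXCompatKeys) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $existing) { $existing = 0 }
        # OR the bit in rather than overwrite, so any other compatibility flags survive.
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($existing -bor $KillBitFlag) -Type DWord
    }
}

function Test-KillBit {
    # $true only if the kill bit is present in every hive IE can read on this machine.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    foreach ($base in Get-ActiveXCompatKeys) {
        $key = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or (($flags -band $KillBitFlag) -eq 0)) { return $false }
    }
    return $true
}

function Clear-KillBit {
    # Revert once the patch is installed; leaves any other flags untouched.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    foreach ($base in Get-ActiveXCompatKeys) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { continue }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags) {
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($flags -band (-bnot $KillBitFlag)) -Type DWord
        }
    }
}

Set-KillBit -Clsid $Msxml3Clsid
if (Test-KillBit -Clsid $Msxml3Clsid) {
    "Kill bit set for $Msxml3Clsid in every ActiveX Compatibility hive"
} else {
    throw "Kill bit missing in at least one hive for $Msxml3Clsid"
}
```

Run Clear-KillBit with the same CLSID after MS10-051 has been deployed. Test-KillBit is the check to fold into your compliance scan: a kill bit that is set in the native hive but missing under Wow6432Node leaves 32-bit IE on x64 exposed.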

MS10-052 – Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)

  • Analysis
    A buffer overflow vulnerability, which could lead to remote code execution, exists in the MPEG Layer-3 audio decoder on Windows. It can be exploited by tricking a user into viewing a site that automatically plays a crafted MP3 file. Alternatively, attackers could spread the MP3 across peer-to-peer networks, disguising it as something like a newly released track from a famous artist. Upon successful exploitation, the attacker gains control of the affected system with the same rights as the current user.
  • Recommendations
    Administrators should roll out the patch as soon as possible. Until then, restrict access to l3codecx.ax on affected systems so the decoder cannot be loaded, and remove the class ID {38BE3000-DBF4-11D0-860E-00A024CFEF6D} from affected systems. Expect MP3 playback through the Windows decoder to fail while the workaround is in place, and revert it once the patch is installed.

MS10-053 – Cumulative Security Update for Internet Explorer (2183461)

  • Analysis
    Multiple memory corruption vulnerabilities exist in Internet Explorer that allow attackers to execute code on a target’s system. In addition, an information disclosure vulnerability allows attackers to gain access to browser windows in other domains or trust zones. Public information exists for these vulnerabilities, making it easier for attackers to craft working exploits for the issues addressed by MS10-053.
  • Recommendations
    Administrators should roll this patch out as soon as possible.

MS10-054 – Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)

  • Analysis
    This bulletin addresses 1 remote code execution vulnerability and 2 denial of service vulnerabilities. The remote code execution vulnerability will be of particular interest to attackers, since it does not require authentication: a single malicious SMB request to a reachable server is enough to compromise it, and because the SMB server runs in kernel mode the attacker’s code runs with kernel-level privileges. As of this writing, public proof of concept code exists for this vulnerability and is being used by attackers in efforts to compromise and disable vulnerable systems.
  • Recommendations
    Roll out the patch to affected systems as soon as possible. Until this is done, block TCP ports 139 and 445 at the public-facing firewall. Please note this vulnerability also affects Windows 2000 systems, and because Windows 2000 has reached end of life, no patch is expected for it. A perimeter block only stops attacks from the outside; Windows 2000 hosts that must stay on the network should be isolated on their own segment, with SMB reachable only from the few systems that need it.
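After the firewall rule is in place it is worth proving it works from the outside. The following PowerShell is an added check of our own (not from the original post): run from a machine on the untrusted side of the firewall, it attempts TCP connections to 139 and 445 on each legacy host with a short timeout and reports whether the port is open, closed (the host answered with a reset, so it is reachable) or filtered (no answer, which is what a correct block looks like). The host names are placeholders.

```powershell
# Added example: verify from outside the perimeter that SMB ports on legacy hosts are blocked.
# Host names below are placeholders; run from a machine on the untrusted side of the firewall.

function Test-TcpPort {
    # Connects with an explicit timeout so a silently dropped SYN (the firewall doing its job)
    # is reported as 'filtered' instead of hanging for the OS default of roughly 20 seconds.
    param([Parameter(Mandatory=$true)][string]$ComputerName,
          [Parameter(Mandatory=$true)][int]$Port,
          [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered' }
        $client.EndConnect($async)   # throws on an active refusal (TCP RST)
        return 'open'
    } catch {
        return 'closed'              # RST, unresolvable name, or other socket error
    } finally {
        $client.Close()
    }
}

function Test-SmbExposure {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName,
          [int[]]$Port = @(139, 445))
    foreach ($h in $ComputerName) {
        foreach ($p in $Port) {
            New-Object PSObject -Property @{
                ComputerName = $h
                Port         = $p
                Status       = (Test-TcpPort -ComputerName $h -Port $p)
            }
        }
    }
}

# Placeholder host list; replace with the Windows 2000 systems behind the firewall.
$legacyHosts = @('w2k-legacy-01.example.com', 'w2k-legacy-02.example.com')
$results = Test-SmbExposure -ComputerName $legacyHosts
$results | Format-Table ComputerName, Port, Status -AutoSize

# Anything other than 'filtered' means the host is still reachable on that port from here.
$reachable = @($results | Where-Object { $_.Status -ne 'filtered' })
if ($reachable.Count -gt 0) {
    Write-Warning "$($reachable.Count) SMB port(s) still reachable from this vantage point; the block is not effective"
}
```

The distinction between closed and filtered matters: a closed result means the firewall let the packet through and the host itself answered, so the rule is wrong even though nothing is listening right now. Run the same script from an internal segment to see what an attacker who is already inside would get.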

MS10-055 – Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)

  • Analysis
    This bulletin addresses a remote code execution vulnerability in the processing of malformed media files encoded with the Cinepak codec. After exploiting this vulnerability, attackers will be able to execute code within the context of the currently logged on user.
  • Recommendations
    Administrators should push this patch to affected systems as soon as possible. Until this is possible, restrict access to iccvid.dll (for example, deny all access to the file). In addition, modify the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 (or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 for 64-bit systems) to remove the vidc.cvid value. Export the key before removing the value so the mapping can be restored after patching; Cinepak-encoded video will not play while the workaround is in place.

MS10-056 – Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)

  • Analysis
    This bulletin addresses 4 remote code execution vulnerabilities in Microsoft Office Word that are triggered while parsing malformed Word files. An attacker could create a specially crafted file that includes malformed records or malicious rich text data; when a user opens the file, the vulnerability is exploited, granting the attacker the ability to execute code within the context of the current user.
  • Recommendations
    Administrators are urged to patch all affected systems as soon as possible.

MS10-060 – Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)

  • Analysis
    This bulletin addresses 2 remote code execution vulnerabilities in the Microsoft .NET Common Language Runtime and Microsoft Silverlight, which allow an attacker to execute unmanaged code. A user would be tricked into viewing an attacker-controlled site hosting a malicious Silverlight application; when the application runs, the vulnerability on the victim’s system is exploited, giving the attacker the ability to run arbitrary code within the context of the current user. Additionally, web servers that allow users to upload and run ASP.NET code (shared hosting, for example) are exposed to the vulnerability patched in this bulletin: an attacker would upload the exploit as a web page and then request it so that the hosting server parses and runs it.
  • Recommendations
    Administrators are urged to push this patch out to affected systems as soon as they are able.

IMPORTANT

MS10-047 – Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)

  • Analysis
    This patch addresses 2 privilege elevation vulnerabilities and 1 denial of service vulnerability within the Microsoft Windows Kernel. Attackers will likely use the privilege elevation vulnerabilities to transform browser-based vulnerabilities, such as CVE-2010-2559 in MS10-053, which execute remote code at the current user’s level, into an attack that gains kernel-level privileges. This sort of combination will be a prime target for attackers.
  • Recommendations
    Currently, there are no workarounds for this bulletin. Administrators are strongly urged to update affected systems as soon as possible.

MS10-048 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)

  • Analysis
    This patch addresses 4 privilege elevation vulnerabilities and 1 denial of service vulnerability within Windows kernel-mode drivers. Similar to MS10-047, attackers will look for ways to gain user-level access on a target system and then exploit one or more of these vulnerabilities to gain kernel-level access to the machine. Attackers will be very interested in this kind of vulnerability, since it can be used to control all aspects of a system and launch further attacks at other computers.
  • Recommendations
    Currently, there are no workarounds for this bulletin. Administrators are strongly urged to update affected systems as soon as possible.

MS10-050 – Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)

  • Analysis
    A remote code execution vulnerability exists in Windows Movie Maker in how it parses the project file formats. If an attacker were to convince a user to open an attacker-provided Movie Maker project file, the vulnerability would be exploited and the user’s system would become compromised, allowing the attacker to execute code at the same level as the currently logged on user.
  • Recommendations
    Administrators should patch affected systems as soon as the critical patches have been applied. Until then, administrators can mitigate this threat by removing the .MSWMM file extension association in the registry, which is done by deleting the HKEY_CLASSES_ROOT\.MSWMM key. Export the key first so the association can be restored after patching.
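The workarounds for MS10-052 (restrict l3codecx.ax), MS10-055 (restrict iccvid.dll and remove the vidc.cvid mapping from Drivers32) and MS10-050 (delete the HKEY_CLASSES_ROOT\.MSWMM key) all share the same shape: a file ACL change or a registry removal that has to be undone once the patch is installed. The PowerShell below is an added example of our own (not code from the original post or from Microsoft) that applies all three in a reversible way, saving each original DACL with icacls and each registry key with reg.exe before touching it. The backup folder name and the function names are our own choices, and the script assumes an elevated prompt.

```powershell
# Added example: reversible workarounds for MS10-052, MS10-055 and MS10-050.
# Run from an elevated prompt. $BackupDir and the function names are illustrative.

$BackupDir = Join-Path $env:ProgramData 'PatchTuesdayWorkarounds'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Get-CodecPaths {
    # A 64-bit system also carries a 32-bit copy of each codec under SysWOW64.
    param([Parameter(Mandatory=$true)][string]$FileName)
    $paths = @((Join-Path $env:windir "System32\$FileName"))
    $wow = Join-Path $env:windir "SysWOW64\$FileName"
    if (Test-Path $wow) { $paths += $wow }
    return $paths
}

function Disable-CodecFile {
    # Deny every principal access to the codec binary so no process can load it
    # (the bulletins' "restrict access to" workaround).
    param([Parameter(Mandatory=$true)][string]$FileName)
    foreach ($path in Get-CodecPaths $FileName) {
        if (-not (Test-Path $path)) { continue }
        $backup = Join-Path $BackupDir (($path -replace '[\\:]', '_') + '.acl')
        takeown /f $path | Out-Null                  # System32 files are owned by TrustedInstaller
        icacls $path /save $backup | Out-Null        # original DACL, consumed by Restore-CodecFile
        icacls $path /deny 'Everyone:(F)' | Out-Null
    }
}

function Restore-CodecFile {
    param([Parameter(Mandatory=$true)][string]$FileName)
    foreach ($path in Get-CodecPaths $FileName) {
        $backup = Join-Path $BackupDir (($path -replace '[\\:]', '_') + '.acl')
        if (-not (Test-Path $backup)) { continue }
        # icacls /restore is given the directory that contains the file named in the backup.
        icacls (Split-Path -Parent $path) /restore $backup | Out-Null
    }
}

function Backup-AndRemoveRegistry {
    # Exports the key with reg.exe (so 'reg import <file>' reverts it), then removes either
    # one value (when $ValueName is given) or the whole key. $Key uses the full hive name,
    # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\..., which both reg.exe and the Registry:: provider accept.
    param([Parameter(Mandatory=$true)][string]$Key, [string]$ValueName)
    $psPath = 'Registry::' + $Key
    if (-not (Test-Path $psPath)) { return }         # e.g. Wow6432Node on a 32-bit system
    $name = (($Key + '_' + $ValueName) -replace '[\\:.]', '_') + '.reg'
    $backup = Join-Path $BackupDir $name
    reg export $Key $backup /y | Out-Null
    if ($ValueName) {
        if ($null -ne (Get-ItemProperty -Path $psPath -Name $ValueName -ErrorAction SilentlyContinue)) {
            Remove-ItemProperty -Path $psPath -Name $ValueName
        }
    } else {
        Remove-Item -Path $psPath -Recurse
    }
}

# MS10-052: MPEG Layer-3 decoder.  MS10-055: Cinepak decoder and its Drivers32 mapping.
Disable-CodecFile 'l3codecx.ax'
Disable-CodecFile 'iccvid.dll'
$drivers32 = @('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
               'SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32')
foreach ($sub in $drivers32) {
    Backup-AndRemoveRegistry -Key "HKEY_LOCAL_MACHINE\$sub" -ValueName 'vidc.cvid'
}

# MS10-050: drop the .MSWMM file association (whole key, backed up first).
Backup-AndRemoveRegistry -Key 'HKEY_CLASSES_ROOT\.MSWMM'

"Workarounds applied; backups for rollback are in $BackupDir"
```

To roll back after the patches are deployed, call Restore-CodecFile for each codec and run `reg import` on the .reg files in the backup folder. Note that takeown leaves the codec files owned by the account that ran the script rather than TrustedInstaller; the restored DACL is what matters for the workaround, but keep that in mind if a later servicing operation complains about ownership.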

MS10-057 – Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)

  • Analysis
    This bulletin addresses a remote code execution vulnerability in how Microsoft Office Excel parses Excel files. If an attacker were to convince a user to open a crafted Excel file, whether hosted on a website or sent as an email attachment, the vulnerability would be exploited on the victim’s system, giving the attacker the ability to execute arbitrary code within the context of the current user.
  • Recommendations
    Administrators are urged to roll out this patch to affected systems as soon as possible.

MS10-058 – Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)

  • Analysis
    A privilege elevation vulnerability exists in the Windows TCP/IP stack. An attacker would need to be able to log on to a system and run a malicious program that exploits this vulnerability, which would give the attacker system-level access to the machine. Attackers would likely use compromised servers as a launching point for further attacks.
  • Recommendations
    Administrators are urged to push this patch out to affected systems as soon as they are able.

MS10-059 – Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799)

  • Analysis
    A vulnerability exists in the Tracing Feature for Services in Microsoft Windows, which could allow for elevation of privileges. To successfully exploit this vulnerability, an attacker would need to log into the target machine, or gain access through the use of other means like browser exploits, and execute a malicious application. This would give an attacker complete control of the target system, from which they are likely to launch further attacks against other systems.
  • Recommendations
    Administrators are urged to push this patch out to affected systems as soon as they are able.

eEye Digital Security will be holding a vulnerability expert forum (VEF) Thursday August 12th at 11AM PDT. The vulnerability expert forum is a live webcast where the eEye research team will discuss these patches and additional security landscape topics. Marc Maiffret will be making a special guest appearance, so be sure to sign up in advance.
