BeyondTrust

Security In Context

Microsoft Patch Tuesday – June 2010

Post by Chris Silva June 8, 2010

Before we get into today’s details, apologies for the lack of an advanced notification post last Thursday – I was out of the office and good ghost writers are hard to find these days.

As for the security bulletins, Microsoft answered back with ten this month – gone is the hope of leaving at a reasonable time today. On top of that, it isn’t even dinner time and we are almost out of my current caffeinated beverage of choice, Heritage Dr. Pepper. It is going to be a long night for everyone.

Here are our recommendations for the ten security updates. You can find our full write-up in newsletter format here.

MS10-032 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)

  • Analysis
    This patch affects all supported versions of Windows. Publicly available proofs of concept exist for two of the CVEs. To exploit these vulnerabilities, attackers need to be able to log into a system, which can be achieved by exploiting other vulnerabilities, such as those patched in MS10-033, MS10-034 and/or MS10-035. Once the attacker has the same rights as a valid user, they can log into the target machine and exploit a vulnerability in how Windows displays TrueType fonts. This would elevate the attacker’s privileges to system level, giving them kernel access, which would allow the attacker to install malicious software and attack further computers within or outside of the network.
  • Recommendations
    Administrators should roll out this patch as soon as possible to vulnerable systems.

MS10-033 – Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)

  • Analysis
    All supported versions of Windows are affected by this vulnerability. Attackers will try to convince users to open malicious media files or links to malicious media files and/or streams. Upon viewing such malicious media, the vulnerability would be exploited and the attacker would be able to control the system with the same rights as the current user. If the current user has administrator rights, the attacker will most likely install backdoors and other malicious programs, which would be used to further compromise the internal and/or external network.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to all Windows systems. Until the patch is rolled out, administrators should use CACLS to restrict access to (effectively disabling) Quartz.dll, Asycfilt.dll, and Windows Media Encoder 9.
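
The CACLS workaround above, written out as an added example that is not part of the original post: it saves each file's current ACL to a text file for rollback and then denies Everyone access, editing the ACL in place. It assumes an elevated prompt, the System32 copies of the two DLLs (on x64 the 32-bit copies under SysWOW64 need the same treatment), and leaves the Windows Media Encoder 9 path as a placeholder because it depends on the install.

```powershell
# Added example, not from the original post: CACLS workaround for MS10-033.
# Assumptions: elevated PowerShell prompt; DLL paths under System32; the
# Windows Media Encoder 9 path is a PLACEHOLDER to be confirmed per system.

$targets = @(
    "$env:WINDIR\System32\quartz.dll",
    "$env:WINDIR\System32\asycfilt.dll"
    # "<path to Windows Media Encoder 9 binary>"   # PLACEHOLDER, not a real path
)
$backup = "$env:TEMP\ms10-033-acl-before.txt"

foreach ($file in $targets) {
    if (-not (Test-Path $file)) { Write-Warning "Not found, skipping: $file"; continue }

    # Record the ACL as it is today so the change can be reverted after patching.
    "== $file" | Out-File -Append -FilePath $backup
    cacls.exe $file | Out-File -Append -FilePath $backup

    # Deny Everyone all access (N), editing the existing ACL (/E) instead of replacing it.
    # 'echo y' answers cacls' "Are you sure" prompt so the loop runs unattended.
    echo y | cacls.exe $file /E /P everyone:N
    "Denied Everyone on $file (previous ACL saved to $backup)"
}

# Rollback after the patch is installed, one file at a time:
#   cacls.exe <file> /E /R everyone
```

On Windows Vista and later the System32 files are owned by TrustedInstaller, so `takeown.exe /f <file>` is needed before the ACL edit, and `icacls.exe` (which supports `/save` and `/restore`) is the supported replacement for cacls there. Expect the affected media playback to fail while the deny ACE is in place; that is the point of the workaround, and it should be reverted as soon as the patch is on.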

MS10-034 – Cumulative Security Update of ActiveX Kill Bits (980195)

  • Analysis
    Attackers will target client machines since ActiveX vulnerabilities require user interaction. Attackers will try to convince users to click a link to a malicious web page. When the page is viewed, the user’s system would execute malicious code, exploiting the vulnerability and giving the attacker the ability to control the system with the same rights as the current user. If the current user has Administrator privileges, the attacker would have gained complete control of the system. At this point, they could install malicious backdoor software, keyloggers, and other malware to be used in future attacks launched from the compromised machine.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems or, where applicable, manually set the kill bits for the affected controls in the Windows Registry.
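
Setting a kill bit by hand, as an added example that is not part of the original post: the kill bit is the 0x400 bit of the `Compatibility Flags` DWORD under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` (and under `Wow6432Node` for 32-bit IE on 64-bit Windows). The functions below set the bit without clobbering other flags and then verify it. The CLSID at the bottom is a placeholder; the real CLSIDs come from the MS10-034 bulletin, not from this example.

```powershell
# Added example, not from the original post: set and verify an ActiveX kill bit.
# Assumptions: elevated PowerShell prompt; the CLSID used below is a PLACEHOLDER.

$KillBitFlag = 0x400   # kill bit: IE refuses to instantiate the control

# On 64-bit Windows, 32-bit IE reads the Wow6432Node view, so both paths matter.
function Get-ActiveXCompatKeys {
    param([Parameter(Mandatory)][string]$Clsid)
    @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatKeys -Clsid $Clsid) {
        # Skip the Wow6432Node view on 32-bit Windows, where it does not exist.
        if (-not (Test-Path (Split-Path $key -Parent))) { continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $existing) { $existing = 0 }

        # OR the kill bit in so any other compatibility flags already set are preserved.
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -Value ($existing -bor $KillBitFlag) -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $checked = 0
    foreach ($key in Get-ActiveXCompatKeys -Clsid $Clsid) {
        if (-not (Test-Path $key)) { continue }
        $checked++
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or ($flags -band $KillBitFlag) -eq 0) { return $false }
    }
    # True only if at least one view exists and every existing view has the bit set.
    return ($checked -gt 0)
}

# PLACEHOLDER CLSID: substitute each CLSID listed in the bulletin.
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit -Clsid $clsid
"Kill bit set for ${clsid}: $(Test-ActiveXKillBit -Clsid $clsid)"
```

Run `Test-ActiveXKillBit` again after the cumulative update installs; the update sets the same bits, so a `True` before and after confirms the manual change and the patch agree.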

MS10-035 – Cumulative Security Update for Internet Explorer (982381)

  • Analysis
    Primary targets will be Windows client machines, while secondary targets will be Windows server machines. Attackers will try to convince users to visit a specially crafted web page, which would exploit one of the vulnerabilities in Internet Explorer. This would give the attacker the same rights as the current user. If the current user has administrator rights, the attacker would be able to install malicious software, such as keyloggers and/or backdoor Trojans. From this point, the attacker could use the compromised machine to attack more systems within or outside of the network.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems.

MS10-036 – Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)

  • Analysis
    Attackers will try to convince users to open a malicious Office file or a link to a malicious Office file on an attacker-controlled site. If the user opens this file, arbitrary code would be executed, giving the attacker the same privileges as the current user. If the user is an administrator, the attacker would likely install malicious software and use the compromised machine to launch more attacks across the internal and external network.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Note: there are documented issues regarding installation of this patch, available at http://support.microsoft.com/kb/983235.

MS10-037 – Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218)

  • Analysis
    This patch resolves a vulnerability in the way Windows processes OpenType fonts. In all supported versions of Windows, the driver responsible for processing OpenType fonts does not properly transfer data between user and kernel mode, which is the root of the vulnerability. Attackers would need to log into the system or use other vulnerabilities, such as those patched by MS10-033, MS10-034, and/or MS10-035, to gain the same access to a system as a currently logged-on user. From that point, the attacker would run a specially crafted program to exploit the OpenType vulnerability. Once exploited, the attacker would have system-level access, allowing them to use the compromised system as a hub from which to attack other systems on the network.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems.

MS10-038 – Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)

  • Analysis
    This patch addresses fourteen vulnerabilities within Microsoft Excel that could allow remote code execution in the context of the local user. Attackers will use spear-phishing emails or email attachments to trick users into opening malicious Excel documents. From there, attackers will compromise machines and install botnet Trojans or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.
  • Recommendations
    Administrators should roll out this patch as soon as possible to vulnerable systems.

MS10-039 – Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)

  • Analysis
    Attackers exploiting this vulnerability will attempt to trick SharePoint users into clicking a malicious link sent to the targeted user via email, instant messaging, or other social engineering methods. When the user clicks the link to the targeted SharePoint server, the vulnerability will be exploited, potentially allowing the attacker to gain privileges on the targeted SharePoint server at the same level as the targeted user. Alternatively, attackers could use this attack to trigger denial of service conditions against the SharePoint server via specially crafted HTTP requests.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Prior to deploying this patch, administrators can roll out IPS mechanisms or IP Address whitelists to prevent attackers from exploiting these vulnerabilities.

MS10-040 – Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)

  • Analysis
    IIS 6, 7, and 7.5 servers with Microsoft Extended Protection for Authentication (KB973917) installed and enabled are affected by a remote code execution vulnerability that could allow remote, anonymous attackers to trigger memory corruption in the context of the worker process identity. Attackers can carry out this attack over HTTP or HTTPS connections to the vulnerable IIS server without any user interaction on the server side.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems. In the meantime, enforcing a whitelist of trusted clients or disabling Microsoft Extended Protection for Authentication (KB973917) would mitigate this vulnerability; however, disabling Extended Protection exposes the server to potential man-in-the-middle attacks and should only be considered if patching the vulnerable server is not an immediate option.

MS10-041 – Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)

  • Analysis
    XMLDsig is vulnerable to a publicly known cryptographic weakness in the signing of XML control messages and in the handling of Hash-based Message Authentication Code (HMAC) truncation, the subject of XML Signature erratum E03. This could potentially allow attackers to hijack or subvert encryption between two XMLDsig endpoints in order to tamper with or intercept communication when XMLDsig is not being used in conjunction with other secure protocols.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems, particularly those running XMLDsig endpoints or handling signed XML content.
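
The HMAC truncation weakness in the analysis above, shown as an added example that is not part of the original post: a toy PowerShell model of XMLDsig's HMACOutputLength handling. The weak verifier honours whatever truncation length the signature metadata carries, so an 8-bit tag leaves only 256 possibilities and a tampered message is guaranteed to pass on one of them; the hardened verifier enforces the floor (no less than half the digest length and no less than 80 bits) that the fix requires. The key, messages and the 8-bit length are constructed values, and the script uses .NET's HMACSHA1 rather than any XML library.

```powershell
# Added example, not from the original post: toy model of HMACOutputLength
# verification. Key, messages and truncation lengths are constructed values.

function ConvertTo-Hex([byte[]]$Bytes) { -join ($Bytes | ForEach-Object { $_.ToString('x2') }) }

# HMAC-SHA1 over the message, truncated to the first OutputBits bits (whole bytes only here).
function Get-TruncatedHmac {
    param([byte[]]$Key, [string]$Message, [int]$OutputBits)
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 (,$Key)
    $full = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Message))
    $n = $OutputBits / 8
    return [byte[]]($full[0..($n - 1)])
}

# Weak verifier: trusts the signer-supplied OutputBits with no lower bound.
function Test-SignatureWeak {
    param([byte[]]$Key, [string]$Message, [byte[]]$Tag, [int]$OutputBits)
    $expected = Get-TruncatedHmac -Key $Key -Message $Message -OutputBits $OutputBits
    return ((ConvertTo-Hex $expected) -eq (ConvertTo-Hex $Tag))
}

# Hardened verifier: rejects truncation below half the digest size or below 80 bits,
# the floor from RFC 2104 that the XML Signature erratum adopts for HMACOutputLength.
function Test-SignatureHardened {
    param([byte[]]$Key, [string]$Message, [byte[]]$Tag, [int]$OutputBits)
    $digestBits = 160   # HMAC-SHA1
    $minBits = [math]::Max(80, $digestBits / 2)
    if ($OutputBits % 8 -ne 0 -or $OutputBits -lt $minBits -or $OutputBits -gt $digestBits) {
        throw "Rejected HMACOutputLength=$OutputBits (minimum $minBits bits, maximum $digestBits)"
    }
    return Test-SignatureWeak -Key $Key -Message $Message -Tag $Tag -OutputBits $OutputBits
}

# --- Demonstration on constructed data ---
$key = [byte[]](1..32)                     # constructed shared key
$legit = 'transfer=100'
$legitTag = Get-TruncatedHmac -Key $key -Message $legit -OutputBits 160
"Legitimate 160-bit tag accepted by weak verifier:     $(Test-SignatureWeak $key $legit $legitTag 160)"
"Legitimate 160-bit tag accepted by hardened verifier: $(Test-SignatureHardened $key $legit $legitTag 160)"

# A tampered message whose metadata asks for an 8-bit tag: with 256 possible tags,
# exactly one of them matches, so the weak verifier accepts the tampered message.
$forged = 'transfer=9999'
$hits = 0
foreach ($guess in 0..255) {
    if (Test-SignatureWeak $key $forged ([byte[]]@($guess)) 8) { $hits++ }
}
"Weak verifier accepted $hits of 256 possible 8-bit tags for the tampered message"

try {
    Test-SignatureHardened $key $forged ([byte[]]@(0)) 8 | Out-Null
} catch {
    "Hardened verifier: $($_.Exception.Message)"
}
```

The lesson for anyone reviewing a signature verifier: the truncation length must be a verifier-side policy, never a value read unchecked from the signed document, and the check has to run before the comparison, not after.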

eEye Digital Security will be holding a vulnerability expert forum (VEF) Wednesday June 9 at 11AM PDT. The vulnerability expert forum is a live webcast where the eEye research team will discuss these patches and additional security landscape topics. Be sure to sign up in advance.
