Security in Context: The BeyondTrust Blog

Microsoft Patch Tuesday – June 2010

Posted June 8, 2010    Chris Silva

Before we get into today’s details, apologies for the lack of an advance notification post last Thursday – I was out of the office and good ghost writers are hard to find these days.

As for the security bulletins, Microsoft answered back with ten this month – gone is the hope of leaving at a reasonable time today. On top of that, it isn’t even dinner time and we are almost out of my current caffeinated beverage of choice, Heritage Dr. Pepper. It is going to be a long night for everyone.

Here are our recommendations for the ten security updates. You can find our full write-up in newsletter format here.

MS10-032 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)

  • Analysis
    This patch affects all supported versions of Windows. Publicly available proof-of-concept code exists for two of the CVEs. To exploit these vulnerabilities, attackers need to be able to log into a system, which they could achieve by exploiting other vulnerabilities, such as those patched in MS10-033, MS10-034 and/or MS10-035. Once the attacker has the same rights as a valid user, they can log into the target machine and exploit a vulnerability in how Windows displays TrueType fonts. This would elevate the attacker’s privileges to system level, giving them kernel access, which would allow them to install malicious software and attack further computers within or outside of the network.
  • Recommendations
    Administrators should roll out this patch as soon as possible to vulnerable systems.

MS10-033 – Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)

  • Analysis
    All supported versions of Windows are affected by this vulnerability. Attackers will try to convince users to open malicious media files or links to malicious media files and/or streams. Upon viewing this malicious media, the vulnerability would be exploited and the attacker would be able to control the system with the same rights as the current user. If the current user has administrator rights, the attacker will most likely install backdoors and other malicious programs, which would be used to further compromise the internal and/or external network.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to all Windows systems. Until the patch is rolled out, administrators should use CACLS to disable Quartz.dll, Asycfilt.dll, and Windows Media Encoder 9.
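The interim CACLS workaround above, as an added PowerShell example that is not part of the original post: it denies Everyone access to quartz.dll and asycfilt.dll (and their SysWOW64 copies where present), verifies the deny ACE is in place, and can reverse the change once the patch is deployed. It assumes an elevated prompt and the DLL paths under `$env:WINDIR`; the Windows Media Encoder 9 part of the workaround is not covered.

```powershell
# Added example (not from the BeyondTrust post): apply, verify and remove the
# MS10-033 interim workaround of denying Everyone access to the affected DLLs.
# Assumes an elevated prompt; paths below are assumed from the bulletin's workaround.
$Dlls = @("$env:WINDIR\System32\quartz.dll", "$env:WINDIR\System32\asycfilt.dll")
foreach ($wow in @("$env:WINDIR\SysWOW64\quartz.dll", "$env:WINDIR\SysWOW64\asycfilt.dll")) {
    if (Test-Path $wow) { $Dlls += $wow }   # 64-bit hosts carry a second copy
}

function Test-EveryoneDenied([string]$Path) {
    # $true when the file's ACL carries an explicit Deny ACE for Everyone.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and $ace.IdentityReference.Value -eq 'Everyone') {
            return $true
        }
    }
    return $false
}

function Set-Workaround([string]$Path) {
    # cacls /E edits the existing ACL in place; /P everyone:N sets Everyone to "no access".
    # Piping "y" answers cacls' "Are you sure" prompt so this runs unattended.
    'y' | cacls $Path /E /P everyone:N | Out-Null
}

function Remove-Workaround([string]$Path) {
    # /R everyone removes the entry added above; run this after the patch is installed.
    'y' | cacls $Path /E /R everyone | Out-Null
}

foreach ($dll in $Dlls) {
    if (-not (Test-Path $dll)) { "$dll : not present, skipping"; continue }
    if (Test-EveryoneDenied $dll) { "$dll : workaround already applied"; continue }
    Set-Workaround $dll
    "$dll : workaround applied -> verified=$(Test-EveryoneDenied $dll)"
}
```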

MS10-034 – Cumulative Security Update of ActiveX Kill Bits (980195)

  • Analysis
    Attackers will target client machines, since ActiveX vulnerabilities require user interaction. Attackers will try to convince users to click a link to a malicious web page. When the page is viewed, the vulnerability would be exploited and the user’s system would execute malicious code, giving the attacker the ability to control the system with the same rights as the current user. If the current user has Administrator privileges, the attacker would have gained complete control of the system. At this point, they could install malicious backdoor software, keyloggers, and other malware to be used in future attacks launched from the compromised machine.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems or manually install the KillBit IDs into Windows Registry where applicable.
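Setting the kill bits by hand, as an added PowerShell example that is not part of the original post: a kill bit is the 0x400 flag in the `Compatibility Flags` value under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` (and under `Wow6432Node` on 64-bit hosts). The CLSID in `$Clsids` is a placeholder; substitute the CLSIDs listed in the bulletin. Assumes an elevated prompt.

```powershell
# Added example (not from the BeyondTrust post): set and audit ActiveX kill bits.
# The CLSID below is a PLACEHOLDER; replace it with the CLSIDs from MS10-034.
$Clsids  = @('{00000000-0000-0000-0000-000000000000}')
$KillBit = 0x400   # Compatibility Flags bit that blocks the control in IE

function Get-KillBitPaths([string]$Clsid) {
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {   # 64-bit host: 32-bit IE reads the Wow6432Node view
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Test-KillBit([string]$Clsid) {
    # $true only when every applicable registry view has the 0x400 flag set.
    foreach ($p in Get-KillBitPaths $Clsid) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

function Set-KillBit([string]$Clsid) {
    foreach ($p in Get-KillBitPaths $Clsid) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$existing) -bor $KillBit   # OR in the bit so other flags are preserved
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
    }
}

foreach ($c in $Clsids) {
    if (Test-KillBit $c) { "$c : kill bit already set" }
    else { Set-KillBit $c; "$c : kill bit set -> verified=$(Test-KillBit $c)" }
}
```

Run `Test-KillBit` alone from a monitoring job to audit hosts where the patch has not yet been deployed.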

MS10-035 – Cumulative Security Update for Internet Explorer (982381)

  • Analysis
    Primary targets will be Windows client machines, while secondary targets will be Windows server machines. Attackers will try to convince users to visit a specially crafted web page, which would exploit one of the vulnerabilities in Internet Explorer. This would give the attacker the same rights as the current user. If the current user has administrator rights, the attacker would be able to install malicious software, such as keyloggers and/or backdoor Trojans. From this point, the attacker could use the compromised machine to attack more systems within or outside of the network.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems.

MS10-036 – Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)

  • Analysis
    Attackers will try to convince users to open a malicious Office file or a link to a malicious Office file on an attacker-controlled site. If the user opens this file, arbitrary code would be executed, giving the attacker the same privileges as the current user. If the user is an administrator, the attacker would likely install malicious software and use the compromised machine to launch more attacks through the internal and external network.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Note: there are documented issues regarding installation of this patch, available at http://support.microsoft.com/kb/983235.

MS10-037 – Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218)

  • Analysis
    This patch resolves a vulnerability in the way Windows processes OpenType fonts. The driver responsible for processing OpenType fonts, in all supported versions of Windows, does not properly transfer data between user and kernel mode, which causes the vulnerability. Attackers would need to log into the system or utilize other vulnerabilities, such as those patched by MS10-033, MS10-034, and/or MS10-035, to gain the same access to a system as a currently logged-on user. From that point, the attacker would run a special program to exploit the OpenType vulnerability. Once the vulnerability had been exploited, the attacker would have system-level access, allowing them to use the compromised system as a hub to launch more attacks against other systems on the network.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems.

MS10-038 – Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)

  • Analysis
    This patch addresses fourteen vulnerabilities within Microsoft Excel that could allow remote code execution in the context of the local user. Attackers will use spear-phishing email tactics or email attachments to trick users into downloading malicious Excel documents. From here, attackers will compromise machines and install botnet Trojans or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.
  • Recommendations
    Administrators should roll out this patch as soon as possible to vulnerable systems.

MS10-039 – Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)

  • Analysis
    Attackers exploiting this vulnerability will attempt to trick SharePoint users into clicking a malicious link sent to the targeted user via email, instant messaging, or other social engineering methods. When the user clicks the link to the targeted SharePoint server, the vulnerability will be exploited, potentially allowing the attacker to gain privileges on the targeted SharePoint server at the same level as the targeted user. Alternatively, attackers could also use this attack to trigger denial of service conditions against the SharePoint server via specially crafted HTTP requests.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Prior to deploying this patch, administrators can roll out IPS mechanisms or IP address whitelists to prevent attackers from exploiting these vulnerabilities.

MS10-040 – Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)

  • Analysis
    IIS 6, 7, and 7.5 servers with Microsoft Extended Protection for Authentication (KB973917) installed and enabled are vulnerable to a remote code execution vulnerability that could allow remote anonymous attackers to trigger memory corruption in the context of the Worker Process Identity thread. Attackers can exploit this over HTTP or HTTPS connections to the vulnerable IIS server without requiring any interaction on the server side.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems. In the meantime, enforcing a whitelist of trusted clients or disabling Microsoft Extended Protection for Authentication (KB973917) would mitigate this vulnerability; however, disabling Extended Protection exposes the vulnerable server to potential man-in-the-middle attacks and should only be considered if patching the vulnerable server is not an immediate option.

MS10-041 – Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)

  • Analysis
    XMLDsig is vulnerable to a publicly known cryptographic weakness in the signing of XML control messages and in its Hash-based Message Authentication Code (HMAC) truncation handling. This could potentially allow attackers to hijack or subvert encryption between two XMLDsig endpoints in order to tamper with or intercept communication when it is not being used in conjunction with other secure protocols.
  • Recommendations
    Administrators are urged to roll out this patch as soon as possible to vulnerable systems, particularly those running XMLDsig endpoints and signed XML content.

eEye Digital Security will be holding a vulnerability expert forum (VEF) Wednesday June 9 at 11AM PDT. The vulnerability expert forum is a live webcast where the eEye research team will discuss these patches and additional security landscape topics. Be sure to sign up in advance.
