BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Microsoft Patch Tuesday – November 2010

Posted November 10, 2010    Chris Silva

Finally a reprieve from the barrage of Microsoft Patches. This month, Microsoft only released 3 security bulletins, patching a total of 11 vulnerabilities. Good news for IT server admins, as the patches only affected Microsoft Office and Microsoft Forefront Unified Access Gateway. This means that most of you won’t need to reboot your servers this week.

It should be noted that late last week Adobe released an out-of-band patch for Reader, Acrobat and AIR. This was for a zero-day vulnerability (CVE-2010-2884) that was initially patched in Flash on September 20th. Even with this patch, Adobe currently has several additional zero-day vulnerabilities within Reader and Shockwave. Check out our Zero-Day Tracker for more details.

Again, eEye Digital Security will be hosting the vulnerability expert forum (VEF) on Wednesday, November 10th at 11AM PST. The vulnerability expert forum is a live webcast where the eEye research team will discuss these patches and additional security landscape topics. Be sure to sign up in advance.  As there are only three Microsoft bulletins to cover, we should have a fair amount of time to review the security landscape and answer any questions that you might have.

Here are our recommendations for the three security updates. You can find our full write-up in newsletter format here. Retina Network Security Scanner customers can view the list of audits associated with these bulletins.

CRITICAL

MS10-087 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)

  • Analysis
    Several vulnerabilities exist in the way Microsoft Office handles Office files; the most severe of which could allow for Remote Code Execution. To successfully exploit these vulnerabilities, an attacker would need to convince a user to open a specially crafted Office file or Rich Text Format file, which would be hosted on the attacker-controlled site. Successful exploitation would permit the attacker to execute code within the user’s context. If a user had administrative privileges, the attacker could gain full control of the computer.
  • Recommendations
    Apply patch as soon as possible. Until patches can be applied, avoid opening Microsoft Office files from untrusted or unknown sources and set all emails to be displayed as plain text rather than rich text format. Additionally, administrators my set a Microsoft Office File Block Policy to block all files from Office 2003 and earlier from unknown and untrusted sources.

MS10-088 – Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)

  • Analysis
    There is a buffer overflow vulnerability and a heap corruption vulnerability in the way Microsoft PowerPoint handles PowerPoint files. An attacker would need to convince a user to open a specially crafted PowerPoint file in order to exploit this vulnerability, which could be hosted on an attacker-controlled site or sent via email or instant messenger. Once exploited, these vulnerabilities allow an attacker to execute code with the same privileges as the user. An attacker could gain full control of the computer if the user had administrative privileges.
  • Recommendations
    Apply patch as soon as possible. Until patches can be applied, restrict the access to the pp7x32.ddl file for any user running PowerPoint 2002. Additionally, administrators my set a Microsoft Office File Block Policy to block all files from Office 2003 and earlier from unknown or untrusted sources.

IMPORTANT

MS10-089 – Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)

  • Analysis
    There are 4 vulnerabilities within Microsoft Forefront Unified Access Gateway, the most severe of which is a spoofing vulnerability. This could be used by an attacker to convince a user that they are viewing a legitimate UAG page. The attacker could trick the user into providing credentials to the attacker, since the attacker’s page would look like the UAG page they were attempting to visit. That could be used by the attacker to gain unauthorized access to the UAG.
  • Recommendations
    Administrators are urged to patch this at their earliest convenience. There are no workarounds other than the patch provided by Microsoft.

Leave a Reply

Additional articles

Are Your Data Security Efforts Focused in the Right Area?

Posted January 28, 2015    Scott Lang

Vormetric Data Security recently released an insider threat report, with research conducted by HarrisPoll and analyzed by Ovum. Based on the survey responses, it is apparent that there is still a great deal of insecurity over data. However, the results also show that there may be misplaced investments to address those insecurities. I will explain…

Tags:
ghost

GHOST Vulnerability…Scary Indeed

Posted January 28, 2015    BeyondTrust Research Team

A vulnerability discovered by Qualys security researchers has surfaced within the GNU C Library that affects virtually all Linux operating systems. The vulnerability lies within the various gethostbyname*() functions and, as such, has been dubbed “GHOST.” GHOST is particularly nasty considering remote, arbitrary code execution can be achieved. In an effort to avoid taxing DNS lookups, glibc developers introduced…

Tags:
,
dave-shackleford-headshot

Your New Years Resolution: Controlling Privileged Users

Posted January 27, 2015    Dave Shackleford

Is 2015 the year you get a better handle on security? The news last year was grim – so much so, in fact, that many in the information security community despaired a bit. Really, the end-of-the-year infosec cocktail parties were a bit glum. OK, let’s be honest, infosec cocktail parties are usually not that wild…

Tags:
, , ,