• August 11th, 2010

August Patch Tuesday Roundup

Microsoft’s release this month, which consists of 14 bulletins addressing 34 vulnerabilities, is the largest since October 2009. With that much work ahead, it helps to prioritize.

Josh Abraham, Rapid7 Security Researcher, recommends that you pay particular attention to MS10-054. This vulnerability in the SMB protocol “is potentially the most dangerous vulnerability as it allows unauthenticated attackers to execute arbitrary code on remote machines.” Abraham notes further that, “if MS10-054 is weaponized, it would primarily be useful against XP SP3, since the other versions of Windows were not rated as critical for this bulletin. This means that an attacker would be able to exploit workstations on an internal network in the most common situation.”

Here is the breakdown of the bulletins that have a high potential for exploits:

046 – Critical – Exploit in the wild: Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)

047 – Important: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)

048 – Important: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)

050 – Important: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)

052 – Critical: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)

053 – Critical: Cumulative Security Update for Internet Explorer (2183461)

055 – Critical: Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)

056 – Critical: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)

057 – Important: Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)

058 – Important: Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)

059 – Important: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)

060 – Critical: Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
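The post says prioritization is the hard part of a month like this. The script below is an added example (not Rapid7's or Microsoft's code) that turns a bulletin list in the form used above, a "046 – Critical – Exploit in the wild" header followed by the bulletin title and KB number, into a remediation order. It scores severity, the impact class named in the title, and whether an exploit is already public. The weights, the "MS10" prefix applied to the three-digit numbers, and the middle weight given to a cumulative IE update whose title names no impact are this example's own assumptions, not a Microsoft or Rapid7 scoring scheme.

```python
"""Rank Patch Tuesday bulletins into a remediation order.

Added example, not Rapid7's or Microsoft's code. Weights and the bulletin
prefix are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Constructed input: a subset of the August 2010 entries as listed in the post.
AUGUST_2010 = """
046 – Critical – Exploit in the wild
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
047 – Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)
048 – Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
050 – Important
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)
052 – Critical
Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
053 – Critical
Cumulative Security Update for Internet Explorer (2183461)
056 – Critical
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
058 – Important
Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
060 – Critical
Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
"""

# Header line: three-digit bulletin suffix, severity, optional note (en dash or hyphen).
HEADER = re.compile(
    r"^(?P<num>\d{3})\s*[–-]\s*(?P<rating>Critical|Important|Moderate|Low)"
    r"(?:\s*[–-]\s*(?P<note>.+))?$"
)
# Title line: bulletin title followed by the KB article number in parentheses.
TITLE = re.compile(r"^(?P<title>.+?)\s*\((?P<kb>\d+)\)$")

RATING_WEIGHT = {"Critical": 40, "Important": 25, "Moderate": 10, "Low": 0}
IMPACT_WEIGHT = {
    "Remote Code Execution": 30,
    "Elevation of Privilege": 15,
    "Unspecified": 20,  # assumption: titles naming no impact (IE cumulative updates)
}
EXPLOIT_IN_WILD_BONUS = 30  # assumption: a public exploit outranks severity alone


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    rating: str
    title: str
    kb: str
    impact: str
    exploit_in_wild: bool

    @property
    def score(self) -> int:
        bonus = EXPLOIT_IN_WILD_BONUS if self.exploit_in_wild else 0
        return RATING_WEIGHT[self.rating] + IMPACT_WEIGHT[self.impact] + bonus


def impact_of(title: str) -> str:
    """Derive the impact class from the standard 'Could Allow ...' title wording."""
    for impact in IMPACT_WEIGHT:
        if impact in title:
            return impact
    return "Unspecified"


def parse_bulletins(text: str, prefix: str = "MS10") -> list[Bulletin]:
    """Parse header/title line pairs; `prefix` is the assumed bulletin year prefix."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("expected header/title line pairs")
    bulletins = []
    for header, title_line in zip(lines[0::2], lines[1::2]):
        h, t = HEADER.match(header), TITLE.match(title_line)
        if not (h and t):
            raise ValueError(f"unparseable entry: {header!r} / {title_line!r}")
        note = (h.group("note") or "").lower()
        bulletins.append(Bulletin(
            bulletin_id=f"{prefix}-{h.group('num')}",
            rating=h.group("rating"),
            title=t.group("title"),
            kb=t.group("kb"),
            impact=impact_of(t.group("title")),
            exploit_in_wild="in the wild" in note,
        ))
    return bulletins


def rank(text: str, prefix: str = "MS10") -> list[Bulletin]:
    """Highest score first; ties broken by bulletin number so the order is stable."""
    return sorted(parse_bulletins(text, prefix), key=lambda b: (-b.score, b.bulletin_id))
```

Run `rank(AUGUST_2010)` and the Windows Shell bulletin with the in-the-wild exploit lands on top, the Critical remote code execution bulletins follow, and the Important elevation-of-privilege kernel and TCP/IP bulletins come last; swap in your own weights if, like Abraham, you want SMB or media bugs moved up.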

NeXpose Community Edition, the free version of NeXpose, has coverage within 24 hours of the release. NeXpose Community Edition will enable you to detect these and every other Microsoft vulnerability and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) with publicly available exploits on up to 32 hosts in your environment. For small environments with 32 nodes or fewer, you can use NeXpose to provide free detection within 24 hours of Microsoft’s update release.

For larger environments, we invite you to download NeXpose Enterprise. Get it here.


  • July 19th, 2010

July Patch Tuesday Roundup

The highlight of Microsoft’s security bulletins is the fix for Microsoft’s online help vulnerability (MS10-042), identified by Google security researcher Tavis Ormandy, which could allow an attacker to take control of a computer by luring its user to a malicious Web site.

As Microsoft’s July security bulletins also address vulnerabilities in Windows XP, Josh Abraham, Rapid7 Security Researcher, recommends that “customers should keep in mind that Windows XP SP2 is now end-of-life. Therefore, organizations should be verifying (if they have not done so already) that all of their systems have already been migrated to SP3. One area to double check is third-party vendor devices which may need to be replaced and/or upgraded by the vendor.”

Here’s a quick take on Microsoft’s four security bulletins addressing five vulnerabilities in Office and Windows:

MS10-042  (1 vulnerability)
Help Center URL Validation Vulnerability
Rated: Critical
CVE-2010-1885
Exploit already in the wild. (Note: There is a Metasploit module for this vulnerability.)

This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.

MS10-044  (2 vulnerabilities)
Rated: Critical

This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file or views a Web page that instantiates Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Access ActiveX control vulnerability
CVE-2010-0814
Exploitability Index: 1 (exploit code likely)

A remote code execution vulnerability exists in Access ActiveX controls due to the way that multiple ActiveX controls are loaded by Internet Explorer. An attacker who successfully exploits this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

ACCWIZ.dll Uninitialized Variable vulnerability
CVE-2010-1881
Exploitability Index: 1 (exploit code likely)

A remote code execution vulnerability exists in the way that the FieldList ActiveX control is instantiated by Microsoft Office and Internet Explorer. An attacker who successfully exploits this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS10-043 (1 vulnerability)
Rated: Critical
Canonical Display Driver Integer Overflow
CVE-2009-3678
Exploitability Index: 2 (inconsistent exploit code likely)

This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.

MS10-045 (1 vulnerability)
Rated: Important
Microsoft Outlook SMB Attachment Vulnerability
CVE-2010-0266
Exploitability Index: 1 (exploit code likely)

This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


As summer comes upon us in the Northern hemisphere, June is again one of the heavier months for Microsoft. For 2009, it was 10 Advisories, covering 31 Vulnerabilities. For June 2010, Microsoft has announced 10 Advisories, with 34 Vulnerabilities covered.

For Windows, 2 Critical and 4 Important are listed. For Office, 2 rated as Important. Another Important Advisory affects both Windows and Office. And the last Advisory is Critical and affects Internet Explorer.

6 Advisories may lead to Remote Code Execution, 3 may lead to Privilege Escalation and one may lead to Tampering. 2 require a restart and the other 8 may require a restart.

Josh Abraham, one of our Security Researchers here at Rapid7, commented: “There was a huge amount of vulnerabilities listed for Office today! One of the bulletins had 16 vulnerabilities. It is important to keep in mind the perspective of the attacker when prioritizing the remediation efforts. The exploitability of the vulnerabilities is very high so customers should watch out for exploits in the near future.”

“Another month with KillBits and Media vulnerabilities! Both of these should be at the top of the list for remediation. The interesting thing about the KillBits issue is that it was not included in the exploitability rankings, but it affects IE8 developer tools, Microsoft Data Analyzer and a few third parties.”

Josh also slipped MS10-035 a bit farther down his patch list. “I think people should be patching the media decompression vulnerability first,” he said, referring to MS10-033. “I’d put the IE update directly following that.”

MS10-033 contains fixes for two vulnerabilities, both critical, that affect every supported operating system in Microsoft’s portfolio, including the newest, Windows 7. Microsoft said that DirectX, the Windows media runtime, the encoder and a COM component all contain bugs. “This is more of the usual,” said Abraham, talking about MS10-033, “where attackers can leverage client software using drive-by downloads.”

Here’s a breakdown:

MS10-033: Rated Critical. Potential Remote Code Execution in Windows covering 2 vulnerabilities – CVE-2010-1879 (Media Decompression Vulnerability) and CVE-2010-1880 (MJPEG Media Decompression Vulnerability).

MS10-034: Rated Critical. Potential Remote Code Execution in Windows (ActiveX Kill Bits vulnerability).

MS10-035: Rated Critical. Potential Remote Code Execution in Windows and IE covering 4 vulnerabilities – CVE-2010-1259 (Uninitialized Memory Corruption Vulnerability), CVE-2010-1262 (Memory Corruption Vulnerability), CVE-2010-0255 (Cross-Domain Information Disclosure Vulnerability) and CVE-2010-1257 (toStaticHTML Information Disclosure Vulnerability).

MS10-032: Rated Important. Potential Elevation of Privilege in Windows covering 3 vulnerabilities – CVE-2010-0485 (Win32k Window Creation Vulnerability), CVE-2010-0484 (Win32k Improper Data Validation Vulnerability) and CVE-2010-1255 (Win32k TrueType Font Parsing Vulnerability).

MS10-036: Rated Important. Potential Remote Code Execution in Office covering 1 vulnerability – CVE-2010-1263 (COM Validation Vulnerability).

MS10-037: Rated Important. Potential Elevation of Privilege in Windows covering 1 vulnerability – CVE-2010-0819 (OpenType CFF Font Driver Memory Corruption Vulnerability).

MS10-038: Rated Important. Potential Remote Code Execution in Office covering 14 vulnerabilities – CVE-2010-0822 (Excel Object Stack Overflow Vulnerability), CVE-2010-0824 (Excel Record Memory Corruption Vulnerability), CVE-2010-1245 (Excel Record Memory Corruption Vulnerability), CVE-2010-1246 (Excel RTD Memory Corruption Vulnerability), CVE-2010-1247 (Excel Memory Corruption Vulnerability), CVE-2010-1248 (Excel HFPicture Memory Corruption Vulnerability), CVE-2010-1249 (Excel Memory Corruption Vulnerability), CVE-2010-1250 (Excel EDG Memory Corruption Vulnerability), CVE-2010-1253 (Excel ADO Object Vulnerability), CVE-2010-1254 (Mac Office Open XML Permissions Vulnerability), CVE-2010-0821 (Excel Record Parsing Memory Corruption Vulnerability), CVE-2010-0823 (Excel Memory Corruption Vulnerability), CVE-2010-1251 (Excel Record Stack Corruption Vulnerability) and CVE-2010-1252 (Excel String Variable Vulnerability).

MS10-039: Rated Important. Potential Elevation of Privilege in Office and Server Software covering 3 vulnerabilities – CVE-2010-0817 (Help.aspx XSS Vulnerability), CVE-2010-1257 (toStaticHTML Information Disclosure Vulnerability) and CVE-2010-1264 (SharePoint Help Page Denial of Service Vulnerability).

MS10-040: Rated Important. Potential Remote Code Execution in Windows covering 1 vulnerability – CVE-2010-1256 (IIS Authentication Memory Corruption Vulnerability).

MS10-041: Rated Important. Potential for Tampering in Windows and .NET Framework covering 1 vulnerability – CVE-2010-0217 (XML Signature HMAC Truncation Authentication Bypass Vulnerability).
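MS10-041 is the one non-memory-corruption entry in this list, and the class of bug it names is worth seeing in code. The example below is added here and is not Microsoft's code nor the patched .NET implementation: it shows an HMAC signature verifier that honours a truncated output length carried inside the signed document next to one that enforces a floor before comparing anything. With a verifier of the first kind, a document that declares a zero-bit output length passes with any tag at all, which is what "HMAC truncation authentication bypass" refers to. The floor used (at least 80 bits and at least half the digest length) follows the minimum the W3C XML Signature 1.1 specification later required; the function names, the demo key and the sample message are constructed for this example.

```python
"""Enforce a floor on truncated HMAC lengths in a signature verifier.

Added example illustrating the flaw class named in MS10-041; not Microsoft's
code. Key, message and function names are this example's own constructions.
"""
import hashlib
import hmac

DIGEST_BITS = 160  # HMAC-SHA1, the HMAC algorithm most XML-DSig deployments used


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha1).digest()


def truncate_bits(mac: bytes, bits: int) -> bytes:
    """Keep the leading `bits` bits of `mac`, zeroing unused low bits of the last byte."""
    nbytes = (bits + 7) // 8
    out = bytearray(mac[:nbytes])
    if bits % 8 and out:
        out[-1] &= (0xFF << (8 - bits % 8)) & 0xFF
    return bytes(out)


def verify_honouring_length(key: bytes, message: bytes, tag: bytes, claimed_bits: int) -> bool:
    """Weak verifier: compares only as many bits as the document itself claims.

    With claimed_bits == 0 both sides truncate to b"" and the comparison is
    vacuously true, so any tag verifies; a few bits make forgery a cheap guess.
    """
    expected = truncate_bits(hmac_sha1(key, message), claimed_bits)
    return hmac.compare_digest(expected, truncate_bits(tag, claimed_bits))


def minimum_hmac_bits(digest_bits: int = DIGEST_BITS) -> int:
    """Floor from the XML Signature 1.1 rule: at least 80 bits and at least half the digest."""
    return max(80, digest_bits // 2)


def verify_with_floor(key: bytes, message: bytes, tag: bytes, claimed_bits: int,
                      digest_bits: int = DIGEST_BITS) -> bool:
    """Hardened verifier: reject out-of-range lengths before comparing anything.

    Rejecting (rather than clamping to the floor) keeps a malformed length from
    silently verifying under a different policy than the signer intended.
    """
    if not minimum_hmac_bits(digest_bits) <= claimed_bits <= digest_bits:
        return False
    return verify_honouring_length(key, message, tag, claimed_bits)
```

The length check is the whole fix: once the verifier refuses to compare fewer than 80 bits, a document cannot shrink the work needed to forge its own signature, and legitimate 80- or 160-bit truncations still verify.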

If you have automatic updates turned on then you will get these updates on Tuesday when they are released.  Otherwise make sure you run Windows Update to get them sometime Tuesday afternoon.

As always, Happy Patching!


  • May 14th, 2010

May Patch Tuesday Roundup

Time for the May 2010 summary of the upcoming Microsoft Security Updates.

2 Advisories, with 2 Vulnerabilities covered. Both are rated as Critical.

The first covers Outlook Express, Microsoft Mail, and Microsoft Live Mail on all Windows operating systems (except Server Core and Server Core for Windows Server 2008 R2); the second covers Microsoft Visual Basic for Applications.

Both Vulnerabilities allow for Remote Code Execution.

Here’s a breakdown:

MS10-030 – Mail Server Integer Overflow Vulnerability: The Outlook Express, Microsoft Mail, and Microsoft Live Mail vulnerability is ranked Critical for all Windows operating systems except Windows 7 and Windows Server 2008 R2, where it is ranked Important. This covers CVE-2010-0816. While rated Critical, many customers may not be affected by this vulnerability. There are currently two attack vectors/scenarios: the first and most likely involves a man-in-the-middle (MITM) attack; the second, less likely, vector involves a malicious mail server.

MS10-030 has a Microsoft Exploitability Index Assessment of 2 (Inconsistent exploit code likely).

MS10-031 – VBE6 Single-Byte Stack Overflow: The MS Visual Basic for Applications vulnerability is ranked Critical for Microsoft Office and Visual Basic for Applications. This covers CVE-2010-0815. There are several ways this vulnerability could be remotely exploited; however, they require specific properties of the program to be true. Microsoft has determined that while such properties may be possible, they are unlikely to be found in practice. Microsoft has further determined in their analysis that “consistent exploit code resulting in arbitrary code execution is not likely to be released within the next 30 days.”

MS10-031 has a Microsoft Exploitability Index Assessment of 2 (Inconsistent exploit code likely).

Interesting to note, however, is the missing patch for a serious cross-site scripting flaw in SharePoint that could allow privilege escalation. See Microsoft Security Advisory (983438).

