Time for this month's summary of the latest Microsoft Security updates …
13 advisories, with 26 vulnerabilities covered. This is the busiest February update ever.
Here's the breakdown:
MS10-003: Rated Important. Potential Remote Code Execution in Office XP and Office 2004 for Mac, covering 1 vulnerability: CVE-2010-0243 (Buffer Overflow in MSO.DLL). This one replaces the MS09-062 GDI patch from last October. Important to note that user interaction is required for this one. Microsoft rates it as Exploit Index: 1; Deployment Priority: 2.
MS10-004: Rated Important. Potential Remote Code Execution in PowerPoint 2002, 2003, and Office 2004 for Mac, covering 6 vulnerabilities: CVE-2010-0029 (File Path Handling Buffer Overflow), CVE-2010-0030 (Heap Overflow), CVE-2010-0031 (Invalid Array Indexing), CVE-2010-0032 (Use After Free), CVE-2010-0033 (Viewer TextBytesAtom Record Stack Overflow), and CVE-2010-0034 (Viewer TextCharsAtom Record Stack Overflow). This one replaces MS09-017 from May of last year. Microsoft rates it as Exploit Index: 1; Deployment Priority: 2.
MS10-005: Rated Moderate. Potential Remote Code Execution in Microsoft Paint, covering 1 vulnerability: CVE-2010-0028 (JPEG image decoding). This is my favourite vulnerability this month ... jpg decoding in paint?? Awesome. Microsoft rates it as Exploit Index: 2; Deployment Priority 3. I love that this is not the lowest priority update this month ... 2 others have a lower Exploit Index.
MS10-006: Rated Critical. Potential Remote Code Execution in all supported Windows versions, covering 2 vulnerabilities: CVE-2010-0016 (SMB Client Pool Corruption), and CVE-2010-0017 (Client Race Condition). This one allows unauthenticated attacks, however a client must initiate an SMB request. Microsoft rates it as Exploit Index: 1; and is one of five with a Deployment Priority of 1.
MS10-007: Rated Critical. Potential Remote Code Execution in Windows Shell Handler, affecting Windows 2000, XP, and Server 2003, covering 1 vulnerability: CVE-2010-0027 (URL Validation). Microsoft rates it as Exploit Index: 1; Deployment Priority 1.
MS10-008: Rated Critical. Cumulative ActiveX Kill Bits Update, "covering" 1 vulnerability: CVE-2010-0252 (Data Analyzer ActiveX Control). This one replaces the ActiveX Cumulative update MS09-055 from November of last year. Microsoft rates it as Deployment Priority: 1; Exploit Index is not applicable because ... hey, it's a cumulative update for ActiveX Kill Bits.
MS10-009: Rated Critical. Potential Remote Code Execution in Windows TCP/IP, covering 4 vulnerabilities: CVE-2010-0239 (ICMPv6 Router Advertisement), CVE-2010-0240 (Header MDL Fragmentation), CVE-2010-0241 (ICMPv6 Route Information), and CVE-2010-0242 (TCP/IP Selective Acknowledgement). This one affects Vista and Server 2008. Microsoft rates it as Exploit Index: 2; Deployment Priority 2, stating that the Remote Code Execution is not likely to see PoC in the near term. We'll be watching this one to see if they are correct.
MS10-010: Rated Important. Potential Denial of Service in Hyper-V on Server 2008 and Server 2008 R2, covering 1 vulnerability: CVE-2010-0026 (Instruction Set Validation). As predicted, this one is pushed to the bottom of Microsoft's severity list with Exploit Index: 3; Deployment Priority: 3. We'll be watching to see if attackers start dropping Hyper-V from guests hosted on 2008 and/or 2008 R2 machines. If so, expect the Security versus Availability debate to rear its ugly head (again).
MS10-011: Rated Important. Potential Elevation of Privilege in Windows Client/Server Runtime Subsystem on Windows 2000, XP, and Server 2003, covering 1 vulnerability: CVE-2010-0023 (CSRSS Local Privilege Elevation). The root of the issue is that user processes are not properly terminated on logout. Microsoft rates it as Exploit Index: 1; Deployment Priority 2.
MS10-012: Rated Important. Potential Remote Code Execution in SMB Server affecting all supported versions of Windows, covering 4 vulnerabilities: CVE-2010-0020 (Pathname Overflow), CVE-2010-0021 (Memory Corruption), CVE-2010-0022 (Null Pointer), CVE-2010-0031 (NTLM Auth Lack of Entropy). This is this month's SMB Server side issue. Microsoft rates it as Exploit Index: 1; Deployment Priority 2.
MS10-013: Rated Critical. Potential Remote Code Execution in DirectShow, covering 1 vulnerability: CVE-2010-0250 (Heap Overflow). Everyone will be talking about this one because people love DirectShow exposures. Be careful when viewing videos via Bing, I suppose ... user interaction is required and you don't want to be that guy/girl. Affecting all versions of Windows, Microsoft rates it as Exploit Index: 1; Deployment Priority: 1.
MS10-014: Rated Important. Potential Denial of Service in Kerberos affecting Windows 2000 Server, Server 2003, and Server 2008, covering 1 vulnerability: CVE-2010-0035 (Null Pointer Dereference). This one actually looks quite interesting, with clients on remote, non-Windows realms in a mixed-mode implementation able to cause Domain Controllers to stop responding. As with almost every DoS Microsoft has ever patched, this one is at the bottom of the severity list with the Hyper-V issue. Microsoft rates it as Exploit Index 3; Deployment Priority: 3.
MS10-015: Rated Important. Potential Elevation of Privilege in Windows Kernel affecting every supported Windows version except Windows 7 and Server 2008 R2, covering 2 vulnerabilities: CVE-2010-0232 (Exception Handler), and CVE-2010-0233 (Double Free). This is the good old 16 bit support issue that's apparently been shipping for about 17 years; discovered by Tavis Ormandy from Google. Disabling NTVDM will work around the Exception Handler issue; no workaround for the Double Free issue. Microsoft rates it as Exploit Index 1 (because it's already public); Deployment Priority: 1 (because it's already public). This is the only one this month that has public exploit code cited by Microsoft in their summary.
With most enterprises coming out of their year end production change freeze, Microsoft is putting out a mountain of updates this month. Similar to last October's monster update, this is going to be a busy one for everyone with every version of Windows affected. 32 bit Server platforms and Older workstation versions are hit hardest, with Windows 2000, XP, Server 2003, and Server 2008 R1 seeing 9, 8, 9, and 8 updates respectively (5, 5, 4, and 3 critical). Having said that, there is no Windows version with less than 5 updates this month.
Fortunately, the list of affected products is much smaller than October's update so it should be easier to test and roll out patches for these 26 vulnerabilities. In many cases, there are still unpatched vulnerabilities from October in larger enterprises. As the risk of vulnerabilities consistently rises over time, it is important to get this month's updates distributed so companies can continue to test lingering issues from last year and prepare for the IE and SMB issues that were not addressed by Microsoft this month.
NeXpose Community Edition, the free version of NeXpose, will have coverage within 24 hours of the release. NeXpose Community Edition will allow you to detect this vulnerability and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) with publicly available exploits on up to 32 hosts in your environment. For small environments with 32 nodes or less, you can use NeXpose to provide free detection within 24 hours of Microsoft's update release.
For larger environments, even if NeXpose is not your current Enterprise Vulnerability Management solution, we invite you to download Community Edition and run it alongside your tool on Wednesday to audit the effectiveness of your solution on up to 32 hosts.
NeXpose Community Edition is available for immediate download at no cost here: http://www.rapid7.com/nexposecommunitydownload.jsp
We also invite you to visit the Community Portal at http://community.rapid7.com to share information with other Security Professionals about the Microsoft release.
As always, Happy patching!!