Next on our list is MS10-045 because it undermines the security model of attachments in Microsoft Outlook. Microsoft classified the vulnerability only as "important", but it allows an attacker to camouflage malicious files as a safe file type. An example would be to pass off an executable as a simple text file. All versions of Outlook are affected, excluding the newest Outlook 2010. The second Microsoft Office update, MS10-044, addresses a vulnerability in a Microsoft Access ActiveX component; it is ranked critical and should be treated as a priority as well.
Last on our list is MS10-043, a vulnerability in the CDD display driver for Windows 7 and Windows 2008 R2. It is ranked critical, but there are a number of mitigating factors: it is only applicable to 64-bit versions and requires a fairly high display resolution. The priority of the update depends on your environment.
The two remaining bulletins, one ranked critical and one important, are for Microsoft Office, and all versions but the new Office 2010 are affected, including Office XP, Office 2003 and Office 2007.
July also marks the end of support for two important Microsoft Operating Systems, Windows XP SP2 and Windows 2000. Windows XP SP2 users are advised to upgrade to SP3, which will be supported throughout 2014. Windows 2000 users need to upgrade to a different version of the operating system altogether, as the entire Windows 2000 line is discontinued.
References:
- The "Launch" vulnerability still seems to be attackable according to some recent blogposts by security researchers.
- Didier Stevens publishes a work-around for the new attack in this blog post
Yesterday Adobe released its quarterly security update for Adobe Reader and Adobe Acrobat. Adobe moved the release up by 2 weeks, because some of the vulnerabilities addressed are currently being exploited in the wild. The release fixes the zero-day vulnerability in the embedded Flash player that Adobe ships within the Reader product and addresses 15 other vulnerabilities.
The new Adobe Reader also improves the treatment for the high profile "Launch" vulnerability and introduces changes and default settings that neuter that attack.
All Adobe users should update immediately because exploits for the vulnerability have been reported by many industry sources.
References:
- Adobe PSIRT blog entry
- Didier Stevens blog with screen shots of the launch vulnerability
- Microsoft warns of limited, targeted exploits in the wild.
- Windows 2003 Server not affected
- Secunia dissects the Hotfix (not the workaround)
Earlier today Tavis Ormandy released an advisory disclosing a new vulnerability in Windows XP and Windows 2003.
The vulnerability is in the Windows Help and Support Center component and is accessed through the protocol handler "hcp://".
It can be triggered through all major browsers, but as Tavis points out it is easier to exploit under IE7. Tavis provides sample exploit code for both IE8 and IE7 in the advisory.
As a work-around for the vulnerability, it is possible to de-register the HCP protocol on the target machine:
- From the Start Menu, select Run
- Type regedit then click OK (The registry editor program launches)
- Expand HKEY_CLASSES_ROOT and highlight the HCP key
- Right mouse click on the HCP key, and select Delete
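The same work-around in scripted form, as an added example that is not part of the original post: it exports the HCP key to a backup file before deleting it, so the handler can be restored once a patch is installed. The backup path and the function names are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: scripted form of the regedit steps above, with a backup first.
# $BackupFile is an assumed location; pass -BackupFile to change it.
param(
    [string]$BackupFile = "$env:SystemDrive\hcp_handler_backup.reg"
)

$KeyPath   = 'Registry::HKEY_CLASSES_ROOT\HCP'   # provider path (no HKCR: drive by default)
$RegExeKey = 'HKCR\HCP'                          # the same key in reg.exe notation

function Test-HcpHandler {
    # True while the hcp:// protocol handler is still registered.
    return (Test-Path -LiteralPath $KeyPath)
}

function Disable-HcpHandler {
    if (-not (Test-HcpHandler)) {
        Write-Output 'HCP handler is not registered; nothing to do.'
        return
    }

    # Never overwrite an earlier backup: it may be the only copy of the original key.
    if (Test-Path -LiteralPath $BackupFile) {
        throw "Backup file $BackupFile already exists; move it or pass another -BackupFile."
    }

    # Export the key so it can be restored later with: reg import <file>
    & reg.exe export $RegExeKey $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
        throw 'Backup failed; HCP key left untouched.'
    }

    # Equivalent of "right-click the HCP key, select Delete" in regedit.
    Remove-Item -LiteralPath $KeyPath -Recurse -Force

    if (Test-HcpHandler) {
        throw 'HCP key is still present after deletion.'
    }
    Write-Output "HCP handler removed. Restore with: reg import `"$BackupFile`""
}

Disable-HcpHandler
```

With the key removed, hcp:// links no longer open Help and Support Center, so help links that rely on the handler stop working until the backup is imported again.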
Tavis' decision to use full disclosure for this vulnerability will certainly revive the discussions around full vs. responsible disclosure. Tavis provides some comments regarding that discussion and includes references to articles by Bruce Schneier exploring the matter.
We are working on testing the exploit and will update this post when new developments occur.
Updates:
If you run Internet Explorer plus another browser (Chrome, Firefox, Safari, Opera or a combination) you have to install updates for both IE and the others. Here are the direct download links:
The most critical bulletins this month are MS10-035 for Internet Explorer, MS10-033 for DirectShow, and MS10-038 for Excel in Microsoft Office. All versions of IE, including IE8, are affected by MS10-035. There are 6 vulnerabilities in the update, 2 of them critical, and it has an overall exploitability index of 1, indicating that an exploit is expected within 30 days. MS10-033 is a vulnerability in the MJPEG codec and affects a large number of Microsoft products, but its main attack vector is going to be through media files delivered through the Internet to Windows Media Player or IE. Excel has 14 vulnerabilities covered by MS10-038, with 11 in Office XP and only 3 in more recent versions (2003, 2007). These vulnerabilities can be used to trigger code execution when a malicious file is opened by the user. The new Office 2010, which is scheduled to be released later this month, is not affected by any of the vulnerabilities.
MS10-032 addresses a local escalation of privilege vulnerability. While it is not remotely exploitable through any Microsoft product, 3rd party applications could expose it and provide a remote attack possibility.
MS10-040 is a remotely exploitable vulnerability in all versions of IIS, but it is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. It further requires an account on the system, reducing the number of vulnerable hosts to a small subset.
In related news, Adobe, which published an advisory for a critical 0-day vulnerability in Flash and Reader on Friday, announced that they will provide patches on June 10th and June 29th, respectively, 2 dates that IT administrators should track closely as exploits for the vulnerability are widely available.
The vulnerability also affects Adobe Reader V9, which comes with an integrated Flash player that is used to play Flash content embedded in PDF documents. Adobe Reader V8 is not affected.
Attack vectors are malicious websites and infected PDF documents that can be received through e-mail or web download.
Although Adobe does not have a patch at the moment, users can evaluate Adobe's posted instructions for workarounds in the advisory itself.
The June release is a large update and will keep system administrators busy, even if they have migrated to Windows 7 already (the end of life date for Windows XP SP2 is coming closer and Windows 7 is certainly one of the options to migrate to...)
Microsoft will also address 2 currently open vulnerabilities: one in SharePoint (detailed in advisory KB983438) and an information leakage in Internet Explorer, explained in advisory KB980088.
Some of the patches, including one of the critical ones, require a machine reboot after installation.
