Recently in Patch Tuesday Category
A busy week - in addition to Microsoft August's Patch Tuesday which delivers a record setting 15 bulletins covering 35 vulnerabilities, Adobe has just released a Flash update and will be releasing a patch for a Adobe Reader 0-day vulnerability published a few weeks ago at Black Hat security conference.To help with this challenging patch workload, we have ranked the Microsoft bulletins into three distinct groups of updates, which can be addressed on different schedules.
IT admins should first tackle the updates that represent the biggest attack potential: end-users and internet browsing are at the subject of six bulletins, all of them of critical severity and four of them with an exploitability rating of "1", indicating that working exploits are expected within 30 days. MS10-053 has six direct fixes for Internet Explorer, while the ZDI submitted MS10-055 and MS10-052 address issues in media-plugins: MS10-055 for the Cinepak codec and MS10-052 for the MP3 file format. MS10-060 patches a critical .NET framework issue that can be exploited through web browsing/Silverlight and MS10-051 addresses a vulnerability in the Internet Explorer MSXML ActiveX component. MS10-049 deals with a client side vulnerability of the HTTPS protocol that can be triggered by a malicious HTTPS site. This and the previous MSXML ActiveX component are the bulletins in the group that are rated "2" on the exploitability scale (= harder to exploit). All of these updates should be applied as soon as possible.
A second group of updates has its focus on file format vulnerabilities. The most critical is MS10-056, a vulnerability in the RTF format in Microsoft Word 2007 and older. An attacker can craft a malicious file that triggers a remote code execution when opened by Word on the target computer. Users of Outlook 2007 installations need to pay special attention, since the preview pane in Outlook is configured by default to use Word to render the RTF format. This makes Outlook 2007 susceptible to an attack that does not even require the opening of the e-mail. Apply this update as quickly as possible. MS10-057 and MS10-050 provide fixes for Excel 2003 and earlier and Windows Movie Maker (a default component in Windows XP) file format vulnerabilities. Both have an exploitability rating of "1" and should be addressed as soon as possible.
MS10-058 deals with an interesting vulnerability. It is a located in the new TCP/IP stack for IPv6 under Vista, Windows 7 and 2008R2. While we believe that currently very few publicly facing network infrastructures have IPv6 enabled, this bulletin is important for them, because it is remotely attackable and few mitigations exist. It is a reminder that new OS components and applications are apt to introduce new attack vectors into networks. MS10-054 is a vulnerability in the SMB protocol; it requires read access to a share as well as attacker-controlled data on the target machine. The exploit here will most likely manifest itself as a local escalation of privilege attack.
The remainder of the August updates all address local flaws of the Windows Operating system family and are rated important as the attacker needs to be present on the target system to make use of them. MS10-047 is a Windows Kernel flaw, MS10-048 a flaw in the win32k.sys driver and MS10-059 fixes a problem in the tracing component of Windows.
Last week Microsoft released a bulletin for the 0-day flaw using the LNK filetype. If you have not done so yet, apply MS10-046 together with the first group of patches as desktop systems are at the highest risk of attack using the LNK vulnerability.
References:
IT admins should first tackle the updates that represent the biggest attack potential: end-users and internet browsing are at the subject of six bulletins, all of them of critical severity and four of them with an exploitability rating of "1", indicating that working exploits are expected within 30 days. MS10-053 has six direct fixes for Internet Explorer, while the ZDI submitted MS10-055 and MS10-052 address issues in media-plugins: MS10-055 for the Cinepak codec and MS10-052 for the MP3 file format. MS10-060 patches a critical .NET framework issue that can be exploited through web browsing/Silverlight and MS10-051 addresses a vulnerability in the Internet Explorer MSXML ActiveX component. MS10-049 deals with a client side vulnerability of the HTTPS protocol that can be triggered by a malicious HTTPS site. This and the previous MSXML ActiveX component are the bulletins in the group that are rated "2" on the exploitability scale (= harder to exploit). All of these updates should be applied as soon as possible.
A second group of updates has its focus on file format vulnerabilities. The most critical is MS10-056, a vulnerability in the RTF format in Microsoft Word 2007 and older. An attacker can craft a malicious file that triggers a remote code execution when opened by Word on the target computer. Users of Outlook 2007 installations need to pay special attention, since the preview pane in Outlook is configured by default to use Word to render the RTF format. This makes Outlook 2007 susceptible to an attack that does not even require the opening of the e-mail. Apply this update as quickly as possible. MS10-057 and MS10-050 provide fixes for Excel 2003 and earlier and Windows Movie Maker (a default component in Windows XP) file format vulnerabilities. Both have an exploitability rating of "1" and should be addressed as soon as possible.
MS10-058 deals with an interesting vulnerability. It is a located in the new TCP/IP stack for IPv6 under Vista, Windows 7 and 2008R2. While we believe that currently very few publicly facing network infrastructures have IPv6 enabled, this bulletin is important for them, because it is remotely attackable and few mitigations exist. It is a reminder that new OS components and applications are apt to introduce new attack vectors into networks. MS10-054 is a vulnerability in the SMB protocol; it requires read access to a share as well as attacker-controlled data on the target machine. The exploit here will most likely manifest itself as a local escalation of privilege attack.
The remainder of the August updates all address local flaws of the Windows Operating system family and are rated important as the attacker needs to be present on the target system to make use of them. MS10-047 is a Windows Kernel flaw, MS10-048 a flaw in the win32k.sys driver and MS10-059 fixes a problem in the tracing component of Windows.
Last week Microsoft released a bulletin for the 0-day flaw using the LNK filetype. If you have not done so yet, apply MS10-046 together with the first group of patches as desktop systems are at the highest risk of attack using the LNK vulnerability.
References:
Adobe announced that they will publish an out-of-band update APSB10-17 for a 0-day vulnerability published during Charlie Miller's BlackHat talk.
Charlie Miller's BlackHat paper is a result of a collaboration with Prof. Dawn Song from UC Berkeley and a continuation of his fuzzing efforts first revealed at the CanSecWest conference. At the time the tools he used were CrashWrangler and !exploitable, but it seems that BitBlaze, the tool from Prof. Song's research group provides much better insight into exploitable application crashes.
Charlie Miller's BlackHat paper is a result of a collaboration with Prof. Dawn Song from UC Berkeley and a continuation of his fuzzing efforts first revealed at the CanSecWest conference. At the time the tools he used were CrashWrangler and !exploitable, but it seems that BitBlaze, the tool from Prof. Song's research group provides much better insight into exploitable application crashes.
This August is bringing a record setting number of updates from Microsoft. In addition to last week's LNK update, there will be another 14 bulletins addressing 34 vulnerabilities, that IT admins will have to take care of in the weeks after Patch Tuesday. Including the LNK update,9 bulletins have a rating of critical and affect all version of the Windows OS, Internet Explorer, Silverlight and Microsoft Office.
Windows 7 and 2008 R2 have a smaller number of critical vulnerabilities than Windows XP and 2003 in function of their improved security architecture, but are still affected by 2 critical vulnerabilities each.
Internet Explorer, Office and Silverlight updates apply across the board on all Windows versions. They are a examples of the this increasingly used type of flaw, where attackers and malware go through the installed applications rather than through the core operating system.
Windows XP SP2 users do not have any patches supplied to them, even though the 5 critical vulnerabilities for XP SP3 most likely apply to their discontinued version of the OS as well. Windows XP SP2 users should upgrade to SP3 as quickly as possible.
Windows 7 and 2008 R2 have a smaller number of critical vulnerabilities than Windows XP and 2003 in function of their improved security architecture, but are still affected by 2 critical vulnerabilities each.
Internet Explorer, Office and Silverlight updates apply across the board on all Windows versions. They are a examples of the this increasingly used type of flaw, where attackers and malware go through the installed applications rather than through the core operating system.
Windows XP SP2 users do not have any patches supplied to them, even though the 5 critical vulnerabilities for XP SP3 most likely apply to their discontinued version of the OS as well. Windows XP SP2 users should upgrade to SP3 as quickly as possible.
Microsoft released an update today that addresses the LNK vulnerability. The update is rated as critical and applies to all currently supported Windows Operating systems.
We recommend applying the update as quickly as possible. Attacks using this 0-day vulnerability have been increasing.
The recently discontinued Windows 2000 and Windows XP SP2 are not covered by the patch. Users of these Windows 2000 and XP SP2 need to work on an upgrade strategy for these operating systems, as over time without patch support they will become increasingly susceptible to attacks from malware
We recommend applying the update as quickly as possible. Attacks using this 0-day vulnerability have been increasing.
The recently discontinued Windows 2000 and Windows XP SP2 are not covered by the patch. Users of these Windows 2000 and XP SP2 need to work on an upgrade strategy for these operating systems, as over time without patch support they will become increasingly susceptible to attacks from malware
Microsoft will issue an out-of-band update next Monday, August 2nd. The update will address the critical LNK vulnerability that applies to all versions of the Windows Operating system, from Windows XP SP3 to Windows 7.
Microsoft's decision to issue this upgrade before the normal Patch Tuesday on August 10 is due to reports of increasing number of attacks that use the LNK flaw.
Windows 2000 and XP SP2 users will not be covered and are now in a predicament that will become increasingly urgent. Attacks will continue to become more prevalent and their defensive options are limited. Microsoft's work-around in Advisory KB2286198 has a serious impact on the usability of the system as desktop icons are all replaced by standard generic representations and navigation is hampered. The best option for XP SP2 users is to upgrade to SP3 as soon as possible, Windows 2000 users need to migrate to a new OS alltogether.
Primary attack vectors for the LNK vulnerability are USB sticks and shared drives, ahe attack depends on a specially crafted LNK file and a custom DLL to function. Remote attacks through e-mail or websites are theoretically possible, but require multiple steps and user interaction. Nevertheless disabling SMB and WebDAV protocols in the outbound ruleset of internet facing firewalls is a measure that provides additional protection against the remote attack vector.
Microsoft's decision to issue this upgrade before the normal Patch Tuesday on August 10 is due to reports of increasing number of attacks that use the LNK flaw.
Windows 2000 and XP SP2 users will not be covered and are now in a predicament that will become increasingly urgent. Attacks will continue to become more prevalent and their defensive options are limited. Microsoft's work-around in Advisory KB2286198 has a serious impact on the usability of the system as desktop icons are all replaced by standard generic representations and navigation is hampered. The best option for XP SP2 users is to upgrade to SP3 as soon as possible, Windows 2000 users need to migrate to a new OS alltogether.
Primary attack vectors for the LNK vulnerability are USB sticks and shared drives, ahe attack depends on a specially crafted LNK file and a custom DLL to function. Remote attacks through e-mail or websites are theoretically possible, but require multiple steps and user interaction. Nevertheless disabling SMB and WebDAV protocols in the outbound ruleset of internet facing firewalls is a measure that provides additional protection against the remote attack vector.
Update
Businessweek has an article about the SCADA connection of this flaw, Siemens has issued an advisory and update for the software components that are being attacked by some strains of the malware.
Original
Just three days after July's Patch Tuesday, Microsoft issued an advisory for an issue affecting all current Windows Operating Systems. The flaw is located in Windows Shell and can be used to execute arbitrary code on vulnerable systems. According to the advisory, Microsoft is aware of targeted attacks in the wild exploiting the issue. Brian Krebs reports that Russian AV company VirusBlokAda detected the attack while analyzing a new malware sample.
Businessweek has an article about the SCADA connection of this flaw, Siemens has issued an advisory and update for the software components that are being attacked by some strains of the malware.
Original
Just three days after July's Patch Tuesday, Microsoft issued an advisory for an issue affecting all current Windows Operating Systems. The flaw is located in Windows Shell and can be used to execute arbitrary code on vulnerable systems. According to the advisory, Microsoft is aware of targeted attacks in the wild exploiting the issue. Brian Krebs reports that Russian AV company VirusBlokAda detected the attack while analyzing a new malware sample.
The advisory lists workarounds that can be implemented by editing the registry. They change the way certain icons are visualized, so there is a visible impact on the desktop of the user.
The advisory does not list Windows XP SP2, or Windows 2000 for that matter, as being affected, because Microsoft just ended support for both Operating Systems last Tuesday. However we assume the attack works against both of them and attackers will surely take advantage of this security hole. We recommend upgrading your existing Windows XP SP2 installations to SP3 as soon as possible to be able to install the security update for this issue once Microsoft publishes it. Windows 2000 users face a bigger hurdle and they need to upgrade to an entirely new Operating System.
Microsoft's July update is a small step for security updates, but a huge leap for enterprise security. Windows 2000 and Windows XP SP2 are being retired from official support today and will not receive security updates anymore. Our own internal statistics indicate that approximately 50 % of Windows XP machines are still on the SP2 level and external surveys put the number of organizations that still depend on SP2 at 77 %.
This month there are four bulletins, two for security flaws in Windows and two for Microsoft Office. We rank MS10-042 as the most urgent update: It covers Windows XP (both SP2 and SP3) and Windows 2003 and addresses the Windows Help and Support Center vulnerability published by Tavis Ormandy in a much discussed full disclosure move. Microsoft showed a quick turnaround time on this update.
Next on our list is MS10-045 because it undermines the security model of attachments in Microsoft Outlook. Microsoft classified the vulnerability only as "important", but it allows an attacker to camouflage malicious files as a safe file type. An example would be to pass off an executable as a simple text file. All versions of Outlook are affected, excluding the newest Outlook 2010. The second Microsoft Office update, MS10-044 is a vulnerability in a Microsoft Access ActiveX component, is ranked critical and should be treated as a priority as well.
Last on our list is MS10-043, a vulnerability in the CDD display driver for Windows 7 and Windows 2008R2. It is ranked critical, but there are a number of mitigating factors; it is only applicable to 64 bit versions and requires a fairly high display resolution. The priority of the update depends on your environment.
June is a big month for Microsoft patches, there are 10 bulletins covering 34 vulnerabilities. Four bulletins address 0-day issues, the most significant being MS10-035, which fixes the 0-day published by Core Security for an information disclosure vulnerability originally published in February 2010. It also fixes the PWN2OWN vulnerability that security researcher Peter Vreugdenhil used to win ZDI'S competition at CANSECWEST, not a 0-day but high profile as it bypassed all built-in protections such as DEP and ASLR by combining multiple attack methods. MS10-039 addresses a second 0-day, the vulnerability in SharePoint, described by Microsoft in KB983438. MS10-032 and MS10-041 are the additional updates that fix vulnerabilities that were previously disclosed.
The most critical bulletins this month are MS10-035 for Internet Explorer, MS10-033 for DirectShow, and MS10-038 for Excel in Microsoft Office. All versions of IE, including IE8 are affected by MS10-035. There are 6 vulnerabilities in the update, 2 critical and it has an overall exploitability index of 1, indicating that an exploit is expected within 30 days. MS10-033 is a vulnerability in the MJPEG codec and affects a large number of Microsoft products, but its main attack vector is going to be through media files delivered through the Internet to Windows Media Player or IE. Excel has 14 vulnerabilities covered by MS10-038, with 11 in Office XP and only 3 in more recent versions (2003,2007). These vulnerabilities can be used to trigger code execution when a malicious file is opened by the user. The new Office 2010, which is scheduled to be released later this month, is not affected by any of the vulnerabilities.
MS10-032 addresses a local escalation of privilege vulnerability. While it is not remotely exploitable through any Microsoft product, 3rd party applications could expose it and provide a remote attack possibility.
MS10-040 is a remotely exploitable vulnerability in all versions of IIS, but it is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. It further requires an account on the system, reducing the number of vulnerable hosts to a small subset.
In related news, Adobe which published an advisory for a critical 0-day vulnerability in Flash and Reader on Friday, announced that they will provide patches on June 10th and June 29th, respectively, 2 dates that IT administrators should track closely as exploits for the vulnerability are widely available.
References:
The most critical bulletins this month are MS10-035 for Internet Explorer, MS10-033 for DirectShow, and MS10-038 for Excel in Microsoft Office. All versions of IE, including IE8 are affected by MS10-035. There are 6 vulnerabilities in the update, 2 critical and it has an overall exploitability index of 1, indicating that an exploit is expected within 30 days. MS10-033 is a vulnerability in the MJPEG codec and affects a large number of Microsoft products, but its main attack vector is going to be through media files delivered through the Internet to Windows Media Player or IE. Excel has 14 vulnerabilities covered by MS10-038, with 11 in Office XP and only 3 in more recent versions (2003,2007). These vulnerabilities can be used to trigger code execution when a malicious file is opened by the user. The new Office 2010, which is scheduled to be released later this month, is not affected by any of the vulnerabilities.
MS10-032 addresses a local escalation of privilege vulnerability. While it is not remotely exploitable through any Microsoft product, 3rd party applications could expose it and provide a remote attack possibility.
MS10-040 is a remotely exploitable vulnerability in all versions of IIS, but it is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. It further requires an account on the system, reducing the number of vulnerable hosts to a small subset.
In related news, Adobe which published an advisory for a critical 0-day vulnerability in Flash and Reader on Friday, announced that they will provide patches on June 10th and June 29th, respectively, 2 dates that IT administrators should track closely as exploits for the vulnerability are widely available.
References:
Microsoft released its June 2010 advance notification for next week's Patch Tuesday. We will see 10 security bulletins addressing a total of 34 vulnerabilities. Of the 10 bulletins, 3 are categorized as critical, allowing an attacker to take full control of the targeted machine, while the remaining 7 are ranked as important. The critical vulnerabilities affect all Windows OS versions (including Windows 7) and Internet Explorer, the important ones cover Windows and Office.
The June release is a large update and will keep system administrators busy, even if they have migrated to Windows 7 already (the end of life date for Windows XP SP2 is coming closer and Windows 7 is certainly one of the options to migrate to...)
Microsoft will also address 2 currently open vulnerabilities: in SharePoint (detailed in advisory KB983438) and an information leakage in Internet Explorer, explained in advisory KB980088
Some of the patches, including one of the critical ones require a machine reboot after installation.
References:
The June release is a large update and will keep system administrators busy, even if they have migrated to Windows 7 already (the end of life date for Windows XP SP2 is coming closer and Windows 7 is certainly one of the options to migrate to...)
Microsoft will also address 2 currently open vulnerabilities: in SharePoint (detailed in advisory KB983438) and an information leakage in Internet Explorer, explained in advisory KB980088
Some of the patches, including one of the critical ones require a machine reboot after installation.
References:
Microsoft's release for May 2010 contains 2 Bulletins (MS10-030 and MS10-031) fixing 2 vulnerabilities, one of its low impact releases. MS10-031 is for Microsoft Office and addresses a remote code execution vulnerability present in all versions, Office XP, 2003 and 2007. Its exploitability index is 2, so exploit code within the next 30 days is unlikely. Microsoft's blog post at the SRD goes into further detail on the difficulties in writing a working exploit. While the bulletin only carries a severity of "important", we consider it to be the more urgent of today's release.
The second bulletin MS10-030 fixes a vulnerability in Windows Outlook Express and Windows Mail, both mail clients for the POP/IMAP protocols. The vulnerability allows remote code execution and is classified as "critical". Successful exploitation however is unlikely (exploitability index = 2) as it requires extensive user involvement including setting up an e-mail account on a malicious server. We don't see Outlook Express/Windows Mail being used in the enterprise but smaller businesses could be affected.
Microsoft did not address the recent SharePoint vulnerability (KB983438). We recommend looking into the advisory and implementing the suggested work-around which restricts the access to the Help functionality in SharePoint.
The second bulletin MS10-030 fixes a vulnerability in Windows Outlook Express and Windows Mail, both mail clients for the POP/IMAP protocols. The vulnerability allows remote code execution and is classified as "critical". Successful exploitation however is unlikely (exploitability index = 2) as it requires extensive user involvement including setting up an e-mail account on a malicious server. We don't see Outlook Express/Windows Mail being used in the enterprise but smaller businesses could be affected.
Microsoft did not address the recent SharePoint vulnerability (KB983438). We recommend looking into the advisory and implementing the suggested work-around which restricts the access to the Help functionality in SharePoint.
Following the large April update Microsoft will have only 2 Bulletins to release in May. One of the bulletins is for Windows and is rated "critical" for all members of the family but Windows 7 and 2008R2. On the Win7/2008R2 combo it is rated "important", continuing the consistently better showing of Microsoft's newer OSs. The second bulletin is for Office, where all versions are affected and it is rated "important", however it is rated "critical" for Visual Basic for Applications and its SDK. .
Microsoft will not address the recent SharePoint vulnerability (KB983438) and recommends applying into the work-arounds shown in the advisory, restricting the access to the Help functionality in SharePoint.
Last month's bulletins have been seen a fair amount of discussion. Microsoft reissued MS10-025 on April 27 after the initial patch was found to be ineffective. The bulletin only applies to Windows 2000 and is rated "critical", so if it affects your installation please check whether you have applied the latest version. As support for Windows 2000 (and XP SP2) is being discontinued in the summer, IT admins that still run either of these Operating Systems should be working on a replacement strategy. Earlier this week Core Security published 2 advisories concerning MS10-024 and MS10-028, showing that they contained fixes for vulnerabilities not listed in the bulletins. While the inclusion of internally found vulnerabilities is considered normal, Core suggests that the severity for MS10-024 should be upgraded.
Microsoft will not address the recent SharePoint vulnerability (KB983438) and recommends applying into the work-arounds shown in the advisory, restricting the access to the Help functionality in SharePoint.
Last month's bulletins have been seen a fair amount of discussion. Microsoft reissued MS10-025 on April 27 after the initial patch was found to be ineffective. The bulletin only applies to Windows 2000 and is rated "critical", so if it affects your installation please check whether you have applied the latest version. As support for Windows 2000 (and XP SP2) is being discontinued in the summer, IT admins that still run either of these Operating Systems should be working on a replacement strategy. Earlier this week Core Security published 2 advisories concerning MS10-024 and MS10-028, showing that they contained fixes for vulnerabilities not listed in the bulletins. While the inclusion of internally found vulnerabilities is considered normal, Core suggests that the severity for MS10-024 should be upgraded.
Last week Qualys was at Infosecurity Europe meeting customers and demoing the new QualysGuard Malware Detection service. We also gave a presentation on integrating Vulnerability and Patch data, which you can download from here.
Microsoft's patch release for April contains 11 bulletins covering 25 vulnerabilities. The bulletins address a wide array of operating systems and software packages, IT administrators with a good inventory of their installed base will have an easier time evaluating which machines need patches.
Microsoft patches 2 open 0-day vulnerabilities - MS10-020 for the SMBv2 Denial of Service vulnerability, only present on Windows 7 and Windows Server 2008 (KB977544) and MS10-022 for the F1 attack through Internet Explorer (KB981169). MS10-020 fixes other SMB vulnerabilities as well and is a critical update for all platforms.
The most critical bulletins this month are MS10-026, MS10-027 and MS10-019. MS10-026 addresses a DirectShow vulnerability that can be exploited through visualizing a media file which can lead to remote code execution. MS10-027 is a Windows Media Player Active X control vulnerability which can lead to similar results. Both are relatively easy to exploit and have a low exploitability index, however Windows 7 users are not affected by either of the vulnerabilities. MS10-019 addresses a flaw in the Windows Authenticode algorithm involved during the installation process of new software. The flaw allows for a downgrade from the current v2 Authenticode algorithm to the deprecated v1 algorithm. If an attacker follows this downgrade with an attack on v1 (a sophisticated multi-stage attack), he could pass off malicious install packages as legitimately signed by major manufacturers. This vulnerability has a exploit rating of difficult, meaning that even advanced attackers will take a while to come up with the necessary exploit code - still we recommend patching this during the normal cycle for all machines.
MS10-025 is a critical Windows Media Services vulnerability but only affects Windows 2000. Windows 2000 Server will have its extended Support retired in mid-July of this year and will then cease to receive security updates. Organizations that still use Windows 2000 need to evaluate a migration strategy.
The remaining bulletins are ranked as important and moderate - MS10-028 is a file format attack against Visio, which can result in remote code execution. MS10-023 is a similar attack against Microsoft Publisher. As these software packages are not widely installed a good inventory will be helpful in evaluating the exposure. MS10-021 is an interesting side effect created by registry linking. MS10-024 is a Denial of Service vulnerability in the SMTP server of Windows 2003-64bit only and MS10-029 an IPv6/IPv4 packet envelope vulnerability that can lead to information disclosure.
This is a big release for Microsoft, addressing a wide selection of software. IT administrators probably will not have all of the included software packages and configurations installed in their environment and therefore will need to install only a subset of the 11 bulletins.
In addition Adobe released their quarterly patches for Adobe Reader and Acrobat on Windows, Mac OS X and Unix. The update is critical and fixes multiple 15 vulnerabilities with a maximum exposure of "remote code execution".
References:
Microsoft patches 2 open 0-day vulnerabilities - MS10-020 for the SMBv2 Denial of Service vulnerability, only present on Windows 7 and Windows Server 2008 (KB977544) and MS10-022 for the F1 attack through Internet Explorer (KB981169). MS10-020 fixes other SMB vulnerabilities as well and is a critical update for all platforms.
The most critical bulletins this month are MS10-026, MS10-027 and MS10-019. MS10-026 addresses a DirectShow vulnerability that can be exploited through visualizing a media file which can lead to remote code execution. MS10-027 is a Windows Media Player Active X control vulnerability which can lead to similar results. Both are relatively easy to exploit and have a low exploitability index, however Windows 7 users are not affected by either of the vulnerabilities. MS10-019 addresses a flaw in the Windows Authenticode algorithm involved during the installation process of new software. The flaw allows for a downgrade from the current v2 Authenticode algorithm to the deprecated v1 algorithm. If an attacker follows this downgrade with an attack on v1 (a sophisticated multi-stage attack), he could pass off malicious install packages as legitimately signed by major manufacturers. This vulnerability has a exploit rating of difficult, meaning that even advanced attackers will take a while to come up with the necessary exploit code - still we recommend patching this during the normal cycle for all machines.
MS10-025 is a critical Windows Media Services vulnerability but only affects Windows 2000. Windows 2000 Server will have its extended Support retired in mid-July of this year and will then cease to receive security updates. Organizations that still use Windows 2000 need to evaluate a migration strategy.
The remaining bulletins are ranked as important and moderate - MS10-028 is a file format attack against Visio, which can result in remote code execution. MS10-023 is a similar attack against Microsoft Publisher. As these software packages are not widely installed a good inventory will be helpful in evaluating the exposure. MS10-021 is an interesting side effect created by registry linking. MS10-024 is a Denial of Service vulnerability in the SMTP server of Windows 2003-64bit only and MS10-029 an IPv6/IPv4 packet envelope vulnerability that can lead to information disclosure.
This is a big release for Microsoft, addressing a wide selection of software. IT administrators probably will not have all of the included software packages and configurations installed in their environment and therefore will need to install only a subset of the 11 bulletins.
In addition Adobe released their quarterly patches for Adobe Reader and Acrobat on Windows, Mac OS X and Unix. The update is critical and fixes multiple 15 vulnerabilities with a maximum exposure of "remote code execution".
References:
- SRD Blog post by Jonathan Ness/Andrew Roths @ MSRC Engineering with more details
- MSRC Blog post with Exploitability Index
- Information on the new Adobe updater
Today Microsoft released their advance notification for next week's Patch Tuesday. There will be 11 security bulletins (5 critical) affecting a range of Windows operating system components as well as Microsoft Office and Microsoft Exchange. This is a fairly large update and will keep system administrators busy.
Of particular interest is that Microsoft will fix 2 open 0-day vulnerabilities - the F1 attack through the Internet Explorer KB981169 and the SMBv2 Denial of Service vulnerability, only present on Windows 7 and Windows Server 2008 KB977544.
The 5 critical bulletins affect Windows 2000, XP, Vista, 2003, 2008 and Windows 7. An attacker can use these vulnerabilities to remotely execute code on the victim's machine and they should be addressed as quickly as possible.
An additional 5 security bulletins are rated as important and apply to Microsoft Office, Microsoft Exchange and Windows. If left un-patched, an attacker could execute code, cause a denial of service or obtain elevated privileges on the victim's machine. The remaining security bulletin is rated as Important.
Most of the patches require a machine reboot after installation.
Similar to past Patch Tuesdays, Windows 7 has less critical updates to install than the older operating systems versions, an indication that the newer version of Windows are more robust and secure out of the box.
In addition to the Microsoft patches, administrators will also have to pay attention to the security fixes coming out from Adobe for the Reader and Acrobat products. The Adobe update is rated as critical and a successful exploit will allow the attacker to take control of the target machine.
Of particular interest is that Microsoft will fix 2 open 0-day vulnerabilities - the F1 attack through the Internet Explorer KB981169 and the SMBv2 Denial of Service vulnerability, only present on Windows 7 and Windows Server 2008 KB977544.
The 5 critical bulletins affect Windows 2000, XP, Vista, 2003, 2008 and Windows 7. An attacker can use these vulnerabilities to remotely execute code on the victim's machine and they should be addressed as quickly as possible.
An additional 5 security bulletins are rated as important and apply to Microsoft Office, Microsoft Exchange and Windows. If left un-patched, an attacker could execute code, cause a denial of service or obtain elevated privileges on the victim's machine. The remaining security bulletin is rated as Important.
Most of the patches require a machine reboot after installation.
Similar to past Patch Tuesdays, Windows 7 has less critical updates to install than the older operating systems versions, an indication that the newer version of Windows are more robust and secure out of the box.
In addition to the Microsoft patches, administrators will also have to pay attention to the security fixes coming out from Adobe for the Reader and Acrobat products. The Adobe update is rated as critical and a successful exploit will allow the attacker to take control of the target machine.
Microsoft will release MS10-018 a patch for the critical Internet Explorer 0-day vulnerability KB981374 out of band tomorrow, on March 30th. Microsoft's decision to accelerate the release rather than waiting until next Patch Tuesday on April 13th is an indication that attacks against the "iepeers" vulnerability are on the rise.
Similar to what happened with the last IE 0-day patch MS10-002, Microsoft is including fixes for 9 other vulnerabilities, so the patch is critical for ALL versions of IE
If you are still using IE6 or IE7, patch immediately. But even if you are on IE8 you should patch as quickly as possible, as attackers will start reverse engineering the flaws addressed and preparing corresponding exploits within the week.
Kudos to Microsoft for their quick turn-around on this vulnerability.
Similar to what happened with the last IE 0-day patch MS10-002, Microsoft is including fixes for 9 other vulnerabilities, so the patch is critical for ALL versions of IE
If you are still using IE6 or IE7, patch immediately. But even if you are on IE8 you should patch as quickly as possible, as attackers will start reverse engineering the flaws addressed and preparing corresponding exploits within the week.
Kudos to Microsoft for their quick turn-around on this vulnerability.
Contrary to what we expected last week, the Microsoft March Security announcements have a little surprise in it.
The standard bulletins cover Windows Movie Maker/Producer and Office:
No major updates on advisory KB981169, also for Internet Explorer, which requires the target to press F1 to launch the attack and can best be avoided by user education.
References:
The standard bulletins cover Windows Movie Maker/Producer and Office:
- MS10-016 - possible code execution in Windows Movie Maker - ranked important: an attacker can send a malicious file to the target. When the file gets opened, remote code execution is possible. The exploitability index is high, meaning that the file format vulnerability is relatively easy to exploit. Windows XP and Vista ship with vulnerable versions. While Windows 7 does not ship with a vulnerable version, a user could have downloaded and installed the 2.6 version, which is affected. The bulletin does not provide a patch for the also affected Windows Producer, a little used multimedia add-on to Powerpoint.
- MS10-017 - possible code execution in Microsoft Excel - ranked important as well. This bulletin covers 7 vulnerabilities, all of them file format based. All versions of Office are affected, including Mac Office 2004 and 2008. An attacker needs to trick the target to open a specially crafted Excel document, which will allow the attacker to take control of the target system. Exploitability is high for the majority of vulnerabilities listed, so we suggest to put this patch on a fast installation schedule. Attack vectors include also Excel viewer and SharePoint server.
No major updates on advisory KB981169, also for Internet Explorer, which requires the target to press F1 to launch the attack and can best be avoided by user education.
References:
After the massive February update Microsoft will only release 2 Bulletins next week. Both are rated as "important," a medium criticality rating for Microsoft. The first bulletin is for the Windows Operating System affecting the only desktop platforms XP, Vista and Windows 7. The second Bulletin is for Microsoft Office and applies to all versions on Windows (Office XP, 2003 and 2007) and Mac OS X (Office 2004 and 2008), plus SharePoint and the Excel Viewer.
The lower criticality ratings allow IT admins more time to address these March bulletins. It is likely that the Office vulnerabilities should be handled first, as file format vulnerabilities in general have been on the rise in the last year and end users frequently trust open office format files such as Excel due to their business oriented, serious nature.
Microsoft issued earlier this week an advisory KB981169 for a clever attack through Internet Explorer. It requires the end user to press F1 in a pop-up box, so the main defense is make your users aware of the existence of the flaw and instruct them to get in touch with IT should this happen.
Stay tuned for our detailed analysis on next Tuesday.
References:
The lower criticality ratings allow IT admins more time to address these March bulletins. It is likely that the Office vulnerabilities should be handled first, as file format vulnerabilities in general have been on the rise in the last year and end users frequently trust open office format files such as Excel due to their business oriented, serious nature.
Microsoft issued earlier this week an advisory KB981169 for a clever attack through Internet Explorer. It requires the end user to press F1 in a pop-up box, so the main defense is make your users aware of the existence of the flaw and instruct them to get in touch with IT should this happen.
Stay tuned for our detailed analysis on next Tuesday.
References:
Microsoft's February 2010 Patch Tuesday was slated to be the biggest release for Microsoft fixes in the last two years - 14 bulletins addressing 34 vulnerabilities. But the Google/CN Internet Explorer 0-day forced Microsoft to accelerate the testing of the planned IE bulletin and release it early, still in January. That leaves 13 bulletins covering 26 vulnerabilities for the February release, which constitutes one of the bigger patch Tuesdays.
There are 5 critical vulnerabilities for the Windows Operating System family - the newer versions Windows 7 and Windows 2008 R2 are only affected by 3 of them. Rewrites of the TCP/IP stack and the URI handling in Windows 7 and 2008/R2 improved on the implementation of these core OS capabilities.
Overall highest on our list for patching are MS10-006 SMB client and MS10-013 DirectShow, which affect all versions of Windows and have a low exploitability index. Next are MS10-007 Shell URL handling, which is critical for Windows 2000, XP and 2003 and MS10-008, an update to the ActiveX Killbit settings, applicable to all platforms.
MS10-012 is a bulletin for SMB that server administrators should focus on. It allows a malicious, unauthenticated party to launch a remote denial of service attack. In addition remote authenticated clients can execute code using another flaw addressed in the bulletin.
MS10-010 addresses an interesting vulnerability - it is in the hypervisor of Windows 2008. This virtualization vulnerability allows a guest operating system to crash the host operating system, affecting all virtual machines running on the same physical host. Virtualization is increasingly used in corporate IT environments and in cloud computing initiatives and we see this class of vulnerability gaining importance.
Microsoft Office has 2 bulletins, both rated as important. While the newest version of Office for Windows, Office 2007, is not affected, users of all other versions, including on MAC OS X should update as quickly as possible because file based vulnerabilities have been a favorite of attackers in the last year.
References:
There are 5 critical vulnerabilities for the Windows Operating System family - the newer versions Windows 7 and Windows 2008 R2 are only affected by 3 of them. Rewrites of the TCP/IP stack and the URI handling in Windows 7 and 2008/R2 improved on the implementation of these core OS capabilities.
Overall highest on our list for patching are MS10-006 SMB client and MS10-013 DirectShow, which affect all versions of Windows and have a low exploitability index. Next are MS10-007 Shell URL handling, which is critical for Windows 2000, XP and 2003 and MS10-008, an update to the ActiveX Killbit settings, applicable to all platforms.
MS10-012 is a bulletin for SMB that server administrators should focus on. It allows a malicious, unauthenticated party to launch a remote denial of service attack. In addition remote authenticated clients can execute code using another flaw addressed in the bulletin.
MS10-010 addresses an interesting vulnerability - it is in the hypervisor of Windows 2008. This virtualization vulnerability allows a guest operating system to crash the host operating system, affecting all virtual machines running on the same physical host. Virtualization is increasingly used in corporate IT environments and in cloud computing initiatives and we see this class of vulnerability gaining importance.
Microsoft Office has 2 bulletins, both rated as important. While the newest version of Office for Windows, Office 2007, is not affected, users of all other versions, including on MAC OS X should update as quickly as possible because file based vulnerabilities have been a favorite of attackers in the last year.
References:
Yesterday Adobe Systems updated its Reader product to fix a total of eight vulnerabilities. Out of the eight vulnerabilities, six allow remote code execution and are critical. One of the flaws addressed was CVE-2009-4324, the 0-day vulnerability which has had exploits in the wild since December 14 2009, roughly a month ago. This vulnerability is exploited by including malicious code in a PDF document and triggered by executing an embedded JavaScript program. The PDF can be delivered through e-mail or downloaded from a website, making it a fairly easy attack to execute. Interestingly enough it seems that this particular flaw was used in against Adobe itself as pointed out by Elinor Mills at CNET.
Adobe has introduced two interesting security tools in the last two releases of the Reader product - one is an integrated update mechanism that will eventually default to automatic and silent updates. This mechanism is currently in beta and being tested with part of the installed base. The second tool is a internal blacklist that allows hackers to disable specific JavaScript functions. Adobe recently provided guidance on how to mitigate the December 0-day by using this tool. Both tools are in their initial stages but look very promising.
The fixed versions are now Reader v9.3 and v8.2 . What is important for Adobe Reader v7 users to know is that v7 is now out of support (as of 12/28/2009 - see: http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#86) and is not being updated anymore with Security fixes. However, it is impacted by the December 0-day. IT administrators should take inventory of their v7 users and upgrade them to the current standard of v9.
References:
Adobe has introduced two interesting security tools in the last two releases of the Reader product - one is an integrated update mechanism that will eventually default to automatic and silent updates. This mechanism is currently in beta and being tested with part of the installed base. The second tool is a internal blacklist that allows hackers to disable specific JavaScript functions. Adobe recently provided guidance on how to mitigate the December 0-day by using this tool. Both tools are in their initial stages but look very promising.
The fixed versions are now Reader v9.3 and v8.2 . What is important for Adobe Reader v7 users to know is that v7 is now out of support (as of 12/28/2009 - see: http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#86) and is not being updated anymore with Security fixes. However, it is impacted by the December 0-day. IT administrators should take inventory of their v7 users and upgrade them to the current standard of v9.
References:
Download Laws 2.0
