VERT Alert

August 10, 2010 5:00 PST

The nCircle VERT Alert is brought to you by nCircle VERT, nCircle’s research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today’s VERT Alert addresses fourteen new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-362 on Wednesday, August 11th.

MS10-047
  Windows Kernel Data Initialization Vulnerability (CVE-2010-1888)
  Windows Kernel Double Free Vulnerability (CVE-2010-1889)
  Windows Kernel Improper Validation Vulnerability (CVE-2010-1890)

MS10-048
  Win32k Bounds Checking Vulnerability (CVE-2010-1887)
  Win32k Exception Handling Vulnerability (CVE-2010-1894)
  Win32k Pool Overflow Vulnerability (CVE-2010-1895)
  Win32k User Input Validation Vulnerability (CVE-2010-1896)
  Win2K Window Creation Vulnerability (CVE-2010-1897)

MS10-049
  TLS/SSL Renegotiation Vulnerability (CVE-2009-3555)
  SChannel Malformed Certificate Request Remote Code Execution Vulnerability (CVE-2010-2566)

MS10-050
  Movie Maker Memory Corruption Vulnerability (CVE-2010-2564)

MS10-051
  Msxml2.XMLHTTP.3.0 Response Handling Memory Corruption Vulnerability (CVE-2010-2561)

MS10-052
  MPEG Layer-3 Audio Decoder Buffer Overflow Vulnerability (CVE-2010-1882)

MS10-053
  Event Handler Cross-Domain Vulnerability (CVE-2010-1258)
  Uninitialized Memory Corruption Vulnerability (I) (CVE-2010-2556)
  Uninitialized Memory Corruption Vulnerability (II) (CVE-2010-2557)
  Race Condition Memory Corruption Vulnerability (CVE-2010-2558)
  Uninitialized Memory Corruption Vulnerability (III) (CVE-2010-2559)
  HTML Layout Memory Corruption Vulnerability (CVE-2010-2560)

MS10-054
  SMB Pool Overflow Vulnerability (CVE-2010-2550)
  SMB Variable Validation Vulnerability (CVE-2010-2551)
  SMB Stack Exhaustion Vulnerability (CVE-2010-2552)

MS10-055
  Cinepak Codec Decompression Vulnerability (CVE-2010-2553)

MS10-056
  Word Record Parsing Vulnerability (CVE-2010-1900)
  Word RTF Parsing Engine Memory Corruption Vulnerability (CVE-2010-1901)
  Word RTF Parsing Buffer Overflow Vulnerability (CVE-2010-1902)
  Word HTML Linked Objects Memory Corruption Vulnerability (CVE-2010-1903)

MS10-057
  Excel Memory Corruption Vulnerability (CVE-2010-2562)

MS10-058
  IPv6 Memory Corruption Vulnerability (CVE-2010-1892)
  Integer Overflow in Windows Networking Vulnerability (CVE-2010-1893)

MS10-059
  Tracing Registry Key ACL Vulnerability (CVE-2010-2554)
  Tracing Memory Corruption Vulnerability (CVE-2010-2555)

MS10-060
  Microsoft Silverlight Memory Corruption Vulnerability (CVE-2010-0019)
  Microsoft Silverlight and Microsoft .NET Framework CLR Virtual Method Delegate Vulnerability (CVE-2010-1898)



MS10-047

This bulletin covers three CVEs affecting the Windows Kernel. While two of the CVEs could result in elevation of privilege, the CVE affecting Windows 7 is denial of service only. This patch replaces MS10-021.

MS10-048

This bulletin covers 5 CVEs affecting Win32k.sys. This patch replaces MS10-032 and will likely be replaced in the future when a patch comes out for the recent CreateDIBPalette vulnerability. All supported operating systems are affected by at least two of the CVEs referenced in MS10-048, while XP and 2003 are affected by all 5. Microsoft Security Research & Defense has released a blog post [1] on this update.

MS10-049

This advisory is rather interesting because it contains a fix for CVE-2009-3555, which garnered quite a bit of press last year. A number of vendors worked together to resolve this issue and create a new RFC [2] for the TLS Renegotiation Indication Extension. Microsoft has released a blog post [3] regarding this CVE. The second CVE in MS10-049 describes a vulnerability that could allow code execution to occur when validating client certificate requests sent by the server. Microsoft SR&D has also released a blog post [4] on this CVE.

MS10-050

MS10-050 describes a single vulnerability affecting Windows Movie Maker on Windows XP and Vista. The vulnerability lies in the parsing of Movie Maker Project Files (.mswmm). This patch replaces MS10-016.

MS10-051

This bulletin covers a single CVE affecting Microsoft XML Core Services 3.0 and is a replacement for MS08-069. The vulnerability exists due to how HTTP responses are handled, and successful exploitation of this vulnerability could lead to code execution.

MS10-052

MS10-052 describes a single CVE affecting the MPEG Layer-3 Codec. A vulnerability exists in the DirectShow MP3 filter that could allow a specially crafted MPEG Layer-3 (.mp3) file to execute code in the context of the local user.

MS10-053

This bulletin describes 6 CVEs affecting Internet Explorer 6, 7 and 8. While Microsoft has prioritized this advisory as critical, they’ve stated on the SR&D blog that the exploitability index is only 1 for IE6 and that IE7 and IE8 will be difficult to develop reliable exploits for. IE6 users should give serious thought to upgrading to a newer version of IE. This bulletin replaces the last IE cumulative update (MS10-035).

MS10-054

This bulletin describes three CVEs affecting all versions of Windows, and replaces MS10-012. Microsoft SR&D has provided additional details on this bulletin on their blog [5]. The newer Windows operating systems do not allow unauthenticated access by default and, as a result, are not rated Critical like Windows XP.

MS10-055

This advisory patches a vulnerability in the Cinepak Codec (used to support AVI playback) which can result in remote code execution when a specially crafted media file is either opened locally, or streamed remotely via a website or by a third party application. When exploitation is successful, the attacker gains the privileges of the local user, potentially allowing for the installation of programs, file deletion, file modification, and creation of additional user accounts. Users with fewer local system permissions are potentially less affected than users with full administrative permissions.

MS10-056

This advisory addresses four vulnerabilities, including remote code execution for specially crafted RTF e-mail documents if opened or previewed, and for specially crafted Word documents containing malformed records if opened with all versions of Word Viewer, Office Compatibility Pack, Works 9, Open XML File Format Converter for Mac, Office 2004 and 2008 for Mac, Office XP, Word 2002, and Word 2003. Successful exploitation will result in the attacker gaining the same permissions as the local user, allowing for file creation, deletion, and modification, as well as potentially the creation of additional users. Users with fewer local system permissions are potentially less affected than users with full administrative permissions.

MS10-057

This advisory addresses a vulnerability in Office which allows for remote code execution when a specially crafted Excel file is opened. Successful exploitation will result in the attacker gaining the same permissions as the local user, allowing for file creation, deletion, and modification, as well as potentially the creation of additional users. Users with fewer local system permissions are potentially less affected than users with full administrative permissions.

MS10-058

This advisory addresses both a denial of service vulnerability and an integer overflow vulnerability in the TCP/IP stack of Windows Vista, Server 2008, Windows 7, and Server 2008 R2, triggered via a specially crafted IPv6 packet which contains a malformed extension header. Successful exploitation of the denial of service vulnerability can cause a system to stop responding, while successful exploitation of the integer overflow vulnerability allows for code execution with system level privileges, allowing for file creation, deletion, modification, and the creation of additional users.

MS10-059

This advisory addresses two vulnerabilities in the Tracing Feature for Services. Both of these allow for privilege escalation via a specially crafted application. The Tracing Registry Key ACL Vulnerability allows for remote code execution, and thus for file creation, deletion, and modification as well as the creation of additional users. The Tracing Memory Corruption Vulnerability allows for the execution of arbitrary code, and thus file creation, deletion, and modification as well as the creation of additional users. Public advisories with details of this vulnerability are available.

MS10-060

This advisory addresses two vulnerabilities in .NET Framework and Silverlight, which can result in remote code execution should a user view a specially crafted webpage using a browser that supports XAML Browser Applications or Silverlight applications. Alternatively, a specially crafted .NET application can be used as an attack vector. Users with fewer local system permissions are potentially less affected than users with full administrative permissions.

As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Ease of use (rows): Automated Exploit, Easy, Moderate, Difficult, Extremely Difficult, No Known Exploit
Exposure (columns): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

Automated Exploit: (none)
Easy: (none)
Moderate: MS10-049, MS10-048, MS10-059
Difficult: (none)
Extremely Difficult: (none)
No Known Exploit: MS10-050, MS10-051, MS10-052, MS10-053, MS10-055, MS10-056, MS10-057, MS10-058, MS10-060, MS10-047, MS10-054


All data and commentary is based on information available when the VERT Alert is published. The VERT Alert may be updated on the nCircle website as new information surfaces: http://www.ncircle.com/index.php?s=resources_VERT-Alert.

[1] http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-048-an-explanation-of-the-defense-in-depth-fixes.aspx
[2] http://tools.ietf.org/html/rfc5746
[3] http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-049-an-inside-look-at-cve-2009-3555-the-tls-renegotiation-vulnerability.aspx
[4] http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-049-a-remote-code-execution-vulnerability-in-schannel-cve-2010-2566.aspx
[5] http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-054-exploitability-details-for-the-smb-server-update.aspx