VERT Alert

March 09, 2010 1:15 PST

The nCircle VERT Alert is brought to you by nCircle VERT, nCircle’s research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today’s VERT Alert addresses two new Microsoft Security Bulletins, as well as two Microsoft Security Advisories. nCircle VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-340 on Wednesday, March 10th.

MS10-016	Movie Maker and Producer Buffer Overflow Vulnerability	CVE-2010-0265
MS10-017	Microsoft Office Excel Record Memory Corruption Vulnerability	CVE-2010-0257
	Microsoft Office Excel Sheet Object Type Confusion Vulnerability	CVE-2010-0258
	Microsoft Office Excel MDXTUPLE Record Heap Overflow Vulnerability	CVE-2010-0260
	Microsoft Office Excel MDXSET Record Heap Overflow Vulnerability	CVE-2010-0261
	Microsoft Office Excel FNGROUPNAME Record Uninitialized Memory Vulnerability	CVE-2010-0262
	Microsoft Office Excel XLSX File Parsing Code Execution Vulnerability	CVE-2010-0263
	Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability	CVE-2010-0264

MS10-016

A single vulnerability in Movie Maker and Producer is patched in MS10-016. The specific issue is in the way that these two programs parse their related project files. The patch, however, applies only to Movie Maker as Producer is not being patched at this time. Microsoft has provided a Fix it for Producer to remove the file associations in KB975561¹.

MS10-017

The bulk of new CVEs this month come from MS10-017, 7 CVEs are being patched and there are a few interesting things to note. The first is that four of the CVEs are Excel 2007 only, and one of them specifically names the new XLSX file format as the target. This is the first time that we’re seeing the handling of XLSX files patched. Given that these files have been in use for over 3 years, this shows that Microsoft’s move to secure development is paying off. The other item of interest is that SharePoint Server 2007 is affected. This is because of Excel Services² which ships with SharePoint 2007 Enterprise and SharePoint 2007 for Internet Sites.

As always VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Automated Exploit
Easy
Moderate
Difficult
Extremely Difficult
No Known Exploit			MS10-016			MS10-017
	Exposure	Local Availability	Local Access	Remote Availability	Remote Access	Local Privileged	Remote Privileged

In addition to the two bulletins released this month, there is a new security advisory, as well as an updated security advisory that are worth mentioning.

The updated advisory (973811³) has been modified to indicate that a new version of the update is available that allows for IIS to be opted-in to Extended Protection for Authentication. Extended Protection for Authentication allows for additional protections against credential forwarding as an added defense in depth measure.

The last item, the new security advisory (981374⁴) discusses new reports of a 0-day in Internet Explorer 6 and Internet Explorer 7. Other versions of Internet Explorer are not affected. Microsoft has provided several workarounds in the advisory, including setting an ACL on the iepeers.dll file.

Assessing Your Systems

Focus Query: App:"Internet Explorer 6" OR App:"Internet Explorer 7.0"

All data and commentary is based on information available when the VERT Alert is published. The VERT Alert may be updated on the nCircle website as new information surfaces: http://www.ncircle.com/index.php?s=resources_VERT-Alert.

¹ http://support.microsoft.com/kb/975561
² http://office.microsoft.com/en-us/sharepointserver/ha101054761033.aspx
³ http://www.microsoft.com/technet/security/advisory/973811.mspx
⁴ http://www.microsoft.com/technet/security/advisory/981374.mspx