VERT Alert

April 13, 2010 5:00 PST

The nCircle VERT Alert is brought to you by nCircle VERT, nCircle’s research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today’s VERT Alert addresses 11 new Microsoft Security Bulletins, covering 25 vulnerabilities. VERT is actively working on coverage for these issues in order to meet our 24-hour SLA. VERT is expecting to ship ASPL-345 on Wednesday, April 14th.

MS10-019
  WinVerifyTrust Signature Validation Vulnerability (CVE-2010-0486)
  Cabview Corruption Validation Vulnerability (CVE-2010-0487)

MS10-020
  SMB Client Incomplete Response Vulnerability (CVE-2009-3676)
  SMB Client Memory Allocation Vulnerability (CVE-2010-0269)
  SMB Client Transaction Vulnerability (CVE-2010-0270)
  SMB Client Response Parsing Vulnerability (CVE-2010-0476)
  SMB Client Message Size Vulnerability (CVE-2010-0477)

MS10-021
  Windows Kernel Null Pointer Vulnerability (CVE-2010-0234)
  Windows Kernel Symbolic Link Value Vulnerability (CVE-2010-0235)
  Windows Kernel Memory Allocation Vulnerability (CVE-2010-0236)
  Windows Kernel Symbolic Link Creation Vulnerability (CVE-2010-0237)
  Windows Kernel Registry Key Vulnerability (CVE-2010-0238)
  Windows Kernel Virtual Path Parsing Vulnerability (CVE-2010-0481)
  Windows Kernel Malformed Image Vulnerability (CVE-2010-0482)
  Windows Kernel Exception Handler Vulnerability (CVE-2010-0810)

MS10-022
  VBScript Help Keypress Vulnerability (CVE-2010-0483)

MS10-023
  Microsoft Office Publisher File Conversion TextBox Processing Buffer Overflow Vulnerability (CVE-2010-0479)

MS10-024
  SMTP Server MX Records Vulnerability (CVE-2010-0024)
  SMTP Memory Allocation Vulnerability (CVE-2010-0025)

MS10-025
  Media Services Stack-based Buffer Overflow Vulnerability (CVE-2010-0478)

MS10-026
  MPEG Layer-3 Audio Decoder Stack Overflow Vulnerability (CVE-2010-0480)

MS10-027
  Media Player Remote Code Execution Vulnerability (CVE-2010-0268)

MS10-028
  Visio Attribute Validation Memory Corruption Vulnerability (CVE-2010-0254)
  Visio Index Calculation Memory Corruption Vulnerability (CVE-2010-0256)

MS10-029
  ISATAP IPv6 Source Address Spoofing Vulnerability (CVE-2010-0812)

MS10-019

This is an interesting advisory because it has to do with content signing. The issue itself is that Authenticode checks can be downgraded from Authenticode v2 to Authenticode v1. Microsoft has pointed out (on their Security Research & Defense blog [1]) that this is high on the priority list because an attacker could embed malicious content in an executable without invalidating the Authenticode-assured publisher.

MS10-020

The first important thing to note here is that these are issues in the SMB client and not the SMB server. While there are a number of code execution vulnerabilities in the bulletin, people may be interested to see that Laurent Gaffie's Windows 7/2K8 R2 denial of service [2] is being patched this month. While this issue wasn't serious, it's always good to see vulnerabilities with public proofs of concept patched. Also of note is the inclusion of Defense in Depth measures for CVE-2010-0476 on Windows 7 and Windows 2008 R2. Microsoft Security Research and Defense has a blog post up related to this issue [3].

MS10-021

This bulletin addresses a number of issues related to the Windows kernel, including a registry symlink issue that is covered in more detail in an SRD blog post [4]. The bulk of the issues addressed by this bulletin are denial of service; however, some of the older platforms are affected by elevation of privilege issues.

MS10-022

This bulletin fixes a single vulnerability in VBScript that requires the attacker to convince the victim to press F1 while a VBScript message box is displayed. Public exploit code is available for this vulnerability. It's also important to note that while updates are available for all platforms, once again the newer operating systems are not vulnerable and instead receive this update as a Defense in Depth measure.

MS10-023

The first of two Office bulletins, this bulletin addresses a vulnerability affecting the Publisher file format. As always, remind your users to exercise caution and not open attachments from senders that they don’t recognize.

MS10-024

Two SMTP vulnerabilities are addressed in MS10-024. One of these is a denial of service, while the other allows for information disclosure. The more interesting tidbit here is that the denial of service doesn’t affect Exchange (according to the SRD blog posting) and the patch is being released only to add additional DNS protections.

MS10-025

The single vulnerability resolved by this bulletin affects only Windows 2000 and only when Windows Media Services is enabled (it is an optional component that isn’t enabled by default). This bulletin provides the only network-based remote code execution of the April bulletins.

MS10-026

This bulletin covers one of a couple of drive-by attack scenarios addressed this month; in this case the vector is a malicious AVI file containing an MP3 audio track. This update should be applied as soon as possible.

MS10-027

Another drive-by attack vulnerability exists with MS10-027, affecting users running Windows Media Player 9 on Windows 2000 and Windows XP. Other operating systems are not affected by this vulnerability.

MS10-028

The second Office bulletin, this bulletin addresses two vulnerabilities affecting the Visio file format. Both of these file format vulnerabilities could lead to code execution.

MS10-029

The final bulletin of the day covers a source address spoofing vulnerability in ISATAP, which wraps an IPv6 packet inside an IPv4 packet. This could potentially lead to firewall bypass.
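As an added illustration (not part of the original alert), the consistency check a tunnel endpoint or a firewall inspecting IPv6-in-IPv4 (protocol 41) traffic can apply to ISATAP: the outer IPv4 source must match the IPv4 address embedded in the inner IPv6 ISATAP source address, otherwise the inner source has been spoofed. The packets are constructed samples using documentation address ranges, and the function names are chosen here.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for IPv6-in-IPv4 encapsulation (used by ISATAP)


def isatap_embedded_ipv4(addr6):
    """Return the IPv4 address embedded in an ISATAP interface identifier
    (::0:5efe:a.b.c.d or ::200:5efe:a.b.c.d), or None if the address is not ISATAP."""
    b = ipaddress.IPv6Address(addr6).packed
    # Low 64 bits: 0000 or 0200 (u/l bit set), then 5efe, then the 32-bit IPv4 address
    if b[8:10] in (b"\x00\x00", b"\x02\x00") and b[10:12] == b"\x5e\xfe":
        return ipaddress.IPv4Address(b[12:16])
    return None


def check_isatap_packet(pkt):
    """Parse an IPv4 packet carrying protocol 41 and compare the outer IPv4 source
    with the IPv4 address embedded in the inner IPv6 ISATAP source.
    Returns (verdict, outer_ipv4_src, inner_ipv6_src)."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    if pkt[9] != IPPROTO_IPV6:
        return ("not-ipv6-in-ipv4", outer_src, None)
    inner = pkt[ihl:]
    if len(inner) < 40 or (inner[0] >> 4) != 6:    # need a full IPv6 header, version 6
        return ("malformed-inner", outer_src, None)
    inner_src = ipaddress.IPv6Address(inner[8:24])
    embedded = isatap_embedded_ipv4(inner_src)
    if embedded is None:
        return ("non-isatap-source", outer_src, inner_src)
    if embedded != outer_src:
        return ("spoofed", outer_src, inner_src)     # outer and inner sources disagree
    return ("consistent", outer_src, inner_src)


def build_packet(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample: a minimal IPv4 header (protocol 41, checksum left zero)
    followed by an IPv6 header with no payload (next header 59)."""
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 40, 0, 0, 64, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                      ipaddress.IPv6Address(inner_src).packed,
                      ipaddress.IPv6Address(inner_dst).packed)
    return ip4 + ip6
```

A packet built with outer source 192.0.2.10 and inner source fe80::5efe:192.0.2.10 is reported as consistent, while the same inner address arriving from outer source 198.51.100.7 is reported as spoofed.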

As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.

The following table maps the ease of use of published exploits (rows) to the risk associated with the vulnerability, grouped by exposure type (columns).

Exposure             Local         Local     Remote        Remote   Local       Remote
                     Availability  Access    Availability  Access   Privileged  Privileged

Automated Exploit                  MS10-022
Easy
Moderate                                                            MS10-020
Difficult
Extremely Difficult
No Known Exploit                   MS10-023  MS10-024               MS10-019    MS10-025
                                   MS10-026  MS10-029               MS10-021
                                   MS10-027
                                   MS10-028


All data and commentary is based on information available when the VERT Alert is published. The VERT Alert may be updated on the nCircle website as new information surfaces: http://www.ncircle.com/index.php?s=resources_VERT-Alert.

[1] http://blogs.technet.com/srd/archive/2010/04/12/assessing-the-risk-of-the-april-security-bulletins.aspx
[2] http://g-laurent.blogspot.com/2009_11_11_archive.html
[3] http://blogs.technet.com/srd/archive/2010/04/12/smb-client-update-blog-post.aspx
[4] http://blogs.technet.com/srd/archive/2010/04/12/registry-vulnerabilities-addressed-by-ms10-021.aspx