Sunday, December 26, 2010

2010: The Year of the Exploit

"If ignorant both of your enemy and yourself, you are certain to be in peril." - Sun Tzu 

Microsoft Patch Disclosure


Overview
This month, Microsoft released 17 patches which repair a total of 40 vulnerabilities. Of these 17 patches, 10 address Remote Code Execution vulnerabilities, 4 address Elevation of Privilege vulnerabilities, and 3 address Denial of Service.

eEye's Blink Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.

Patch Precedence
eEye advises administrators to patch MS10-090 and MS10-091, followed by MS10-092, MS10-093, MS10-094, MS10-095, MS10-096, MS10-097, MS10-098, MS10-099, MS10-100, MS10-101, MS10-102, MS10-103, MS10-104, and MS10-105, and then patch MS10-106. For those unable to deploy the patches in a timely fashion, see the mitigation sections below.

As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.


Bulletin/Advisory Summary

Critical
MS10-090 - Cumulative Security Update for Internet Explorer (2416400)
MS10-091 - Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (2296199)

Important
MS10-092 - Vulnerability in Task Scheduler Could Allow Elevation of Privilege (2305420)
MS10-093 - Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (2424434)
MS10-094 - Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961)
MS10-095 - Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2385678)
MS10-096 - Vulnerability in Windows Address Book Could Allow Remote Code Execution (2423089)
MS10-097 - Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105)
MS10-098 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2436673)
MS10-099 - Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege (2440591)
MS10-100 - Vulnerability in Consent User Interface Could Allow Elevation of Privilege (2442962)
MS10-101 - Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559)
MS10-102 - Vulnerability in Hyper-V Could Allow Denial of Service (2345316)
MS10-103 - Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2292970)
MS10-104 - Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005)
MS10-105 - Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (968095)

Moderate
MS10-106 - Vulnerability in Microsoft Exchange Server Could Allow Denial of Service (2407132)



Bulletin/Advisory Details

MS10-090
Cumulative Security Update for Internet Explorer (2416400)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves four privately reported vulnerabilities and three publicly disclosed vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory and script during certain processes.
* HTML Object Memory Corruption Vulnerability - CVE-2010-3340
  A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
* Cross-Domain Information Disclosure Vulnerability - CVE-2010-3342
  An information disclosure vulnerability exists in Internet Explorer that could allow script to gain access to information in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone.
* HTML Object Memory Corruption Vulnerability - CVE-2010-3343
  A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
* HTML Element Memory Corruption Vulnerability - CVE-2010-3345
  A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
* HTML Element Memory Corruption Vulnerability - CVE-2010-3346
  A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
* Cross-Domain Information Disclosure Vulnerability - CVE-2010-3348
  An information disclosure vulnerability exists in Internet Explorer that could allow script to gain access to information in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone.
* Uninitialized Memory Corruption Vulnerability - CVE-2010-3962
  A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by convincing the user to open a malicious Word document. When a user closes the document, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
This bulletin addresses multiple vulnerabilities in Internet Explorer; 5 remote code execution vulnerabilities and 2 information disclosure vulnerabilities. To exploit the remote code execution vulnerabilities, an attacker would need to create a malicious web page and convince a user to view that web page. For four of the remote code execution vulnerabilities, exploitation would occur immediately.

Mitigations
Configure Internet Explorer to either disable Active Scripting entirely or prompt before executing Active Scripts. Block ActiveX scripting. Read emails in plain text. Disable mstime.dll by using the Access Control List. Finally, apply a custom CSS style sheet, by running the Fix-It tool at http://support.microsoft.com/kb/2458511.

MS10-091
Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (2296199)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves several privately reported vulnerabilities in the Windows Open Type Font (OTF) driver that could allow remote code execution. An attacker could host a specially crafted OpenType font on a network share. The affected control path is then triggered when the user navigates to the share in Windows Explorer, allowing the specially crafted font to take complete control over an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerabilities by correcting the way that the OpenType Font (OTF) driver indexes arrays when parsing OpenType fonts, resets pointers when freeing memory, and parses the CMAP table when rendering OpenType fonts.
* OpenType Font Index Vulnerability - CVE-2010-3956
  A remote code execution vulnerability exists in the way that the OpenType Font (OTF) driver improperly parses specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
* OpenType Font Double Free Vulnerability - CVE-2010-3957
  A remote code execution vulnerability exists in the way that the OpenType Font (OTF) driver improperly parses specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
* OpenType CMAP Table Vulnerability - CVE-2010-3959
  A remote code execution vulnerability exists in the way that the OpenType Font (OTF) driver improperly parses specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
This bulletin addresses three remote code execution font parsing vulnerabilities within the OpenType Font (OTF) driver. These vulnerabilities are caused by improperly parsing OpenType Fonts. Attackers could use these vulnerabilities to execute malicious code with kernel privileges on a victim's machine. An attacker would simply need to host the malicious font on a network share and convince the user to open a document that uses that font. Alternatively, it is enough for the user to navigate to the malicious font's location within Windows Explorer, which renders a preview of the file.

Mitigations
Disable the ability for users to preview fonts in the Preview or Details Pane within Windows Explorer.

MS10-092
Vulnerability in Task Scheduler Could Allow Elevation of Privilege (2305420)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a publicly disclosed vulnerability in Windows Task Scheduler. The vulnerability could allow elevation of privilege if an attacker logged on to an affected system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. The security update addresses the vulnerability by correcting the way Task Scheduler conducts integrity checks to validate that tasks run with the intended user privileges.
* Task Scheduler Vulnerability - CVE-2010-3338
  An elevation of privilege vulnerability exists in the way that the Windows Task Scheduler improperly validates whether scheduled tasks run within the intended security context. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
This bulletin addresses an elevation of privilege vulnerability within the Windows Task Scheduler which could allow an attacker to run arbitrary code with local system rights. The vulnerability is caused by the fact that the Task Scheduler does not always run tasks within the intended security context. A local attacker would likely use the elevated privileges gained by exploiting this vulnerability to install malicious software and backdoors on the compromised system.

Mitigations
Disable the Task Scheduler service within the Windows Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule by changing the Start value from 2 to 4.

MS10-093
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (2424434)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a publicly disclosed vulnerability in Windows Movie Maker. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate Windows Movie Maker file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application. The security update addresses the vulnerability by correcting the way Windows Movie Maker loads external libraries.
* Insecure Library Loading Vulnerability - CVE-2010-3967
  A remote code execution vulnerability exists in the way that Windows Movie Maker handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
This bulletin addresses an insecure DLL loading vulnerability within Windows Movie Maker which could lead to remote code execution. Successful exploitation would give the attacker the ability to execute arbitrary code within the context of the current user.

Mitigations
Disable loading DLLs from network/WebDAV shares. Disable the WebClient Service. Block TCP ports 139 and 445 at the external firewall.

MS10-094
Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a publicly disclosed vulnerability in Windows Media Encoder. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate Windows Media Profile (.prx) file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application. The security update addresses the vulnerability by correcting the way the Windows Media Encoder loads external libraries.
* Insecure Library Loading Vulnerability - CVE-2010-3965
  A remote code execution vulnerability exists in the way that Microsoft Windows handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
This bulletin addresses a remote code execution vulnerability in the way Windows Media Encoder loads DLLs. Successful exploitation would give the attacker the ability to execute arbitrary code within the context of the current user.

Mitigations
Disable loading DLLs from network/WebDAV shares. Disable the WebClient Service. Block TCP ports 139 and 445 at the external firewall.

MS10-095
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2385678)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file type such as .eml and .rss (Windows Live Mail) or .wpost (Microsoft Live Writer) located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application. The security update addresses the vulnerability by correcting the manner in which the Windows BranchCache loads external libraries.
* BranchCache Insecure Library Loading Vulnerability - CVE-2010-3966
  A remote code execution vulnerability exists in the way that Microsoft Windows opens specific files on platforms that do not support the BranchCache functionality. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
This bulletin addresses a remote code execution vulnerability caused by the way Windows loads DLLs on systems where BranchCache functionality is unavailable. Successful exploitation would result in the attacker being able to execute arbitrary code within the context of the current user.

Mitigations
Disable loading DLLs from network/WebDAV shares. Disable the WebClient Service. Block TCP ports 139 and 445 at the external firewall.

MS10-096
Vulnerability in Windows Address Book Could Allow Remote Code Execution (2423089)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a publicly disclosed vulnerability in Windows Address Book. The vulnerability could allow remote code execution if a user opens a Windows Address Book file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application. The security update addresses the vulnerability by correcting the manner in which the Windows Address Book loads external libraries.
* Insecure Library Loading Vulnerability - CVE-2010-3147
  A remote code execution vulnerability exists in the way that Windows Address Book handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
This bulletin addresses a remote code execution vulnerability caused by the way Windows Address Book loads DLLs. Successful exploitation would result in the attacker being able to execute arbitrary code within the context of the current user.

Mitigations
Disable loading DLLs from network/WebDAV shares. Disable the WebClient Service. Block TCP ports 139 and 445 at the external firewall.

MS10-097
Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a publicly disclosed vulnerability in the Internet Connection Signup Wizard of Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. The security update addresses the vulnerability by correcting the manner in which the Internet Connection Signup Wizard loads external libraries.
* Internet Connection Signup Wizard Insecure Library Loading Vulnerability - CVE-2010-3144
  A remote code execution vulnerability exists in the way that the Internet Connection Signup Wizard, a component of Microsoft Windows, handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
This is a standard DLL hijacking vulnerability of the kind seen in the past with other applications. When opened, the Internet Connection Signup Wizard will attempt to load one of its DLLs from a network or WebDAV share. An attacker could place a specially crafted DLL in a share that, when loaded, would execute arbitrary code with the same permissions as the user.

Mitigations
Disable loading DLLs from network/WebDAV shares. Disable the WebClient Service. Block TCP ports 139 and 445 at the external firewall.

MS10-098
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2436673)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves one publicly disclosed vulnerability and several privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. The security update addresses the vulnerabilities by correcting the way the Windows kernel-mode drivers allocate memory, free objects that are no longer in use, manage kernel-mode driver objects, and validate input passed from user mode.
* Win32k Buffer Overflow Vulnerability - CVE-2010-3939
  An elevation of privilege vulnerability exists in the way that Windows kernel-mode drivers improperly allocate memory when copying data from user mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
* Win32k PFE Pointer Double Free Vulnerability - CVE-2010-3940
  An elevation of privilege vulnerability exists due to the way that the Windows kernel-mode drivers free objects that are no longer in use. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
* Win32k Double Free Vulnerability - CVE-2010-3941
  An elevation of privilege vulnerability exists due to the way that the Windows kernel-mode drivers free objects that are no longer in use. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
* Win32k WriteAV Vulnerability - CVE-2010-3942
  An elevation of privilege vulnerability exists in the way that Windows kernel-mode drivers improperly allocate memory when copying data from user mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
* Win32k Cursor Linking Vulnerability - CVE-2010-3943
  An elevation of privilege vulnerability exists due to the way that Windows kernel-mode drivers manage kernel-mode driver objects. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
* Win32k Memory Corruption Vulnerability - CVE-2010-3944
  An elevation of privilege vulnerability exists in the way that the Windows kernel-mode drivers improperly validate input passed from user mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
This bulletin addresses multiple elevation of privilege vulnerabilities within Windows kernel drivers. They include improper allocation of memory for data sent from userland to the kernel, double free vulnerabilities, and improper management of kernel driver objects. They all lead to the attacker gaining the ability to run arbitrary code with kernel privileges.

Mitigations
Five of the six vulnerabilities have no mitigation. For CVE-2010-3941, administrators can disable the NTVDM subsystem through gpedit.msc or by setting the DisallowedPolicyDefault registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW to 1.
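Several of the mitigations in this post are registry or service settings (the MS10-090 Active Scripting setting, the MS10-092 Task Scheduler Start value, the MS10-093 through MS10-097 DLL-loading and WebClient workarounds, and the MS10-098 NTVDM setting). The audit script below checks all of them on a host and reports which are in place. It is an added example, not code from the original post or from eEye or Microsoft. Two settings it reads are not named on this page and are assumptions: the Internet zone value 1400 as the Active Scripting setting, and the CWDIllegalInDllSearch value from Microsoft KB 2264107 as the control for DLL loading from remote and WebDAV shares. The Task Scheduler and WOW registry paths are the ones the post gives.

```powershell
# Added example, not code from the original post or from eEye/Microsoft.
# Audits the host-side workarounds listed in the mitigation sections and
# reports which are in place. Run from an elevated PowerShell prompt; the
# Internet-zone check reads HKCU, so it reflects the user running the script.

$mitigationChecks = @(
    @{  Bulletin  = 'MS10-090'
        Name      = 'IE Internet zone: Active Scripting set to Prompt (1) or Disable (3)'
        Path      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
        ValueName = '1400'   # assumption: 1400 is the Active Scripting setting; not named on the page
        Expected  = @(1, 3) },
    @{  Bulletin  = 'MS10-092'
        Name      = 'Task Scheduler service disabled (Start = 4)'
        Path      = 'HKLM:\SYSTEM\CurrentControlSet\services\Schedule'
        ValueName = 'Start'
        Expected  = @(4) },
    @{  Bulletin  = 'MS10-093..097'
        Name      = 'DLL loading from remote/WebDAV shares blocked (CWDIllegalInDllSearch)'
        Path      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        ValueName = 'CWDIllegalInDllSearch'   # assumption: KB 2264107 setting; not named on the page
        # 2 blocks loads from WebDAV and remote shares; 0xFFFFFFFF (read back as -1) blocks all CWD loads
        Expected  = @(2, -1) },
    @{  Bulletin  = 'MS10-098'
        Name      = 'NTVDM subsystem disabled (DisallowedPolicyDefault = 1)'
        Path      = 'HKLM:\SYSTEM\CurrentControlSet\Control\WOW'
        ValueName = 'DisallowedPolicyDefault'
        Expected  = @(1) }
)

# Returns the named registry value, or $null if the key or the value is absent.
function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    if (-not ($item.PSObject.Properties.Name -contains $Name)) { return $null }
    return $item.$Name
}

# Builds one result row; InPlace is $true only when the setting matches an expected hardened value.
function New-MitigationResult {
    param([string]$Bulletin, [string]$Mitigation, $Actual, [bool]$InPlace)
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Bulletin   $Bulletin
    $row | Add-Member NoteProperty Mitigation $Mitigation
    $row | Add-Member NoteProperty Actual     $Actual
    $row | Add-Member NoteProperty InPlace    $InPlace
    return $row
}

function Test-PatchTuesdayMitigations {
    $results = @()
    foreach ($check in $mitigationChecks) {
        $actual  = Get-RegistryValueOrNull -Path $check.Path -Name $check.ValueName
        $display = $actual
        if ($actual -eq $null) { $display = '<absent>' }
        $inPlace = ($actual -ne $null) -and ($check.Expected -contains $actual)
        $results += New-MitigationResult $check.Bulletin $check.Name $display $inPlace
    }

    # WebClient is the WebDAV redirector; the DLL-loading mitigations call for it to be disabled.
    $svc      = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $svcStart = Get-RegistryValueOrNull -Path 'HKLM:\SYSTEM\CurrentControlSet\services\WebClient' -Name 'Start'
    if ($svc -eq $null) {
        $results += New-MitigationResult 'MS10-093..097' 'WebClient service stopped and disabled' '<not installed>' $true
    } else {
        $svcOk = ($svc.Status -ne 'Running') -and ($svcStart -eq 4)
        $results += New-MitigationResult 'MS10-093..097' 'WebClient service stopped and disabled' "$($svc.Status) / Start=$svcStart" $svcOk
    }
    return $results
}

Test-PatchTuesdayMitigations | Format-Table Bulletin, Mitigation, Actual, InPlace -AutoSize
```

The script only reads settings; applying the changes the post describes (for example setting the Task Scheduler Start value to 4) remains a deliberate administrative step, since disabling Task Scheduler or WebClient has side effects on legitimate workloads. It does not cover the perimeter rule for TCP 139 and 445, the mstime.dll ACL change, or the font preview workaround, because those are not simple registry reads.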

MS10-099
Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege (2440591)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update addresses a privately reported vulnerability in the Routing and Remote Access NDProxy component of Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. The security update addresses the vulnerability by correcting the validation in the Routing and Remote Access component.
* Kernel NDProxy Buffer Overflow Vulnerability - CVE-2010-3963
  An elevation of privilege vulnerability exists in the Routing and Remote Access NDProxy component of the Windows kernel due to improper validation of input passed from user mode to the kernel. The vulnerability could allow an attacker to run code with elevated privileges. A local attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
This bulletin addresses an elevation of privilege vulnerability within the Routing and Remote Access NDProxy portion of the kernel. This is caused by the improper validation of data sent from userland to the kernel. This could allow an attacker to execute arbitrary code with kernel rights on the compromised system.

Mitigations
No mitigations have been provided by Microsoft.

MS10-100
Vulnerability in Consent User Interface Could Allow Elevation of Privilege (2442962)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a privately reported vulnerability in the Consent User Interface (UI). The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application on an affected system. An attacker must have valid logon credentials and the SeImpersonatePrivilege and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. The security update addresses the vulnerability by correcting the manner in which the Consent UI processes values read from the registry.
* Consent UI Impersonation Vulnerability - CVE-2010-3961
  An elevation of privilege vulnerability exists in the way that the Consent User Interface (UI) improperly processes special values read from the registry. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
This bulletin addresses an elevation of privilege vulnerability that occurs within the Consent User Interface in Windows. This occurs due to the improper validation of certain registry values, which would allow an attacker to run arbitrary code with elevated privileges.

Mitigations
No mitigations have been provided by Microsoft.

MS10-101
Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a privately reported vulnerability in the Netlogon RPC Service on affected versions of Windows Server that are configured to serve as domain controllers. The vulnerability could allow denial of service if an attacker sends a specially crafted RPC packet to the Netlogon RPC Service interface on an affected system. An attacker requires administrator privileges on a machine that is joined to the same domain as the affected domain controller in order to exploit this vulnerability. The security update addresses the vulnerability by correcting the validation of user-provided data in the Netlogon RPC Service interface.
  * Netlogon RPC Null dereference DOS Vulnerability - CVE-2010-2742
    A remote authenticated denial of service vulnerability exists in implementations of the Netlogon RPC Service on affected versions of Windows Server. An attacker who successfully exploited this vulnerability could cause affected versions of the Windows Server to restart.

Analysis
This bulletin addresses a remote authenticated denial of service vulnerability within the Netlogon RPC Service on certain versions of Windows Server. The attacker must be authenticated in order to successfully cause the DoS. Upon successful exploitation the attacker causes the server to restart.

Mitigations
No mitigations have been provided by Microsoft.

MS10-102
Vulnerability in Hyper-V Could Allow Denial of Service (2345316)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a specially crafted packet is sent to the VMBus by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to send specially crafted content from a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. The security update addresses the vulnerability by correcting the way that the Hyper-V server validates malformed packets sent to the VMBus inside its guest virtual machines.
  * Hyper-V VMBus Vulnerability - CVE-2010-3960
    A vulnerability exists in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V that could allow denial of service if a specifically crafted packet is sent to the VMBus by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to log on locally into a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Analysis
This bulletin addresses a denial of service vulnerability within the Hyper-V portion of Server 2008 and Server 2008 R2. It requires the attacker to be an authenticated user of one of the guest virtual machines running on the server, who then sends a malicious packet to the VMBus to trigger the vulnerability. The attack is not possible remotely or by unauthenticated users.

Mitigations
No mitigations have been provided by Microsoft.

MS10-103
Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2292970)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves five privately reported vulnerabilities in Microsoft Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerabilities by correcting the way that Microsoft Publisher parses specially crafted Publisher files.
  * Size Value Heap Corruption in pubconv.dll Vulnerability - CVE-2010-2569
    A remote code execution vulnerability exists in the way that Microsoft Publisher parses Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  * Heap Overrun in pubconv.dll Vulnerability - CVE-2010-2570
    A remote code execution vulnerability exists in the way that Microsoft Publisher parses Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  * Memory Corruption Due To Invalid Index Into Array in Pubconv.dll Vulnerability - CVE-2010-2571
    A remote code execution vulnerability exists in the way that Microsoft Publisher opens Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  * Microsoft Publisher Memory Corruption Vulnerability - CVE-2010-3954
    A remote code execution vulnerability exists in the way that Microsoft Publisher opens Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  * Array Indexing Memory Corruption Vulnerability - CVE-2010-3955
    A remote code execution vulnerability exists in the way that Microsoft Publisher opens Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Analysis
This bulletin addresses multiple remote code execution vulnerabilities within Microsoft Office Publisher. The vulnerabilities are caused by improper parsing of Publisher files. Successful exploitation gives the attacker the ability to execute arbitrary code in the context of the current user.

Mitigations
Four of the five vulnerabilities can be mitigated by using CACLS to prevent use of pubconv.dll within the Office10 suite. CVE-2010-3954 has no mitigation available.

MS10-104
Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a privately reported vulnerability in Microsoft SharePoint. The vulnerability could allow remote code execution in the security context of a guest user if an attacker sent a specially crafted SOAP request to the Document Conversions Launcher Service in a SharePoint server environment that is using the Document Conversions Load Balancer Service. By default, the Document Conversions Load Balancer Service and Document Conversions Launcher Service are not enabled in Microsoft Office SharePoint Server 2007. The update addresses the vulnerability by modifying the way that the Document Conversion Launcher Service validates specially crafted SOAP requests.
  * Malformed Request Code Execution Vulnerability - CVE-2010-3964
    A remote code execution vulnerability exists in the way that the Document Conversions Launcher Service validates SOAP requests before processing on a SharePoint server. An attacker who successfully exploited this vulnerability could run arbitrary code on an affected SharePoint server under the security context of a guest account.

Analysis
A remote code execution vulnerability exists within the Document Conversions Launcher Service, caused by improper validation of SOAP requests prior to processing them on a SharePoint server. Successful exploitation would permit an attacker to execute arbitrary code remotely on the SharePoint server, but only with guest user rights.

Mitigations
Stop and disable the dclauncher service. Block the Office Document Conversions Launcher Service port, which is normally 8082.
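The two-step workaround above, scripted so that it can be applied and then checked. This is an added example, not eEye's or Microsoft's own; it assumes Windows Server 2008 or later (netsh advfirewall) and the service name dclauncher given in the alert, and the firewall rule name is a constructed label.

```powershell
# Added example: apply the MS10-104 workaround (stop/disable dclauncher, block
# inbound TCP 8082) on a SharePoint server and verify the result. Run elevated.
$serviceName = 'dclauncher'   # service name as given in the alert
$port        = 8082           # launcher service port as given in the alert
$ruleName    = 'Block MS10-104 Document Conversions Launcher (TCP 8082)'  # constructed label

# 1. Stop and disable the launcher service if this host has it installed.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $serviceName -Force }
    Set-Service -Name $serviceName -StartupType Disabled
} else {
    Write-Warning "Service $serviceName is not installed here; only the port block applies."
}

# 2. Add the inbound block rule once (netsh reports 'No rules match' when it is absent).
$existing = netsh advfirewall firewall show rule name="$ruleName" 2>&1
if ($existing -match 'No rules match') {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
        protocol=TCP localport=$port | Out-Null
}

# 3. Verify: service state and startup type, rule presence, and whether anything
#    still listens on the port. PowerShell 2.0's Get-Service has no StartType,
#    so the startup mode is read from WMI.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    $start = (Get-WmiObject Win32_Service -Filter "Name='$serviceName'").StartMode
    "{0}: {1} / startup {2}" -f $serviceName, $svc.Status, $start
}
$ruleOk = (netsh advfirewall firewall show rule name="$ruleName") -match 'Enabled:\s+Yes'
"firewall rule present and enabled: $([bool]$ruleOk)"
$listening = netstat -ano -p TCP | Select-String ":${port}\s+.*LISTENING"
"still listening on TCP ${port}: $([bool]$listening)"
```

Expect the service to report Stopped / startup Disabled and no listener on 8082; a listener that survives means another process owns the port and the firewall rule is the only thing blocking it.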

MS10-105
Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (968095)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves seven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerabilities by modifying the way that Microsoft Office parses certain image formats and validates data when rendering images.
  * CGM Image Converter Buffer Overrun Vulnerability - CVE-2010-3945
    A remote code execution vulnerability exists in the way that Microsoft Office allocates buffer size when handling CGM image files. The vulnerability could allow remote code execution if a user opens an Office document containing a specially crafted CGM image. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  * PICT Image Converter Integer Overflow Vulnerability - CVE-2010-3946
    A remote code execution vulnerability exists in the way that Microsoft Office allocates buffer size when handling PICT image files. The vulnerability could allow remote code execution if a user opens an Office document containing a specially crafted PICT image. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  * TIFF Image Converter Heap Overflow Vulnerability - CVE-2010-3947
    A remote code execution vulnerability exists in the way that Microsoft Office parses specially crafted TIFF image files. The vulnerability could allow remote code execution if a user opens an Office document containing a specially crafted TIFF image. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  * TIFF Image Converter Buffer Overflow Vulnerability - CVE-2010-3949
    A remote code execution vulnerability exists in the way that Microsoft Office parses specially crafted TIFF image files. The vulnerability could allow remote code execution if a user opens an Office document containing a specially crafted TIFF image. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  * TIFF Image Converter Memory Corruption Vulnerability - CVE-2010-3950
    A remote code execution vulnerability exists in the way that Microsoft Office parses specially crafted TIFF image files. The vulnerability could allow remote code execution if a user opens an Office document containing a specially crafted TIFF image. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  * FlashPix Image Converter Buffer Overflow Vulnerability - CVE-2010-3951
    A remote code execution vulnerability exists in the way that Microsoft Office parses specially crafted FlashPix image files. The vulnerability could allow remote code execution if a user opens an Office document containing a specially crafted FlashPix image. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  * FlashPix Image Converter Heap Corruption Vulnerability - CVE-2010-3952
    A remote code execution vulnerability exists in the way that Microsoft Office parses specially crafted FlashPix image files. The vulnerability could allow remote code execution if a user opens an Office document containing a specially crafted FlashPix image. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
Multiple vulnerabilities exist within Microsoft Office due to improper parsing of TIFF and FlashPix images and improper buffer size allocation while parsing CGM and PICT images. Successful exploitation permits an attacker to execute arbitrary code remotely with the same rights as the current user.

Mitigations
Use CACLS to deny all users' access to cgmimp32.flt, pictim32.flt, tiffim32.flt, mspcore.dll, and fpx32.flt.
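The CACLS workaround above and the pubconv.dll one for MS10-103 both come down to adding an Everyone:Deny entry on a handful of files. The following PowerShell script is an added example, not eEye's or Microsoft's own; it applies, verifies or removes that entry through Set-Acl (the same effect as cacls /E /P everyone:N), and the file locations under Common Files\Microsoft Shared\Grphflt and Microsoft Office\Office10 are assumptions for a default install that should be checked on the target first.

```powershell
# Added example: Apply / Verify / Remove the Everyone:Deny workaround on the
# MS10-103 and MS10-105 components named in the alert. Run elevated.
# The deny also stops Office loading the file (that is the point) and blocks the
# update installer from replacing it, so run -Action Remove before patching.
param(
    [ValidateSet('Apply', 'Verify', 'Remove')]
    [string]$Action = 'Verify'
)

# Assumed default locations; adjust for your Office version and architecture.
$grphflt = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Grphflt'
$office  = Join-Path $env:ProgramFiles 'Microsoft Office\Office10'
$targets = @('cgmimp32.flt', 'pictim32.flt', 'tiffim32.flt', 'mspcore.dll', 'fpx32.flt') |
    ForEach-Object { Join-Path $grphflt $_ }
$targets += Join-Path $office 'pubconv.dll'

# Everyone by well-known SID so the rule does not depend on the system locale.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$denyAll  = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $everyone, 'FullControl', 'Deny'

# True when an explicit or inherited Deny ACE for Everyone is already on the file.
function Test-DenyPresent([System.Security.AccessControl.FileSystemSecurity]$acl) {
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -eq 'S-1-1-0') { return $true }
    }
    return $false
}

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not present, skipping: $path"   # component not installed here
        continue
    }
    $acl     = Get-Acl -LiteralPath $path
    $present = Test-DenyPresent $acl
    switch ($Action) {
        'Apply' {
            if ($present) { "already denied: $path"; break }
            $acl.AddAccessRule($denyAll)
            Set-Acl -LiteralPath $path -AclObject $acl
            "denied Everyone on: $path"
        }
        'Remove' {
            if (-not $present) { "no deny entry on: $path"; break }
            $null = $acl.RemoveAccessRule($denyAll)
            Set-Acl -LiteralPath $path -AclObject $acl
            "restored: $path"
        }
        default {
            "{0,-8} {1}" -f $(if ($present) { 'DENIED' } else { 'OPEN' }), $path
        }
    }
}
```

Run with -Action Verify after applying so the change can be recorded per file, and keep the Remove path handy for the patch window.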

MS10-106
Vulnerability in Microsoft Exchange Server Could Allow Denial of Service (2407132)
Microsoft Severity Rating: Moderate
eEye Severity Rating: Moderate

Description
This security update resolves a privately reported vulnerability in Microsoft Exchange Server. The vulnerability could allow denial of service if an authenticated attacker sent a specially crafted network message to a computer running the Exchange service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. The security update addresses the vulnerability by correcting the manner in which the Exchange Server store processes RPC requests.
  * Exchange Server Infinite Loop Vulnerability - CVE-2010-3937
    A denial of service vulnerability exists in the way that the Microsoft Exchange store processes specially crafted RPC calls. The vulnerable code path is only accessible to authenticated users. An authenticated attacker could exploit the vulnerability by sending a specially crafted network message to a computer running the Exchange service. An attacker who successfully exploited this vulnerability could cause the Exchange service to stop responding until manually restarted.

Analysis
This bulletin addresses a remote denial of service vulnerability within Microsoft Exchange caused by Exchange's improper processing of certain RPC calls. Successful exploitation will cause Exchange to stop responding until it is manually restarted.

Mitigations
No mitigations have been provided by Microsoft.


Source: http://www.eeye.com/Resources/Security-Center/Patch-Tuesday/Alert/December-2010#MS10-092
Thanks for Exploit of Year
