First Patch Tuesday of 2010

We begin a new year and arrive at the first Patch Tuesday of the decade. The news and spread of malware related to Adobe Reader continue to gain momentum, and the information security community believes that this year will produce more exploits using Reader. I will include both the Microsoft and Adobe updates in these Patch Tuesday posts, along with the severity level I feel they deserve based on the details.

Severity Levels

Microsoft has a rating system for bulletins which includes: Critical, Important, Moderate, and Low; Adobe follows this same rating scale. The severity levels I provide differ from Microsoft’s in that I take real-world scenarios into account. For example, MS will give an Important rating when exploitation could result in a compromise of availability, as in a denial of service. MS09-069 can result in a denial of service; however, the attacker must already be authenticated. For this reason I drop the severity to Low.

Microsoft Updates

A quiet Patch Tuesday for Microsoft: only one bulletin exists for this month, and it is marked critical only for the Windows 2000 operating system, whose support is due to expire in July of this year.


Bulletin: MS10-001 – Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)

Recommended Action: Update Windows 2000 SP4.

My Severity Rating: Critical for Windows 2000, Low for Windows XP, Server 2003, Windows Vista, Server 2008 and Windows 7.

Information: An issue exists in the way that the Microsoft Windows Embedded OpenType (EOT) Font Engine decompresses specially crafted EOT fonts. An attacker can send a malicious Word or PowerPoint document containing a specially crafted EOT font; if the victim opens it, the attacker gains remote code execution.


Note:

Microsoft announced in a blog post that the SMB bug which can crash Windows 7 and Server 2008 R2 will not be patched in January’s Patch Tuesday. We have shown how this bug can cause a severe halt to the OS; however, Microsoft stated that they “are not aware of any active attacks using the exploit code” and are still working on an update.


Adobe Updates

Another busy month for Adobe. We’ve seen various malware circulating on the internet that uses the vulnerabilities found in the Util.printd, Util.Printf, Collab.getIcon and Collab.collectEmailInfo functions. Today, an update is to be released that patches the vulnerability in the Doc.media.newPlayer method in Adobe Reader, which was exploited in December.


Bulletin: APSB10-02 Vulnerability in the Doc.media.newPlayer method in Adobe Reader 9.2 and Acrobat 9.2, and Adobe Reader 8.1.7 and Acrobat 8.1.7

Recommended Action: PDFs are currently a popular vector for spreading malware and trojan downloaders. The recommended action is to update as soon as possible.

My Severity Rating: Critical.

Information: The update addresses the following issues:

  • An unspecified memory corruption error in the Doc.media.newPlayer method can allow a remote attacker to execute arbitrary code on the system (CVE-2009-4324).

  • An array boundary issue in U3D support that could lead to code execution.

  • A DLL-loading vulnerability in 3D that could allow arbitrary code execution.

  • A memory corruption vulnerability that could lead to code execution.

  • A script injection vulnerability, mitigated by changing the Enhanced Security default.

  • A null-pointer dereference vulnerability that could lead to denial of service.

  • A buffer overflow vulnerability in the Download Manager that could lead to code execution.

  • An integer overflow vulnerability in U3D support that could lead to code execution.
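
A triage check a defender could run over inbound PDFs for the JavaScript API methods named in this section, added here as an example and not taken from the original post or from Adobe. The function names, the stream regex and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# JavaScript API methods named in this post. Patterns tolerate whitespace
# around the dot; matching is case-insensitive.
WATCHED = {
    "util.printd": rb"util\s*\.\s*printd",
    "util.printf": rb"util\s*\.\s*printf",
    "Collab.getIcon": rb"collab\s*\.\s*getIcon",
    "Collab.collectEmailInfo": rb"collab\s*\.\s*collectEmailInfo",
    "media.newPlayer": rb"media\s*\.\s*newPlayer",
}
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def inflate_streams(pdf: bytes):
    """Yield the inflated body of every stream zlib can decompress."""
    for match in STREAM.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data: image, another filter, or damaged


def triage_pdf(pdf: bytes) -> dict:
    """Report script markers and watched method names in raw and inflated data."""
    haystacks = [pdf, *inflate_streams(pdf)]
    methods = sorted(
        name for name, pattern in WATCHED.items()
        if any(re.search(pattern, h, re.IGNORECASE) for h in haystacks)
    )
    has_js = any(re.search(rb"/(JavaScript|JS)\b", h) for h in haystacks)
    return {"has_javascript": has_js, "methods": methods}


def constructed_sample() -> bytes:
    """Constructed, inert PDF-like bytes: the method name is only a comment."""
    body = zlib.compress(b"// constructed inert text: media.newPlayer")
    return (b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + body +
            b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(constructed_sample()))
```

A hit is a reason to look closer, not a verdict: names hidden by string obfuscation, hex-escaped PDF names or non-Flate filters will not match.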



Comments (2)


  1. [...] See the article here: Praetorian Prefect | First Patch Tuesday of 2010 [...]

  2. YellowJacket says:

    What’s your thought on using an alternative to Adobe Reader such as Foxit Reader? Would this be a good idea for the majority of users who only need to view a PDF file? Foxit Reader has vulnerabilities as well, but doesn’t have such a big target on their back as Adobe.

    Thanks for your thoughts.
