February’s Patch Tuesday
Today is Patch Tuesday for February 2010, and it marks a fairly busy patch cycle for Microsoft, which released thirteen updates today. In late January, there was an out-of-band release of two critical patches in response to the high-profile Internet Explorer "Aurora" exploit. That makes fifteen patches in total since January's Patch Tuesday.
ID: MS10-006
Title: Vulnerabilities in SMB Client Could Allow Remote Code Execution
Microsoft Severity: Critical
Summary: The update addresses a pool corruption issue and a race condition in the Server Message Block (SMB) client. The SMB client is responsible for client requests to network file shares. An attacker can obtain remote code execution by hosting a malicious SMB share and directing a user to it.
Praetorian’s Recommendation: The attack requires the client to establish an SMB connection outbound. If you enforce proper egress rules on your firewall, blocking outbound SMB traffic, you are mitigating external threats and the update is less critical. If you allow all ports outbound, apply this patch across all Windows versions as soon as possible.
ID: MS10-007
Title: Vulnerability in Windows Shell Handler Could Allow Remote Code Execution
Microsoft Severity: Critical
Summary: An input validation bug exists in the ShellExecute API in Windows 2000, Windows XP, and Windows Server 2003. The vulnerability can allow attackers to execute code as the logged-in user.
Praetorian’s Recommendation: For Windows XP, Windows 2000, and Windows Server 2003, update as soon as possible as this vulnerability allows for remote code execution and there are no workarounds outside of the update. For Windows Vista, Windows 7, and Windows Server 2008, please see MS10-002.
ID: MS10-008
Title: Cumulative Security Update of ActiveX Kill Bit
Microsoft Severity: Critical
Summary: A vulnerability in the Data Analyzer Active-X Control can lead to remote execution. An attacker can host a malicious website to exploit the vulnerability and execute code with the privileges of the logged-in user. In addition, this update includes several kill bits (prevention of loading the ActiveX control) recommended by software vendors, such as Symantec, Google, and Facebook.
Praetorian’s Recommendation: Update Windows XP and Windows 2000 as soon as possible. Server platforms have tighter default browsing restrictions, but should still be updated during your next server patch cycle, especially in Terminal Server / Citrix environments. There is a registry setting available to prevent the browser from instantiating the COM object (known as setting the kill bit), but this requires entering the Class ID of the object, therefore the simpler approach of installing the update is recommended.
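The recommendation above mentions that a kill bit can be set by hand in the registry, but only if you know the control's Class ID. The following Python script is an added example (not Praetorian's or Microsoft's code) showing how an administrator can audit which controls already carry the kill bit on a host. It parses a `reg export` of the `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility` key, where the kill bit is bit 0x400 of each CLSID subkey's `Compatibility Flags` DWORD, and it can emit a `.reg` fragment that sets the bit for a given CLSID. The CLSIDs and the registry export in the script are constructed placeholders, not the Data Analyzer control or any real vendor control.

```python
import re

# Bit 0x400 in "Compatibility Flags" is the kill bit: IE will not instantiate the control.
KILL_BIT = 0x00000400
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed .reg export for this example; the CLSIDs are placeholders, not real controls.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Description"="placeholder control with an extra flag bit"
"Compatibility Flags"=dword:00000401
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_killbits(text):
    """Map each CLSID subkey of the ActiveX Compatibility key to its Compatibility Flags value.

    A CLSID subkey that exists but has no flags value is recorded as 0.
    """
    flags = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            cl = _CLSID_RE.search(key)
            # Accept the native key and the Wow6432Node copy used by 32-bit IE on x64.
            current = cl.group(0).upper() if cl and "\\ACTIVEX COMPATIBILITY\\" in key.upper() else None
            if current is not None:
                flags.setdefault(current, 0)
            continue
        m = _FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def is_killed(flags_value):
    """True when the kill bit is set, regardless of any other flag bits."""
    return bool(flags_value & KILL_BIT)


def audit(text, expected_clsids):
    """Return the CLSIDs from expected_clsids that do NOT have the kill bit set on this host."""
    flags = parse_killbits(text)
    return [c for c in expected_clsids if not is_killed(flags.get(c.upper(), 0))]


def killbit_reg_fragment(clsid):
    """Return .reg text that sets the kill bit for one CLSID (apply with 'reg import').

    This writes the flags value outright, so any other flag bits already present are lost.
    """
    if not _CLSID_RE.match(clsid):
        raise ValueError("CLSID must look like {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}")
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{ACTIVEX_COMPAT_KEY}\\{clsid.upper()}]\n"
        f'"Compatibility Flags"=dword:{KILL_BIT:08x}\n'
    )


if __name__ == "__main__":
    wanted = ["{11111111-1111-1111-1111-111111111111}",
              "{22222222-2222-2222-2222-222222222222}"]
    for clsid, value in sorted(parse_killbits(SAMPLE_EXPORT).items()):
        state = "kill bit SET" if is_killed(value) else "kill bit NOT set"
        print(clsid, f"flags=0x{value:08x}", state)
    print("missing kill bit:", audit(SAMPLE_EXPORT, wanted))
    print(killbit_reg_fragment(wanted[1]))
```

A real export written by `reg export` is UTF-16, so open it with `encoding="utf-16"` before passing the text to `parse_killbits`. The script deliberately checks only bit 0x400 rather than comparing the whole value to 0x400, because other flag bits may legitimately be set on the same control.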
ID: MS10-009
Title: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution
Microsoft Severity: Critical
Summary: This update addresses several issues in Windows TCP/IP. Two of them are vulnerabilities in ICMPv6 that allow remote code execution, one is a vulnerability when using custom network drivers that support header MDL fragmentation, and the last is a denial of service vulnerability in TCP/IP due to mishandling of malformed selective acknowledgement (SACK) packets. These vulnerabilities affect Windows Vista and Windows Server 2008 (R1 only).
Praetorian’s Recommendation: Microsoft calls this update critical due to the remote code execution, but there are many “ifs”. The ICMPv6 vulnerabilities can only be exploited if you allow ICMPv6 traffic through your firewall and your network infrastructure supports IPv6 or tunneling of IPv6 over the IPv4 network. The incorrect handling of malformed SACK packets causes a denial of service. An attacker would have to host a service that accepts the TCP connection, such as a website, and send the malformed SACK packet to the connecting client. With these caveats, the rating should be moderate or important. If you meet the requirements for the ICMPv6 vulnerabilities, then you should update as soon as possible.
ID: MS10-013
Title: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
Microsoft Severity: Critical
Summary: A vulnerability exists in the way that DirectShow parses AVI files. An attacker can lead a victim via phishing techniques or a malicious website to open a specially crafted AVI file. The attacker can gain remote execution with the same rights as the logged-in user.
Praetorian’s Recommendation: All versions of Windows are affected by this vulnerability and should be patched as soon as possible. Since it is less likely that AVI files would be played on server platforms, the workstations and terminal server / Citrix environments should be the priority.
ID: MS10-003
Title: Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution
Microsoft Severity: Important
Summary: A vulnerability exists in Office XP and Office 2004 for Mac which can lead to remote code execution. A victim would need to open a malicious Office file to be attacked.
Praetorian’s Recommendation: This is rated critical due to the remote code execution. Vulnerabilities like this remind us how important user awareness training is for firms. A victim would have to open an Office file that is sent via email by an attacker or hosted on a malicious site. In a browser, the user would be prompted whether they want to open the Office file in cases where they are sent a link or redirected. User awareness is important in that users must be trained not to open attachments sent from unknown sources. The criticality of the update may depend on how diligent your users are about checking with IT support before opening suspicious content. Note that only Office XP and Office 2004 for Mac are affected.
ID: MS10-004
Title: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution
Microsoft Severity: Important
Summary: This update addresses six remote code execution vulnerabilities in PowerPoint versions included in Office XP, Office 2003, and Office 2004 for Mac.
Praetorian’s Recommendation: Similar to MS10-003, this is rated critical due to remote code execution. The victim would need to open a PowerPoint document with an affected version to be compromised. In environments where these versions are in use and users are likely to open PowerPoint files from unknown websites or emails, the recommendation is to patch as soon as possible.
ID: MS10-010
Title: Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service
Microsoft Severity: Important
Summary: This update addresses a denial of service vulnerability in Hyper-V in Windows 2008 64-bit and Windows 2008 R2 Server versions. The denial of service affects the host operating system, which in turn would bring down any guests.
Praetorian’s Recommendation: The recommendation is to apply the patch during your next patch cycle. This vulnerability would be difficult to exploit in properly managed server environments and would require valid credentials to the Hyper-V server.
ID: MS10-011
Title: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Microsoft Severity: Important
Summary: This update addresses a bug in CSRSS (Client/Server Run-time Subsystem) which leads to local privilege elevation.
Praetorian’s Recommendation: The potential with this vulnerability is that a user who has credentials and is logged in can gain kernel or system level privileges. The vulnerability cannot be exploited remotely. This update can be included in your normal patch cycle and is not deemed critical.
ID: MS10-012
Title: Vulnerabilities in SMB Server Could Allow Remote Code Execution
Microsoft Severity: Important
Summary: This update addresses four issues in the SMB protocol across all versions of Windows. The pathname overflow vulnerability can lead to remote code execution but requires authentication. The memory corruption and null pointer vulnerabilities can lead to denial of service, and the lack of entropy in NTLM authentication can lead to unauthenticated elevation of privileges.
Praetorian’s Recommendation: Keeping patches up to date is important in any environment, but these SMB updates provide a very important reminder that egress firewall rules should be just as important to firms as ingress rules. As a best practice, the SMB protocol (port 445) should be blocked inbound and outbound. Many of the recent SMB vulnerabilities affect the SMB client, which means the attacker will direct the victim to attempt an SMB client connection to a malicious server. This is not possible if your firewall blocks SMB outbound.
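Both the MS10-006 and MS10-012 recommendations rest on the same control: outbound SMB must be blocked so a client cannot be lured into connecting to a malicious share. The Python script below is an added example (not Praetorian's or Microsoft's code) of how a defender can verify that the egress rule is actually in effect, by reading Windows Firewall log lines in the `pfirewall.log` text format and reporting outbound TCP 445/139 connection attempts to addresses outside your own internal ranges. The log lines and the internal address list are constructed for the example; replace the list with your own address plan.

```python
import ipaddress
from collections import Counter

# Constructed sample in the Windows Firewall (pfirewall.log) text format.
# These lines are made up for the example and do not come from any real host.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-02-09 09:12:01 ALLOW TCP 10.0.0.15 10.0.0.2 49201 445 0 - 0 0 0 - - - SEND
2010-02-09 09:12:44 ALLOW TCP 10.0.0.15 203.0.113.7 49202 445 0 - 0 0 0 - - - SEND
2010-02-09 09:13:10 DROP TCP 10.0.0.23 198.51.100.9 49310 445 52 S 3012241 0 8192 - - - SEND
2010-02-09 09:13:12 ALLOW TCP 10.0.0.23 10.0.0.2 49311 139 0 - 0 0 0 - - - SEND
2010-02-09 09:14:00 ALLOW TCP 203.0.113.50 10.0.0.2 51000 445 0 - 0 0 0 - - - RECEIVE
2010-02-09 09:14:30 ALLOW TCP 10.0.0.15 192.0.2.80 49203 80 0 - 0 0 0 - - - SEND
"""

SMB_PORTS = {445, 139}

# Assumed internal address plan (RFC 1918 plus loopback and link-local); adjust to your network.
# RFC 1918 ranges are listed explicitly rather than relying on ipaddress.is_private, which
# also treats the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) < len(fields):
            continue  # malformed or pre-header line; skip rather than guess
        yield dict(zip(fields, parts))


def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_smb_events(text):
    """Return records for outbound (path=SEND) TCP connections to SMB ports on external hosts."""
    hits = []
    for rec in parse_firewall_log(text):
        if rec["path"] != "SEND" or rec["protocol"] != "TCP":
            continue
        if int(rec["dst-port"]) not in SMB_PORTS:
            continue
        if not is_external(rec["dst-ip"]):
            continue  # SMB to internal file servers is expected traffic
        hits.append(rec)
    return hits


def summarize(text):
    """Count ALLOW vs DROP for external SMB egress; any ALLOW means the egress block is not effective."""
    counts = Counter(rec["action"] for rec in outbound_smb_events(text))
    return {"allowed": counts["ALLOW"], "dropped": counts["DROP"]}


if __name__ == "__main__":
    for rec in outbound_smb_events(SAMPLE_LOG):
        print(rec["date"], rec["time"], rec["action"], rec["src-ip"], "->",
              rec["dst-ip"], rec["dst-port"])
    print(summarize(SAMPLE_LOG))
```

A DROP line to port 445 on an external address is the egress rule doing its job; an ALLOW line is a host that could be lured into an outbound SMB connection and should be treated as evidence that the rule is missing or bypassed on that path. The same logic applies to a perimeter firewall export once the fields are mapped to that product's log format.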
ID: MS10-014
Title: Vulnerability in Kerberos Could Allow Denial of Service
Microsoft Severity: Important
Summary: This update addresses a denial of service vulnerability due to improper handling of Ticket-Granting-Ticket renewal requests by a client on a remote, non-Windows realm in a mixed-mode Kerberos implementation. Only Windows Server operating systems (2000, 2003, 2008) are affected and only domain controllers.
Praetorian’s Recommendation: This vulnerability requires the client sending the malformed request to be on a remote, non-Windows Kerberos realm, which is a very specific setup. If your environment has a non-Windows Kerberos realm, this update can be included as part of your regular patch cycle, and is not critical for immediate action.
ID: MS10-015
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Microsoft Severity: Important
Summary: This update addresses two issues in the Windows kernel affecting all versions of Windows except Windows 7 64-bit and Windows Server R2. The vulnerabilities lead to elevation of privileges.
Praetorian’s Recommendation: A user must be authenticated with valid logon credentials to exploit this vulnerability; a remote or anonymous exploit is not possible. This update can be included as part of your regular patch cycle, and is not critical for immediate action.
ID: MS10-005
Title: Vulnerability in Microsoft Paint Could Allow Remote Code Execution
Microsoft Severity: Moderate
Summary: This update addresses a vulnerability in MS Paint which can lead to remote code execution. Windows 2000, Windows XP, and Windows Server 2003 are affected. A malicious JPEG can be crafted to exploit this vulnerability.
Praetorian’s Recommendation: By default, Windows uses the Windows Picture and Fax Viewer when opening JPEG files. An attacker would need to convince the user to open the specific malicious JPEG file in Microsoft Paint.
Filed Under: Patch Management
Btw, the National Security Agency was recently hacked. Yes hacked! But it was downplayed to the media for obvious shameful reasons. Here’s the link :
http://pinoysecurity.blogspot.com/2010/02/wwwnsagov-hacked.html
I don’t know, I can’t help but think that someone did cover this when it happened last October.
http://praetorianprefect.com/archives/2009/10/nsa-gov-site-defacement/