Today is patch Tuesday for February 2010, and it marks a fairly busy patch cycle for Microsoft, who released thirteen updates today. In late January, there was an out-of-band release for two critical patches, in response to the high profile issue around the Internet Explorer Aurora exploit. This makes a total of fifteen total patches between since January’s patch Tuesday.

ID: MS10-006
Title: Vulnerabilities in SMB Client Could Allow Remote Code Execution
Microsoft Severity: Critical

Summary: The update addresses a pool corruption issue and a race condition issue with the Server Message Blocks (SMB) client. The SMB client is responsible for client requests to network file shares. An attacker can obtain remote execution by hosting and directing a user to a malicious SMB share.

Praetorian’s Recommendation: The attack requires the client to establish an SMB connection outbound. If you enforce proper egress rules on your firewall, blocking outbound SMB traffic, you are mitigating external threats and the update is less critical. If you allow all ports outbound, apply this patch across all Windows versions as soon as possible.

ID: MS10-007
Title: Vulnerability in Windows Shell Handler Could Allow Remote Code Execution
Microsoft Severity: Critical

Summary: A validation input bug exists in the ShellExecute API in Windows 2000, Windows XP, and Windows Server 2003. The vulnerability can allow attackers to execute code as the logged-in user.

Praetorian’s Recommendation: For Windows XP, Windows 2000, and Windows Server 2003, update as soon as possible as this vulnerability allows for remote code execution and there are no workarounds outside of the update. For Windows Vista, Windows 7, and Windows Server 2008, please see MS10-002.

ID: MS10-008
Title: Cumulative Security Update of ActiveX Kill Bit
Microsoft Severity: Critical

Summary: A vulnerability in the Data Analyzer Active-X Control can lead to remote execution. An attacker can host a malicious website to exploit the vulnerability and execute code with the privileges of the logged-in user. In addition, this update includes several kill bits (prevention of loading the ActiveX control) recommended by software vendors, such as Symantec, Google, and Facebook.

Praetorian’s Recommendation: Update Windows XP and Windows 2000 as soon as possible. Server platforms have tighter default browsing restrictions, but should still be updated during your next server patch cycle, especially in Terminal Server / Citrix environments. There is a registry setting available to prevent the browser from instantiating the COM object (known as setting the kill bit), but this requires entering the Class ID of the object, therefore the simpler approach of installing the update is recommended.

ID: MS10-009
Title: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution
Microsoft Severity: Critical

Summary: This update addresses several issues in Windows TCP/IP. Two of them a vulnerabilities in ICMPv6 which allow remote code execution, one is a vulnerability when using custom network drivers that support header MDL fragmentation, and lastly a denial of service vulnerability in TCP/IP due to mishandling malformed selective acknowledgement (SACK) packets. These vulnerabilities affect Windows Vista and Windows Server 2008 (R1 only).

Praetorian’s Recommendation: Microsoft calls this update critical due to the remote execution but there are many “ifs”. The ICMPv6 vulnerabilities can only be affected if you allow ICMPv6 traffic through your firewall and if your network infrastructure supports IPv6 or the tunneling of IPv6 over the IPv4 network. The incorrect handling of malformed SACK packets causes a denial of service. An attacker would have to host a service to accept the TCP connection, such as a website, and send the malformed SACK packet to the connecting client. With these caveats, the rating should be moderate or important. If you meet the requirements for the ICMPv6 vulnerabilities, then you should update as soon as possible.

ID: MS10-013
Title: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
Microsoft Severity: Critical

Summary: A vulnerability exists in the way that DirectShow parses AVI files. An attacker can lead a victim via phishing techniques or a malicious website to open a specially crafted AVI file. The attacker can gain remote execution with the same rights as the logged-in user.

Praetorian’s Recommendation: All versions of Windows are affected by this vulnerability and should be patched as soon as possible. Since it is less likely that AVI files would be played on server platforms, the workstations and terminal server / Citrix environments should be the priority.

ID: MS10-003
Title: Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution
Microsoft Severity: Important

Summary: A vulnerability exists in Office XP and Office 2004 for Mac which can lead to remote code execution. A victim would need to open a malicious Office file to be attacked.

Praetorian’s Recommendation: This is rated critical due to the remote code execution. Vulnerabilities like this remind us how important user awareness training is for firms. A victim would have to open an Office file that is sent via email by an attacker or hosted on a malicious site. In a browser, the user would be prompted if they want to open the Office file in cases where they are sent a link or redirected. User awareness is important in that users must be trained not to open attachments sent from unknown sources. The criticality of the update may depend on how diligent your users are in prompting IT support before opening suspicious content. Note that only Office XP and Office 2004 for Mac are affected.

ID: MS10-004
Title: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution
Microsoft Severity: Important

Summary: This update addresses six remote code execution vulnerabilities in PowerPoint versions included in Office XP, Office 2003, and Office 2004 for Mac.

Praetorian’s Recommendation: Similar to MS10-003, this is rated critical due to remote code execution. The victim would need to open a PowerPoint document with an affected version to be compromised. In environments where these versions are in use and users are likely to open PowerPoint files from unknown websites or emails, the recommendation is to patch as soon as possible.

ID: MS10-010
Title: Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service
Microsoft Severity: Important

Summary: This update addresses a denial of service vulnerability in Hyper-V in Windows 2008 64-bit and Windows 2008 R2 Server versions. The denial of service affects the host operating system, which in turn would bring down any guests.

Praetorian’s Recommendation: The recommendation is to apply the patch during your next patch cycle. This vulnerability would be difficult to exploit in properly managed server environments and would require valid credentials to the Hyper-V server.

ID: MS10-011
Title: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Microsoft Severity: Important
My Severity:

Summary: This update addresses a bug in CSRSS (Client/Server Run-time Subsystem) which leads to local privilege elevation.

Praetorian’s Recommendation: The potential with this vulnerability is for a user who has credentials and is logged in can gain kernel or system level privileges. The vulnerability can not be executed remotely. This update can be included in your normal patch cycle and is not deemed critical.

ID: MS10-012
Title: Vulnerabilities in SMB Server Could Allow Remote Code Execution
Microsoft Severity: Important

Summary: This update addresses four issues in the SMB protocol across all versions of Windows. The Pathname Overflow vulnerability can lead to remote code execution but requires authentication. The memory corruption and null pointer vulnerability can lead to denial of service, and the NTLM authentication lack of entropy can lead to unauthenticated elevation of privileges.

Praetorian’s Recommendation: Keeping patches up to date is important in any environment, but these SMB updates provide a very important reminder that egress firewall rules should be just as important to firms as ingress rules. The SMB protocol (port 445) as a best practice should be blocked inbound and outbound. Many of the recent SMB vulnerabilities affect the SMB client, which means the attacker will direct the victim to attampt a SMB client connection to a malicious server. This is not possible if your firewall blocks SMB outbound.

ID: MS10-014
Title: Vulnerability in Kerberos Could Allow Denial of Service
Microsoft Severity: Important
My Severity:

Summary: This update addresses a denial of service vulnerability due to improper handling of Ticket-Granting-Ticket renewal requests by a client on a remote, non-Windows realm in a mixed-mode Kerberos implementation. Only Windows Server operating systems (2000, 2003, 2008) are affected and only domain controllers.

Praetorian’s Recommendation: This vulnerability requires the client sending the malformed request to be on a remote and non-Windows kerberos realm, which is very a specific setup. If your environment has a non-Windows based kerberos realm, this update can be included as part of your regular patch cycle, and is not critical for immediate action.

ID: MS10-015
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Microsoft Severity:Important

Summary: This update addresses two issues in the Windows kernel affecting all version of Windows except Windows 7 64-bit and Windows Server R2. The vulnerability leads to elevation of privileges.

Praetorian’s Recommendation: A user must be authenticated to with valid logon credentials to exploit this vulnerability; a remote or anonymous exploit is not possible. This update can be included as part of your regular patch cycle, and is not critical for immediate action

ID: MS10-005
Title: Vulnerability in Microsoft Paint Could Allow Remote Code Execution
Microsoft Severity: Moderate

Summary: This update addresses a vulnerability in MS Paint which can lead to remote code execution. Windows 200, Windows XP, and Windows Server 2003 are affected. A malicious JPEG can be crafted to exploit this vulnerability.

Praetorian’s Recommendation: By default, Windows uses the Windows Picture and Fax Viewer when opening JPEG files. An attacker would need to convince the user to open the specific malicious JPEG file in Microsoft Paint.

Related Posts:

• March’s Patch Tuesday

Background

The news hit the web at large on July 6th when Microsoft released advisory 972890. IBM ISS is reporting a first known exploit however on June 11th. The vulnerability, first reported by researchers Alex Wheeler and Ryan Smith (ISS employees at the time) was first reported to Microsoft in 2008, which has sparked criticism from at least one reporter covering the IT marketplace: eWeek’s Brian Prince. The problem would have been available since IE version 6, SP1.

Exploit Details

The exploit is described by MSRC Engineer Chengyun Chu as a “browse and get owned attack vector”. Once the user navigates to a web site purposely hosting the exploit, or a web site that has been compromised to host the exploit, no further user interaction is required. Examples in the wild (approximately 967 Chinese web sites according to Trend Micro) are reporting having used both .gif and .jpg files containing the exploit. The Trend Micro found web sites that redirect the users multiple times, eventually loading a .jpg file with the exploit, which upon being successful loads malware called WORM_KILLAV.AI. This malware, as it is named, terminates antivirus software processes and loads additional malicious code.

The exploit is based on an overflow condition that is created in the msvidctl.dll library when a crafted file is provided as input, causing a handler to be overwritten which then points to the exploit’s shell code, already loaded in the memory heap via heap spraying. The object that accepts the crafted input, BDATuner.MPEG2TuneRequest.1, is associated with CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF, and thus this is the primary CLSID for which a kill bit needs to be set. Microsoft however recommends setting the kill bit for all of the ActiveX Control Objects hosted by msvidctl.dll.

As security vendors such as Symantec, ISS, and others are aware of the problem, antivirus and IDS signatures are either available or forthcoming.

Work Around Details

Microsoft provides an automated Fix it which entails disabling attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry. This involves adding a DWORD value to 45 keys in the registry representing Class Identifiers that relate to Microsoft Video ActiveX Control. More information can be found in the [security advisory] (href=”http://www.microsoft.com/technet/security/advisory/972890.mspx).

To implement the workaround on a single computer, you can manually enter the DWORD value 1024 (0×00000400) for each of the 45 class IDs or launch this reg file with the values.

For an enterprise environment, you have two options to deploy this workaround to your workstations. First, through the use of a computer startup script, you can add the execution of a reg file with the values for computers to launch at startup. The second option is to add a custom ADM file to a group policy object which is applied to your workstations. Which option to choose depends on preference and your environment.

Computer Start-up Script

You may already have a group policy which has a computer startup script enabled. Add a line which executes this reg file. Computer startup script is suggested as the user side startup script runs in the user’s context, and they may not have permission to modify the keys necessary. You can find more information on configuring computer startup scripts here.

 Custom ADM File in Group Policy

The challenge with an ADM file for this particular workaround is that each class ID which needs to be modified is designated as a separate key in the registry rather than a value. So, instead of being able to create a single configuration entry in a group policy object which would modify every value, you have to have an option for each key. Fortunately, the leg work has been done in this example custom ADM file, which you can cut and paste into a larger file you may already have.

Save the file where your GPO editor can browse to it. In Computer Configuration, Administrative Templates, right click and select Add/Remove templates. Once you add the template, you’ll have to ensure your filtering is setup to see “unmanaged” group policies, which are basically custom ADM entries which tattoo the registry. Under filtering, in your GPO editor, uncheck the option as shown:

gpedit

Once the ADM is added, and the filter option is cleared, you will see the configuration entries for the Microsoft Video ActiveX kill bit. Set them all to Enabled as shown:

gpedit

Once you link the policy to all your Windows XP and Windows Server 2003 computers, you will have implemented the workaround. 

Active X

ActiveX, while largely associated with Internet browsing, is not a program that runs inside the browser but rather a technology used throughout the Windows operating system. While only Windows XP and certain configurations of Windows Server 2003 are affected a similar control does exist in Windows Vista and Server 2008 that is not vulnerable.

Example Exploits

Both links provide example exploit code:

• http://www.rec-sec.com/2009/07/06/ms-directshow-msvidctl-exploit/
• http://www.csis.dk/en/news/news.asp?tekstID=799

References

• Microsoft Security Advisory (972890)
• Zero-day MPEG2TuneRequest Exploit Leads to KILLAV
• Microsoft Security Research & Defense
• Another Unpatched Vulnerability is Being Massively Exploited via Internet Explorer

Vulnerability Cross Reference

• CVE-2008-0015
• Bugtraq ID: 35558
• US-CERT Cyber Security Alert: TA09-187A

Related Posts:

• Turning an ATM into a Slot Machine
• iPhone 4 Ordering and Session Switching
• May’s Patch Tuesday
• March’s Patch Tuesday
• Press F1 for Help, pwned.