Microsoft Patch Tuesday

MICROSOFT PATCH DISCLOSURE - MARCH 30, 2010 UPDATE FROM EEYE

OVERVIEW

This month, Microsoft released an out-of-band patch which repairs a total of ten vulnerabilities. This patch addresses eight remote code execution vulnerabilities and two information disclosure vulnerabilities within Internet Explorer.

Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.

PATCH PRECEDENCE

Administrators are advised to apply this patch to affected systems immediately due to the common installation base of Internet Explorer 5.01 SP4, Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on all Microsoft Windows operating systems.

As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.

BULLETIN/ADVISORY SUMMARY

CRITICAL

MS10-018 - Cumulative Security Update for Internet Explorer (980182)

BULLETIN/ADVISORY DETAILS

MS10-018

Cumulative Security Update for Internet Explorer (980182)
http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves nine privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The security update addresses these vulnerabilities by modifying the way that Internet Explorer verifies the origin of scripts and handles objects in memory, content using encoding strings, and long URLs.

  • Uninitialized Memory Corruption Vulnerability - CVE-2010-0267
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Post Encoding Information Disclosure Vulnerability - CVE-2010-0488
    An information disclosure vulnerability exists in the way that Internet Explorer handles content using specific encoding strings when submitting data. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could view content from the local computer or another browser window in another domain or Internet Explorer zone.
  • Race Condition Memory Corruption Vulnerability - CVE-2010-0489
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that may have been corrupted due to a race condition. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Uninitialized Memory Corruption Vulnerability - CVE-2010-0490
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • HTML Object Memory Corruption Vulnerability - CVE-2010-0491
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • HTML Object Memory Corruption Vulnerability - CVE-2010-0492
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • HTML Element Cross-Domain Vulnerability - CVE-2010-0494
    An information disclosure vulnerability exists in Internet Explorer that could allow script to gain access to a browser window in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page and then dragged the browser window across a second browser window.
  • Memory Corruption Vulnerability - CVE-2010-0805
    A remote code execution vulnerability exists in the way that Internet Explorer manages a long URL in certain situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Uninitialized Memory Corruption Vulnerability - CVE-2010-0806
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • HTML Rendering Memory Corruption Vulnerability - CVE-2010-0807
    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
Attackers are likely to attempt to convince users to visit a specially crafted malicious web page, which would allow the attacker to gain control of the victim's system with the same rights as the currently logged-on user. Attackers will primarily focus on developing exploits for Windows 2000, XP, 2003, Vista and 7 due to the remote code execution risks pertaining to these operating systems. Secondary targets will be Windows Server 2008 and Windows Server 2008 R2, since default Server Core installations are not vulnerable to remote code execution, but other default installation types remain vulnerable to remote code execution. In a successful exploitation scenario, attackers are likely to install malicious backdoor programs which would be used to control compromised systems for launching attacks against other internal and/or external systems.

Recommendations
Administrators are urged to roll out this patch as soon as possible to all Windows systems. Until these systems are patched, it is strongly advised to disable ActiveX controls in Office 2007 products in order to mitigate the risk of Office documents being used to embed malicious web content.

Posted on March 31, 2010.