Microsoft Patch Tuesday - February 2010

A QUICK RE-CAP OF JANUARY 2010 PATCHES

As far as patching goes December didn't have much going on compared to the patch-happy month of January. Microsoft's patch Tuesday had a single patch (MS10-001), along with both Adobe and Oracle piggybacking on patch Tuesday with critical patch updates of their own. Adobe addressing security vulnerabilities with Reader, Acrobat, Shockwave, and Illustrator. Adobe is in development of a new updater that will give the availability of silent/background updates. Now this could be a good (better user experience and patch adaptation) and bad thing (IT admins need to know and manage which updates are installed and when); there will be more to follow in our blog post in the near future. Microsoft also issued an out of band update later in the month (MS10-002). Firefox released 3.6 adding new features. Apple released a mega security update rolling out multiple patches. Wireshark (network protocol analyzer) came out with a few security updates making the latest version 1.2.6. Nmap (open-source network mapper for network exploration and security auditing) announced its stable release of 5.20 since 5.00 in July 2009 with more than 150 significant improvements including 30+ new Nmap scripting engine scripts, enhanced performance and reduced memory consumption, protocol-specific payloads for more effective UDP scanning, a completely rewritten traceroute engine, and massive OS and version detection DB update (10,000+ signatures).

MICROSOFT OUT-OF-BAND JANUARY PATCH - MS10-002

-MS10-002 - Internet Explorer (IE) Vulnerabilities (978207) | CRITICAL | Remote Code Execution | Requires Restart | "Microsoft Windows

It was said that Microsoft has known about some of these vulnerabilities for quite some time. None the less, this was such an important update that Microsoft had to release this Out-of-Band patch outside of it's normal patch Tuesday every second Tuesday of the month.  This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. Fixes eight vulnerabilities in all versions of Internet Explorer (IE). One of the vulnerabilities involves IE8 with XSS protection flaw (Cross-site scripting attack). The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003). For Internet Explorer 6 for supported editions of Windows Server 2003 as listed, this update is rated Moderate.  This bulletin also includes a patch for the "Aurora exploit" thought to be used by Chinese attackers to compromise systems at Google, Adobe, and several other large companies.

FEBRUARY 2010 PATCHES

Last week was Microsoft's Patch Tuesday for February. For those using automatic updates on your systems you are probably all up to date with the latest updates and patches. However, there are two privilege escalation exploit patches (MS-10-011 and MS-10-015) and several remote code execution impacts (remote exploit) patches posted so it is a good idea to check and not just rely on the system itself. Remote code execution allows for an attacker to gain control of an infected machine.

Affected products include the Microsoft Windows Operating System, and Microsoft Office. Operating systems that are affected includes by these vulnerabilities include: Windows 2000, 32-bit and 64-bit versions of XP, Server 2003, Vista, Server 2008, Windows 7, and Server 2008 R2. Vulnerability is critical on Windows 2000. Other operating systems have a lower risk.

Along with the following patches there is an updated version of Microsoft Windows Malicious Software Removal Tool on Windows Update, WSUS, and Microsoft Download Center. http://www.microsoft.com/downloads/en/default.aspx. This tool is available for both 32-bit and 64-bit versions of Windows 2000, Windows 7, Server 2003, Vista, and XP.

There have been many conflicting reports of the MS10-015 (privilege escalation patch) that has been giving systems BSoD (Blue-Screen Of Death) system errors. Perhaps Microsoft rolled this patch out too soon with some testing missing, but its hard to determine when is the best appropriate time to roll out a patch with such a security important. We are holding off on the MS10-015 patch until more information is found out. Weighing the options leaves a potential nonfunctional system with the potential resulting BSoD error from a conflict of code in the system when patched or leave the potential remote execution privilege escalation vulnerability open for an attacker to exploit. At this point your company's required security environment should be noted in order to determine what is the best choice to make. Downloading, installation, and thorough testing of the MS10-015 patch should be implemented on test systems to determine the outcome of any potential BSoD or other errors specific to the general operating system or the specific software configuration to your company's system environment. For example, testing will determine if the MS10-015 issue is with a specific operating system distribution such as Windows XP vs Windows 7 in general; or it may specifically depend on the present configuration of system settings, what software and services are installed, etc. If your company has an adequate IT department, testing for this and other patches should have started last week Tuesday when the patches were released and following up on the potential issue today, if not later this week, or soon (depending on the size of your organization - the larger the organization, the more time needed for testing because there are more unique types of systems and configurations that patches need to be tested on before rolling them out with patches and if something is overlooked since there are more systems, more of them would be affected).

OTHER FEBRUARY 2010 UPDATES

Adobe have released a Critical Security Update for Flash, updated to 10.0.45.2 and for Adobe AIR, updated to 1.5.3.1930.

Adobe Flash Player
Adobe recommends all users of Adobe Flash Player 10.0.42.34 and earlier versions upgrade to the newest version 10.0.45.2 by downloading it from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted.

Adobe AIR
Adobe recommends all users of Adobe AIR version 1.5.3.1920 and earlier update to the newest version 1.5.3.1930 by downloading it from the Adobe AIR Download Center.

See http://www.adobe.com/support/security/bulletins/apsb10-06.html

Google Chrome may not be an update for everyone depending on what web browser you use - Chrome has just over 10% of the browser market share compared to Firefox with a bit under 50%. However, Chrome is gaining ground every month since its start as a beta release for Windows in September 2008. For more information visit http://www.w3schools.com/browsers/browsers_stats.asp for web statistics and trends for browsers. If you have Chrome it should be updated to 5.0.322.2 for Windows, Mac, and Linux platforms. For more information check out http://chrome.blogspot.com/.

Oracle also released critical patch and security updates for those who are involved with databases. Oracle Security Alert CVE-2010-0073 (http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0073.html) deals with a remote exploit vulnerability in the Node Manager component of Oracle WebLogic Server. This remote exploit can be conducted without authentication (with out the need to input a username and password). For more information and to view the history of security alerts and critical patch updates for Oracle visit http://www.oracle.com/technology/deploy/security/alerts.htm.

Patch Tuesday Description and Thoughts
-MS10-006 - SMB Client Vulnerabilities (978251) | CRITICAL | Remote Code Execution | Mrxsmb.sys, Rdbss.sys, Sp3res.dll | Requires Restart | Microsoft Windows

This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a malicious SMB server.

-MS10-007 - Windows Shell Handler Vulnerability (975713) | CRITICAL | Remote Code Execution | Shlwapi.dll | Requires Restart | Microsoft Windows

This security update resolves a privately reported vulnerability in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not impacted by this security update. The vulnerability could allow remote code execution if an application, such as a Web browser, passes specially crafted data to the ShellExecute API function through the Windows Shell Handler.

-MS10-008 - ActiveX Kill Bits Cumulative Security Update (978262) | CRITICAL | Remote Code Execution | Registry Keys Only | May Require Restart | Microsoft Windows

This security update addresses a privately reported vulnerability for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000 and Windows XP, Important for all supported editions of Windows Vista and Windows 7, Moderate for all supported editions of Windows Server 2003, and Low for all supported editions of Windows Server 2008 and Windows Server 2008 R2. The vulnerability could allow remote code execution if a user views a specially crafted Web page that instantiates an ActiveX control with Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.

-MS10-009 - Windows TCP/IP Vulnerabilities (974145) | CRITICAL | Remote Code Execution | Tcpipreg.sys, Tcpipreg.sys, Netio.sys, Netio.sys, Netio.sys, Bfe.dll, Fwpkclnt.sys,
Fwpuclnt.dll, Ikeext.dll, Wfp.mof, Wfp.tmf, Bfe.dll, Fwpkclnt.sys, Fwpuclnt.dll, Ikeext.dll, Wfp.mof, Wfp.tmf, Tcpip.sys, Tcpip.sys, Tcpip.sys, Tcpip.sys, Netiomig.dll, Netiougc.exe, Tcpip.sys,
Tcpipcfg.dll, Netiomig.dll, Netiougc.exe, Tcpip.sys, Tcpipcfg.dll | Requires Restart | Microsoft Windows

This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if specially crafted packets are sent to a computer with IPv6 enabled. An attacker could try to exploit the vulnerability by creating specially crafted ICMPv6 packets and sending the packets to a system with IPv6 enabled. This vulnerability may only be exploited if the attacker is on-link.

-MS10-013 - Microsoft DirectShow Vulnerability (977935) | CRITICAL | Remote Code Execution | Avifil32.dll, Mciavi32.dll, Msrle32.dll, Msvidc32.dll, Tsbyuv.dll | Requires Restart | Microsoft Windows

This security update resolves a privately reported vulnerability in Microsoft DirectShow. The vulnerability could allow remote code execution if a user opened a specially crafted AVI file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The scary part of this vulnerability is that it was reported over a year ago.

-MS10-003 - Micosoft Office (MSO) Vulnerability (978214) | IMPORTANT | Remote Code Execution | ietag.dll, Mso.dll | May Require Restart | Microsoft Office

This security update resolves a privately reported vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

-MS10-004 - Microsoft Office PowerPoint Vulnerability (975416) | IMPORTANT | Remote Code Execution | Powerpnt.exe, Pp7x32.dll, Pptview.exe | May Require Restart | Microsoft Office

This security update resolves six privately reported vulnerabilities in Microsoft Office PowerPoint. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. If you are running Mac OS X you should upgrade to Office 2008 for Mac.

-MS10-010 - Windows Server 2008 Hyper-V Vulnerability (977894) | IMPORTANT | Denial of Service (DoS) | Vid.sys | Requires Restart | Microsoft Windows

This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a malformed sequence of machine instructions is run by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to log on locally into a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

-MS10-011 - Windows Client/Server Run-time Subsystem Vulnerability (978037) | IMPORTANT | Privilege Escalation | Csrsrv.dll | Requires Restart | Microsoft Windows

This security update resolves a privately reported vulnerability in Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not affected. The vulnerability could allow elevation of privilege if an attacker logs on to the system and starts a specially crafted application designed to continue running after the attacker logs out. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.

-MS10-012 - SMB Server Vulnerability (971468) | IMPORTANT | Remote Code Execution | Srv.sys | Requires Restart | Microsoft Windows

This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities. This protocol has been used for approximately 14 years now and we are still finding flaws in it.

-MS10-014 - Kerberos Vulnerability (977290) | IMPORTANT | Remote Code Execution | Denial of Service (DoS) | Kdcsvc.dll | Microsoft Windows

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow a denial of service if a specially crafted ticket renewal request is sent to the Windows Kerberos domain from an authenticated user on a trusted non-Windows Kerberos realm. The denial of service could persist until the domain controller is restarted.

-MS10-015 - Windows Kernel Vulnerability (977165) | IMPORTANT | Privilege Escalation | Mup.sys, Ntkrnlmp.exe, Ntkrnlpa.exe, Ntkrpamp.exe, Ntoskrnl.exe | Requires Restart | Microsoft Windows

This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on to the system and then ran a specially crafted application. To exploit either vulnerability, an attacker must have valid logon credentials and be able to log on locally. The vulnerabilities could not be exploited remotely or by anonymous users. Use caution when implementing this update. For one it affects the Windows Kernel and secondly there has been many reports of BSoD system errors upon installation. So please properly test out this patch on separate non-production test systems.

-MS10-005 - Microsoft Paint Vulnerability (978706) | MODERATE | Remote Code Execution | Mspaint.exe | Requires Restart | Microsoft Windows

This security update resolves a privately reported vulnerability in Microsoft Paint. The vulnerability could allow remote code execution if a user viewed a specially crafted JPEG image file using Microsoft Paint. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

FOLLOWING UP

February gave us 13 significant patches and updates. 5 of which rated as critical, 9 updates as important, and 1 as moderate. I'm curious as to if I'm the only one who got a laugh out of the vulnerability in Microsoft Paint? Many remote exploits were addressed and fixed with these updates including 2 privilege escalation vulnerabilities. We are currently testing MS10-015 on our virtual machine testing systems for Microsoft XP, Server 2003, Windows 7, and Server 2008. We will follow up on the issue when the results are finished. Has anyone else been having issue with MS10-015 or any other updates this month? Please post a comment, we greatly appreciate it and we'll let you know how we can help with your issue.