Tuesday, May 11, 2010

Microsoft Patch Tuesday - May 2010


The month of May is a fairly light month for Microsoft's Patch Tuesday. Microsoft release of two security bulletins to mitigate two vulnerabilities dealing with holes in its e-mail programs and Visual Basic for Applications (VBA) programming language implementation built into office. Successful exploitation of these vulnerabilities allow an attacker to gain complete control of a user's machine. Affected systems and software include Windows 2000, XP, Vista, Windows 7, Server 2003, Server 2008, Office XP, Office 2003, 2007, Microsoft Oiffice System, Microsoft Visual Basic for Applications, and Visual Basic for Applications software development kit. However, users with Windows 7 and Server 2008 R2 are not vulnerable with default system configurations.

Adobe also released a critical security update for Shockwave Player and less critical for ColdFusion.


Security Best Practices Tips:
  • Install vendor patches as soon as they become available after proper testing in a test environment before applying to a production environment. 
  • It is important to run all applications at the user level (least privileges) and only run the administrator account and as a privileged user to maintain functionality of the machine as needed (i.e. When needing admin privileges to install an application, a user can use the RunAs function to quickly switch to Administrator privileges while logged into a lower-privileged user). 
  • Users should avoid downloading files from unknown or questionable sources - whether an email with attachment from an unknown sender, downloading from questionable website, or using flashdrive media where the integrity of the drive such as the drive's origin is in question. 
  • Block external access at the network perimeter to systems until specifically required.


Patch Tuesday: May 2010

Microsoft’s summary of the May releases can be found here:http://www.microsoft.com/technet/security/bulletin/ms10-may.mspx

The following is Microsoft's summary of the releases followed by research and commentary of the vulnerabilities:
1. MS10-031 Vulnerability in Microsoft Visual Basic for Applications
    (978213) 
CVE-2010-0815 (BID 39931)

A remote code-execution vulnerability CVE-2010-0815 in the VBE6.DLL was reported in Microsoft Visual Basic for Applications (VBA). Many Microsoft products, including Office, use the Visual Basic Environment such as the VBA runtime. This vulnerability allows for remote exploitation if a user can be tricked into opening a host application that opens and passes a specially crafted file to the VBA runtime. The vulnerability involves a code defect in text parsing code allowing for a one-byte stack overwrite. The patch resolves the issue by changing the way VBA searches for ActiveX controls embedded in documents. Very specific properties of the program must exist for an attacker to gain control of the machine. Three conditions limit the attacker's control:

  • The byte being overwritten = 0x2e (decimal: 46)
  • The overwriting value always = 0
  • No zero byte between the parsing buffer and the byte being overwritten = 0x2e

Microsoft believes that code for this exploitation of this vulnerability is not likely to be seen in the wild within the next 30 days. However, because of the possibility, Microsoft has classified the MS10-031 as critical.


2. MS10-030  Vulnerability in Outlook Express & Windows Mail
    (978542) 
CVE-2010-0816 (BID 39927)


A remote code-execution vulnerability was reported which affects Windows Mail client software including Outlook Express 5.5 SP2, 6, 6 SP1, Windows Mail, and Windows Live Mail. However, default installations of Windows 7 and Server 2008 R2 do not include Windows Live Mail and are therefore not affected by this vulnerability. Proof-of-concept code is publicly available; so be quick to test and deploy the patch as soon as possible.

Attack Scenarios
  • Man-in-the-middle Attack: Attacker intercepts and manipulates a user's POP3 or IMAP connection to intercept communications between the client and a legitimate email server.
  • An attacker can exploit the Windows Mail Integer Overflow Vulnerability by tricking a user into connecting to a malicious mail server. A successful exploit involves a currently logged-in user and the execution of arbitrary attacker-supplied code.


Safe Scenarios
  • An attacker cannot exploit a machine by simply sending a malicious email.
  • A user uses an affected email program, but uses an Exchange Server and does not use POP3 or IMAP. However, it is still recommended to install the update.

Attack Vector Details

  • Man-in-the-middle
    An attacker attempting to intercept and modify legitimate POP3 and IMAP communications across an untrusted network such as a Wi-Fi hotspot is the most likely attack vector. However, an attack is less likely to succeed if users check the option in their mail account to encrypt the POP3 or IMAP protocols with SSL.
  • Malicious email server
    A less likely scenario involves an attacker tricking a user to connect to a malicious email server. This would involve making the user change their email client configuration to connect to a malicious email server which would require either a great amount of social engineering or the attacker would have access to the user's local area network (LAN) and poison the DNS entry for the email server to change the legitimate email server address to that of the malicious server.

Upcoming Microsoft Fixes

Microsoft is still developing a fix a proof-of-concept exploit for vulnerabilities in SharePoint Services 3.0 and SharePoint Server 2007 which could lead to attacks in cross-site scripting in Internet browsers such as Internet Explorer (IE).


-Stephen Geldersma, Digital Designs LLC


Last Updated: 05/12/2010 18:55 ET

*Posting is provided "AS IS" with no warranties, and confers no rights.*