- Install vendor patches as soon as they become available, after proper testing in a test environment and before applying them to production.
- Run all applications at the user level (least privilege) and use the administrator account only when a privileged user is needed to maintain the machine (e.g. when administrator privileges are required to install an application, a user logged in to a lower-privileged account can use the RunAs function to switch to Administrator privileges for that task).
- Users should avoid downloading files from unknown or questionable sources, whether an email attachment from an unknown sender, a download from a questionable website, or flash-drive media whose integrity (such as the drive's origin) is in question.
- Block external access at the network perimeter to systems until specifically required.
1. MS10-031 Vulnerability in Microsoft Visual Basic for Applications (978213) CVE-2010-0815 (BID 39931)
A remote code-execution vulnerability (CVE-2010-0815) in VBE6.DLL was reported in Microsoft Visual Basic for Applications (VBA). Many Microsoft products, including Office, use the Visual Basic Environment, i.e. the VBA runtime. The vulnerability allows remote exploitation if a user can be tricked into opening a host application that opens a specially crafted file and passes it to the VBA runtime. The vulnerability is a code defect in text-parsing code that allows a one-byte stack overwrite. The patch resolves the issue by changing the way VBA searches for ActiveX controls embedded in documents. Very specific properties of the program must exist for an attacker to gain control of the machine. Three conditions limit the attacker's control:
- The byte being overwritten is 0x2e (decimal 46)
- The overwriting value is always 0
- There is no zero byte between the parsing buffer and the 0x2e byte being overwritten
Microsoft believes that exploit code for this vulnerability is not likely to be seen in the wild within the next 30 days. Nevertheless, because of the possibility, Microsoft has classified MS10-031 as critical.
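As an added illustration (not code from the bulletin or from VBE6.DLL), the following constructed C model of a '.'-terminating text parser reproduces the three conditions above beside a bounded version of the same routine; the parser, its memory layout and the input bytes are all hypothetical.

```c
#include <string.h>

#define FIELD_LEN 8   /* size of the parsing buffer */
#define MEM_LEN  16   /* buffer plus the bytes that happen to follow it (hypothetical layout) */

/* Vulnerable model: strchr scans until it meets '.' or a NUL, with no bound. */
static void truncate_at_dot_unbounded(char *field) {
    char *dot = strchr(field, '.');
    if (dot)
        *dot = '\0';  /* one 0 byte written over an 0x2e byte, wherever the scan found it */
}

/* Hardened model: the scan is bounded to the buffer; no '.' inside it is an error. */
static int truncate_at_dot_bounded(char *field, size_t len) {
    char *dot = memchr(field, '.', len);
    if (dot == NULL)
        return -1;
    *dot = '\0';
    return 0;
}

/* The constructed inputs below put FIELD_LEN bytes with no '.' and no NUL in the buffer,
 * followed by whatever sits past it; one array keeps the overrun well-defined in the model. */

/* All three conditions hold: the first '.' past the buffer, with no NUL before it, becomes 0. */
int unbounded_clobbers_beyond_buffer(void) {
    char mem[MEM_LEN];
    memcpy(mem, "ABCDEFGHxy.z\0\0\0", MEM_LEN);
    truncate_at_dot_unbounded(mem);
    return mem[FIELD_LEN + 2] == '\0';
}

/* Third condition violated: a zero byte before the '.' stops the scan and nothing is written. */
int unbounded_stopped_by_nul(void) {
    char mem[MEM_LEN];
    memcpy(mem, "ABCDEFGH\0y.z\0\0\0", MEM_LEN);
    truncate_at_dot_unbounded(mem);
    return mem[FIELD_LEN + 2] == '.';
}

/* The bounded parser rejects the input and leaves the byte past the buffer untouched. */
int bounded_leaves_beyond_buffer_alone(void) {
    char mem[MEM_LEN];
    memcpy(mem, "ABCDEFGHxy.z\0\0\0", MEM_LEN);
    return truncate_at_dot_bounded(mem, FIELD_LEN) == -1 && mem[FIELD_LEN + 2] == '.';
}
```

The model shows why the defect is so constrained: the only byte the unbounded scan can change is the first 0x2e it reaches, it can only write 0 there, and any intervening zero byte ends the scan first.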
- Man-in-the-middle attack: an attacker intercepts and manipulates a user's POP3 or IMAP connection, sitting between the client and a legitimate email server.
- An attacker can exploit the Windows Mail Integer Overflow Vulnerability by tricking a user into connecting to a malicious mail server. A successful exploit requires a currently logged-in user and results in the execution of arbitrary attacker-supplied code.
- An attacker cannot exploit a machine simply by sending a malicious email.
- A user who runs an affected email program but connects to an Exchange Server rather than using POP3 or IMAP is still advised to install the update.
Attack Vector Details
- Man-in-the-middle attack
An attacker intercepting and modifying legitimate POP3 and IMAP communications across an untrusted network, such as a Wi-Fi hotspot, is the most likely attack vector. However, such an attack is less likely to succeed if users enable the option in their mail account settings to encrypt the POP3 or IMAP connection with SSL.
- Malicious email server
A less likely scenario involves an attacker tricking a user into connecting to a malicious email server. This requires the user's email client configuration to be changed to point at the malicious server, which would take either a great deal of social engineering or access to the user's local area network (LAN), where the attacker could poison the DNS entry for the legitimate email server so that it resolves to the address of the malicious server.
Microsoft TechNet Security Bulletin Summary for May 2010
Robert Keith @ Symantec Connect - Security Response