Updated: September 23, 2010 14:00EST
After labor day it would of been nice to have a lighter Patch Tuesday this month; however, this is not the case. Microsoft Security bulletin Summary for September 2010 shows 9 bulletin addressing a total of 13 security vulnerabilities. Adobe, Mozilla, Cisco, Apple all releasing security patches in the last 7 days - putting a major stress on security teams and others dealing with patch management.
13 security vulnerabilities are addressed affecting Windows XP, Windows Server 2003, Windows vista, Windows Server 2008, Windows 7,Windows Server 2008 R2, Microsoft Office XP, Office 2003, and Office 2007.
Older Windows Platforms Essentially Less Secure
It is recommended to move away from Windows XP and Server 2003. Older versions of Windows are essentially more insecure than newer versions.
As shown, those running Windows 7 and Server 2008R2 have a much less patching demand for their system environment contrasted to those running older versions of Windows. Those on XP and Server 2003 need to way the cost and risk factors with staying on these older platforms. Tangable benefits of those running Windows 7 and Windows Server 2008R2 are very apparent after looking at this month’s Patch Tuesday. These teams will be able to allocate more time and resources into focusing on securing their network from current active exploits and deploying patches from other vendors and virus signatures are protecting against the latest malicious email campaign and other threats.
Newest is Not Always the Best
This outlook of older Windows platforms being essentially less secure is true. However, this is not to be confused with keeping up with the newest and greatest platform. New operating systems can introduce new fresh vulnerabilities along with compatibility issues with older or former hardware or break former functionality of a certain feature. These new operating systems should have their time to mature into the industry. Many larger organizations do not adapt a new platform until there has been successful deployment of at least one service pack for the operating system.
Vulnerability Summary and Exploitability Index
The Following is the vulnerability summary for September 2010 along with the exploitability index rating from *1*/1-3.
*1* - Extreme Attention - Exploit Code Publicly Disclosed and/or Exploited in the Wild
1 - Consistent Exploit Code Likely
2 - Inconsistent Exploit Code Likely
3 - Functioning Exploit Code Unlikely
Microsoft Security Bullitin Summary September 2010:
-MS10-061 - [Printer Spooler Service - (2347290) - Remote Code Execution]
Remote code execution if an attacker sends a specially crafted print request to a vulnerable system that has a print spooler interface exposed over RPC such as a Shared network printer.
-Printer Spooler Service Impersonation Vulnerability - 1 - CVE-2010-2729: Exploited in the wild
-MS10-062 - [MPEG-4 - (975558) - Remote Code Execution]
Vulnerability in MPEG-4 codec that can allow remote code execution if a user opens a specially crafted media file or MPEG-4 spreaming content from a website or other application delivering web content. A successful exploit allows an attacker to gain the same user rights as the current local user. Regardless of this exploit, users should use a user account with restrictive or non-administrator rights and using an administrator account sparingly for administrative tasks only such as installing software, etc. Users utilizing this security procaution have less of an impact with this and many other exploits than those who operate with administrative user rights.
-MPEG-4 Codec Vulnerability - 1 - CVE-2010-0818:
Less impact on Windows Vista and Windows 7 due to additional heap mitigations
-MS10-063 - [Unicode Scripts Processor - (2320113) - Remote Code Execution]
A vulnerability in the Unicode Scripts Processor can allow remote code execution if a user viewed a specially crafted document or Web page with an application supporting embedded OpenType fonts. A successful exploit allows an attacker to gain the same user rights as the local user. Again, remember that those who do not operate with administrative user rights will be less impacted.
-Uniscribe Font Parsing Engine Memory Corruption Vulnerability -2 - CVE-2010-2738
-MS10-064 - [Outlook - (2315011) - Remote Code Execution]
This vulnerability allows for remote code execution if a user opens or previews a specially crafted e-mail message using an affected version of Microsoft Outlook which connects to an Exchange Server with online mode. The same outcome of an attacker obtaining the same user rights as the current user logged on during the exploit is present.
-Heap Based Buffer Overflow in Outlook Vulnerability - 2 - CVE-2010-2738
Vulnerability in Microsoft Internet Information services (IIS) could allow for remote code execution if a client sends a specially crafted HTTP request to the server which would allow an attacker to gain complete control of the affected system. For newer platforms this vulnerability is only marked as important due to the low exploitability level.
-Directory Authentiation Bypass Vulnerability - *1* - CVE-2010-2731: Publicly disclosed vulnerability
-IIS repeated Parameter Request Denial of Service Vulnerability - 3 - CVE-2010-1899:
DoS vulnerablity only
-MS10-066 - [RPC - (982802) - Remote Code Execution]
Vulnerability in Windows Remote Procedure Call could allow for remote code execution. This vulnerability is marked important for Windows XP/2003 only. Windows Server 2008, Windows 7, and Server 2008R2 are not affected by the vulnerability. An attacker sending a specially crafted RPC response packet to a client initiated RPC request can take complete control of an affected system. However, an attack must convince the user to initiate an RPC connection to a malicious server under the attacker’s control. So without user interaction an attacker cannot exploit this vulnerability.
-RPC Memory Corruption Vulnerability - 1 - CVE-2010-2567
-MS10-067 - [WordPad - (2259922) - Remote Code Execution]
Vulnerability in WordPad Text Converters could allow for remote code execution. This vulnerability is marked important for Windows XP/2003 only. Windows Vista, Windows Server 2008, Windows 7, and Server 2008R2 are not affected by the vulnerability. A users machine is exploited if a user opens a specially crafted file using WordPad. Those not operating with administrative user rights will be less impacted.
-WordPad Word 97 Text Converter Memory Corruption Vulnerability - 1 - CVE-2010-2563
-MS10-068 - [Local Security Authority Subsystem - (983539) - Privilege Escalation ]
Vulnerability exists in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). Privilege excalation if an authenticated attacker sends specially crafted Lightweight Directory Access Protocol (LDAP) messages to a listening LSASS server. An attacker must have a member account within the target Windows domain but does not need a workstation joined to the domain.
-LSASS Heap Overflow Vulnerability - 1 - CVE-2010-1891
-MS10-069 - [Windows Client/Serve Runtime Subsystem (2121546) - Privilege Escalation]
Vulnerability rated as important for Windows XP and Windows Server 2003. Newer platforms including Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by this vulnerability. For older platforms privilege escalation can be performed by an attacker logs on to an affected system configured with a Chinese, Japanese, or Korean system locale. A successful exploit would allow for full complete control of the system.
-CSRSS Local Elevation of Privilege Vulnerability - 1 - CVE-2010-1891
Security updates are available as usual from Microsoft Download Center or via Internet Explorer brower (IE) available from Microsoft Update. Patches for September 2010 Security Release can also be downloaded as an .ISO Image here Windows-KB913086-201009.iso which you can burn onto a CD/DVD.
In the last week the following sizable IT security to-do list has materialized.
Yet again, Adobe is having a hard time with security with their more/less bloated software. Again Adobe has 0day exploits being replicated in the wild from critical vulnerabilities existing in:
-Adobe Flash Player 10.1.8.76 and earlier versions for Windows, Mac, Linux and Solaris. Critical vulnerability also exists in Adobe Flash Player 10.1.92.10 for Android. Active exploits have been performed on Windows platform and a fix will not be available until the week of October 4, 2010. Because there is not yet a fix for the vulnerability users should be aware that they are at risk from this critical vulnerability and should treat all Flash files especially those from unsolicited email with caution. As exploited in the wild, an attacker only needs to send a maliciously crafted flash file via email or trick the user into visiting a web page hosting this malicious flash content. Users can experience a system crash and allow an attacker to take control over the affected system. Currently known exploits: Troj/SWFLdr-T - CVE-2010-2884 since September 13, 2010.
-Reader 9.3.4 and earlier versions for Windows, Mac, and Linux. Actively exploited in the wild. Again, this fix will also not be available until the week of October 4, 2010. CVE-2010-2883
IT teams can get help from Microsoft’s Enhanced Mitigation Experience Toolkit 2.0. A vulnerability work around has provided that blocks this exploit.
Cisco’s Wireless LAN controller that address various vulnerabilities. These vulnerabilities if left unattended can facilitate remote access to controller and configuration information can be changed and access controls can effectively be bypassed allowing the attacker into the network. More information is provided by the Cisco Security Advisory on September 08, 2010.
-Cisco 2000, 2100, 5100, 4400, 5500 Series WLCs
-Cisco Wireless Services Modules (WiSMs)
-Cisco WLC Modules for Integrated Service Routers (ISRs)
-Cisco Catalyst 3750G Integrated VLCs
-Two denial of service (DoS) vulnerabilities
-Three privilege escalation vulnerabilities
-two access control list (ACL) bypass vulnerabilities
Mozilla 3.6.9 - Addressed multiple vulnerabilities including remote execution of arbitrary code, access to sensitive information and cross-site scripting (XSS) issues.
MFSA 2010-63 Information leak via XMLHttpRequest statusText
MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
MFSA 2010-61 UTF-7 XSS by overriding document charset using <object> type attribute
MFSA 2010-60 XSS using SJOW scripted function
MFSA 2010-59 SJOW creates scope chains ending in outer object
MFSA 2010-58 Crash on Mac using fuzzed font in data: URL
MFSA 2010-57 Crash and remote code execution in normalizeDocument
MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView
Apple Safari 5.0.2 and 4.1.2 is now available and addresses the following vulnerabilities in prior versions in 4.x and 5.x. The updated versions both address the same set of security issues. “Safari 5.0.2 is provided for Mac OS X v10.5, Mac OS X v10.6, and Windows systems. Safari 4.1.2 is provided for Mac OS X v10.4 systems.”
CVE-2010-1805 [Safari] addresses a search path issue that when “displaying the location of a downloaded file, Safari launches Windows Explorer without specifying a full path to the executable. Launching Safari by opening a file in a specific directory will include that directory in the search path. Attempting to reveal the location of a downloaded file may execute an application contained in the directory, which may leave to arbitrary code execution.’” This fix is available for XP SP2/SP3, Windows Vista, and Windows 7. Users opening a file in a directory that is writable by other users could lead to arbitrary code execution.
CVE-2010-1807 [WebKit] describes the impact of a user “visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. An input validation issue exists in WebKit's handling of floating point data types. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of floating point values.” Fix is available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later.
CVE-2010-1806 [WebKit] “Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution from A use after free issue exists in WebKit's handling of elements with run-in styling. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of object pointers.” The patch is available for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later.
Apple iTunes 10
iTunes 10 is available for download for Max OS X, Windows 7, Vista, XP SP2 or later and can be obtained from: http://www.apple.com/itunes/download/. iTunes 10 addresses multiple vulnerabilities in WebKit.
QuickTime 7.6.8 was released and is now available for download.
Mac OS X v10.6.4 was released on September 20, 2010. Information for the single security update can be found here.
CVE-2010-1820 for Mac OS X 10.6, Mac OS X Server 10.6 addresses a vulnerability in the ability for “A remote attacker may access AFP shared folders without a valid password. An error handling issue exists in AFP Server. A remote attacker with knowledge of an account name on a target system may bypass the password validation and access AFP shared folders. By default, File Sharing is not enabled. This issue does not affect systems prior to Mac OS X v10.6. Credit to Pike School in Massachusetts for reporting this issue.”
Ubuntu:990-2: Apache Vulnerability - September 21, 2010
Ubuntu:990-1: OpenSSL Vulnerability - September 21, 2010
Ubuntu:986-3: dpkg Vulnerability - September 20, 2010
Ubuntu:986-2: ClamAV Vulnerability - September 20, 2010
Ubuntu:986-1: bzip2 Vulnerability - September 20, 2010
Ubuntu:978-2: Thunderbird Regression - September 16, 2010
Ubuntu:975-2: Firefox and Xulrunner Regression - September 16, 2010
Ubuntu:978-1: Thunderbird Vulnerabilities - September 08, 2010
Ubuntu:975-1: firefox and Xulrunner vulnerabilities - September 08, 2010
Ubuntu:985-1: Mountall Vulnerability - September 08, 2010
Ubuntu:984-1: LFTP Vulnerability - September 07, 2010
Ubuntu:983-1: Sudo vulnerability - September 07, 2010
Ubuntu:982-1: Wget vulnerability - September 02, 2010
Other Linux distribution security update highlights include:
Debian: 2109-1: samba: buffer overflow September 16, 2010
Debian: 2108-1: cvsnt: programming error September 14, 2010
Debian: 2097-2: phpmyadmin: insufficient input sanitisi Sep 11, 2010
Debian: 2107-1: couchdb: untrusted search path September 09, 2010
Debian: 2102-1: barnowl: unchecked return value September 03, 2010
Gentoo: 201009-01: wxGTK: User-assisted execution of arbitrary code September 02, 2010
SuSE: 2010-040: Linux kernel September 13, 2010
SuSE: 2010-038: kernel September 03, 2010
SuSE: 2010-036: kernel September 01, 2010
Slackware: 2010-258-03: sudo redo: Security Update September 15, 2010
Slackware: 2010-257-01: samba: Security Update September 15, 2010
Slackware: 2010-257-02: sudo: Security Update September 15, 2010
Slackware: 2010-253-01: mozilla-firefox: Security Update September 10, 2010
Slackware: 2010-253-02: mozilla-thunderbird: Security Update September 10, 2010
Slackware: 2010-253-03: seamonkey: Security Update September 10, 2010
Mandriva: 2010:184: samba September 16, 2010
Mandriva: 2010:183: socat September 15, 2010
Mandriva: 2010:182: kdegraphics September 14, 2010
Mandriva: 2010:181: ntop September 14, 2010
Mandriva: 2010:180: rpm September 13, 2010
Mandriva: 2010:179: libglpng September 12, 2010
Mandriva: 2010:178: ocsinventory September 12, 2010
Mandriva: 2010:177: tomcat5 September 12, 2010
Mandriva: 2010:176: tomcat5 September 12, 2010
Mandriva: 2010:175: sudo September 12, 2010
Mandriva: 2010:174: quagga September 11, 2010
Mandriva: 2010:173: firefox September 11, 2010
Mandriva: 2010:172: kernel September 09, 2010
Mandriva: 2010:170: wget September 02, 2010
Mandriva: 2010:169: mozilla-thunderbird September 02, 2010
Mandriva: 2010:168: openssl September 01, 2010
Red Hat: 2010:0698-01: samba3x: Critical Advisory September 14, 2010
Red Hat: 2010:0697-01: samba: Critical Advisory September 14, 2010
Red Hat: 2010:0670-01: kernel: Important Advisory September 02, 2010
Pardus: 2010-119: OpenSSL: Use-after-free September 03, 2010
Pardus: 2010-120: Flashplugin: Multiple September 03, 2010
Malicious email campaigns seemingly continue and it is important to keep virus signatures up to date on all machines again the latest threats. However, it is uniquely important to not create a false sense of security on only rely on updated virus signatures to protect your machines. The human factor plays a huge role in providing additional security safe guards that IT and non IT personnel need to remember. A brief description of this human factor would included examples such as only open email attachments from known and trusted senders, do NOT surf or use/open email on mission-critical machines and servers - such important machines should not even have Adobe Flash Player or Adobe Reader installed on the platform.