X
Tech

Microsoft finally fixes Pwn2Own browser flaw

The Microsoft Patch Tuesday train rolled into town today, dropping off a massive 10 security bulletins with fixes for at least 34 documented vulnerabilities.
Written by Ryan Naraine, Contributor

The Microsoft Patch Tuesday train rolled into town today, dropping off a massive 10 security bulletins with fixes for at least 34 documented vulnerabilities.

Three of the bulletins are rated "critical" because of the risk of remote code execution attacks.  Affected products include the Windows operating system, Microsoft Office, the Internet Explorer browser and Internet Information Services (IIS).

This month's patch batch also provides cover for a known cross-site scripting flaw in the Microsoft SharePoint Server and a publicly discussed data leakage hole in Internet Explorer.

Microsoft is urging its users to pay special attention to MS10-033  (Windows), MS10-034 (ActiveX killbits) and MS10-035 (Internet Explorer) because these contain fixes for issues that may be exploited by malicious hackers very soon.

Here's the skinny on these three bulletins:

  • MS10-033 -- This security update resolves two privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. This is rated Critical for Quartz.dll (DirectShow) on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008; Critical for Windows Media Format Runtime on Microsoft Windows 2000, Windows XP, and Windows Server 2003; Critical for Asycfilt.dll (COM component) on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2; and Important for Windows Media Encoder 9 x86 and x64 on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
  • MS10-034 -- This security update addresses two privately reported vulnerabilities for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Vista, and Windows 7, and Moderate for all supported editions of Windows Server 2003, Windows Server2008, and Windows Server 2008 R2.  The vulnerabilities could allow remote code execution if a user views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer. It also includes kill bits for four third-party ActiveX controls.
  • MS10-035 -- Fixes five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.This security update is rated Critical for Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4; Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients; and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers.

Qualys CTO Wolfgang Kandek noticed that four of the 10 bulletins address zero-day issues, the most significant being MS10-035, which fixes the zero-day published by Core Security for an information disclosure vulnerability originally published in February 2010.

It also fixes the Pwn2Own vulnerability that security researcher Peter Vreugdenhil used to win ZDI’S competition at CanSecWest.  During that contest, Vreugdenhil bypassed all built-in protections such as DEP and ASLR by combining multiple flaws and attack methods.

The MS10-040 bulletin is also interesting.  It covers a a remotely exploitable vulnerability in all versions of IIS, but it is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. It further requires an account on the system, reducing the number of vulnerable hosts to a small subset.  Microsoft rates this an "important" update.

Editorial standards