MS Patch Tuesday: Exploits expected for severe drive-by-download flaws

Summary: Two of the bulletins are rated "critical" for all versions of Microsoft's flagship operating system, including Windows 7 and Windows Server 2003 R2.

Microsoft today released 11 security bulletins with fixes for a total of 25 security vulnerabilities, including several flaws that expose users to browse-and-you're-hacked (malicious drive-by download) attacks.

Two of the bulletins are rated "critical" for all versions of Microsoft's flagship operating system, including Windows 7 and Windows Server 2003 R2. In some cases, Microsoft is expecting to see "reliable exploit code" released within 30 days, which underlines the importance of applying these patches immediately.

The company urged its users to pay special attention to three bulletins this month -- MS10-019, MS10-026, and MS10-027.  Here's why:

  • MS10-019 affects all versions of Windows. While we give this a 2 on the exploitability index, the issue would allow an attacker to alter signed executable content (PE and CAB files) without invalidating the signature. Note that WU/MU content is not affected by this issue due to additional checks made when validating signed content.
  • MS10-026 does not affect Windows 7, Windows Server 2008 R2, or Itanium versions of Windows Server 2008 and Windows Server 2003. However, it is critical on Windows 2000, XP, Server 2003 and Server 2008. The vulnerability could be triggered simply by visiting a web page hosting a specially crafted AVI file that begins streaming when the page loads.
  • MS10-027 affects only Windows 2000 and Windows XP users who could potentially be exploited simply by visiting a specially crafted web page.
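
The MS10-019 item turns on one question: which bytes of a signed file does the Authenticode hash actually cover, and which can be changed without touching the signature? The following Python is an added illustration, not Microsoft's code and not a description of the MS10-019 flaw itself. It builds a minimal, non-executable PE32 image inline (a constructed sample), computes a simplified Authenticode-style hash over it, and shows that the CheckSum field and anything placed inside the certificate table are outside the hash, while a single byte changed in section data is not. Assumptions: SHA-256 (signatures of that era were mostly SHA-1), sections already in file order, and the certificate table as the last thing in the file.

```python
"""Simplified Authenticode-style hash of a PE file (added example).

Not Microsoft's code and not a description of the MS10-019 bug. It shows which
bytes of a PE image the signature hash deliberately skips: the CheckSum field,
the Security data-directory entry and the certificate table itself. The PE
image built below is a constructed, non-executable sample.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _layout(pe: bytes):
    """Return file offsets of the CheckSum field and the Security directory entry."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                       # PE signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == PE32_MAGIC:
        dirs = opt + 96                           # data directories start here in PE32
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112                          # ... and here in PE32+
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt + 64, dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8


def authenticode_hash(pe: bytes) -> str:
    """SHA-256 over every byte except the three regions the signature skips.

    Simplification (assumption): the real algorithm hashes sections in
    PointerToRawData order; here the file is assumed to already be laid out in
    that order with the certificate table, if any, last.
    """
    checksum_off, secdir_off = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    if cert_size == 0:                            # unsigned: nothing to exclude at the end
        cert_off = len(pe)
    h = hashlib.sha256()
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    h.update(pe[secdir_off + 8:cert_off])
    h.update(pe[cert_off + cert_size:])           # trailing data after the table is covered
    return h.hexdigest()


def build_sample_pe(cert_blob: bytes) -> bytes:
    """Construct a minimal PE32 image: one .text section plus a certificate
    table holding cert_blob (a placeholder, not a real PKCS#7 signature)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    headers_end = e_lfanew + 4 + 20 + 224 + 40    # includes one 40-byte section header
    code = b"\x90" * 64                           # section body
    cert_off = headers_end + len(code)
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    struct.pack_into("<I", opt, 60, headers_end)  # SizeOfHeaders
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                     cert_off, len(win_cert))     # Security directory: (offset, size)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code),
                          headers_end, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + section + code + win_cert


def append_to_certificate_table(pe: bytes, extra: bytes) -> bytes:
    """Append attacker-chosen bytes inside the certificate table, keeping the
    Security directory size and WIN_CERTIFICATE.dwLength consistent."""
    _, secdir_off = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    if cert_off + cert_size != len(pe):
        raise ValueError("example assumes the certificate table ends the file")
    out = bytearray(pe) + extra
    struct.pack_into("<II", out, secdir_off, cert_off, cert_size + len(extra))
    (dw_len,) = struct.unpack_from("<I", out, cert_off)
    struct.pack_into("<I", out, cert_off, dw_len + len(extra))
    return bytes(out)


def flip_code_byte(pe: bytes) -> bytes:
    """Tamper with one byte of section data (the last byte before the cert table)."""
    _, secdir_off = _layout(pe)
    cert_off, _ = struct.unpack_from("<II", pe, secdir_off)
    out = bytearray(pe)
    out[cert_off - 1] ^= 0xFF
    return bytes(out)


def set_checksum(pe: bytes, value: int) -> bytes:
    """Overwrite the optional-header CheckSum field (also outside the hash)."""
    checksum_off, _ = _layout(pe)
    out = bytearray(pe)
    struct.pack_into("<I", out, checksum_off, value)
    return bytes(out)


if __name__ == "__main__":
    original = build_sample_pe(b"PLACEHOLDER-PKCS7")
    h0 = authenticode_hash(original)
    print("cert-table padding changes hash:",
          h0 != authenticode_hash(append_to_certificate_table(original, b"unsigned data")))
    print("code tampering changes hash:   ", h0 != authenticode_hash(flip_code_byte(original)))
```

The practical lesson is that a verifier must treat the certificate table as untrusted input in its own right: everything inside it that is not the PKCS#7 blob the signature was computed over has to be rejected, and a verifier that falls back to a weaker check when the stronger one does not parse gives an attacker a place to put whatever it wants.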

This chart from Microsoft's SR&D blog provides a great overview of the bulletins, severity risks and mitigations. Each entry below lists the bulletin, its most likely attack vector, maximum bulletin severity and maximum exploitability index, the likely impact in the first 30 days, and platform mitigations and key notes:

MS10-027 (WMP)
  • Most likely attack vector: Victim browses to a malicious webpage.
  • Max severity / exploitability index: Critical / 1
  • Likely first-30-days impact: Likely to see reliable exploit code developed.
  • Mitigations and key notes: Windows Vista, Windows Server 2008, and Windows 7 not affected.

MS10-026 (DirectShow)
  • Most likely attack vector: Victim browses to a malicious webpage or opens a malicious AVI movie.
  • Max severity / exploitability index: Critical / 1
  • Likely first-30-days impact: Likely to see reliable exploit code developed.
  • Mitigations and key notes: Windows 7 codec is not vulnerable.

MS10-019 (WinVerifyTrust)
  • Most likely attack vector: Victim double-clicks a malicious EXE or allows malicious content to run because the content claims to be signed by a trusted publisher.
  • Max severity / exploitability index: Critical / 2
  • Likely first-30-days impact: Likely to see effective proof-of-concept code released to downgrade Authenticode checks from v2 down to v1. Authenticode v1 is a weaker algorithm. To reach code execution, attackers will need to find an Authenticode v1 bypass.
  • Mitigations and key notes: Microsoft Update and Windows Update clients not directly vulnerable to this threat.

MS10-020 (SMB Client)
  • Most likely attack vector: Attacker hosts a malicious SMB server within the enterprise network and lures the victim to click on a link that causes the victim to initiate an SMB connection to that server.
  • Max severity / exploitability index: Critical / 2
  • Likely first-30-days impact: Proof-of-concept code already exists for the denial-of-service vulnerability. May see unreliable exploit code developed for other client-side SMB vulnerabilities that most often results in denial-of-service.
  • Mitigations and key notes: Egress filtering at most corporations will limit exposure to attackers within the enterprise network. Several issues with differing exploitability; please see the SRD blog for more information.
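
The MS10-020 entry makes two points worth turning into something operational: the attack only works if a client can be lured into opening an SMB connection to a server the attacker controls, and egress filtering is what limits that. The Python below is an added example, not Microsoft's or ZDNet's code. It scans firewall log lines for TCP connections to ports 445 or 139 that leave the internal address space; an "allow" hit means a gap in egress filtering, a "deny" hit still identifies a host that was lured into trying. The log line format ("src=... dst=... proto=... action=...") and the internal ranges are assumptions for the demo, and the sample lines are constructed, not real traffic.

```python
"""Hunt for outbound SMB from internal hosts to external addresses (added example).

Not Microsoft's or ZDNet's code. The log format ("src=... dst=... proto=...
action=...") and the internal address ranges are assumptions for the demo;
adapt them to your own firewall's syntax. SAMPLE_LOG is constructed data.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}                            # NetBIOS session service and direct SMB

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"proto=(?P<proto>\w+)\s+action=(?P<action>\w+)"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2010-04-13T10:01:02Z fw1 src=10.20.30.40:51234 dst=203.0.113.9:445 proto=tcp action=allow
2010-04-13T10:01:05Z fw1 src=10.20.30.40:51240 dst=10.20.1.5:445 proto=tcp action=allow
2010-04-13T10:01:09Z fw1 src=10.20.30.41:51300 dst=198.51.100.77:139 proto=tcp action=deny
2010-04-13T10:01:12Z fw1 src=10.20.30.41:51301 dst=203.0.113.9:443 proto=tcp action=allow
2010-04-13T10:01:15Z fw1 src=10.20.30.42:51302 dst=203.0.113.9:445 proto=udp action=allow
"""


def is_internal(ip: str) -> bool:
    """True if ip falls inside one of the (assumed) corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every TCP connection to an SMB port from an internal source to an
    external destination, in log order. Internal-to-internal SMB is normal
    file-server traffic and is not reported."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["proto"].lower() != "tcp":
            continue
        if int(m["dport"]) not in SMB_PORTS:
            continue
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            hits.append({"src": m["src"], "dst": m["dst"],
                         "dport": m["dport"], "action": m["action"]})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits by firewall action so a missing egress rule stands out."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["action"]] = counts.get(h["action"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_smb_egress(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['src']} -> {h['dst']}:{h['dport']} ({h['action']})")
    print(summarize(found))
```

Any "allow" result is the finding to act on first: a perimeter that passes outbound 445 lets the lure in the MS10-020 scenario reach servers outside the enterprise, not just inside it.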

MS10-022 (VBScript)
  • Most likely attack vector: Victim browses to a malicious webpage and is tricked into pressing F1 on a VBScript message box.
  • Max severity / exploitability index: Important / 1
  • Likely first-30-days impact: Public exploit code exists for code execution after a user presses F1. Have not heard reports of real-world attacks yet, despite public exploit code.
  • Mitigations and key notes: Vulnerability not reachable on Windows 7, Windows Server 2008, and Windows Vista by default; bulletin rated defense-in-depth for those platforms. Windows Server 2003 not vulnerable by default due to Enhanced Security Configuration.

MS10-025 (Windows Media Services)
  • Most likely attack vector: If a victim Windows 2000 machine has enabled Windows Media Services, an attacker can send a network-based attack over port 1755 (TCP or UDP).
  • Max severity / exploitability index: Critical / 1
  • Likely first-30-days impact: Likely to see reliable exploit code developed.
  • Mitigations and key notes: Only Windows 2000 is affected.

MS10-021 (Kernel)
  • Most likely attack vector: Attacker able to run code locally on a machine exploits a vulnerability to run code at a higher privilege level.
  • Max severity / exploitability index: Important / 1
  • Likely first-30-days impact: Likely to see reliable exploit code developed for one or more of these eight vulnerabilities.
  • Mitigations and key notes: See the SRD blog post explaining the Windows registry link vulnerabilities.

MS10-024 (SMTP Service)
  • Most likely attack vector: Attacker causes the SMTP Service running on 64-bit Windows Server 2003 to crash by initiating a DNS lookup handled by a malicious DNS server.
  • Max severity / exploitability index: Important / n/a
  • Likely first-30-days impact: No chance for code execution. May see proof-of-concept code that crashes the SMTP Service, but not Exchange.
  • Mitigations and key notes: Exchange Server not directly affected by the denial-of-service vulnerability because vulnerable versions never shipped as a 64-bit application. The security update applies to 32-bit Exchange Server to add additional DNS protections.

MS10-028 (Visio)
  • Most likely attack vector: Victim opens a malicious .VSD file.
  • Max severity / exploitability index: Important / 1
  • Likely first-30-days impact: Visio exploits not often seen in the wild. Unsure whether we will see an exploit released.
  • Mitigations and key notes: Visio not installed by default with most Office installations.

MS10-023 (Publisher)
  • Most likely attack vector: Victim opens a malicious .PUB file.
  • Max severity / exploitability index: Important / 1
  • Likely first-30-days impact: Publisher exploits not often seen in the wild. Unsure whether we will see an exploit released.

MS10-029 (ISATAP)
  • Most likely attack vector: Attacker spoofs own source address by encapsulating an IPv6 attack packet inside an IPv4 wrapper. This may allow the attacker to reach an IPv6 destination that otherwise would be blocked.
  • Max severity / exploitability index: Moderate / n/a
  • Likely first-30-days impact: May see proof-of-concept released publicly.
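
The MS10-029 entry describes an attacker wrapping an IPv6 packet in IPv4 so that the inner source address is one the victim trusts. The check that defeats this for host-to-host ISATAP traffic is simple once you know that ISATAP interface identifiers embed the sender's IPv4 address (RFC 5214: ::0:5efe:a.b.c.d, or ::200:5efe:a.b.c.d with the global bit set): the embedded IPv4 address must equal the outer IPv4 source. The Python below is an added example, not Microsoft's code and not a description of what the MS10-029 update changed. All packets are constructed inline; the check assumes host-to-host ISATAP traffic, since packets relayed by an ISATAP router carry non-ISATAP inner sources and need a check against the configured router address instead.

```python
"""Reject IPv6-in-IPv4 (ISATAP, IP protocol 41) packets whose outer and inner
sources disagree (added example).

Not Microsoft's code and not a description of the MS10-029 fix. Assumption:
host-to-host ISATAP traffic; packets relayed by an ISATAP router carry
non-ISATAP inner sources and need a check against the configured router
address instead. All packets built here are constructed samples.
"""
import ipaddress
import struct

ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")   # link-local / global u-bit variants
IPPROTO_IPV6 = 41


def isatap_address(prefix: str, ipv4: str, global_scope: bool = False) -> str:
    """Build the ISATAP address for ipv4 under prefix (a /64)."""
    iid = ISATAP_IIDS[1 if global_scope else 0] + ipaddress.IPv4Address(ipv4).packed
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def embedded_ipv4(addr: str):
    """IPv4 address embedded in an ISATAP interface ID, or None if not ISATAP."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[:4] in ISATAP_IIDS:
        return str(ipaddress.IPv4Address(iid[4:]))
    return None


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = IPPROTO_IPV6) -> bytes:
    """Minimal IPv4 header (checksum left zero; not needed for this check) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src: str, dst: str, payload: bytes = b"", next_header: int = 59) -> bytes:
    """Minimal IPv6 header (next header 59 = No Next Header) + payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def check_isatap_packet(pkt: bytes):
    """Return (accept, reason) for one raw IPv4 packet received on an ISATAP link."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False, "not an IPv4 packet"
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_IPV6:
        return False, "not IPv6-in-IPv4"
    outer_src = str(ipaddress.IPv4Address(pkt[12:16]))
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "inner packet is not a full IPv6 header"
    inner_src = str(ipaddress.IPv6Address(inner[8:24]))
    embedded = embedded_ipv4(inner_src)
    if embedded is None:
        return False, f"inner source {inner_src} is not an ISATAP address"
    if embedded != outer_src:
        return False, f"spoofed: inner source embeds {embedded} but outer source is {outer_src}"
    return True, "outer and inner sources agree"


if __name__ == "__main__":
    me, peer, attacker = "192.0.2.20", "192.0.2.10", "198.51.100.7"
    inner = build_ipv6(isatap_address("fe80::/64", peer), isatap_address("fe80::/64", me))
    print(check_isatap_packet(build_ipv4(peer, me, inner)))       # genuine peer
    print(check_isatap_packet(build_ipv4(attacker, me, inner)))   # attacker claiming to be peer
```

The same idea generalises to any tunnel whose inner addressing is derived from the outer one (6to4 embeds the IPv4 address in the prefix rather than the interface ID): whatever an address-based IPv6 filter trusts has to be tied back to the outer header the packet actually arrived in.
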
More to come...

Topics: Operating Systems, Microsoft, Security, Software, Windows

Talkback

81 comments
  • But of course there's more to come... It's so obvious.

    Life's good when you're a Windows vulnerability reporter. As long as we have Windows around we can be sure you will not go out of business and we, your avid faithful readers, can be sure to have fresh Windows vulnerability news delivered to us every day, multiple times.

    Oh the easy life, you guys have all the luck. How I envy the Windows vulnerability reporters.

    You have it too easy so enjoy it while it lasts because Windows is being deprecated.
    Great Kahuna
    • Just leave the defaults in place

      and yes, then life *is* good. You never notice the updating because it uses intelligent background transfer. After patches Windows 7 rarely requires reboots - at least compared to Ubuntu.

      Leave the defaults and be safe.
      honeymonster
      • What... No customization?

        But I always customize my systems, heavily, that's the reason I switched to Linux and have no regrets.
        Great Kahuna
      • Rarely requires reboots?

        I'm running W7x64. Also run SuSe 10 and Ubuntu.
        While the number of reboots needed for W7 is way down compared to earlier W versions, it's still much higher than any of the Linux versions.
        dabble53
        • Can't be true

          A Windows troll couldn't possibly get it wrong!
          rahbm
        • You don't use your Linux boxes for much, huh?

          And how just is it that hundreds of Linux fans pack this forum every day to ridicule Windows?

          The truth is.

          IMO they don't.

          They've got more important things to do.

          This is corporate warfare, no doubt.

          No conspiracy.

          I would love to trace the IPs to prove my point.

          OK, OK... maybe 1% are legit.
          pcguy777
          • don't own a Windows box

            I've got Linux Mint on one box, Ubuntu 10.04 x64 on one box, Ubuntu 10.04 32-bit on another. Haven't had to reboot any of them for anything but a kernel update (happens more often for the two betas).
            tmsbrdrs
      • no reboot?

        It's Patch Tuesday, and I just had to reboot to get it all done..... and this happens EVERY Patch Tuesday. With Ubuntu I regularly update and it doesn't require a reboot unless a kernel update was pushed out....
        Mr. Byte
      • Not that good

        Only patches supplied by MS are applied.
        Dozens of third party applications don't get patched. It's up to you to figure out what you have installed & follow the individual apps' procedures for updates.

        One thing I love about Linux is that the update process applies to absolutely everything on the machine in one hit.
        AndyPagin
      • Windows 7 rarely reboots - compared to Ubuntu.

        Linux never has to be rebooted unless there is a kernel upgrade. In the future, when Linux kernels are run time hot pluggable, they won't need rebooting at all.

        Ubuntu has you reboot more often than is really necessary after updates. Quite often just restarting your X session, or a service, is all that is really required. But Ubuntu is designed to be friendly to everyone, so it doesn't do anything unusual after upgrades. It either reboots, or does nothing.

        If it reboots more often (it may), it's probably because upgrades to the OS occur almost on a daily basis.
        Tsingi
    • Btw, don't you have some apologizing to do over here:

      http://blogs.zdnet.com/security/?p=6123&tag=content;wrapper

      See, the poster child for open source, the Apache Foundation themselves, fell for a cross site scripting vulnerability.

      On Linux, no less.
      honeymonster
      • Wrong! Someone's browser fell for XSS and weak passwords did the rest

        You must pay more attention when reading.
        Great Kahuna
        • Last time i checked

          Cross Site Scripting (XSS) was a *server side vulnerability*.

          An Apache Foundation site (a JIRA installation) was vulnerable. And it was exploited.

          Browsers don't "fall for" XSS. XSS means that script is injected into the website (a vulnerability). After that, the browser cannot distinguish malicious script from legitimate.

          It was an *Apache* web site which was not only vulnerable but also had weak passwords.

          If you were less hell-bent on apologizing you would realize this.
          honeymonster
          • Please specify

            how the script injected into the site?

            (That was a rhetorical request; I know beforehand that you will not be able to satisfy it because your line of reasoning is completely wrong.)
            Great Kahuna
          • Ok

            I suggest you read up on XSS. For someone who comes on as strong as you do, it surprises me how little you actually know of these subjects.

            From Wikipedia (http://en.wikipedia.org/wiki/Cross-site_scripting), just read the first few lines:

            "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in *web applications* that enables malicious attackers to *inject client-side script into web pages* viewed by other users"

            JIRA is an incident tracking application. It allows users to report bugs. Hello? If it contains an XSS vulnerability, a user can report a bug with embedded, hidden script. Script injection. The attacker will merely have to wait for someone to view the bug report.

            A variant is when the web application displays fields from the URL unsanitized. The attacker will then create a (malicious) link to the JIRA site. The link has embedded (but obfuscated) script which is then executed in the context of the user's session when he follows the link. The link can be sent in an email to improve the chances that an admin will follow it. Or the link can be hosted on a fake blog/website in the hope that someone will follow it. Cross site scripting.
            honeymonster
          • You're funny man, honest, you are.

            For someone who searches so much you sure show a severe lack of reading comprehension.

            Now tell, in which language was the script written?

            Was it JavaScript, by any chance? Yes?????

            There you have it.
            Great Kahuna
          • I hope you will come back

            to this conversation in a year or two. Then you will realize how ignorant you were at this time. You simply refuse to educate yourself and just keep pushing the same completely false assumptions.

            I will try to explain this one last time. Please, *please* get in the game, ok?

            Yes, script XSS (script injections) are *JavaScript*.

            "Yes" you go, "see - JavaScript is a client side technology, ergo this must be a client side problem - a browser".

            yes, yes, YES. You got me there!

            In your dreams.

            You even go as far as to point fingers at IE.

            Let's try this again:

            JavaScript from a site can execute within the security context of pages and cookies from that site.

            JavaScript from a foreign site (malicious.cn) *can not* get at cookies for apache.org. All browsers block that.

            But if apache.org has a vulnerable application where it displays unsanitized fields from a database or from URL parameters, attackers can *inject* their own script into the app. The browser will execute that script in the context of apache.org.

            Bingo, the script can get at the cookies from apache.org. The session cookie will allow the attacker to hijack the user's session. All the script has to do is to inject an img tag into the current page which retrieves its image from malicious.cn/fakeimages.jpg?sessioncookie=XXXXXX

            Very simple. Now the attacker just sits and waits for requests to come in to fakeimages.jpg. The parameter is the session cookie. Run with that and you can hijack the poor user's session.
            honeymonster
          • So Apache and Linux are clean? Thanks for acknowledging that fact.

            Even though it took you too long to understand that, I'm glad that you finally made it.

            Congratulations!
            Great Kahuna
          • Clean? They were pwned, were they not? <nt>

            .
            honeymonster
          • Let me help you

            XSS was used to steal an admin's browser cookies, and once in possession of the admin's browser cookies the attacker had access to a login Java servlet on which it then initiated a dictionary attack and ended up guessing the correct password.

            No Apache or Linux vulnerability involved, only a weak browser and a weak password, that's all.
            Great Kahuna