Patch Tuesday: Microsoft plugs critical Windows worm holes
The company urged customers to prioritize and deploy four updates because of the "critical" severity rating and the fact that "consistent exploit code" is likely within the next 30 days.
Here's the skinny on the three updates that should be applied immediately:
- MS10-013: Addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince the a user to open it.
- MS10-006: This is also rated Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.
- MS10-007: Fixes a Critical vulnerability in Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. The attack vector is through a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly exposed but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install it as soon as possible.
A fourth bulletin -- MS10-008 -- includes ActiveX Kill Bits for Internet Explorer and should also be treated with the utmost priority because it exposes surfers to malicious code execution attacks.
Eleven of 13 bulletins affect the Windows operating system while two affect older versions of Microsoft Office.
This chart from Microsoft's Security Research & Defense Blog provides useful information to help assess the risks associated with these vulnerabilities:
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploit- ability Index | Likely first 30 days impact | Platform mitigations |
| (Quartz) | Victim opens malicious AVI or WAV file. | Critical | 1 | Likely to see working exploit in next 30 days. | |
| (ShellExecute) | Attacker hosts a malicious webpage, lures victim to it. | Critical | 1 | Likely to see exploit code released resulting in binary on WebDAV share being executed. For more detail, see this SRD blog post. | |
| (SMB Client) | Locally logged-in attacker with low privilege runs a malicious executable to elevate to high privilege. | Critical | 1 | Likely to see working exploit code for local attacker escalation. For more detail, see this SRD blog post. | |
| (ActiveX kill-bits) | Attackers host a malicious webpage, lures victim to it | Critical | 2 | Likely to see working exploit for vulnerabilities in third party ActiveX controls. | |
| (SMB Server) | Attacker sends network-based malicious connection to remote Windows machine via SMB. | Important | 1 | Likely to see working proof-of-concept in next 30 days for CVE-2010-0231 resulting in attacker luring remote victim user to open file on attacker server and initiating a connection back to machine where remote victim is logged on. Less likely to see working exploit code for the authenticated code execution vulnerability (CVE-2010-0020) or unauthenticated denial-of-service vulnerabilities (CVE-2010-0021 and 0022) For more detail, see this SRD blog post. | |
| (Kernel) | Attacker already able to execute code as low-privileged user escalates privileges. | Important | 1 | Proof of concept code already widely available. No active attacks. | |
| (CSRSS) | Attacker who logs onto console of system where victim later logs onto console of same system can potentially run code with victim’s identity. | Important | 1 | Likely to see proof-of-concept code published for this vulnerability. However, unlikely to see wide-spread exploitation due to extensive user interaction required. | |
| (TCP/IP) | Attacker sends network-based attack against system on local subnet. | Critical | 2 | May see denial-of-service proof-of-concept code published leveraging CVE-2010-0239 or CVE-2010-0241. Attackers are less likely to discover real-world attack surface in next 30 days for CVE-2010-0240. | /GS effective mitigation for CVE’s: CVE-2010-0239 CVE-2010-0240 |
CVE-2010-0241.
CVE-2010-0242 is denial of service only.
(Excel)
Attack sends malicious .xls file to victim who opens it with Office XP or lower. (Office 2003, 2007 not affected.)
Important
1
Likely to see working exploit file effective on Office XP in first 30 days.
Office 2003 and Office 2007 not affected.
(PowerPoint)
Attacks malicious .ppt file to victim who opens it with Powerpoint Viewer 2003.
Important
1
Likely to see working exploit file effective on PowerPoint Viewer 2003. However, PowerPoint Viewer 2003 was replaced online by PowerPoint Viewer 2007. Only victims who use
PowerPoint Viewer 2003 from Office 2003 install disk would be vulnerable to the PowerPoint Viewer vulnerabilities.
Less likely to see working exploit for other PowerPoint vulnerabilities.
(Hyper-V)
Attacker running code on virtual machine crashes host OS.
Important
3
Unlikely to see working exploit code in next 30 days.
(Kerberos)
Attacker potentially able to cause denial of service via Kerberos traffic if victim server configured with trust relationship to MIT Kerberos realm.
Important
3
Unlikely to see public exploit code in next 30 days.
(GDI+)
Attacker sends malicious JPEG to victim. Victim saves JPG, launches mspaint, and then file->opens the malicious JPEG
Moderate
1
Likely to see exploit code developed. Unlikely to have broad impact as mspaint is not registered file association for JPEG.
Microsoft also updated the malicious software removal tool to add detections for the Win32/Pushbot malware family.