SECURE IT ALERT: A Plethora of Microsoft Vulnerabilities Patched! #MS #IIS #Windows #Office #Microsoft

Homeland Secure IT Alert for Wednesday, September 15, 2010

Yesterday’s “Patch Tuesday” was an exciting one… It included patches across the board for all Microsoft Windows operating systems, Microsoft Office and IIS (web server).

The most critical in my opinion is IIS, as it often sits on your server, providing Outlook Web Access or other data, and is accessible to the outside world. So, in addition to applying updates to the workstations, please pay attention to your servers too…

If you read the bulletins you will see that the majority of the exploits have involved coaxing someone to open an email or website with a malicious payload. Cut your exposure dramatically by NOT following random links and keeping your systems patched, in addition to keeping current and quality Anti-Virus products on all systems in your network. We recommend, support and sell Trend Micro Internet Security and Worry-Free Business Security products.

I have included security alerts from our friends at Watchguard, makers of outstanding firewalls and security appliances…

Microsoft Office Update Plugs Critical Outlook Hole

Severity: High

14 September, 2010

Summary:

  • These vulnerabilities affect: The versions of Outlook that ship with Microsoft Office 2002, 2003, and 2007
  • How an attacker exploits them: By enticing your users into opening or previewing a maliciously crafted email message
  • Impact: The attacker can execute code, potentially gaining complete control of your Windows computers
  • What to do: Install the appropriate Office patches immediately, or let Windows Automatic Update do it for you.

Exposure:

As part of today’s Patch Day, Microsoft released an Office security bulletin describing a critical buffer overflow vulnerability that affects the versions of Outlook that ship with Microsoft Office 2002, 2003, and 2007. Specifically, Outlook suffers from a heap buffer overflow vulnerability due to its inability to handle specially crafted email. If an attacker can get one of your Outlook users to open or preview a malicious email message, she can execute code on that user’s computer with that user’s privileges. If your users have local administrator privileges, as most Windows users do, the attacker can leverage this flaw to gain complete control of your users’ computers.

Luckily, one factor significantly mitigates the risk of this serious vulnerability for Outlook 2003 and 2007 clients. Specifically, this flaw only affects Outlook clients that connect to an Exchange server in Online Mode. It does not affect Outlook clients that connect to an Exchange server in Cached Exchange Mode. By default, Outlook 2003 and 2007 clients connect to Exchange servers with the unaffected Cached Exchange Mode. However, Outlook 2002 clients don’t support Cached Exchange Mode, and thus suffer the greatest risk from this flaw.

We recommend you upgrade all your Outlook clients as soon as possible to avoid this serious vulnerability. Furthermore, if you have Outlook 2002 clients, update them immediately.

Solution Path:

Microsoft has released patches that correct this serious Outlook flaw. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

Outlook Update for:

For All WatchGuard Users:

Attackers can exploit this flaw with seemingly normal email messages. The patches above are your best solution. Theoretically, WatchGuard’s incoming SMTP proxy might be able to help prevent emails that target this vulnerability. However, neither Microsoft, nor any third party researcher, have disclosed specifically how an attacker would have to craft an email in order to trigger this flaw. Without this information, we can’t say for sure whether or not our proxy might help. However, if we do learn such details, we will update this alert.

Status:

Microsoft has released patches correcting this issue.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Seven Windows Updates for an Equal Number of Vulnerabilities

Bulletins Affect Print Spooler, MPEG-4 Codec, RPC, and More

Severity: High

14 September, 2010

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (one flaw also affects Office to some extent)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, or enticing your users to open malicious media or documents
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released seven security bulletins describing seven vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-061: Print Spooler Code Execution Vulnerability

The print spooler is a Windows service that manages printing. According to Microsoft, the print spooler does not adequately validate whether a remote user has adequate permissions to send it print jobs. By sending a specially crafted print request, an attacker can exploit this print spooler vulnerability to save a malicious file on your computer. Windows automatically executes files saved to certain locations. By placing a malicious executable in the right place, the attacker could exploit this flaw to gain complete control of your Windows machine. However, only computers with shared printers are vulnerable to this issue. Furthermore, most administrators do not allow the traffic necessary for print sharing (UDP and TCP ports 135, 137, 138, 445, and TCP port 593) through their firewall. So this flaw primarily poses an internal threat.
Microsoft rating: Critical.

  • MS10-062: MPEG-4 Codec Code Execution Vulnerability

MPEG Layer-4 is an audio and video encoding format used to compress media for playback on digital devices, like computers. Windows ships with a special codec used to decode and play back MPEG-4 within music files or videos. Windows’ MPEG-4 codec suffers from an unspecified code execution vulnerability, involving its inability to handle specially crafted media files. By luring one of your users into downloading and playing a specially crafted media file, perhaps embedded on a website, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Critical.

  • MS10-063: Unicode Script Processor Memory Corruption Vulnerability

According to Microsoft, the Unicode Script Processor (USP10.DLL) is a collection of APIs that enables a text layout client to format complex scripts. Unfortunately, it suffers from a memory corruption vulnerability involving the way it handles specially crafted documents containing OpenType fonts. By enticing one of your users to download a malicious document, and then open it within an application that uses the Unicode Script Processor APIs, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC. Keep in mind, third-party, non-Microsoft applications can also use the Unicode Script Processor. Note: Unicode Script Processor also ships with Office, so you will have to patch Office as well.
Microsoft rating: Critical.

  • MS10-066: RPC Memory Corruption Vulnerability

Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to allow one computer on a network to execute a task on another computer and then receive the results of that task. The Windows RPC client suffers from an unspecified memory corruption vulnerability involving its inability to handle specially crafted RPC requests. By sending a specially crafted response to an RPC request, an attacker could exploit this vulnerability to gain complete control of your Windows machines. That said, the attacker would have to find a way to lure the victim into making an RPC request to his malicious computer in the first place. Furthermore, most administrators do not allow RPC traffic through their firewall. Therefore, this flaw primarily poses an internal threat. Finally, this flaw only affects XP and Server 2003.
Microsoft rating: Important.

  • MS10-067: Wordpad Text Converter Memory Corruption Vulnerability

Wordpad is a very basic word processing program and text editor that ships with Windows. It also includes some text converter components that allow you to open various Word documents, even if you do not have Office or Word. Unfortunately, the Wordpad text converter suffers from an unspecified memory corruption vulnerability involving its inability to handle specially crafted Word 97 documents. By luring one of your users into downloading a malicious document, and opening it in Wordpad, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC. This flaw only affects XP and Server 2003.
Microsoft rating: Important.

  • MS10-068: LSASS Buffer Overflow Vulnerability

The Local Security Authority Subsystem Service (LSASS) is a Windows component that handles security policy and authentication tasks for Windows. LSASS suffers from a heap buffer overflow vulnerability caused when handling specially malformed LDAP messages. By sending a maliciously crafted LDAP message, an authenticated attacker could exploit this flaw to elevate his privileges, and gain complete control of your computer. Of course, the attacker would need valid credentials and access to your Active Directory server in order to exploit this vulnerability. It primarily poses an internal threat.
Microsoft rating: Important.

  • MS10-069: CSRSS Local Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It does not properly allocate memory when handling specific user transactions on Windows systems configured with Chinese, Japanese, or Korean system locales. By running a specially crafted program, an authenticated attacker could leverage this flaw to elevate privileges, gaining complete control of a Windows computer. However, the attacker would first need to gain local access to a Windows computer using valid credentials (Guest access would work) in order to exploit this flaw. Furthermore, this flaw only affects Windows systems with Chinese, Japanese, and Korean system locales installed. It also only affects XP and Server 2003.
Microsoft rating: Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-061:

MS10-062:

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

MS10-063:

MS10-066:

Note: Other versions of Windows are not affected.

MS10-067:

Note: Other versions of Windows are not affected.

MS10-068:

MS10-069:

Note: Other versions of Windows are not affected.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. In fact, by default your Firebox will prevent most of the Microsoft flaws that require network access – specifically, the SMB-related vulnerabilities. You can also configure your Firebox to block the file types necessary to carry out some of these attacks (.DOC, .MP4 files, etc…). That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Three IIS Flaws Allow Authentication Bypass, DoS, or Code Execution

Severity: Medium

14 September, 2010

Summary:

  • This vulnerability affects: IIS 5.1, 6.0, 7.0 and 7.5
  • How an attacker exploits it: By sending specially crafted HTTP requests or URLs
  • Impact: In the worst case, an attacker can gain complete control of your IIS server
  • What to do: Install Microsoft’s IIS update immediately, or let Windows Update do it for you

Exposure:

Microsoft’s Internet Information Services (IIS) is one of the most popular web servers used on the Internet. All server versions of Windows come with IIS, though some of its services may not start by default.

In a security bulletin released as part of Patch Day, Microsoft describes three vulnerabilities affecting IIS. The worst is a buffer overflow vulnerability involving the way IIS handles FastCGI-enabled requests. By sending your IIS server a specially crafted HTTP request, an attacker could exploit this vulnerability to gain complete control of your IIS server. This flaw sounds quite bad; however, a key mitigating factor limits its severity. FastCGI is not enabled by default on IIS servers. You are only vulnerable to this flaw if you’ve specifically enabled it.

The two remaining flaws include a Denial of Service flaw that an attacker could leverage to crash your IIS server and an authentication bypass vulnerability that attackers could leverage to gain access to web resources that require authentication.

Though Microsoft only rates these flaws as Important, we recommend IIS administrators download, test and install the IIS update immediately.

Solution Path:

Microsoft has released IIS updates to fix this vulnerability. IIS administrators should download, test and deploy the corresponding update as soon as possible, or let Windows Update do it for you:

For All WatchGuard Users:

WatchGuard’s HTTP-Server proxy action allows you to control many aspects pertaining to the HTTP requests you accept to your web server. In some cases, this control can allow you to configure your proxies in ways that prevent certain types of attacks from succeeding. However, neither Microsoft, nor this flaw’s original discoverer, have disclosed enough technical detail about this flaw for us to say whether or not our proxy can help. If we do learn technical details that suggest our proxies do help, we’ll update this alert. However for now, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct this vulnerability.

References:

  • Microsoft Security Bulletin MS10-65

This alert was researched and written by Corey Nachreiner, CISSP.
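
The IIS alert above says a server is exposed to the FastCGI buffer overflow only where FastCGI has been specifically enabled. As an added example (not part of the WatchGuard alert or Microsoft's bulletin), this Python script lists the FastCGI indicators in an IIS 7.0/7.5 applicationHost.config; the sample config, its paths and site name, and the function name audit_fastcgi are constructed for illustration, and IIS 5.1 and 6.0 do not use this file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an IIS 7.x applicationHost.config;
# the paths, site name and handler name are invented for this example.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules><add name="FastCgiModule" /></globalModules>
    <fastCgi>
      <application fullPath="C:\PHP\php-cgi.exe" />
    </fastCgi>
    <handlers>
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" />
    </handlers>
  </system.webServer>
  <location path="Default Web Site/shop">
    <system.webServer>
      <handlers>
        <add name="PHP_via_FastCGI" path="*.php" verb="*"
             modules="FastCgiModule" scriptProcessor="C:\PHP\php-cgi.exe" />
      </handlers>
    </system.webServer>
  </location>
</configuration>"""


def audit_fastcgi(config_xml):
    """Collect the FastCGI indicators present in an applicationHost.config."""
    root = ET.fromstring(config_xml)
    registered = any(add.get("name") == "FastCgiModule"
                     for gm in root.iter("globalModules")
                     for add in gm.findall("add"))
    # <application> also appears under <sites>, so only look inside <fastCgi>.
    pools = [app.get("fullPath", "")
             for fc in root.iter("fastCgi") for app in fc.findall("application")]
    mappings = []
    # Handlers sit at the top level or inside <location path="..."> blocks.
    for scope in [root] + root.findall("location"):
        where = scope.get("path") or "(server-wide)"
        for add in scope.findall("system.webServer/handlers/add"):
            modules = [m.strip() for m in add.get("modules", "").split(",")]
            if "FastCgiModule" in modules:
                mappings.append((where, add.get("path"), add.get("scriptProcessor")))
    return {"module_registered": registered, "pools": pools, "mappings": mappings,
            "review": registered or bool(pools) or bool(mappings)}


if __name__ == "__main__":
    print(audit_fastcgi(SAMPLE_CONFIG))
```

To audit a real server, pass in the text of a copy of `%windir%\System32\inetsrv\config\applicationHost.config`; site-level web.config files can add handler mappings too and are not read here.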

WHEW! That was a ton of information! Are you still with me? Are your eyes glazed over yet?

As always, if you have questions or require assistance with these patches or any others, please call us at 864.990.4748 or email info@homelandsecureit.com. Please inquire about our Watchguard line of network security products!
