
Microsoft Patch Tuesday - February 2010

Created: 09 Feb 2010 21:01:19 GMT • Updated: 23 Jan 2014 18:29:45 GMT
Robert Keith

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a busy month—the vendor is releasing 13 bulletins covering a total of 26 vulnerabilities.

Eight of the issues are rated “Critical” and affect SMB Server, SMB Client, Windows, and the Data Analyzer ActiveX control. An attacker could exploit the SMB Server issues remotely to gain complete control of an affected computer. To exploit the SMB Client issues, however, the attacker must first entice a victim into connecting to a malicious server.

The remaining issues, rated “Important” and “Moderate,” affect SMB Server, Windows, Windows Kernel, Office, PowerPoint, and Paint. Although the kernel issues are rated only “Important” by Microsoft, we consider them to be a high security risk because exploit code already exists for one of the issues.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the February releases can be found here:
http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx

The following is a breakdown of some of the more notable issues being addressed this month:

1. MS10-012 Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)

CVE-2010-0020 (BID 38049) Microsoft Windows SMB Pathname Remote Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.6/10)

A remote code-execution vulnerability affects the SMB server when it handles specially crafted SMB packets. An attacker can exploit this issue by sending malicious packets to an affected server. Because the SMB server runs in kernel mode (srv.sys), a successful exploit results in the execution of arbitrary attacker-supplied code with kernel privileges and complete control of the affected computer.

CVE-2010-0021 (BID 38054) Microsoft Windows SMB Memory Corruption Remote Denial of Service Vulnerability (MS Rating: Important / Symantec Urgency Rating 5.7/10)

A remote denial-of-service vulnerability affects SMB server when handling specially crafted SMB packets. An attacker can exploit this issue by sending malicious packets to an affected server. A successful exploit will cause the service and thereby the affected system to stop responding.

CVE-2010-0022 (BID 38051) Microsoft Windows SMB Null Pointer Remote Denial of Service Vulnerability (MS Rating: Important / Symantec Urgency Rating 5.7/10)

A remote denial-of-service vulnerability affects SMB server when handling specially crafted SMB packets. An attacker can exploit this issue by sending malicious packets to an affected server. A successful exploit will cause the affected computer to stop responding.

CVE-2010-0231 (BID 38085) Microsoft Windows SMB NTLM Authentication Unauthorized Access Vulnerability (MS Rating: Important / Symantec Urgency Rating 6.8/10)

An authentication bypass vulnerability affects the SMB server because it generates NTLM challenges from a source with too little entropy (Microsoft calls this the SMB NTLM Authentication Lack of Entropy Vulnerability), so the same challenge is re-issued far more often than a random 64-bit value would be. An attacker who has captured a legitimate user's challenge/response pair can open connections repeatedly until the server issues that same challenge again, then replay the captured response. A successful exploit gives the attacker the access of the previously authenticated user without knowledge of the password or its hash.
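The lack-of-entropy issue is easiest to see with a small model. The following Python is an added example, not code from this post or from Microsoft: it models the protocol class (a server that issues challenges, a client that answers with a keyed function of the challenge, an attacker who has sniffed one legitimate exchange) and runs the replay against a low-entropy generator and a CSPRNG-backed one. The 12-bit counter, the keyed-MD5 response function and the MD5 password hash are constructed stand-ins chosen so the replay completes quickly; they are not NTLM's actual algorithms, and the real flaw was far less severe than a 4096-value challenge space.

```python
import hashlib
import hmac
import os
import struct


def compute_response(password_hash: bytes, challenge: bytes) -> bytes:
    """Challenge-response function. Stand-in for the NTLM response computation
    (assumption: keyed MD5 over the challenge), keyed by the password hash."""
    return hmac.new(password_hash, challenge, hashlib.md5).digest()


class Server:
    """Model of an SMB server doing NTLM challenge-response authentication.
    Each negotiate() call represents a fresh client connection."""

    def __init__(self, password_hash: bytes, challenge_source):
        self._password_hash = password_hash
        self._next_challenge = challenge_source
        self._outstanding = None

    def negotiate(self) -> bytes:
        self._outstanding = self._next_challenge()
        return self._outstanding

    def authenticate(self, response: bytes) -> bool:
        if self._outstanding is None:
            return False
        expected = compute_response(self._password_hash, self._outstanding)
        self._outstanding = None
        return hmac.compare_digest(response, expected)


def weak_challenge_source():
    """Constructed low-entropy generator: the 8-byte challenge is derived from a
    12-bit counter, so only 4096 distinct challenges can ever be issued."""
    state = 0

    def next_challenge() -> bytes:
        nonlocal state
        state = (state + 1) & 0xFFF
        return struct.pack(">Q", state)

    return next_challenge


def strong_challenge_source():
    """Correct generator: 64 fresh bits from the OS CSPRNG per challenge."""
    return lambda: os.urandom(8)


def replay_attack(server, captured_challenge, captured_response, max_attempts=10000):
    """Attacker holds one sniffed (challenge, response) pair from a legitimate user.
    It opens connections until the server re-issues exactly that challenge, then
    replays the captured response. Returns the attempt number on success, else None."""
    for attempt in range(1, max_attempts + 1):
        challenge = server.negotiate()
        if challenge == captured_challenge and server.authenticate(captured_response):
            return attempt
    return None


def run_scenario(challenge_source_factory):
    """One legitimate authentication observed by the attacker, then the replay attempt."""
    password_hash = hashlib.md5(b"correct horse battery staple").digest()  # NT-hash stand-in
    server = Server(password_hash, challenge_source_factory())
    challenge = server.negotiate()
    response = compute_response(password_hash, challenge)
    assert server.authenticate(response)               # the real user logs in normally
    return replay_attack(server, challenge, response)  # attacker never learns the hash


if __name__ == "__main__":
    print("weak challenges: replay succeeds on attempt", run_scenario(weak_challenge_source))
    print("random challenges: replay result", run_scenario(strong_challenge_source))
```

With the counter-based generator the captured challenge comes back after exactly one full cycle (attempt 4096) and the stale response is accepted; with `os.urandom` the attacker would need on the order of 2^64 connections, so the 10,000-attempt budget returns `None`. The point to carry away is that challenge-response only protects against replay when the challenge is unpredictable and effectively never repeats within the lifetime of the credential.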

2. MS10-009 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)

CVE-2010-0239 (BID 38061) Microsoft Windows ICMPv6 Router Advertisement Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.2/10)

A remote code execution vulnerability affects the Windows TCP/IP stack when it processes specially crafted ICMPv6 Router Advertisement packets. An attacker can exploit this issue by sending malicious packets to an affected computer. Because router advertisements are link-local messages that routers do not forward, the attacker must be on the same network segment as the target, and only systems with IPv6 enabled are exposed. A successful exploit will result in the execution of arbitrary attacker-supplied code with SYSTEM-level privileges.

CVE-2010-0241 (BID 38063) Microsoft Windows ICMPv6 Route Information Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.2/10)

A remote code execution vulnerability affects the Windows TCP/IP stack when it processes specially crafted ICMPv6 Route Information options, which are carried in Router Advertisement packets and therefore subject to the same same-segment, IPv6-enabled constraint as the previous issue. An attacker can exploit this issue by sending malicious packets to an affected computer. A successful exploit will result in the execution of arbitrary attacker-supplied code with SYSTEM-level privileges.

3. MS10-007 Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)

CVE-2010-0027 (BID 37884) Microsoft Internet Explorer URI Validation Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.5/10)

A remote code execution vulnerability affects the ‘ShellExecute’ API function due to a failure to properly validate user-supplied input. An attacker can exploit this issue by tricking an unsuspecting victim into following a malicious URI. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

4. MS10-013 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)

CVE-2010-0250 (BID 38112) Microsoft DirectX DirectShow AVI File Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Microsoft DirectShow when handling specially crafted AVI media files. An attacker can exploit this issue by tricking an unsuspecting user into opening a malicious file or into viewing malicious streaming content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

5. MS10-006 Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)

CVE-2010-0016 (BID 38093) Microsoft Windows SMB Client Pool Corruption Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.8/10)

A remote code execution vulnerability affects SMB when handling specially crafted responses from a malicious server. An attacker must trick an unsuspecting victim into initiating a connection to a malicious SMB server to exploit this issue. A successful exploit will result in the execution of arbitrary attacker-supplied code with SYSTEM-level privileges.

CVE-2010-0017 (BID 38100) Microsoft Windows SMB Client Race Condition Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.8/10)

A remote code execution vulnerability affects SMB when handling specially crafted Negotiate responses from a malicious server. An attacker must trick an unsuspecting victim into initiating a connection to a malicious SMB server to exploit this issue. A successful exploit will result in the execution of arbitrary attacker-supplied code with SYSTEM-level privileges.
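Both SMB Client issues (and the summary at the top of this post) hinge on a victim machine initiating an SMB connection to a server the attacker controls, which in practice means an internal host connecting to port 445 or 139 on an external address. The following Python is an added detection example, not code from this post or from Symantec: it scans perimeter firewall log lines for allowed outbound SMB connections from internal hosts to external destinations, which is both a compromise indicator for this vulnerability class and a check that the "block at the perimeter" best practice is actually in force. The log line format, the RFC 1918 definition of "internal", and the sample log itself are constructed assumptions for the example.

```python
import ipaddress

# Internal address space assumed for this example (RFC 1918; adjust to your environment).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
SMB_PORTS = {139, 445}

# Constructed sample perimeter firewall log (not real traffic). Assumed field order:
# timestamp src dst proto dport action. External hosts use documentation address ranges.
SAMPLE_LOG = """\
2010-02-10T09:12:01Z 10.1.4.22 10.1.9.5 tcp 445 allow
2010-02-10T09:12:07Z 10.1.4.22 198.51.100.17 tcp 445 allow
2010-02-10T09:12:09Z 10.1.4.31 203.0.113.9 tcp 139 allow
2010-02-10T09:12:11Z 10.1.4.22 192.0.2.44 tcp 80 allow
2010-02-10T09:12:15Z 10.1.4.31 203.0.113.9 tcp 445 deny
2010-02-10T09:12:20Z 198.51.100.17 10.1.4.22 tcp 445 deny
"""


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the configured internal networks.
    Explicit networks are used rather than ipaddress' is_private, which also
    classifies the documentation ranges used above as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one log line into a dict; returns None for blank or malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, dst, proto, dport, action = fields
    try:
        return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
                "dport": int(dport), "action": action.lower()}
    except ValueError:
        return None


def find_outbound_smb(log_text: str):
    """Return (timestamp, src, dst, dport) for every *allowed* TCP connection from an
    internal host to an SMB port on an external host. Internal-to-internal SMB is
    ordinary file sharing, and denied attempts were already stopped at the perimeter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"] == "tcp" and rec["dport"] in SMB_PORTS
                and rec["action"] == "allow"
                and is_internal(rec["src"]) and not is_internal(rec["dst"])):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return hits


def hosts_reaching_external_smb(log_text: str):
    """Distinct internal hosts that completed an outbound SMB connection: the machines
    to verify for the SMB Client patch and to triage for what they opened."""
    return sorted({src for _, src, _, _ in find_outbound_smb(log_text)})


if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOG):
        print("outbound SMB to external host:", hit)
    print("hosts to triage:", hosts_reaching_external_smb(SAMPLE_LOG))
```

On the sample log only the two allowed connections to external SMB ports are reported; the internal file-share access, the HTTP connection, the denied attempts and the inbound probe are ignored. Any hit at all means the perimeter is not enforcing the egress block the best-practices list above calls for.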

6. MS10-008 Cumulative Security Update of ActiveX Kill Bits (978262)

CVE-2010-0252 (BID 38045) Microsoft Data Analyzer 'max3activex.dll' ActiveX Control Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects the Data Analyzer ActiveX control. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

7. MS10-015 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)

CVE-2010-0232 (BID 37864) Microsoft Windows #GP Trap Handler Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency Rating 8/10)

A local privilege escalation vulnerability affects the Windows kernel's #GP (general protection fault) trap handler, which mishandles exceptions raised from 16-bit code running under the Virtual DOS Machine (NTVDM) subsystem on 32-bit versions of Windows; 64-bit versions, which have no NTVDM, are not affected. Details and a working exploit were published on January 19, 2010, before a patch was available. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. A successful exploit may aid in the complete compromise of an affected computer; until the patch is applied, disabling the NTVDM subsystem is the documented workaround.

CVE-2010-0233 (BID 38044) Microsoft Windows Double Free Memory Corruption Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency Rating 6.6/10)

A local privilege escalation vulnerability affects the Windows kernel due to a double-free error. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. A successful exploit may aid in the complete compromise of an affected computer.

More information on these and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.