Microsoft Patch Tuesday - September 2010

Created: 14 Sep 2010 19:43:49 GMT • Updated: 23 Jan 2014 18:25:10 GMT
Robert Keith

Hello and welcome to this month’s blog on the Microsoft patch releases. This is an average-sized month for releases: the vendor is releasing nine bulletins covering a total of 11 vulnerabilities.

Four of the issues are rated “Critical” and affect Windows, Office, and Outlook. Of particular note is the issue in the Windows Print Spooler service. That issue is currently being exploited by the Stuxnet malware and can be exploited remotely to completely compromise an affected computer. The remaining issues, rated “Important”, affect Windows, WordPad, and Internet Information Services (IIS).

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the September releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx

The following is a breakdown of the issues being addressed this month:

1. MS10-061 Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)

CVE-2010-2729 (BID 43073) Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 9.6/10)

A remote code-execution vulnerability affects the Windows Print Spooler because it does not properly restrict where a user can print to a file. An attacker can exploit this issue by sending a specially crafted print request to a vulnerable server over RPC. The service will fail to properly restrict access and allow the file to be saved in an attacker-specified location. This may facilitate a complete compromise of an affected computer.

2. MS10-062 Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558)

CVE-2010-0818 (BID 43039) Microsoft MPEG-4 Codec Media File Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects the MPEG-4 codec when handling certain supported media files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file or viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

3. MS10-063 Vulnerability in Unicode Scripts Processor Could Lead to Remote Code Execution (2320113)

CVE-2010-2738 (BID 43068) Microsoft Windows and Office Uniscribe Font Parsing Engine Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Windows and Office when handling embedded OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into opening a file or viewing a web page containing malformed fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

4. MS10-064 Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011)

CVE-2010-2728 (BID 43063) Microsoft Outlook 'Online Mode' Remote Heap Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Outlook when connected to an Exchange server in ‘Online’ mode. An attacker can exploit this issue by sending a specially crafted email message to an unsuspecting victim. When the victim opens or previews the message, the attacker-supplied code will run. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

5. MS10-065 Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)

CVE-2010-1899 (BID 43140) Microsoft IIS Repeated Parameter Request Denial of Service Vulnerability (MS Rating: Important / Symantec Rating: 5.7/10)

A remote denial-of-service vulnerability affects Internet Information Services (IIS) due to excessive recursion when handling malformed requests. An attacker can exploit this issue to cause the affected server to become unresponsive, effectively denying service to legitimate users.

CVE-2010-2730 (BID 43138) Microsoft IIS Request Header Buffer Overflow Vulnerability (MS Rating: Important / Symantec Rating: 6.8/10)

A remote code-execution vulnerability affects Internet Information Services (IIS) when handling FastCGI requests. An attacker can exploit this issue by sending a specially crafted HTTP request to an affected server with FastCGI enabled. A successful exploit will result in the execution of arbitrary attacker-supplied code with the privileges of the vulnerable application.

CVE-2010-2731 (BID 41314) Microsoft IIS 5.1 Alternate Data Stream Authentication Bypass Vulnerability (MS Rating: Important / Symantec Rating: 6.5/10)

An authentication-bypass vulnerability affects Internet Information Services (IIS) because it fails to properly restrict access to certain directories. An attacker can exploit this issue by sending a specially crafted request to an affected server to bypass authentication and execute scripts in a protected directory.

6. MS10-066 Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (982802)

CVE-2010-2567 (BID 43119) Microsoft Windows RPC Memory Allocation Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.8/10)

A remote code-execution vulnerability affects the Remote Procedure Call (RPC) client interface when handling a malformed RPC response. An attacker can exploit this issue by tricking an unsuspecting victim into initiating a connection to a malicious RPC server. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the client application.

7. MS10-067 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922)

CVE-2010-2563 (BID 43122) Microsoft WordPad Text Converter Word 97 File Parsing Memory Corruption Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects WordPad when handling a Word 97 file containing certain malformed fields. An attacker can exploit this issue by tricking an unsuspecting victim into opening a specially crafted file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

8. MS10-068 Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539)

CVE-2010-0820 (BID 43037) Microsoft LSASS ADAM/ADLDS Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 7.6/10)

A remote privilege-escalation vulnerability affects the Local Security Authority Subsystem Service (LSASS) when handling certain malformed Lightweight Directory Access Protocol (LDAP) messages. An authenticated attacker can exploit this issue by sending a specially crafted LDAP message to an affected server. A successful exploit will result in the complete compromise of the affected computer.

9. MS10-069 Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546)

CVE-2010-1891 (BID 43121) Microsoft Windows CSRSS Memory Allocation Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 5.9/10)

A local privilege-escalation vulnerability affects Windows Client/Server Runtime Subsystem (CSRSS) when dealing with certain user transactions on systems configured with a Korean, Chinese, or Japanese system locale. A local attacker can exploit this issue to execute arbitrary code with local-system privileges. This will facilitate a complete compromise of an affected computer.

============================================================

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.