Microsoft today released 13 security bulletins with fixes for 26 vulnerabilities affecting Windows and Office users and warned customers to pay special attention to a slew of flaws that can be trivially exploited by malware miscreants.
The company urged customers to prioritize and deploy four updates because of the “critical” severity rating and the fact that “consistent exploit code” is likely within the next 30 days.
Here’s the skinny on the three updates that should be applied immediately:
- MS10-013: Addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince the a user to open it.
- MS10-006: This is also rated Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.
- MS10-007: Fixes a Critical vulnerability in Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. The attack vector is through a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly exposed but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install it as soon as possible.
A fourth bulletin — MS10-008 — includes ActiveX Kill Bits for Internet Explorer and should also be treated with the utmost priority because it exposes surfers to malicious code execution attacks.
Eleven of 13 bulletins affect the Windows operating system while two affect older versions of Microsoft Office.
This chart from Microsoft’s Security Research & Defense Blog provides useful information to help assess the risks associated with these vulnerabilities:
Bulletin |
Most likely attack vector |
Max Bulletin Severity |
Max Exploit- ability Index |
Likely first 30 days impact |
Platform mitigations |
(Quartz) |
Victim opens malicious AVI or WAV file. |
Critical |
1 |
Likely to see working exploit in next 30 days. |
|
(ShellExecute) |
Attacker hosts a malicious webpage, lures victim to it. |
Critical |
1 |
Likely to see exploit code released resulting in binary on WebDAV share being executed.
For more detail, see this SRD blog post. |
|
(SMB Client) |
Locally logged-in attacker with low privilege runs a malicious executable to elevate to high privilege. |
Critical |
1 |
Likely to see
For more detail, see this SRD blog post. |
|
(ActiveX kill-bits) |
Attackers host a malicious webpage, lures victim to it |
Critical |
2 |
Likely to see working exploit for vulnerabilities in third party ActiveX controls. |
|
(SMB Server) |
Attacker sends network-based malicious connection to remote Windows machine via SMB. |
Important |
1 |
Likely to see working proof-of-concept in next 30 days for CVE-2010-0231 resulting in attacker
Less
For more detail, see this SRD blog post. |
|
(Kernel) |
Attacker already able to execute code as low-privileged user escalates privileges. |
Important |
1 |
Proof of concept code already widely available. No active attacks. |
|
(CSRSS) |
Attacker |
Important |
1 |
Likely to see |
|
(TCP/IP) |
Attacker sends network-based attack against system on local subnet. |
Critical |
2 |
May see denial-of-service proof-of-concept |
/GS effective mitigation for CVE’s: CVE-2010-0239 CVE-2010-0240 CVE-2010-0241.
CVE-2010-0242 is denial of service only. |
(Excel) |
Attack sends malicious .xls file to victim who opens it with Office XP or lower. (Office 2003, 2007 not affected.) |
Important |
1 |
Likely to see working exploit file effective on Office XP in first 30 days. |
Office 2003 and Office 2007 not affected. |
(PowerPoint) |
Attacks malicious .ppt file to victim who opens it with Powerpoint Viewer 2003. |
Important |
1 |
Likely to see working exploit file effective
Less likely to see working exploit for other PowerPoint vulnerabilities. |
|
(Hyper-V) |
Attacker running code on virtual machine crashes host OS. |
Important |
3 |
Unlikely to see working exploit code in next 30 days. |
|
(Kerberos) |
Attacker potentially able to cause denial of service via |
Important |
3 |
Unlikely to see public exploit code |
|
(GDI+) |
Attacker sends malicious JPEG to victim. Victim saves JPG, launches mspaint, and then file->opens the malicious JPEG |
Moderate |
1 |
Likely to see exploit code developed. Unlikely to have broad impact as mspaint is not registered file association for JPEG. |
Microsoft also updated the malicious software removal tool to add detections for the Win32/Pushbot malware family.