Patch Tuesday: Microsoft Kills Pwn2Own Browser Bug

The Microsoft Patch Tuesday train rolled into town today, dropping off a massive 10 security bulletins with fixes for at least 34 documented vulnerabilities. Three of the bulletins are rated “critical” because of the risk of remote code execution attacks.  Affected products include the Windows operating system, Microsoft Office, the Internet Explorer browser and Internet Information Services (IIS).

This month’s patch batch also provides cover for a known cross-site scripting flaw in the Microsoft SharePoint Server and a publicly discussed data leakage hole in Internet Explorer.

Microsoft is urging its users to pay special attention to MS10-033 (Windows), MS10-034 (ActiveX killbits) and MS10-035 (Internet Explorer), because these contain fixes for issues that attackers are likely to exploit very soon.

Here’s the skinny on these three bulletins:

  • MS10-033 — This security update resolves two privately reported vulnerabilities
    in Microsoft Windows. These vulnerabilities could allow remote code
    execution if a user opens a specially crafted media file or receives
    specially crafted streaming content from a Web site or any application
    that delivers Web content. This is rated Critical for Quartz.dll
    (DirectShow) on Microsoft Windows 2000, Windows XP, Windows Server 2003,
    Windows Vista, and Windows Server 2008; Critical for Windows Media
    Format Runtime on Microsoft Windows 2000, Windows XP, and Windows Server
    2003; Critical for Asycfilt.dll (COM component) on Microsoft Windows
    2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server
    2008, Windows 7, and Windows Server 2008 R2; and Important for Windows
    Media Encoder 9 x86 and x64 on Microsoft Windows 2000, Windows XP,
    Windows Server 2003, Windows Vista, and Windows Server 2008.
  • MS10-034 — This security update addresses two privately reported vulnerabilities
    for Microsoft software. This security update is rated Critical for all
    supported editions of Microsoft Windows 2000, Windows XP, Windows Vista,
    and Windows 7, and Moderate for all supported editions of Windows
    Server 2003, Windows Server 2008, and Windows Server 2008 R2. The vulnerabilities could allow remote code
    execution if a user views a specially crafted Web page that instantiates
    a specific ActiveX control with Internet Explorer. It also includes kill bits for four third-party ActiveX controls.
  • MS10-035 — Fixes five privately reported vulnerabilities and one publicly
    disclosed vulnerability in Internet Explorer. The most severe
    vulnerabilities could allow remote code execution if a user views a
    specially crafted Web page using Internet Explorer. Users whose accounts
    are configured to have fewer user rights on the system could be less
    impacted than users who operate with administrative user rights. This
    security update is rated Critical for Internet Explorer 6 Service Pack 1
    on Microsoft Windows 2000 Service Pack 4; Critical for Internet
    Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows
    clients; and Moderate for Internet Explorer 6, Internet Explorer 7, and
    Internet Explorer 8 on Windows servers.

Qualys CTO Wolfgang Kandek noticed that four of the 10 bulletins address zero-day issues, the most significant being MS10-035, which fixes the zero-day published by Core Security for an information disclosure vulnerability originally published in February 2010. It also fixes the Pwn2Own vulnerability that security researcher Peter Vreugdenhil used to win ZDI’s competition at CanSecWest. During that contest, Vreugdenhil bypassed all built-in protections such as DEP and ASLR by combining multiple attack methods.

The MS10-040 bulletin is also interesting. It covers a remotely exploitable vulnerability in all versions of IIS, but the flaw is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. Exploitation further requires an account on the system, which reduces the number of vulnerable hosts to a small subset. Microsoft rates this an “important” update.
