Patch Tuesday Gives Birth to "Zombie Wednesday"
The Tenable research team spent the night writing 14 new plugins to check for the latest round of Microsoft patches. While many will have to schedule patch installations, those who run with full automatic updates enabled are theoretically all patched by now. However, it doesn't hurt to check with a quick Nessus patch audit.
Microsoft is in Love With the Word "Could"
There are several terms used by Microsoft throughout their advisories that spread uncertainty about the risk of the vulnerabilities presented. The excessive use of the word "could" is one such example. In the MS10-002 bulletin Microsoft states:
"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
I "could" also win the lottery, inherit millions of dollars and walk on water. In the case of this exploit, "could" is an exceptionally bad word choice, as there are several example videos showcasing the exploit in action using open-source software. The other issue with the above statement is the obligatory "users with less rights on the system will be less impacted". Someone should tell the Microsoft PR team that there are two privilege escalation exploits on the list this month, and one has been widely publicized for almost a month. On that note, let's take a closer look at the 14 bulletins and 26 vulnerabilities that were patched this month.
Patch Tuesday Breakdown and Thoughts
What follows is a breakdown of the patches that have been released by Microsoft in the latest "Patch Tuesday" set and their associated Nessus plugins:
- MS10-002 - Nessus Plugin ID 44110 (Credentialed Check) - Fixes eight separate vulnerabilities associated with all versions of Internet Explorer. One of these vulnerabilities involves an XSS flaw in the XSS protection of Internet Explorer version 8. How's that for irony? This bulletin also includes a patch for the so-called "Aurora" exploit, thought to be used by Chinese attackers to compromise systems at Google, Adobe and several other large companies.
- MS10-003 - Nessus Plugin ID 44413 (Credentialed Check) - A vulnerability in MS Office XP and MS Office 2004 for Mac allows attackers to exploit buffer overflow conditions in "MSO.DLL" to gain remote code execution. At this time, there is no Nessus plugin that covers MS Office 2004 for Mac OS X.
- MS10-004 - Nessus Plugin ID 44414 (Credentialed Check) - There are several overflow vulnerabilities in PowerPoint for both MS Office XP and Office 2004 for Mac OS X. If you are running OS X, it sounds like it's time to upgrade to Office 2008 for Mac.
- MS10-005 - Nessus Plugin ID 44415 (Credentialed Check) - Using MS Paint to open "specially crafted" JPEG files allows remote attackers to gain remote code execution. Fortunately the default behavior makes this a little tricky to exploit: "By default, when a user double-clicks a JPEG file, the file will be opened in the Windows Picture and Fax Viewer."
- MS10-006 - Nessus Plugin ID 44416 (Credentialed Check) - There are two flaws in the SMB client. A great paper by Laurent Gaffié describes how one of the flaws works by setting the SMB field "MaxBufferSize" to an unexpected (smaller) value. This level of detail about a vulnerability is appreciated by researchers, as it makes writing intrusion detection rules much easier.
- MS10-007 - Nessus Plugin ID 44417 (Credentialed Check) - This vulnerability allows remote attackers to execute local commands if a user clicks on a malicious link. This one came from the Zero-Day Initiative (ZDI) program.
- MS10-008 - Nessus Plugin ID 44418 (Credentialed Check) - This update disables certain ActiveX controls using "KillBits".
- MS10-009 - Nessus Plugin ID 44419 (Credentialed Check) - There are several flaws in the TCP/IP stack on various Windows platforms. Three are listed as "remote code execution", but there are no confirmed reports of exploitation.
- MS10-010 - Nessus Plugin ID 44420 (Credentialed Check) - If an authenticated user is logged in on a guest virtual machine, they can cause a denial of service condition on the Hyper-V server.
- MS10-011 - Nessus Plugin ID 44421 (Credentialed Check) - Another privilege escalation for select Windows platforms that requires that the user leave a program running on the target system after they have logged out.
- MS10-012 - Nessus Plugin ID 44422 (Credentialed Check) - A flaw in SMB has been uncovered that allows an attacker to access the remote file system and/or execute arbitrary code on a vulnerable Windows system. Some of the attacks require sending thousands of packets to a host in an effort to guess (and in some cases predict) the challenge/nonce of the remote host. Credentials are not required, and proof-of-concept code has been published. This protocol has been in use for approximately 14 years and we are still finding flaws in it. This gives me confidence that there will be no shortage of Microsoft Patch Tuesday bulletins to write up in the future.
- MS10-013 - Nessus Plugin ID 44423 (Credentialed Check) - Another one from the ZDI project, this time it’s a DirectShow vulnerability that can be triggered by opening an AVI file. AVI files are something that should be easy to trick a user into opening, especially if you advertise it as "adult material". The scary part is that this vulnerability was reported over a year ago.
- MS10-014 - Nessus Plugin ID 44424 (Credentialed Check) - This is a Kerberos server NULL pointer dereference, being touted as a "denial of service only" vulnerability. Sometimes a DoS is just a DoS, but sometimes not.
- MS10-015 - Nessus Plugin ID 44425 (Credentialed Check) - This is a really neat local privilege escalation vulnerability in the Windows kernel on Microsoft Windows NT 3.1 through Windows 7. You may have seen it in the press advertised as "KiTrap0D". Tavis Ormandy disclosed it to the public on January 19, 2010 and described a method of escalation that takes advantage of the way Windows handles 16-bit applications and BIOS calls.
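As an added illustration of the MS10-006 detail above (example code written for this write-up, not code from the post, from Tenable or from Laurent Gaffié's paper), the following Python parses an SMB1 NT LM 0.12 Negotiate Protocol Response and flags a server that advertises a "MaxBufferSize" below what the client expects, which is the kind of check an intrusion detection rule for that flaw would make. The field layout follows the SMB1 negotiate response format; the threshold and the sample messages are constructed assumptions, not values taken from the bulletin.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
HEADER_LEN = 32  # fixed SMB1 header: magic, command, status, flags, ..., MID

# NT LM 0.12 Negotiate Protocol Response parameter block: WordCount (17) plus 34 bytes of words.
PARAMS_FMT = "<BHBHHIIIIQhB"
PARAM_NAMES = ("word_count", "dialect_index", "security_mode", "max_mpx_count",
               "max_number_vcs", "max_buffer_size", "max_raw_size", "session_key",
               "capabilities", "system_time", "server_time_zone", "challenge_length")


def parse_negotiate_response(data: bytes) -> dict:
    """Parse an SMB1 NT LM 0.12 Negotiate Protocol Response; raise ValueError if malformed."""
    if len(data) < HEADER_LEN + struct.calcsize(PARAMS_FMT) + 2:
        raise ValueError("message too short for a negotiate response")
    if data[:4] != SMB_MAGIC or data[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 negotiate message")
    fields = dict(zip(PARAM_NAMES, struct.unpack_from(PARAMS_FMT, data, HEADER_LEN)))
    if fields["word_count"] != 17:
        raise ValueError("unexpected WordCount %d" % fields["word_count"])
    return fields


def flag_small_max_buffer(data: bytes, floor: int) -> tuple:
    """Return (suspicious, max_buffer_size); suspicious is True when the server
    advertises a MaxBufferSize below `floor`, the smallest value the client expects
    (the floor is an assumed site-specific threshold, not a value from the bulletin)."""
    size = parse_negotiate_response(data)["max_buffer_size"]
    return size < floor, size


def build_negotiate_response(max_buffer_size: int) -> bytes:
    """Constructed sample response for offline testing: header, parameter block,
    ByteCount and an 8-byte (all-zero) challenge; every other field is a placeholder."""
    header = SMB_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * (HEADER_LEN - 5)
    params = struct.pack(PARAMS_FMT, 17, 0, 0x03, 50, 1, max_buffer_size,
                         65536, 0, 0x8000E3FD, 0, -480, 8)
    return header + params + struct.pack("<H", 8) + b"\x00" * 8


if __name__ == "__main__":
    for advertised in (16644, 64):
        print(advertised, flag_small_max_buffer(build_negotiate_response(advertised), 4356))
```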