Eight Microsoft Windows Bulletins Close Over 20 Security Holes
Bulletins Affect SMB Client, WMP, the Kernel, and More

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, or enticing your users to open malicious media
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released eight security bulletins describing over 20 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-020: SMB Client Code Execution Vulnerabilities

Microsoft Server Message Block (SMB) is the protocol Windows uses for file and print sharing. According to Microsoft, the Windows SMB client suffers from five security vulnerabilities, four of which could allow attackers to execute malicious code. Though the flaws differ technically, an attacker could exploit them all in the same way: by enticing one of your users to connect to a malicious SMB server (for instance, by following a link that points at a UNC path on an attacker-controlled host), an attacker can exploit one of the flaws to gain complete control of a vulnerable Windows computer. Note that the victim only has to act as an SMB client here; the malicious server does the rest.
Microsoft rating: Critical.

  • MS10-019: Two Authenticode Code Execution Vulnerabilities

Microsoft has built a mechanism into Windows called Authenticode, which allows developers to sign their executable programs using public-key cryptography standards. This mechanism allows you (or the operating system) to make sure that the programs you run really come from the vendors you expect them from. If you’ve ever installed a driver in Windows and received a message saying it wasn’t signed, the Authenticode signature verification system provided that message. According to today’s bulletin, various components involved in the Authenticode system suffer from two security vulnerabilities. The flaws differ technically, but share the same general impact. By tricking one of your users into downloading and opening a specially crafted .EXE or .CAB file, an attacker could leverage either flaw to gain complete control of that user’s computer. The caveat worth remembering is that these are flaws in the signature checker itself, so a signature that "verifies" on an unpatched machine proves less than it should.
Microsoft rating: Critical.
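The following PowerShell snippet is an added example, not code from the original alert or from Microsoft. It shows what the Authenticode mechanism described above looks like from an administrator's side: it lists the signature status and signer of every executable under a directory, so unsigned or tampered binaries stand out. The directory C:\Deploy is a placeholder; substitute the path you want to audit.

```powershell
# Added example (not part of the original alert): report the Authenticode
# status of every .exe under a directory.
# ASSUMPTION: C:\Deploy is a placeholder for the directory to audit.
$root = 'C:\Deploy'

Get-ChildItem -Path $root -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Select-Object @{ n = 'File';   e = { Split-Path $_.Path -Leaf } },
                  # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
                  Status,
                  @{ n = 'Signer'; e = { if ($_.SignerCertificate) { $_.SignerCertificate.Subject } } } |
    Sort-Object Status, File |
    Format-Table -AutoSize
```

Treat a Status of HashMismatch as seriously as NotSigned: the file was signed, but its contents no longer match the signature. And because MS10-019 is a flaw in the verification code itself, run this only after the Authenticode patch is on the machine doing the checking; on an unpatched host, "Valid" is exactly the result a crafted file is designed to produce.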

  • MS10-025: Win2K Media Services Buffer Overflow Vulnerability

Windows 2000 (Win2k) ships with Windows Media Services to allow you to create a server for on-demand, streaming audio and video. Unfortunately, one of the Windows Media Services (the Unicast Service, nsum.exe) suffers from a buffer overflow vulnerability involving the way it handles malformed network packets. By sending a specially crafted packet to your Windows 2000 Media Server, an attacker could exploit this vulnerability to gain complete control of the machine. That said, Windows 2000 doesn’t enable the Windows Media Services by default. You are only vulnerable to this flaw if you’ve specifically enabled them, so check whether nsum.exe is actually running before treating a server as exposed.
Microsoft rating: Critical.

  • MS10-026: MP3 Codecs Buffer Overflow Vulnerability

MPEG Layer-3, otherwise known as MP3, is an audio encoding format used to compress audio for playback on digital devices such as computers. Windows ships with codecs used to decode and play back MP3 audio within music files or videos. Windows’ MP3 codecs suffer from a buffer overflow vulnerability, involving their mishandling of specially crafted AVI movies that carry an MP3 audio track. By luring one of your users into downloading and playing a specially crafted AVI file, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Critical.

  • MS10-027: WMP Code Execution Vulnerability

Windows Media Player (WMP) is the audio and video player that ships with Windows. WMP also includes an ActiveX control that allows it to play back media hosted on websites. The WMP ActiveX control suffers from an unspecified code execution vulnerability having to do with how it handles specially crafted media hosted on a malicious website. By enticing one of your users to visit a website with an embedded video, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC. This vulnerability only affects WMP 9, which ships with Windows 2000 and XP.
Microsoft rating: Critical.

  • MS10-021: Multiple Windows Kernel Elevation of Privilege and DoS Vulnerabilities

The kernel is the core component of any computer operating system. The Windows kernel suffers from multiple Denial of Service (DoS) and elevation of privilege vulnerabilities. By running a specially crafted program, an attacker could leverage these flaws to either crash or lock up your computer, or to gain complete control of it. However, the attacker would first need to run code on the machine, which means either logging on locally with valid credentials or chaining one of these flaws with a code execution vulnerability such as those above. This factor significantly reduces the risk of these flaws on their own.
Microsoft rating: Important

  • MS10-022: VBScript F1 Code Execution Vulnerability

VBScript, or Visual Basic Scripting, is a scripting language created by Microsoft, and used by Windows and its applications. VBScript suffers from a complex security flaw, involving the way it interacts with Windows Help files via Internet Explorer. The vulnerability only crops up when a victim presses the “F1” key while visiting a specially crafted web page. You can learn more about this previously unpatched vulnerability in a Wire post we released in early March. In short, if an attacker can lure one of your users to a malicious web page and trick them into pressing the “F1” key on that page (perhaps by using a pop-up dialog that instructs the user to press that key for some trumped-up reason), the attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As usual, if your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Important.

  • MS10-029: IPv6 ISATAP Source Spoofing Vulnerability

The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an IPv6 transition mechanism designed to allow you to send IPv6 packets over an IPv4 network. The Windows ISATAP component suffers from a spoofing vulnerability. Essentially, the Windows TCP/IP stack doesn’t properly validate the source address of tunneled ISATAP packets. By sending specially crafted IPv6 packets, an attacker could leverage this flaw to impersonate or spoof another address on your network, potentially bypassing any address-based filters you employ on a firewall. However, this vulnerability only affects systems with an ISATAP interface configured, which significantly lowers the risk; hosts that don’t need IPv6 tunnelling can simply leave ISATAP disabled.
Microsoft rating: Moderate.

Microsoft also released an Exchange security bulletin today that describes vulnerabilities that also affect Windows itself. We will release details about those Windows and Exchange vulnerabilities in another alert to be published today.

Solution Path:

Microsoft has released patches for Windows that correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. After deployment, verify that the updates actually landed on each host rather than assuming they did.
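The following PowerShell script is an added example, not code from the original alert or from Microsoft. It audits a single Windows host against the bulletins above: it checks whether each bulletin's update is installed, and for the three bulletins whose exposure depends on configuration (MS10-025, MS10-027, MS10-029) it reports whether the vulnerable component is actually present. The KB numbers in the table are an assumption on my part (the update identifiers I believe Microsoft assigned to each bulletin); confirm them against each bulletin's Affected Software table before relying on the output.

```powershell
# Added example (not part of the original alert): audit this host against the
# April 2010 Windows bulletins. Run from an elevated PowerShell prompt.
# ASSUMPTION: the KB numbers below are the update IDs I believe belong to each
# bulletin; verify them against the bulletins before trusting a MISSING result.
$bulletins = @{
    'MS10-019' = 'KB978601'   # Authenticode (WinVerifyTrust)
    'MS10-020' = 'KB980232'   # SMB client
    'MS10-021' = 'KB979683'   # kernel EoP / DoS
    'MS10-022' = 'KB981349'   # VBScript / F1 help
    'MS10-025' = 'KB980858'   # Windows Media Services (Windows 2000 only)
    'MS10-026' = 'KB977816'   # MP3 codec
    'MS10-027' = 'KB979402'   # WMP 9 ActiveX control
    'MS10-029' = 'KB978338'   # ISATAP source validation
}

# 1. Which updates are installed? A MISSING entry means "not installed", not
#    necessarily "vulnerable": an update that does not apply to this OS
#    version (e.g. MS10-025 on XP) will never show up in Get-HotFix.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($id in ($bulletins.Keys | Sort-Object)) {
    $kb    = $bulletins[$id]
    $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    '{0,-9} {1,-9} {2}' -f $id, $kb, $state
}

# 2. MS10-025: only hosts running the Windows Media Unicast Service (nsum.exe)
#    are exposed, so look for a service whose binary is nsum.exe.
$wms = Get-WmiObject Win32_Service | Where-Object { $_.PathName -match 'nsum\.exe' }
if ($wms) {
    'MS10-025 exposure: {0} is {1} (StartMode {2})' -f $wms.Name, $wms.State, $wms.StartMode
} else {
    'MS10-025 exposure: Windows Media Unicast Service not installed'
}

# 3. MS10-027: only Windows Media Player 9 is affected; report the version.
$wmp = Join-Path $env:ProgramFiles 'Windows Media Player\wmplayer.exe'
if (Test-Path $wmp) {
    'WMP version: ' + (Get-Item $wmp).VersionInfo.ProductVersion
} else {
    'WMP not found at the default path'
}

# 4. MS10-029: only hosts with an ISATAP interface configured are exposed.
#    The "netsh interface isatap" context exists on Vista/2008 and later;
#    XP and Server 2003 use "netsh interface ipv6 isatap" instead.
netsh interface isatap show state
netsh interface isatap show router
# Hosts that do not need IPv6 tunnelling can remove the exposure outright:
#   netsh interface isatap set state disabled
```

The script is deliberately read-only apart from the commented-out netsh line: an audit that also changes network configuration is hard to run safely across a fleet. Run the update check again after the next reboot, since some of these updates only report as installed once the restart has completed.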

  • MS10-020: SMB Client
  • MS10-019: Authenticode
  • MS10-025: Windows Media Services (Windows 2000 only)
    Note: This vulnerability does not affect any other versions of Windows
  • MS10-026: MP3 codecs
    Note: This vulnerability does not affect any other versions of Windows
  • MS10-027: Windows Media Player 9 (Windows 2000 and XP)
    Note: This vulnerability does not affect any other versions of Windows
  • MS10-021: Windows kernel
  • MS10-022: VBScript
