February '10 Patch Tuesday Detailed

Article by George Norman (Cybersecurity Editor)

on 10 Feb 2010

This month’s Patch Tuesday was a big one. Microsoft announced that on February 9 it would release a grand total of 13 security bulletins, of which 5 were rated as critical, 7 were rated as important and 1 was rated as moderate. With the February Patch Tuesday, the Redmond-based software giant planned to plug a total of 26 security vulnerabilities that plague the Windows operating system and the Office productivity suite.

It is now February ‘10 and Microsoft has released the 13 security bulletins it announced. This means we can now take a closer look under the hood and see more details about the February 2010 Patch Tuesday.

Title: Vulnerabilities in SMB Client Could Allow Remote Code Execution
Rating: Critical
Description: Two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a malicious SMB server.
Most likely attack vector: Locally logged-in attacker with low privilege runs a malicious executable to elevate to high privilege.
Affected software: Microsoft Windows

Title: Vulnerability in Windows Shell Handler Could Allow Remote Code Execution
Rating: Critical
Description: A privately reported vulnerability in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not impacted by this security update. The vulnerability could allow remote code execution if an application, such as a Web browser, passes specially crafted data to the ShellExecute API function through the Windows Shell Handler.
Most likely attack vector: Attacker hosts a malicious webpage, lures victim to it.
Affected software: Microsoft Windows

Title: Cumulative Security Update of ActiveX Kill Bits
Rating: Critical
Description: A privately reported vulnerability for Microsoft software. The vulnerability could allow remote code execution if a user views a specially crafted Web page that instantiates an ActiveX control with Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.
Most likely attack vector: Attacker hosts a malicious webpage, lures victim to it.
Affected software: Microsoft Windows

Title: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution
Rating:
Description: Four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if specially crafted packets are sent to a computer with IPv6 enabled. An attacker could try to exploit the vulnerability by creating specially crafted ICMPv6 packets and sending the packets to a system with IPv6 enabled. This vulnerability may only be exploited if the attacker is on-link.
Most likely attack vector: Attacker sends network-based attack against system on local subnet.
Affected software: Microsoft Windows

Title: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
Rating: Critical
Description: A privately reported vulnerability in Microsoft DirectShow. The vulnerability could allow remote code execution if a user opened a specially crafted AVI file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Most likely attack vector: Victim opens malicious AVI or WAV file.
Affected software: Microsoft Windows

Title: Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution
Rating: Important
Description: A privately reported vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Most likely attack vector: Attacker sends malicious .xls file to victim who opens it with Office XP or lower. (Office 2003, 2007 not affected.)
Affected software: Microsoft Office

Title: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution
Rating: Important
Description: Six privately reported vulnerabilities in Microsoft Office PowerPoint. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Most likely attack vector: Attacker sends malicious .ppt file to victim who opens it with PowerPoint Viewer 2003.
Affected software: Microsoft Office

Title: Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service
Rating: Important
Description: A privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a malformed sequence of machine instructions is run by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to log on locally into a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Most likely attack vector: Attacker running code on virtual machine crashes host OS.
Affected software: Microsoft Windows

Title: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Rating: Important
Description: A privately reported vulnerability in Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not affected. The vulnerability could allow elevation of privilege if an attacker logs on to the system and starts a specially crafted application designed to continue running after the attacker logs out. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
Most likely attack vector: Attacker who logs onto console of system where victim later logs onto console of same system can potentially run code with victim’s identity.
Affected software: Microsoft Windows

Title: Vulnerabilities in SMB Server Could Allow Remote Code Execution
Rating: Important
Description: Several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.
Most likely attack vector: Attacker sends network-based malicious connection to remote Windows machine via SMB.
Affected software: Microsoft Windows

Title: Vulnerability in Kerberos Could Allow Denial of Service
Rating: Important
Description: A privately reported vulnerability in Microsoft Windows. The vulnerability could allow a denial of service if a specially crafted ticket renewal request is sent to the Windows Kerberos domain from an authenticated user on a trusted non-Windows Kerberos realm. The denial of service could persist until the domain controller is restarted.
Most likely attack vector: Attacker potentially able to cause denial of service via Kerberos traffic if victim server configured with trust relationship to MIT Kerberos realm.
Affected software: Microsoft Windows

Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Rating: Important
Description: One publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on to the system and then ran a specially crafted application. To exploit either vulnerability, an attacker must have valid logon credentials and be able to log on locally. The vulnerabilities could not be exploited remotely or by anonymous users.
Most likely attack vector: Attacker already able to execute code as low-privileged user escalates privileges.
Affected software: Microsoft Windows

Title: Vulnerability in Microsoft Paint Could Allow Remote Code Execution
Rating: Moderate
Description: A privately reported vulnerability in Microsoft Paint. The vulnerability could allow remote code execution if a user viewed a specially crafted JPEG image file using Microsoft Paint. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Most likely attack vector: Attacker sends malicious JPEG to victim. Victim saves JPG, launches mspaint, and then opens the malicious JPEG via File > Open.
Affected software: Microsoft Windows

The Microsoft Security Response Center (MSRC) has provided these visual representations of the February 2010 Patch Tuesday update.




