This morning, we released 13 security bulletins. Five have a maximum severity rating of Critical, seven Important, and one Moderate. One security bulletin (MS10-015, ntvdm.dll) has exploit code already published, but we are not aware of any active attacks or customer impact. We hope that the table and commentary below help you prioritize the deployment of the updates appropriately.
| Most likely attack vector | Max Bulletin Severity | Max Exploitability Index | Likely first 30 days impact |
|---|---|---|---|
| Victim opens malicious AVI or WAV file. | | | Likely to see working exploit in next 30 days. |
| Attacker hosts a malicious webpage, lures victim to it. | | | Likely to see exploit code released resulting in a binary on a WebDAV share being executed. For more detail, see this SRD blog post. |
| Locally logged-in attacker with low privilege runs a malicious executable to elevate to high privilege. | | | Likely to see working exploit code for local attacker escalation. |
| Attacker hosts a malicious webpage, lures victim to it. | | Third-party code not rated for exploitability. | Likely to see working exploit for vulnerabilities in third-party ActiveX controls. |
| Attacker sends network-based malicious connection to remote Windows machine via SMB. | | | Likely to see working proof-of-concept in next 30 days for CVE-2010-0231, resulting in an attacker luring a remote victim user to open a file on the attacker's server and initiating a connection back to the machine where the remote victim is logged on. Less likely to see working exploit code for the authenticated code execution vulnerability (CVE-2010-0020) or the unauthenticated denial-of-service vulnerabilities (CVE-2010-0021 and CVE-2010-0022). |
| Attacker already able to execute code as low-privileged user escalates privileges. | | | Proof-of-concept code already widely available. No active attacks. |
| Attacker who logs onto the console of a system where the victim later logs onto the console of the same system can potentially run code with the victim's identity. | | | Likely to see proof-of-concept code published for this vulnerability. However, unlikely to see widespread exploitation due to the extensive user interaction required. |
| Attacker sends network-based attack against system on local subnet. | | | May see denial-of-service proof-of-concept code published leveraging CVE-2010-0239 or CVE-2010-0241. Attackers are less likely to discover real-world attack surface in next 30 days for CVE-2010-0240. /GS effective mitigation for CVEs: CVE-2010-0242 is denial of service only. |
| Attacker sends malicious .xls file to victim who opens it with Office XP or lower. (Office 2003 and Office 2007 not affected.) | | | Likely to see working exploit file effective on Office XP in first 30 days. |
| Attacker sends malicious .ppt file to victim who opens it with PowerPoint Viewer 2003. | | | Likely to see working exploit file effective on PowerPoint Viewer 2003. However, PowerPoint Viewer 2003 was replaced online by PowerPoint Viewer 2007; only victims who use PowerPoint Viewer 2003 from the Office 2003 install disk would be vulnerable to the PowerPoint Viewer vulnerabilities. Less likely to see working exploit for other PowerPoint vulnerabilities. |
| Attacker running code on a virtual machine crashes the host OS. | | | Unlikely to see working exploit code in next 30 days. |
| Attacker potentially able to cause denial of service via Kerberos traffic if the victim server is configured with a trust relationship to an MIT Kerberos realm. | | | Unlikely to see public exploit code in next 30 days. |
| Attacker sends malicious JPEG to victim. Victim saves the JPEG, launches mspaint, and opens the malicious file via File > Open. | | | Likely to see exploit code developed. Unlikely to have broad impact as mspaint is not the registered file association for JPEG. |
We also released Security Advisory 977377 covering the TLS man-in-the-middle vulnerabilities disclosed several months ago. The advisory describes the Microsoft attack surface in more detail (and a mitigation option). You can read our blog post about the issue here: http://blogs.technet.com/srd/archive/2010/02/09/details-on-the-new-tls-advisory.aspx.
Thanks to all of MSRC Engineering for providing data for this table. Thanks to Jerry Bryant, Andrew Roths, and Mark Wodrich for your ordering / priority thoughts.
- - Jonathan Ness, MSRC Engineering
*Posting is provided "AS IS" with no warranties, and confers no rights.*
Update Feb 10 - Changed Exploitability Index rating for third party killbits to "n/a" as we do not rate exploitability of third party vulnerabilities.
Update Feb 25 - Thanks to Secunia for sending in the PowerPoint Viewer question. Listed non-exploitable platforms in the table above.