Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

October, 2010

  • Assessing the risk of the October security updates

    Today we released sixteen security bulletins. Four have a maximum severity rating of Critical, ten have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

    | Bulletin | Most likely attack vector | Max bulletin severity | Max exploitability | Likely first 30 days impact | Platform mitigations and key notes |
    |---|---|---|---|---|---|
    | MS10-071 (IE) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see a code execution exploit developed for memory corruption vulnerabilities. | Neither IE7 nor IE8 vulnerable to CVE-2010-3326, one of the two Critical issues addressed by this security bulletin. |
    | MS10-076 (EOT) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see an exploit released for older platforms. | ASLR on Windows Vista and later operating systems makes building a successful exploit for code execution much more difficult. |
    | MS10-077 (.Net Framework) | Victim running 64-bit Windows browses to a malicious webpage. Also could be used by a malicious attacker allowed to run ASP.Net code on a 64-bit IIS server to run arbitrary code. | Critical | 1 | Likely to see an ASP.Net exploit released capable of running arbitrary code. | 32-bit platforms not affected. |
    | MS10-075 (WMP) | Attacker sends a malicious RTSP network packet to a Windows Vista or Windows 7 client on the same network that has opted in to the Windows Media Network Sharing service. Only Windows 7 Home Edition opts in by default. | Critical | 1 | Likely to see a code execution exploit developed. Unlikely to see widespread exploitation because the feature is accessible only on the local subnet and is off by default on most versions of Windows. | Service is reachable only by machines on the local subnet. Domain-joined machines are not vulnerable by default. Feature is on by default only for Windows 7 Home Edition. |
    | MS10-073 (Win32k.sys) | Attacker already running code on a machine elevates from a low-privileged account to SYSTEM. | Important | 1 | Stuxnet malware currently leverages this vulnerability for local elevation of privilege if run on Windows XP. | The local elevation of privilege vulnerability used by Stuxnet (CVE-2010-2743) is reachable only on Windows XP, not later platforms. |
    | MS10-082 (WMP) | User interaction required when visiting a malicious website. | Important | 1 | Likely to see a code execution exploit developed. | Internet Explorer users are not vulnerable. |
    | MS10-081 (Comctl32) | No known attack vectors using Microsoft software. Victim using a 3rd party image viewer could be vulnerable when browsing to a malicious webpage. | Important | 1 | Likely to see a code execution exploit developed. | No attack vectors if using only Microsoft software. See this SRD blog post for more information. |
    | MS10-079 (Word) | Victim opens a malicious .DOC file. | Important | 1 | Likely to see a code execution exploit developed. | Nine of the eleven issues affect only Office 2002 and Office for Mac platforms. |
    | MS10-080 (Excel) | Victim opens a malicious .XLS file. | Important | 1 | Likely to see a code execution exploit developed. | Excel 2010 not vulnerable. Ten of the thirteen issues affect only Office 2002 and Office for Mac platforms. |
    | MS10-084 (LPC) | Attacker running code on a machine elevates from a low-privileged account to SYSTEM. | Important | 1 | Proof-of-concept publicly released already. | |
    | MS10-078 (OTF font) | No remote attack vectors using Microsoft software. Victim using a 3rd party browser could be vulnerable when browsing to a malicious webpage. | Important | 1 | Likely to see a code execution exploit developed. | |
    | MS10-083 (COM) | Victim opens a malicious Wordpad document or malicious shortcut file, instantiating a COM object that would otherwise not run. | Important | 1 | May see proof-of-concept code developed. | |
    | MS10-072 (SafeHTML) | Attacker submits malicious HTML to a server, bypassing SafeHTML's sanitization code. The malicious HTML is subsequently displayed to a victim, resulting in potential information disclosure. | Important | 3 | No chance for direct code execution. | |
    | MS10-085 (SChannel) | Attacker sends a malicious client-side certificate to an IIS server, causing it to restart. | Important | 3 | No chance for code execution. | Affects only applications, features, or services that are configured to accept SSL connections. |
    | MS10-074 (MFC) | Victim uses an application built using MFC to open untrusted content. No Microsoft attack vectors. | Moderate | n/a | | No known Microsoft attack vectors. See this SRD blog post for more information. |
    | MS10-086 (Cluster Disk Setup) | Attacker tampers with files to which they would otherwise not have access, due to incorrect ACLs assigned during the setup of shared cluster disks. | Moderate | n/a | | See this SRD blog post for more information about this vulnerability. |

    Thanks to Fermin J. Serna, David Ross, and Richard van Eeden of the MSRC Engineering team for validating the accuracy of this table. And, of course, thanks to the whole MSRC Engineering for their work on this month’s cases.

    Update Oct 18, 2010: Clarified scope of MS10-085

    - Jonathan Ness and Andrew Roths, MSRC Engineering

    *Posting is provided "AS IS" with no warranties, and confers no rights.*

  • Note on Bulletin Severity for MS10-081 and MS10-074

    Today we released MS10-081 (Important severity) and MS10-074 (Moderate severity), each providing an update for a single vulnerability. In this blog post we are going to cover some additional details on the severity of these vulnerabilities that may factor into how you prioritize the deployment of this month’s updates.

    Neither of the two vulnerabilities covered by MS10-081 and MS10-074 has an attack vector through Microsoft software. Both CVEs require 3rd party code to be exercised before the vulnerabilities can be triggered. The CVEs and their vulnerability titles are as follows:

    CVE-2010-2746 - Comctl32 Heap Overflow Vulnerability (Bulletin: MS10-081)

    CVE-2010-3227 - Windows MFC Document Title Updating Buffer Overflow Vulnerability (Bulletin: MS10-074)

    As a general rule, the resultant severity rating of a vulnerability that is only triggerable via 3rd party code will be lower than it would be if the vulnerability could be triggered through in-box code. This is done to provide a baseline for Microsoft customers, as every customer environment is different. Depending on your own environment, you may want to increase the severity of one or both of these bulletins when prioritizing the updates. Below is a brief description of each vulnerability, its attack vector, and its severity:

    CVE-2010-2746 - Comctl32 Heap Overflow Vulnerability

    A heap overflow exists in comctl32.dll. The vulnerability can be exercised remotely through the browser when using a 3rd-party scalable vector graphics (SVG) viewer. The vulnerability can be abused to yield arbitrary code execution. Remote code execution (RCE) browser-based vulnerabilities which require no user interaction are generally rated Critical. Since IE does not have an attack vector, this CVE has been rated Important. However, if you use a 3rd party browser, you may wish to give this a higher severity in your prioritization.

    CVE-2010-3227 - Windows MFC Document Title Updating Buffer Overflow Vulnerability

    A stack overflow exists in mfc.dll. The vulnerability can be exercised through a 3rd party zip viewer with some user interaction. The vulnerability can be abused to yield arbitrary code execution. An exploitable code path in an in-box zip viewer would generally be rated Important, but in this case we've rated it Moderate due to the requirement of a 3rd party component. If you use a 3rd party zip viewer that sets window titles based on attacker-controlled data, you may want to treat this with a higher severity.

    Thanks to Mark Woodrich and Brian Cavenah for their contribution to this blog post.

    - The SRD Bloggers

  • MS10-086: Disk Clustering Vulnerability

    This morning we released security bulletin MS10-086 to address a vulnerability in Windows failover disk clustering. Exposure to this vulnerability will only occur if Failover Clustering is installed. Failover Clustering is supported on Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Hyper-V, and Windows Server 2008 R2 Storage Server editions. However, on these platforms, Failover Clustering is not enabled by default.

    What is the Impact of this vulnerability?

    In a normal scenario when hard disks are added to a machine the default permissions on administrative shares (C$, Admin$, etc.) only allow administrators to access them.  This vulnerability will set the permissions on administrative shares for new shared cluster disks, created via the failover cluster manager UI, to everyone full control. This could allow for unauthorized access to administrative shares.

    Is my server affected by this vulnerability?

    By default, affected editions of Windows Server 2008 R2 are not impacted by this vulnerability. This vulnerability only manifests itself when hard disks are added to a failover cluster. When an administrator creates a failover cluster disk in the Failover Cluster Manager UI, the default permissions on the administrative shares are set to allow everyone full control. Even though the share permissions on the shared cluster disk are set to allow everyone full control, NTFS Access Control Lists (ACLs) are still respected. By default, when formatting a partition, NTFS defaults to granting BUILTIN\Authenticated Users read, write, and modify permissions. If an administrator has manually configured ACLs on the entire drive, or on selected folders/files, those ACLs are still properly enforced. All non-clustered hard disks on the system maintain the correct share permissions.

    Taking this update into consideration, how should I deploy a new disk cluster?

    When installing a new failover cluster, please use the following steps to help ensure that your administrative shares on failover cluster disks are properly permissioned.

    Administrator privileges are required to complete this procedure. To learn more about using the appropriate accounts and group memberships, see the TechNet Library article, Local and Domain Default Groups.

    Install the Failover Clustering feature:

    1. If you recently installed Windows Server 2008 R2 on the server and the Initial Configuration Tasks interface is displayed, under Customize This Server, click Add Features and proceed to step 3.

    2. If Initial Configuration Tasks is not displayed, add the feature through Server Manager:

      • If Server Manager is already running, click Features. Then, under Features Summary, click Add Features.

      • If Server Manager is not running, click Start, click Administrative Tools, click Server Manager, and then, if prompted for permission to continue, click Continue. Then, under Features Summary, click Add Features.

    3. In the Add Features Wizard, click Failover Clustering, and then click Install.

    4. When the wizard finishes, close it.

    5. Install security update KB2294255.

    6. Repeat the process for each server that you want to include in the cluster.

    After completing this procedure, any new clusters you create will not be affected by this vulnerability. 
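
    One way to check a node for the share-permission state this post describes, and for the feature and update the steps above install, is the following PowerShell script. It is an added example written for this page, not Microsoft's own code or tooling. It assumes an elevated PowerShell 2.0 session on the Windows Server 2008 R2 node itself, that `Failover-Clustering` is the ServerManager module's name for the feature installed by the wizard, and that share-level DACLs can be read through the `Win32_LogicalShareSecuritySetting` WMI class; `0x1F01FF` is the access mask Windows displays as Full Control, and `S-1-1-0` is the well-known SID for Everyone.

```powershell
# Added example, not from the SRD post: audit administrative shares on a
# Windows Server 2008 R2 node for the state MS10-086 describes (Everyone
# granted Full Control at the share level) and confirm the Failover
# Clustering feature and security update KB2294255 are present.
# Assumptions: elevated PowerShell 2.0 session on the node; the feature
# name 'Failover-Clustering' is the ServerManager name for the feature
# installed in the wizard steps above.

Import-Module ServerManager

$FullControl = 0x1F01FF   # access mask Windows shows as "Full Control"
$EveryoneSid = 'S-1-1-0'  # well-known SID for the Everyone group

function Get-ClusterPatchState {
    # Feature and hotfix presence; KB2294255 is the update named in the post.
    $feature = Get-WindowsFeature -Name Failover-Clustering
    $hotfix  = Get-HotFix -Id KB2294255 -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        FailoverClusteringInstalled = [bool]$feature.Installed
        KB2294255Installed          = ($hotfix -ne $null)
    }
}

function Get-AdminSharePermissions {
    # One record per share-level ACE on every administrative share (share
    # names ending in '$'). Only share permissions are read here; the NTFS
    # ACLs the post says are still enforced are a separate check.
    $shares = Get-WmiObject -Class Win32_LogicalShareSecuritySetting |
              Where-Object { $_.Name -like '*$' }
    foreach ($share in $shares) {
        $result = $share.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0 -or $result.Descriptor -eq $null) {
            Write-Warning ('Could not read share security for {0} (return {1})' -f `
                           $share.Name, $result.ReturnValue)
            continue
        }
        foreach ($ace in $result.Descriptor.DACL) {
            New-Object PSObject -Property @{
                Share       = $share.Name
                Trustee     = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name)
                Sid         = $ace.Trustee.SIDString
                AccessMask  = ('0x{0:X}' -f $ace.AccessMask)
                FullControl = (($ace.AccessMask -band $FullControl) -eq $FullControl)
                Allowed     = ($ace.AceType -eq 0)   # 0 = ACCESS_ALLOWED, 1 = ACCESS_DENIED
            }
        }
    }
}

function Find-EveryoneFullControlShares {
    # Administrative shares whose share DACL grants Everyone Full Control:
    # the condition MS10-086 creates on newly added failover cluster disks.
    Get-AdminSharePermissions |
        Where-Object { $_.Allowed -and $_.FullControl -and $_.Sid -eq $EveryoneSid } |
        Select-Object -ExpandProperty Share -Unique
}

# Report
Get-ClusterPatchState | Format-List
Get-AdminSharePermissions |
    Format-Table Share, Trustee, AccessMask, FullControl, Allowed -AutoSize
$bad = @(Find-EveryoneFullControlShares)
if ($bad.Count -gt 0) {
    Write-Warning ('Everyone has Full Control on: {0}' -f ($bad -join ', '))
} else {
    'No administrative share grants Everyone Full Control.'
}
```

    Run the script on each cluster node after step 6. A share listed by `Find-EveryoneFullControlShares` is one whose share-level permissions match the state the post describes; as the post notes, NTFS ACLs on the volume are still enforced, so this report tells you where to look rather than what data is reachable.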

    Why has Microsoft issued this security update and rated it Moderate?

    Microsoft has made security assurances with respect to administrative privileges in general, and customers have come to expect that the permissions on administrative shares be set correctly by default. A security assurance is embodied in either a security feature or a product feature/function that customers expect will offer a consistent level of security protection. In order to uphold this expectation, and to enable customers to rely on the integrity of this Windows feature, a security update has been issued. While the actual severity rating of this vulnerability is only Moderate, depending on the customer environment, the impact caused by this vulnerability could be significant. Customers should evaluate this vulnerability as it pertains to their specific environment to make the appropriate risk assessment.

    Thanks to Mark Debenham for his work on this case.

    Charles Weidner, Microsoft Security Response Center

    Update 11/10: Removed inaccurate requirement to manually set permissions after installing the update.