
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Eight Microsoft Windows Bulletins Close Over 20 Security Holes: Bulletins Affect SMB Client, WMP, the Kernel, and More

April 13, 2010 By The Editor

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, or enticing your users to open malicious media
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released eight security bulletins describing over 20 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-020: SMB Client Code Execution Vulnerabilities

Microsoft Server Message Block (SMB) is the protocol Windows uses for file and print sharing. According to Microsoft, the Windows SMB client suffers from five security vulnerabilities, four of which could allow attackers to execute malicious code. Though the flaws differ technically, an attacker could exploit them all in the same way. By enticing one of your users to connect to a malicious SMB server, an attacker can exploit one of the flaws to gain complete control of a vulnerable Windows computer.
Microsoft rating: Critical.

  • MS10-019: Two Authenticode Code Execution Vulnerabilities

Microsoft has built a mechanism into Windows called Authenticode, which allows developers to sign their executable programs using Public-Key Cryptography standards. This mechanism allows you (or the operating system) to make sure programs you run really come from the vendors you expect them from. If you’ve ever installed a driver in Windows, and received a message saying it wasn’t signed, the Authenticode Signature Verification system provided that message. According to today’s bulletin, various components involved with the Authenticode system suffer from two security vulnerabilities. The flaws differ technically, but share the same general impact. By tricking one of your users into downloading and opening a specially crafted .EXE or .CAB file, an attacker could leverage either flaw to gain complete control of that user’s computer.
Microsoft rating: Critical.

  • MS10-025: Win2K Media Services Buffer Overflow Vulnerability

Windows 2000 (Win2k) ships with Windows Media Services to allow you to create a server for on-demand, streaming audio and video. Unfortunately, one of the Windows Media Services (the Unicast Service, nsum.exe) suffers from a buffer overflow vulnerability involving the way it handles specially malformed network packets. By sending a specially crafted packet to your Windows 2000 Media Server, an attacker could exploit this vulnerability to gain complete control of the machine. That said, Windows 2000 doesn’t enable the Windows Media Services by default. You are only vulnerable to this flaw if you’ve specifically enabled them.
Microsoft rating: Critical.

  • MS10-026: MP3 Codecs Buffer Overflow Vulnerability

MPEG Layer-3, otherwise known as MP3, is an audio encoding format used to compress audio for playback on digital devices, like computers. Windows ships with special codecs used to decode and play back MP3 audio within music files or videos. Windows’ MP3 codecs suffer from a buffer overflow vulnerability, involving their inability to handle specially crafted AVI movies with MP3 audio. By luring one of your users into downloading and playing a specially crafted AVI file, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Critical.

  • MS10-027: WMP Code Execution Vulnerability

Windows Media Player (WMP) is the audio and video player that ships with Windows. WMP also includes ActiveX controls that allow it to play back media hosted on websites. The WMP ActiveX control suffers from an unspecified code execution vulnerability having to do with how it handles specially crafted media hosted on a malicious website. By enticing one of your users to visit a website with an embedded video, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC. This vulnerability only affects WMP 9, which ships with Windows 2000 and XP.
Microsoft rating: Critical.

  • MS10-021: Multiple Windows Kernel Elevation of Privilege and DoS Vulnerabilities

The kernel is the core component of any computer operating system. The Windows kernel suffers from multiple Denial of Service (DoS) and elevation of privilege vulnerabilities. By running a specially crafted program, an attacker could leverage these flaws to either crash or lock up your computer, or to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws.
Microsoft rating: Important.

  • MS10-022: VBScript F1 Code Execution Vulnerability

VBScript, or Visual Basic Scripting, is a scripting language created by Microsoft, and used by Windows and its applications. VBScript suffers from a complex security flaw, involving the way it interacts with Windows Help files via Internet Explorer. The vulnerability only crops up when a victim presses the “F1” key while visiting a specially crafted web page. You can learn more about this previously unpatched vulnerability in a Wire post we released in early March. In short, if an attacker can lure one of your users to a malicious web page and trick them into pressing the “F1” key on that web page (perhaps by using a pop-up dialog that instructs the user to press that key for some trumped-up reason), he can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As usual, if your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Important.

  • MS10-029: IPv6 ISATAP Source Spoofing Vulnerability

The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an IPv6 transition mechanism designed to allow you to send IPv6 packets over an IPv4 network. The Windows ISATAP component suffers from a potential spoofing vulnerability. Essentially, the Windows TCP/IP stack doesn’t properly validate the source address for tunneled ISATAP packets. By sending specially crafted IPv6 packets, an attacker could leverage this flaw to impersonate or spoof another address on your network, potentially bypassing any address-based filters you employ on a firewall. However, this vulnerability only affects systems with the ISATAP interface configured, which significantly lowers risk.
Microsoft rating: Moderate.
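The source-address validation that the MS10-029 item says was missing can be illustrated with the generic decapsulation check from RFC 5214. This is an added example, not Microsoft's patch or code from the bulletin; the function names, the `router_list` parameter and the sample packets are hypothetical and constructed for illustration.

```python
import ipaddress

# RFC 5214 ISATAP interface identifiers: 0000:5EFE or 0200:5EFE, then the IPv4 address.
ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)


def embedded_ipv4(inner_ipv6_src):
    """Return the IPv4 address embedded in an ISATAP IPv6 address, else None."""
    iid = int(ipaddress.IPv6Address(inner_ipv6_src)) & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) not in ISATAP_IID_PREFIXES:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def check_isatap_source(outer_ipv4_src, inner_ipv6_src, router_list=()):
    """Decide whether a decapsulated packet's source addresses are consistent.

    router_list is a hypothetical stand-in for the configured ISATAP routers,
    which may legitimately forward packets from non-ISATAP sources.
    """
    outer = ipaddress.IPv4Address(outer_ipv4_src)
    if outer in {ipaddress.IPv4Address(r) for r in router_list}:
        return True, "outer source is a configured ISATAP router"
    inner = embedded_ipv4(inner_ipv6_src)
    if inner is None:
        return False, "inner source is not an ISATAP address"
    if inner != outer:
        return False, f"inner address embeds {inner}, outer source is {outer}"
    return True, "embedded IPv4 matches outer source"


# Constructed sample packets (documentation address ranges), not captured traffic.
SAMPLES = [
    ("192.0.2.10", "fe80::5efe:c000:20a"),                 # consistent
    ("198.51.100.7", "fe80::5efe:c000:20a"),               # spoofed inner source
    ("198.51.100.7", "2001:db8:0:1:200:5efe:c633:6407"),   # consistent, 0200:5EFE form
    ("192.0.2.10", "2001:db8::1"),                         # not an ISATAP address
]

if __name__ == "__main__":
    for outer, inner in SAMPLES:
        ok, why = check_isatap_source(outer, inner, router_list=("192.0.2.1",))
        print(f"{'ACCEPT' if ok else 'DROP  '} outer={outer} inner={inner}: {why}")
```

A filter that trusts the inner IPv6 source without this comparison is the kind of address-based control the item describes as bypassable.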

Microsoft also released an Exchange security bulletin today that describes vulnerabilities that also affect Windows itself. We will release details about those Windows and Exchange vulnerabilities in another alert to be published today.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-020:

  • Windows 2000
  • Windows XP
  • Windows XP x64
  • Windows Server 2003
  • Windows Server 2003 x64
  • Windows Server 2003 Itanium
  • Windows Vista
  • Windows Vista x64
  • Windows Server 2008
  • Windows Server 2008 x64
  • Windows Server 2008 Itanium
  • Windows 7
  • Windows 7 x64
  • Windows Server 2008 R2 x64
  • Windows Server 2008 R2 Itanium

MS10-019:

  • Windows 2000
    • Authenticode Signature Verification 5.1
    • Cabinet File Viewer Shell Extension 5.1
  • Windows XP
    • Authenticode Signature Verification 5.1
    • Cabinet File Viewer Shell Extension 6.0
  • Windows XP x64
    • Authenticode Signature Verification 5.1
    • Cabinet File Viewer Shell Extension 6.0
  • Windows Server 2003
    • Authenticode Signature Verification 5.1
    • Cabinet File Viewer Shell Extension 6.0
  • Windows Server 2003 x64
    • Authenticode Signature Verification 5.1
    • Cabinet File Viewer Shell Extension 6.0
  • Windows Server 2003 Itanium
    • Authenticode Signature Verification 5.1
    • Cabinet File Viewer Shell Extension 6.0
  • Windows Vista
    • Authenticode Signature Verification 6.0
    • Cabinet File Viewer Shell Extension 6.0
  • Windows Vista x64
    • Authenticode Signature Verification 6.0
    • Cabinet File Viewer Shell Extension 6.0
  • Windows Server 2008
    • Authenticode Signature Verification 6.0
    • Cabinet File Viewer Shell Extension 6.0
  • Windows Server 2008 x64
    • Authenticode Signature Verification 6.0
    • Cabinet File Viewer Shell Extension 6.0
  • Windows Server 2008 Itanium
    • Authenticode Signature Verification 6.0
    • Cabinet File Viewer Shell Extension 6.0
  • Windows 7
    • Authenticode Signature Verification 6.1
    • Cabinet File Viewer Shell Extension 6.1
  • Windows 7 x64
    • Authenticode Signature Verification 6.1
    • Cabinet File Viewer Shell Extension 6.1
  • Windows Server 2008 R2 x64
    • Authenticode Signature Verification 6.1
    • Cabinet File Viewer Shell Extension 6.1
  • Windows Server 2008 R2 Itanium
    • Authenticode Signature Verification 6.1
    • Cabinet File Viewer Shell Extension 6.1

MS10-025:

  • Windows 2000 Server

Note: This vulnerability does not affect any other versions of Windows

MS10-026:

  • Windows 2000
  • Windows XP
  • Windows XP x64
  • Windows Server 2003
  • Windows Server 2003 x64
  • Windows Vista
  • Windows Vista x64
  • Windows Server 2008
  • Windows Server 2008 x64

Note: This vulnerability does not affect any other versions of Windows

MS10-027:

  • Windows Media Player 9 for:
    • Windows 2000 Server
    • Windows XP
    • Windows XP x64

Note: This vulnerability does not affect any other versions of Windows

MS10-021:

  • Windows 2000
  • Windows XP
  • Windows XP x64
  • Windows Server 2003
  • Windows Server 2003 x64
  • Windows Server 2003 Itanium
  • Windows Vista
  • Windows Vista x64
  • Windows Server 2008
  • Windows Server 2008 x64
  • Windows Server 2008 Itanium
  • Windows 7
  • Windows 7 x64
  • Windows Server 2008 R2 x64
  • Windows Server 2008 R2 Itanium

MS10-022:

  • Windows 2000
    • VBScript 5.1
    • VBScript 5.6
    • VBScript 5.7
  • Windows XP
    • VBScript 5.6
    • VBScript 5.7
    • VBScript 5.8
  • Windows XP x64
    • VBScript 5.6
    • VBScript 5.7
    • VBScript 5.8
  • Windows Server 2003
    • VBScript 5.6
    • VBScript 5.7
    • VBScript 5.8
  • Windows Server 2003 x64
    • VBScript 5.6
    • VBScript 5.7
    • VBScript 5.8
  • Windows Server 2003 Itanium
    • VBScript 5.6
    • VBScript 5.7
  • Windows Vista
    • VBScript 5.7
    • VBScript 5.8
  • Windows Vista x64
    • VBScript 5.7
    • VBScript 5.8
  • Windows Server 2008


Filed Under: Security Bytes Tagged With: Microsoft, smb, wmp
