Thursday 11 February 2010

Patch Tuesday: February 2010

With this February Microsoft Patch Tuesday Security Update, we see a significant security update with thirteen patches. Five patches were rated as Critical, nine updates were rated as Important and one patch was rated as Moderate. Also worth noting: all patches released this month will most likely require a reboot of the target system.
In addition, the ChangeBASE AOK Patch Impact team has updated the sample application database, which now contains more than 2000 unique application packages. All of the applications in this large sample application portfolio are analysed for application-level conflicts with Microsoft Security Updates and for potential dependencies, or down-level conflicts.
Based on the results of our AOK Application Compatibility Lab, only one patch will have a moderate impact on a standard application portfolio: MS10-003 Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution. The following snapshot image shows some of the results from our AOK Software, demonstrating some of the potential impacts on the OSP application package.

MS10-003 Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution



Testing Summary
  • MS10-003 : "Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214)"
  • MS10-004 : "Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)"
  • MS10-005 : "Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)"
  • MS10-006 : "Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)"
  • MS10-007 : "Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)"
  • MS10-008 : "Cumulative Security Update of ActiveX Kill Bits (978262)"
  • MS10-009 : "Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)"
  • MS10-010 : "Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)"
  • MS10-011 : "Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)"
  • MS10-012 : "Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)"
  • MS10-013 : "Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)"
  • MS10-014 : "Vulnerability in Kerberos Could Allow Denial of Service (977290)"
  • MS10-015 : "Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)"


Patch Name | Total Issues / Matches Affected | Reboot | Rating | RAG
Microsoft Security Bulletin MS10-003 | 312% | YES | Moderate impact and negligible testing profile | Yellow
Microsoft Security Bulletin MS10-004 | 231% | YES | Marginal impact and negligible testing profile | Yellow
Microsoft Security Bulletin MS10-005 | <1% / <1% | YES | Marginal impact and negligible testing profile | Green
Microsoft Security Bulletin MS10-006 | <1% / <1% | YES | Marginal impact and negligible testing profile | Green
Microsoft Security Bulletin MS10-007 | <1% / <1% | YES | Marginal impact and negligible testing profile | Green
Microsoft Security Bulletin MS10-008 | <1% / <1% | YES | Marginal impact and negligible testing profile | Green
Microsoft Security Bulletin MS10-009 | <1% / <1% | YES | Marginal impact and negligible testing profile | Green
Microsoft Security Bulletin MS10-010 | <1% / <1% | YES | Marginal impact and negligible testing profile | Green
Microsoft Security Bulletin MS10-011 | <1% / <1% | YES | Marginal impact and negligible testing profile | Green
Microsoft Security Bulletin MS10-012 | <1% / <1% | YES | Marginal impact and negligible testing profile | Green
Microsoft Security Bulletin MS10-013 | <1% / <1% | YES | Marginal impact and negligible testing profile | Green
Microsoft Security Bulletin MS10-014 | <1% / <1% | YES | Marginal impact and negligible testing profile | Green
Microsoft Security Bulletin MS10-015 | <1% / <1% | YES | Marginal impact and negligible testing profile | Green

Legend:
No Issue: No Issues Detected
Fixable: Potentially fixable application Impact
Serious: Serious Compatibility Issue

Security Update Detailed Summary
MS10-003: Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution
Description: This security update resolves a privately reported vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: ietag.dll, Mso.dll
Impact: Important – Remote Code Execution

MS10-004: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution
Description: This security update resolves six privately reported vulnerabilities in Microsoft Office PowerPoint. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Powerpnt.exe, Pp7x32.dll, Pptview.exe
Impact: Important – Remote Code Execution

MS10-005: Vulnerability in Microsoft Paint Could Allow Remote Code Execution
Description: This security update resolves a privately reported vulnerability in Microsoft Paint. The vulnerability could allow remote code execution if a user viewed a specially crafted JPEG image file using Microsoft Paint. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Mspaint.exe
Impact: Moderate – Remote Code Execution

MS10-006: Vulnerabilities in SMB Client Could Allow Remote Code Execution
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a malicious SMB server.
Payload: Mrxsmb.sys, Rdbss.sys, Sp3res.dll
Impact: Critical - Remote Code Execution

MS10-007: Vulnerability in Windows Shell Handler Could Allow Remote Code Execution
Description: This security update resolves a privately reported vulnerability in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not impacted by this security update. The vulnerability could allow remote code execution if an application, such as a Web browser, passes specially crafted data to the ShellExecute API function through the Windows Shell Handler.
Payload: Shlwapi.dll
Impact: Critical - Remote Code Execution

MS10-008: Cumulative Security Update of ActiveX Kill Bits
Description: This security update addresses a privately reported vulnerability for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000 and Windows XP, Important for all supported editions of Windows Vista and Windows 7, Moderate for all supported editions of Windows Server 2003, and Low for all supported editions of Windows Server 2008 and Windows Server 2008 R2. The vulnerability could allow remote code execution if a user views a specially crafted Web page that instantiates an ActiveX control with Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.
Payload: Registry Keys Only
Impact: Critical - Remote Code Execution

MS10-009: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution
Description: This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if specially crafted packets are sent to a computer with IPv6 enabled. An attacker could try to exploit the vulnerability by creating specially crafted ICMPv6 packets and sending the packets to a system with IPv6 enabled. This vulnerability may only be exploited if the attacker is on-link.
Payload: Tcpipreg.sys, Tcpipreg.sys, Netio.sys, Netio.sys, Netio.sys, Bfe.dll, Fwpkclnt.sys, Fwpuclnt.dll, Ikeext.dll, Wfp.mof, Wfp.tmf, Bfe.dll, Fwpkclnt.sys, Fwpuclnt.dll, Ikeext.dll, Wfp.mof, Wfp.tmf, Tcpip.sys, Tcpip.sys, Tcpip.sys, Tcpip.sys, Netiomig.dll, Netiougc.exe, Tcpip.sys, Tcpipcfg.dll, Netiomig.dll, Netiougc.exe, Tcpip.sys, Tcpipcfg.dll
Impact: Critical - Remote Code Execution

MS10-010: Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service
Description: This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a malformed sequence of machine instructions is run by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to log on locally into a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Payload: Vid.sys
Impact: Important – Denial of Service

MS10-011: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Description: This security update resolves a privately reported vulnerability in Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not affected. The vulnerability could allow elevation of privilege if an attacker logs on to the system and starts a specially crafted application designed to continue running after the attacker logs out. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
Payload: Csrsrv.dll
Impact: Important – Elevation of Privilege

MS10-012: Vulnerabilities in SMB Server Could Allow Remote Code Execution
Description: This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.
Payload: Srv.sys
Impact: Important – Remote Code Execution

MS10-013: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
Description: This security update resolves a privately reported vulnerability in Microsoft DirectShow. The vulnerability could allow remote code execution if a user opened a specially crafted AVI file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Avifil32.dll, Mciavi32.dll, Msrle32.dll, Msvidc32.dll, Tsbyuv.dll
Impact: Critical – Remote Code Execution

MS10-014: Vulnerability in Kerberos Could Allow Denial of Service
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow a denial of service if a specially crafted ticket renewal request is sent to the Windows Kerberos domain from an authenticated user on a trusted non-Windows Kerberos realm. The denial of service could persist until the domain controller is restarted.
Payload: Kdcsvc.dll
Impact: Important – Denial of Service

MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
Description: This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on to the system and then ran a specially crafted application. To exploit either vulnerability, an attacker must have valid logon credentials and be able to log on locally. The vulnerabilities could not be exploited remotely or by anonymous users.
Payload: Mup.sys, Ntkrnlmp.exe, Ntkrnlpa.exe, Ntkrpamp.exe, Ntoskrnl.exe
Impact: Important – Elevation of Privilege


*All results are based on an AOK Application Compatibility Lab’s test portfolio of over 1,000 applications.