Microsoft has released a total of 13 bulletins for its first heavy Patch Tuesday of 2010.
After releasing only one patch in January, Microsoft is addressing 26 vulnerabilities this month, including five critical problems. This marks the third release for 2010, after the company was forced to release an out-of-band patch to cover the widely-publicised vulnerability in Internet Explorer last month.
Jason Miller, data and security team leader at Shavlik Technologies, commented that the size of this release is not uncommon, as historically Microsoft has had a light January followed by a large patch release in February.
He claimed that there are three bulletins that administrators should address right away: MS10-006, 007 and 013. Speaking on MS10-006, Miller said: “This fixes two vulnerabilities in the server message block (SMB) networking service that affects all supported operating systems. Visiting a malicious website that makes a file sharing connection can result in remote code execution.”
Matthew Walker, regional director of the UK & Ireland at Lumension, also commented on this, saying: “This bulletin contains a very concerning vulnerability (CVE-2010-0017) in the SMB Protocol. A specially crafted SMB packet can enable a hacker to take complete control of the machine and execute arbitrary code, with no need for any level of authentication on the computer.
“Even more concerning is that Microsoft rates this vulnerability as a ‘1' on its exploitability index, which is interpreted as ‘consistent exploit code likely'. However, Microsoft states that an alternative denial-of-service attack may be more probable through this vulnerability.”
Meanwhile Joshua Talbot, security intelligence manager at Symantec Security Response, said that the ‘SMB server pathname overflow vulnerability tops my list this month'.
He said: “Server-side vulnerabilities aren't too common anymore, but they are a golden goose for attackers when they are discovered. With this one, if an attacker can find a vulnerable remote server that has a guest account set up, just like that, they've got access to the machine and possibly the entire local network—all without any user involvement required.”
Moving on to MS10-007, Miller said that this fixes a vulnerability in the Windows Shell handler that affects Windows 2000, XP and 2003 operating systems. He said: “Visiting a specially crafted website can result in remote code execution. This vulnerability will more than likely be exploited in the near future as malicious websites are an extremely common attack vector for vulnerabilities.”
Talbot said: “This patch covers a vulnerability in the ShellExecute API function that a remote hacker could exploit to execute code on the computer. Microsoft also rates the associated CVE (CVE-2010-0027) as a ‘1' on its exploitability index.
“A high exploitability index associated with a vulnerability in a shell-oriented API is sure to earn this vulnerability close intense scrutiny by the hacker community. Microsoft also recommends prioritising MS10-008 and MS10-015.”
The MS10-013 patch addresses a vulnerability in Microsoft DirectShow where a specially crafted AVI file leads to remote execution of hacker code.
Walker said: “This vulnerability is rated as a ‘critical' across all currently supported Microsoft Windows platforms, including Windows' most recently released platforms Windows 7 and Windows Server 2008 R2. The resulting required reboot of all Windows computers in an organisation could mean significant disruption in workplace productivity.”
Miller said: “Opening a specially crafted media file, AVI, can result in remote code execution. It is important to note that some operating systems may require multiple patches from this bulletin to fix the vulnerability. Media files are commonly sent and downloaded, so this vulnerability could affect many users.”
Wolfgang Kandek, CTO of Qualys, agreed that MS10-006 and 013 were highest on his list to apply, while 007 and 008 should be taken seriously. Focussing on patch MS10-012, Kandek said: “This is a bulletin for SMB that server administrators should focus on. It allows a malicious, unauthenticated party to launch a remote denial-of-service attack. In addition remote authenticated clients can execute code using another flaw addressed in the bulletin.”
He also commented on MS10-010 as it ‘addresses an interesting vulnerability' in the hypervisor of Windows 2008.
He said: “This virtualisation vulnerability allows a guest operating system to crash the host operating system, affecting all virtual machines running on the same physical host. Virtualisation is increasingly used in corporate IT environments and in cloud computing initiatives and we see this class of vulnerability gaining importance.”
Microsoft also offered two bulletins for its Office platform, both rated as important.
Kandek said: “While the newest version of Office for Windows, Office 2007, is not affected, users of all other versions, including on Mac OS X should update as quickly as possible because file-based vulnerabilities have been a favourite of attackers in the last year.”