Patch Tuesday

Exploit code for the the zero-day vulnerability in Internet Explorer has been added to the Metasploit framework. According to an email HD Moore wrote to ZDNet’s Ryan Naraine, the exploit works quite reliable – successful 50% of the times on Windows XP with SP2 and SP3 with IE7 and deactivated Data Execution Prevention (DEP). The security hole got reported yesterday on Microsoft’s March 2010 Patch Tuesday. Drive-by-Download-Exploits are likely to appear now as the Metasploit framework is open source and the exploit can now be abused even by script kiddies. Time to change the default browser – Microsoft just released a new browser choice screen which allows for exactly that!

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly quiet month—the vendor is releasing two bulletins covering a total of eight vulnerabilities. All of the issues are rated “Important” this month: seven affecting Office/Excel and one affecting Movie Maker and Producer. All of the issues are file-based remote code-execution vulnerabilities in the context of the currently logged-in user. Microsoft also released a security advisory (981374) today regarding a publicly disclosed vulnerability affecting Internet Explorer 6 and 7. Limited, targeted attacks exploiting this issue have been detected in the wild. ...

Microsoft has issued an advance notification for Patch Tuesday next week. The company said it expects to issue two patches, one for Windows and one for Office. Both are intended to patch vulnerabilities that could allow remote code execution and both are rated “important.” Microsoft Security Bulletin Advance Notification for March 2010 here.

Security blogger Brian Krebs is reporting that some Windows XP users are reporting blue screen of death on reboot after installing Microsoft’s Tuesday patch KB977165 (MS010–15: “Vulnerabilities in Windows kernel could allow elevation of privilege.”) “Turns out, a non-trivial number of XP users are reporting that their systems suffer from the dreaded Blue Screen of Death (BSoD) and fall into an interminable reboot loop after installing the latest batch of patches from Redmond,” ...

Microsoft has said it will issue an out-of-band patch today for critical vulnerabilities in Internet Explorer that allow remote execution of code. The company said yesterday it would not wait until the February “Patch Tuesday” to fix the vulnerabilities. The much discussed “Aurora” vulnerabilities in IE have been held at least partially responsible for cyber attacks on Google and more then two dozen other major companies. The attacks on Google were aimed at Gmail accounts of dissidents and Google’s source code. The attacks on the other companies were aimed at stealing intellectual property. ...

This Black Tuesday was different as anticipated – Microsoft releases only one security bulletin, but other companies “jumped in” and deliver updates now as well. For the windows operating systems, only one Security Bulletin was released. MS10-001 deals with a vulnerability in the decompression routines of the Embeded OpenType Font Engine. This means that especially in Windows 2000, programs like Internet Explorer, Word or PowerPoint for example which render EOT fonts can put the system at risk when viewing manipulated contents. In newer operating systems the flawed code is used differently so that Microsoft assumes that it isn’t exploitable there. ...

There has been extensive news coverage this week of Adobe’s plans for ramped-up security in its popular Reader, Acrobat and Flash Player applications, especially the Reader and Acrobat updates promised next week. A vulnerability that was publicized in December in Reader and Acrobat allows an attacker to execute arbitrary code with a specially crafted PDF file using ZLib compressed streams. In a short time, proof-of-concept code was made public. In the past week, anti-virus companies began intercepting malicious .pdf files that exploit the vulnerability to install a back door on victims’ machines. ...

It’s the second Tuesday of the month and there are important updates being released. From Microsoft, of course, but also from Adobe. There’s a critical security issue in Adobe Flash Player 10.0.32.18 and earlier. It’s important that organizations deploy these updates before the Christmas holiday reduces IT staffing. Fortunately, this patch cycle is as early as can be landing on the 8th so there’s still time to test and deploy. ...