The Microsoft Security Response Center (MSRC)
June 2010 Security Bulletin Advance Notification
Today we published our advance notification for the June security bulletin release, scheduled for release next Tuesday, June 8. This month’s release includes ten bulletins addressing 34 vulnerabilities.
* Six of the bulletins affect Windows; of those, two carry a Critical severity rating and four are rated Important.
* Two bulletins, both with a severity rating of Important, affect Microsoft Office.
* One bulletin, again with a severity rating of Important, affects both Windows and Office.
* One bulletin, with a severity rating of Critical, affects Internet Explorer.
As ever, we recommend that customers prepare for the testing and deployment of these bulletins as soon as possible.
We will also be acting on two Security Advisories this month.
* We are closing Security Advisory 983438 (Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege) with the June bulletins.
* We are also addressing Security Advisory 980088 (Vulnerability in Internet Explorer Could Allow Information Disclosure).
Please join Adrian Stone and me for a public webcast on Wednesday next week where we will go into detail about the bulletins and answer questions live on the air. Register at the link below:
Date: Wednesday June 9
Time: 11:00 a.m. PDT (UTC -7)
Update 2 - Information on exploits and vulnerabilities associated with the June 2010 Microsoft patches.
It looks like http://www.microsoft.com/technet/security/bulletin/MS10-033.mspx is the most critical for both servers and workstations. It is flagged as critical almost across the board, regardless of OS from 2000 forward. While no known exploits now exist, some are expected within the next 30 days. The vulnerability can be exploited when a user visits a specially crafted web page or opens a malicious AVI file using Media Player.
Patch http://www.microsoft.com/technet/security/bulletin/ms10-034.mspx seems to be mostly for workstations running 2000/XP/Vista and Win 7. It is flagged as critical for all those OSs but only moderate from a server OS perspective. MS10-034 is an update for the ActiveX kill bits that prevent code execution of the ActiveX controls from the following organizations.
This update includes kill bits to prevent the following ActiveX controls from being run in Internet Explorer:
• Danske Bank has requested a kill bit for an ActiveX control, Danske eSec. If you have any questions or concerns regarding the Danske eSec ActiveX control, please contact Danske Bank. The class identifier (CLSID) for this ActiveX control is:
• CA has released a security advisory regarding an ActiveX control, PSFormX in the Pest Scan product. Please see the security bulletin from CA for more information. This kill bit is being set at the request of the owner of the ActiveX control. The class identifier (CLSID) for this ActiveX control is:
• Eastman Kodak Company has requested a kill bit for the ActiveX control for the “Ofoto Upload Manager / Kodak Gallery Easy Upload Manager ActiveX Control”. Eastman Kodak Gallery has provided the following page to provide a variety of upload options: http://www.kodakgallery.com/gallery/photo-service/upload-photos.jsp. The replacement control for the control for which the kill bit is being set in this update can be found here: http://classic.kodakgallery.com/UploadChoicesAll.jsp. If you have any questions or concerns regarding this kill bit, please contact Kodak Gallery at http://www.kodakgallery.com/gallery/footerLinksContent.jsp?pageID=600002. The class identifiers (CLSID) for this ActiveX control are:
• Avaya has requested a kill bit for CallPilot Unified Messaging. If you have any questions or concerns regarding the kill bit for CallPilot Unified Messaging, please contact Avaya security at email@example.com. The class identifier (CLSID) for this ActiveX control is:
Patch http://www.microsoft.com/technet/security/bulletin/ms10-035.mspx is for Internet Explorer, and it is flagged as critical only for 2000 SP4, XP SP2 and SP3, Vista and Win 7.
In short, I would really watch what your servers are used for (nothing new here), web browsing in particular, until you have applied MS10-033, and try to apply MS10-034 and MS10-035 to your workstations as soon as possible. I am sending this from my workstation which I have applied all patches to – with no anomalies as of this time.
Update 3 - Is MS10-032 a critical or important exposure?
Depending on what you read, the Win32K.sys driver vulnerability (http://www.microsoft.com/technet/security/Bulletin/MS10-032.mspx) is either critical (as documented on ISC.sans.org) or important (classified by Microsoft). In short, I seem to be inclined to believe Microsoft in this instance. And here is why.
NOTE, the user already has to have local access to be able to even attempt to elevate privileges. But, just to be safe, I would still try to get this deployed on servers by this weekend.
Bulletin - MS10-032 (kernel drivers)
Most likely attack vector
Attacker already running code with low privileges on a vulnerable machine runs a malicious EXE to elevate to a higher privilege level.
Max Bulletin Severity
Max Exploitability Index Rating
Likely first 30 days impact
Likely to see an exploit released able to elevate from a low privileged user on the box to a higher privilege.
More info from –
MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
Today we released a security update rated Important for CVE-2010-1255 in MS10-032. This vulnerability affects the win32k.sys driver. This blog post provides more information about this vulnerability that can help with prioritizing the deployment of updates this month.
What’s the risk?
A local attacker could write a custom user-mode attack application that passes a bad buffer to win32k.sys’s GetGlyphOutline while retrieving font information. This could be an attempt to cause memory corruption with the end goal of running code in ring 0 — a classic local Elevation-of-Privilege vulnerability.
If a regular, known-good application failed to properly request the length of the buffer when calling this API, that application might expose a different code execution attack vector to this vulnerability. Fortunately, default installations of Windows are not at risk because the API is properly used in Microsoft applications. If a third-party application inadvertently used this function incorrectly, this security update will protect any attack vector exposed by that application as well. In that light, the deployment priority of this update may need to be adjusted accordingly.
How difficult is this to exploit?
Due to a validation statement in the write loop, the attacker cannot write data of arbitrary length beyond the allocated buffer; the overwrite length is approximately 0x10 bytes. Getting all of the data in the right place at the right time to gain code execution can be quite unreliable and as a result we gave it an Exploitability Index rating of 2. We do not expect to see reliable exploit code within the next 30 days.