Hello and welcome to this month’s blog on the Microsoft patch release. This is another large release —the vendor is releasing 17 bulletins covering a total of 40 vulnerabilities.
Eight of the issues are rated ‘Critical’ and they affect Internet Explorer and the OpenType Font (OTF) format driver. The remainder of the issues are rated ‘Important’ or ‘Moderate’ and affect Publisher, Office, SharePoint, Windows, Windows kernel, Exchange, and Hyper-V. Included in this patch release is a fix for the last of the vulnerabilities Stuxnet was exploiting, the Windows Task Scheduler issue.
As always, customers are advised to follow these security best practices:
- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.
Microsoft’s summary of the December releases can be found here:
http://www.microsoft.com/technet/security/bulletin/ms10-dec.mspx
The following is a breakdown of the ‘Critical’ bulletins being addressed this month:
1. MS10-090 Cumulative Security Update for Internet Explorer (2416400)
CVE-2010-3340 (BID 45255) Microsoft Internet Explorer Uninitialized Object CVE-2010-3340 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 6 and 7
CVE-2010-3342 (BID 45256) Microsoft Internet Explorer CVE-2010-3342 Cross Domain Information Disclosure Vulnerability (MS Rating: Moderate / Symantec Rating: 5.7/10)
A cross-domain information-disclosure vulnerability affects Internet Explorer because it incorrectly allows cached content to be rendered as HTML across domains. An attacker can exploit this issue by tricking an unsuspecting victim into visiting a Web page containing malicious content. A successful exploit will result in the disclosure of potentially sensitive information. Information obtained may aid in further attacks. Affects: Internet Explorer 6, 7, and 8
CVE-2010-3343 (BID 45259) Microsoft Internet Explorer Uninitialized Object CVE-2010-3343 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 6
CVE-2010-3345 (BID 45260) Microsoft Internet Explorer Uninitialized HTML Element CVE-2010-3345 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 8
CVE-2010-3346 (BID 45261) Microsoft Internet Explorer Uninitialized HTML Element CVE-2010-3346 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 6, 7, and 8
CVE-2010-3348 (BID 45263) Microsoft Internet Explorer CVE-2010-3348 Cross Domain Information Disclosure Vulnerability (MS Rating: Moderate / Symantec Rating: 5.7/10)
A cross-domain information-disclosure vulnerability affects Internet Explorer because it incorrectly allows cached content to be rendered as HTML across domains. An attacker can exploit this issue by tricking an unsuspecting victim into visiting a Web page containing malicious content. A successful exploit will result in the disclosure of potentially sensitive information. Information obtained may aid in further attacks. Affects: Internet Explorer 6, 7, and 8
CVE-2010-3962(BID 44536) Microsoft Internet Explorer CSS Tags Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.3/10)
A previously public (Nov 3, 2010), remote code-execution vulnerability affects Internet Explorer when storing a certain combination of Cascading Style Sheet (CSS) tags, resulting in a use-after-free condition. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 6, 7, and 8
2. MS10-091 Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Remote Code Execution (2296199)
CVE-2010-3956 (BID 45311) Microsoft Windows OpenType Font (OTF) Driver Invalid Array Index Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)
A remote code execution vulnerability affects the Windows OpenType Font (OTF) format driver when handling specially crafted OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page, previewing an email, or opening a file containing malicious fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in kernel-mode; this may facilitate a complete compromise of an affected computer. Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based systems, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit systems, Windows Server 2008 for 32-bit systems SP2, Windows Server 2008 for x64-based systems, Windows Server 2008 for x64-based systems SP2, Windows Server 2008 for Itanium-based systems, Windows Server 2008 for Itanium-based systems SP2, Windows 7 for 32-bit systems, Windows 7 for x64-based systems, Windows Server 2008 R2 for x64-based systems, Windows Server 2008 R2 for Itanium-based systems
CVE-2010-3957 (BID 45315) Microsoft Windows OpenType Font (OTF) Driver Double-Free Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)
A remote code-execution vulnerability affects the Windows OpenType Font (OTF) format driver when handling specially crafted OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page, previewing an email, or opening a file containing malicious fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in kernel-mode; this may facilitate a complete compromise of an affected computer. Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based systems, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit systems, Windows Server 2008 for 32-bit systems SP2, Windows Server 2008 for x64-based systems, Windows Server 2008 for x64-based systems SP2, Windows Server 2008 for Itanium-based systems, Windows Server 2008 for Itanium-based systems SP2, Windows 7 for 32-bit systems, Windows 7 for x64-based systems, Windows Server 2008 R2 for x64-based systems, Windows Server 2008 R2 for Itanium-based systems
CVE-2010-3959 (BID 45316) Microsoft Windows OpenType Font (OTF) Driver CMAP Table Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)
A remote code-execution vulnerability affects the Windows OpenType Font (OTF) format driver when handling specially crafted OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page, previewing an email, or opening a file containing malicious fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in kernel-mode; this may facilitate a complete compromise of an affected computer. Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based systems, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit systems, Windows Server 2008 for 32-bit systems SP2, Windows Server 2008 for x64-based systems, Windows Server 2008 for x64-based systems SP2, Windows Server 2008 for Itanium-based systems, Windows Server 2008 for Itanium-based systems SP2, Windows 7 for 32-bit systems, Windows 7 for x64-based systems, Windows Server 2008 R2 for x64-based systems, Windows Server 2008 R2 for Itanium-based systems
More information on these and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.