Microsoft corrected critical flaws in its Server Message Block (SMB), issued kill-bits to block browser components containing ActiveX flaws and addressed nearly two-dozen other vulnerabilities in its Patch Tuesday updates.
The software giant issued 13 bulletins, five rated critical, fixing 26 vulnerabilities across nearly all facets of its product line.
Microsoft SMB client and server vulnerabilities
Two high-priority vulnerabilities in the Microsoft Server Message Block, a protocol that handles communication between network devices, were addressed in Microsoft bulletin MS10-006. The remote code execution vulnerabilities exist on SMB clients and could be exploited by an attacker if they convince a user to initiate a connection with a malicious SMB server. The update is rated critical for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows 7 and Windows Server 2008 R2; it is rated important for Windows Vista and Windows Server 2008.
In addition to the SMB client-side flaws, Microsoft repaired four SMB server component vulnerabilities in security bulletin MS10-0012. The bulletin addresses how the SMB validates SMB requests at the server. The errors result in memory corruption issues and buffer overflow conditions that could enable an attacker to execute code remotely. Though the holes exist, Microsoft said standard default firewall configurations should mitigate the threat of an attack, giving the bulletin an important rating. .
IE update, ActiveX kill-bits
Microsoft also issued another update for users of Internet Explorer on Windows 2000, Windows XP, and Windows Server 2003. Security bulletin MS10-007 repairs a URL validation vulnerability in the Windows Shell Handler. Shell handlers enable developers to use APIs to create dynamic objects, such as file submenus. The bulletin is an update to the emergency out-of-band release that corrected eight vulnerabilities in IE. Users of the older operating systems are required to deploy the update which blocks the vulnerability on the OS rather than the browser.
Microsoft also addressed ongoing ActiveX control issues, issuing a kill-bit that blocks a remote code execution vulnerability in the Microsoft Data Analyzer ActiveX control. MS10-008 prevents attackers from loading the vulnerable ActiveX control in Internet Explorer. As part of the bulletin, Microsoft also issued kill-bits blocking four vulnerable third-party ActiveX controls from running. Once deployed, the registry setting prevents vulnerable ActiveX controls for Google Desktop, Symantec WinFax Pro, PandaActiveScan Installer and Facebook Photo Updater from running in IE.
"This is a mitigation technique, which should be fairly easy for customers to install," said Amol Sarwate, manager of the the vulnerability research lab at vulnerability management vendor Qualys Inc, based in Redwood Shores, Calif. "The vulnerable component remains on the system. It's just being prevented from being loaded in the browser."
Windows TCP/IP handling flaws
Microsoft also addressed four networking remote code vulnerabilities in Microsoft Windows. Microsoft bulletin MS10-009 addresses Windows TCP/IP packet handling errors. An attacker could create malicious ICMPv6 router packets to a system with IPv6 enabled. The attack could enable a hacker to install programs, delete data or create new accounts with full user rights. The update is rated critical for users of Windows Vista and Windows Server 2008.
Critical media file handling vulnerablities
A vulnerability in the way Microsoft DirectShow streams an AVI video file could be exploited to take complete control of a system. Microsoft said the update, MS10-010 is rated important for x64-based editions of Windows Server 2008 and Windows Server 2008 R2. The exploit the flaw, an attacker must have valid logon credentials to log on locally into a guest virtual machine. A DoS condition could affect up to 10 virtual machines, since a hypervisor is the central component that runs them, said Qualys' Sarwate. With more organizations using Hyper-V, the virtualization feature in Windows Server 2008, future Microsoft patch releases could contain additional updates to the software, Sarwate said.
Windows kernel error
An update to the Windows kernel repairs a reportedly 17-year-old vulnerability in all 32-bit versions of Windows. Microsoft said MS10-015 repairs a flaw that could allow elevation of privilege if an attacker logged on to the system and then ran a specially crafted application. It addresses the kernel exception handling error addressed in an advisory issued Jan. 20. The bulletin is rated important for all Windows versions.
"We are aware of publicly available proof-of-concept code for this issue, but are not aware of any active attacks at this time," said Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC).
In addition, Microsoft addressed a vulnerability affecting versions of Microsoft Office XP and Office for Mac 2004. MS10-004 addresses six vulnerabilities in Microsoft Office PowerPoint for users of Microsoft Office XP and Microsoft Office 2003. Microsoft said the vulnerabilities could allow remote code execution if a user opens a malicious PowerPoint file.
Also, MS10-011 addresses a vulnerability in Microsoft Windows Client/Server Run-time Subsystem (CSRSS). It affects users of Windows 2000, Windows XP and Windows Server 2003 systems. An attacker would need valid logon credentials and be able to log on locally to exploit the vulnerability, Microsoft said.
MS10-005 addresses a vulnerability in Microsoft Paint that could result in remote code execution if a person opens a malicious JPG file in the program. The issue is rated important for users of Microsoft Paint on Microsoft Windows 2000, Windows XP and Windows Server 2003.