Microsoft addressed several critical media handling vulnerabilities, including a critical flaw in Windows Media Player that could be exploited remotely by attackers to gain access to critical files and take control of Windows machines.
The software giant issued 11 security bulletins, five critical, repairing 25 vulnerabilities across its product line.
One of several bulletins that should gain immediate attention is MS10-019, which addresses two vulnerabilities in Windows Authenticode Verification, a digital signature format used to verify the origin and integrity of software when it is installed on a machine. It is rated critical on all versions of Windows, including Windows 7. An attacker can exploit the vulnerabilities, tripping up the verification process to trick Windows users into thinking a malicious file is valid. Once the flaws are successfully exploited, an attacker can gain access and take complete control of a computer. The MS10-019 patch doesn't repair the specific vulnerabilities. Instead, it forces Windows to perform additional verification steps when signing and verifying a software executable or cabinet file.
The flaws enable a savvy attacker to trick the verification system and impersonate a legitimate signature signed by Adobe Systems or another software vendor, said Wolfgang Kandek, chief technology officer of vulnerability management vendor Qualys Inc.
"If you combine these two vulnerabilities you can basically pass off an executable to install that's been signed by whomever you want to impersonate," Kandek said. "If I figure out the two stage exploit, I could then distribute signed malicious files that people could rightfully say they trusted the signature."
Critical media flaws pose risk of drive-by attacks
A bulletin repairing a flaw in Microsoft MPEG Layer-3 audio codecs also should rate high on the priority list, according to Jerry Bryant, senior security communications manager for the Microsoft Security Response Center. MS10-026 addresses an audio decoder stack overflow vulnerability. It is rated critical for Windows 2000, Windows XP, Windows Server 2003 and 2008. The flaw leaves machines vulnerable to an attack if a user attempts to open a malicious AVI file containing an MPEG Layer-3 audio stream.
"The vulnerability could be triggered simply by visiting a web page hosting a specially crafted AVI file that began streaming when the page loads," Bryant wrote on the MSRC blog.
Bryant said Windows administrators should also pay close attention to MS10-027, a vulnerability in Windows Media Player. The bulletin is rated critical for Windows Media Player 9 Series running on Windows 2000 and Windows XP machines. The error, a remote code execution vulnerability in the Windows Media Player ActiveX control, can be exploited by an attacker who gets the user to browse to a website hosting malicious media content.
Qualys' Kandek said exploits for similar vulnerabilities are very common. A person could be attacked by visiting a legitimate website, he said.
"The best defense is to keep updated on the latest patches, the latest drivers and components," Kandek said.
Microsoft also closed out two known issues. Bryant said there have not been any active attacks against the issues. MS10-020 repairs a publicly known vulnerability in the Server Message Block (SMB) protocol, which handles communication between devices on a network. The bulletin addresses several other SMB flaws and is rated critical for SMB running on all versions of Windows. Microsoft said the patch fixes how the SMB client handles protocol responses, allocates memory and validates fields within the SMB response. If successfully exploited, the flaws can enable an attacker to gain access to a machine.
MS10-022 patches an issue in how VBScript interacts with Windows Help files. The flaw could allow an attacker to run arbitrary code by tricking a user into browsing to a malicious Web page and pressing the F1 key to access Windows Help files in Internet Explorer. The bulletin is rated important and affects Windows 2000, Windows XP and Windows Server 2003.
A critical vulnerability in Windows Media Services running on the Windows 2000 Server was addressed in Bulletin MS10-025. The remote code execution vulnerability can be exploited if an attacker sends a malicious transport information packet to a Windows 2000 server system running Windows Media Services, Microsoft said.
Also repaired were several vulnerabilities in the Windows Kernel. MS10-021 is rated important and affects all versions of Windows. The flaws affect how the kernel verifies registry keys and also include a number of different memory errors. A vulnerability in Microsoft Office Publisher was also repaired in MS10-023. It affects Office Publisher 2002, 2003 and 2007. The buffer overflow vulnerability could be exploited to enable an attacker to gain the same user rights as the victim, Microsoft said.
Other Microsoft Bulletins:
MS10-024 is rated important and repairs a vulnerability in Microsoft Exchange and Windows SMTP Service. MS10-028 fixes a vulnerability rated important in Microsoft Office Visio. Bulletin MS10-029 repairs a Windows error rated moderate for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Microsoft said the flaw enables an attacker to spoof an IPv4 address to bypass filtering devices that rely on the source IPv4 address.