Security Alert by Paul Henry, Security and Forensic Analyst, Lumension
Microsoft has released two security bulletins this month, MS10-030 and MS10-031, addressing one vulnerability each in Microsoft Windows and Microsoft Office. Both bulletins carry a maximum severity rating of Critical, so both demand high-priority deployment across the enterprise.
MS10-030 resolves one vulnerability in Outlook Express, Windows Mail and Windows Live Mail and is rated Critical on Windows 2000, XP, Vista, Server 2003 and Server 2008. On Windows 7 and Windows Server 2008 R2 it is rated Important, and only where an affected mail client has been installed, since neither of those releases ships with a mail client by default. Deployment of the patch requires a restart and hence could impact production systems.
MS10-031 resolves one vulnerability in Microsoft Visual Basic for Applications (VBA). It is rated Critical for the Microsoft VBA SDK 6.0 and for third-party applications that use Microsoft VBA, and Important for Office XP, Office 2003 and Office 2007. Deployment of the patch may require a restart and hence could impact production systems.
As noted in our pre-release commentary, no patch has yet been made available for the SharePoint vulnerability; Microsoft is directing users to Security Advisory 983438 for workarounds pending the release of a patch.
Other software affected this Patch Tuesday:
Safari Vulnerability Impacts Windows Users
A new Safari vulnerability that affects Windows users remains unpatched, and proof-of-concept (PoC) code is freely downloadable on the Internet. The biggest concern here is that Safari is often installed silently when a user chooses to install QuickTime on a Windows PC, so many users will not know that they are in fact exposed to this issue.
In typical drive-by-malware fashion, if a user is tricked into visiting a specially crafted website the attacker may be able to execute arbitrary code on the user's machine.
In my own testing, only 25 out of 41 antivirus products correctly identified the PoC code as malicious: http://bit.ly/db7oVT.
New Antivirus / Security Suite Issue
A new form of attack bypasses the vast majority of antivirus (AV) and related security products. Any product that hooks the kernel-level System Service Descriptor Table (SSDT) to inspect system calls is exposed. The hook reads a call's arguments from user memory to check them, but the kernel service it wraps reads those arguments again afterwards; malware that hands the hook benign arguments and then, from a second thread, swaps in malicious ones during that window gets its request past the check (a time-of-check-to-time-of-use race), letting it simply bypass your defensive software. In an article from InformationWeek http://www.informationweek.com/news..., every major vendor tested was found to be vulnerable, including Kaspersky Internet Security 2010, McAfee Total Protection 2010, Norton Internet Security 2010, Sophos Endpoint Security and Control 9.0.5 and Trend Micro Internet Security Pro 2010.
The SSDT issue, and its potential impact on virtually every available security suite, speaks volumes about our need to begin complementing traditional AV products immediately with current application control / whitelisting technology if we are to maintain a reasonable level of risk mitigation.
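The argument-switch race behind the SSDT bypass, as an added user-mode simulation in C. This is example code written for this page, not code from the original article or from any of the products named in it. It models a hypothetical hook that reads a system-call argument from user memory to check it against a policy, a stand-in for the wrapped kernel service that reads the argument again, and a hypothetical scheduler_window callback that plays the attacker's second thread so the race is deterministic rather than timing-dependent. The policy, the paths, the struct layout and the function names are all constructed for the example; a real SSDT hook works on native service arguments, not this toy block. The hardened variant shows the fix: capture the argument into memory user mode cannot touch, then check and use only the captured copy.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 64

/* Constructed syscall argument block living in user memory: the path a
 * process wants to write to. Any thread of the calling process can
 * rewrite it at any time, including while the kernel is in the middle
 * of the call. */
typedef struct {
    char path[PATH_MAX_LEN];
} user_args_t;

/* What the wrapped kernel service ended up doing. */
typedef enum { DENIED, ALLOWED_BENIGN, ALLOWED_MALICIOUS } outcome_t;

/* Hypothetical product policy: no writes under the system directory. */
static bool policy_allows(const char *path) {
    return strncmp(path, "C:\\Windows\\", 11) != 0;
}

/* Stand-in for the original (unhooked) kernel service. It does whatever it
 * is asked; the hook is the only thing that was supposed to stop it. */
static outcome_t real_service(const char *path) {
    return policy_allows(path) ? ALLOWED_BENIGN : ALLOWED_MALICIOUS;
}

/* Hypothetical scheduler window: invoked at the point where, on a real
 * system, the attacker's second thread may get scheduled. */
typedef void (*scheduler_window_t)(user_args_t *user_mem);

/* Vulnerable hook: validates the argument straight from user memory, then
 * forwards the same user pointer, so the service fetches it a second time. */
static outcome_t hooked_syscall_vulnerable(user_args_t *user_mem,
                                           scheduler_window_t window) {
    if (!policy_allows(user_mem->path))   /* time of check: first fetch */
        return DENIED;
    if (window)
        window(user_mem);                 /* attacker's thread runs here */
    return real_service(user_mem->path);  /* time of use: second fetch */
}

/* Hardened hook: capture once into memory user mode cannot reach, then check
 * and use only the captured copy. The window is still there, but the
 * attacker's write no longer changes what is checked or what is used. */
static outcome_t hooked_syscall_hardened(user_args_t *user_mem,
                                         scheduler_window_t window) {
    user_args_t captured;
    memcpy(&captured, user_mem, sizeof captured);
    captured.path[PATH_MAX_LEN - 1] = '\0';  /* never trust user-supplied termination */
    if (!policy_allows(captured.path))
        return DENIED;
    if (window)
        window(user_mem);
    return real_service(captured.path);
}

/* The attacker's second thread: swap the benign argument for the real target. */
static void attacker_swaps_argument(user_args_t *user_mem) {
    strncpy(user_mem->path, "C:\\Windows\\System32\\planted.dll", PATH_MAX_LEN - 1);
    user_mem->path[PATH_MAX_LEN - 1] = '\0';
}

/* One attack attempt: present a benign path, then let the attacker race. */
static outcome_t attempt(outcome_t (*hook)(user_args_t *, scheduler_window_t)) {
    user_args_t args;
    memset(&args, 0, sizeof args);
    strncpy(args.path, "C:\\Users\\victim\\notes.txt", PATH_MAX_LEN - 1);
    return hook(&args, attacker_swaps_argument);
}

/* Control case: the malicious path presented up front, with no race. Both
 * hooks deny it, which is why such products look fine in ordinary testing. */
static outcome_t attempt_direct(outcome_t (*hook)(user_args_t *, scheduler_window_t)) {
    user_args_t args;
    memset(&args, 0, sizeof args);
    attacker_swaps_argument(&args);
    return hook(&args, NULL);
}

int main(void) {
    printf("direct request,  vulnerable hook: %s\n",
           attempt_direct(hooked_syscall_vulnerable) == DENIED ? "denied" : "allowed");
    printf("argument switch, vulnerable hook: %s\n",
           attempt(hooked_syscall_vulnerable) == ALLOWED_MALICIOUS ? "BYPASSED" : "held");
    printf("argument switch, hardened hook:   %s\n",
           attempt(hooked_syscall_hardened) == ALLOWED_MALICIOUS ? "BYPASSED" : "held");
    return 0;
}
```

The hardened variant closes the hole only because it hands the captured copy, not the caller's pointer, to the service it wraps; a hook that validates a private copy and then forwards the original user pointer unchanged has exactly the same window. That is also why a simulation like this understates the real problem: an SSDT hook sits in front of a native service it does not control, so fixing it properly means capturing every pointer argument and re-pointing the call, for every service the product hooks.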
By Paul Henry, Security and Forensic Analyst, Lumension (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE)
Paul Henry is one of the world's foremost information security and computer forensics experts. With more than 20 years of experience, Henry is a seasoned speaker, author and contributor to some of the leading security events and publications.