Microsoft Super-Tuesday Thoughts
Posted by Shane Garrett on October 12, 2010 at 6:15 PM EDT.
Microsoft had a huge Super-Tuesday release this month. They posted sixteen bulletins addressing over forty vulnerabilities across a broad range of software. That is a lot of material to parse through, so we wanted to highlight a few of the patches and share our thoughts.
MS10-085 - Vulnerability in SChannel Could Allow Denial of Service
This bulletin covers a vulnerability in the way SChannel processes client certificate requests for SSL-enabled sites on IIS 7 and 7.5. Exploiting it crashes the LSASS service, which forces a system restart and so denies service to everything on the box, not just the web site. We feel the potential financial impact of that outage warrants applying the patch on affected systems. Although the vulnerability was disclosed privately, the details in the bulletin may give an attacker enough information to locate the flaw and write an exploit.
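Since the post ties exposure to client certificate handling, the first thing to know is which sites actually negotiate or require client certificates. The script below is an added example, not part of the original post or any Microsoft tooling; it reads the IIS 7/7.5 applicationHost.config (default path assumed) and lists every scope whose sslFlags include SslNegotiateCert or SslRequireCert. Run it elevated on the IIS host.

```powershell
# Added example (not from the original post): list IIS 7/7.5 scopes whose SSL
# settings negotiate or require client certificates, which is the configuration
# the post associates with the MS10-085 SChannel denial of service.
# Assumes the default applicationHost.config location; run from an elevated shell.
param(
    [string]$ConfigPath = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config')
)

function Get-ClientCertSslScopes {
    param([string]$Path)

    [xml]$config = Get-Content -Path $Path

    # The root <system.webServer> block holds the server-wide default;
    # per-site and per-application overrides live in <location path="..."> blocks.
    $scopes = @()
    $scopes += New-Object PSObject -Property @{
        Scope  = '(server default)'
        Access = $config.configuration.'system.webServer'.security.access
    }
    foreach ($loc in $config.configuration.location) {
        if ($loc -eq $null) { continue }
        $scopes += New-Object PSObject -Property @{
            Scope  = $loc.path
            Access = $loc.'system.webServer'.security.access
        }
    }

    foreach ($s in $scopes) {
        # Scopes with no <access> element inherit from their parent; nothing to report.
        if ($s.Access -eq $null) { continue }
        $flags = [string]$s.Access.sslFlags
        if ($flags -match 'SslNegotiateCert|SslRequireCert') {
            New-Object PSObject -Property @{
                Scope    = $s.Scope
                SslFlags = $flags
            }
        }
    }
}

Get-ClientCertSslScopes -Path $ConfigPath | Format-Table Scope, SslFlags -AutoSize
```

A scope that only shows "Ssl" is encrypting traffic without asking the client for a certificate; the ones that come back with SslNegotiateCert or SslRequireCert are the ones to patch first and, until then, the ones whose LSASS crash would take the whole server down.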
MS10-076 - Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution
This bulletin covers a vulnerability in the Embedded OpenType (EOT) font engine when parsing tables in specially crafted fonts. EOT is a file format Microsoft developed for embedding font data in documents and web content, and Internet Explorer supports it so that designers can specify the exact font used to render a page. Embedding a specially crafted EOT font in a web page can therefore lead to remote code execution in the context of the current user as soon as the page is rendered.
MS10-078 - Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege
This bulletin covers two vulnerabilities in the OpenType Font (OTF) format driver's handling of unexpected font data. Exploiting one of them could lead to code execution in the context of the kernel; the other would cause a denial of service through a system bugcheck. Microsoft's bulletin treats these as local, authenticated vulnerabilities because Internet Explorer does not support loading OpenType fonts from the web to render a page. Other web browsers such as Firefox, however, do allow a page to specify an OpenType font, which makes them a vector for remote code execution at kernel privilege. We feel that if other browsers are common in your enterprise, the potential for remote code execution makes this a critical patch.
MS10-086 - Vulnerability in Windows Shared Cluster Disks Could Allow Tampering
This bulletin covers a vulnerability in how the Windows Server 2008 R2 Microsoft Cluster Service (MSCS) administration tools set weak default permissions on new shared volumes in failover clusters. It could give non-privileged users unintended access to administrative shares on those volumes, and such access is hard to distinguish from legitimate use. Note that applying this patch does not change any permissions already set, so volumes created before the update must be corrected by hand. We recommend verifying permissions on any clustered volumes configured on Windows Server 2008 R2.
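The permission check the post recommends can be scripted. The following is an added example, not part of the original post or of Microsoft's cluster tooling: it walks the root of each clustered volume and reports Allow ACEs that grant write, delete or permission-change rights to broad principals. The volume path is assumed; on a Windows Server 2008 R2 node with the FailoverClusters module loaded, the comment shows one way to collect the real paths instead.

```powershell
# Added example (not from the original post): flag ACEs on clustered volume roots
# that give write-level access to broad, non-administrative principals.
# The default path is an assumption. On a 2008 R2 cluster node you can instead pass
#   Import-Module FailoverClusters
#   (Get-ClusterSharedVolume | ForEach-Object { $_.SharedVolumeInfo.FriendlyVolumeName })
# or the drive roots of traditional shared cluster disks.
param(
    [string[]]$VolumePath = @('C:\ClusterStorage\Volume1')   # assumed path
)

# Principals that should not hold write access on a shared cluster volume root.
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user tamper with data or with the ACL itself.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, WriteAttributes, WriteExtendedAttributes'

function Test-ClusterVolumeAcl {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) {
            Write-Warning "Path not found: $p"
            continue
        }
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            # Deny ACEs and read-only grants are not what MS10-086 is about.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            $who = $ace.IdentityReference.Value
            if ($broadPrincipals -contains $who) {
                New-Object PSObject -Property @{
                    Path      = $p
                    Identity  = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Test-ClusterVolumeAcl -Paths $VolumePath | Format-Table Path, Identity, Rights, Inherited -AutoSize
```

An empty result means the root ACL is sane; any row is a candidate for tightening. Because the patch only affects volumes created after it is installed, re-run the check after adding the update and again after each new disk is brought into the cluster.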

