notes on microsoft patches for february 2010

Patch Tuesday has come and gone, and I thought I’d share a few notes about this week’s patches, or rather, the things that caught my eye.

ms10-003 – Office patch
ms10-004 – PowerPoint patch
ms10-005 – ms paint patch (yes, that ms paint; and how it opens jpg files)
ms10-006 – more smb client ownage (i.e. responding to a malicious smb server)
ms10-007 – ShellExecute API (just know that this can be triggered via web browsing)
ms10-008 – your monthly set of activex killbits
ms10-009 – vista/2008 tcp/ip patches, including an anonymous remote DOS, as well as ipv6 issues
ms10-010 – hyper-v issue where guest code can affect host stability (and thus other guests)
ms10-011 – privilege escalation from local logon
ms10-012 – smb server (i.e. all Windows networked boxes) issues; including anonymous DOS
ms10-013 – malicious AVI files can r00t a box (beware your porn sites!)
ms10-014 – domain controller DOS via kerberos requests
ms10-015 – more local privilege escalations

I expect the priv escalation issues (ms10-011 and ms10-015) to be tempting targets for Metasploit. Likewise, I expect the network-borne attacks against SMB (ms10-006 and ms10-012) to be explored further.

A few of the others really should be patched on servers, or you risk insider DOS conditions (ms10-009, ms10-012, and ms10-014). Like the teardrop attacks of old, these are still annoying risks, but hopefully modern networks limit them with firewalls.

Opening bad websites and files is still a big deal. The Paint/JPG and AVI issues really do sound like easy exploits (ms10-005 and ms10-013). Likewise ms10-006, ms10-007, and ms10-008 can be browser-delivered. Hell, I wouldn’t be surprised if some of those local priv escalations could be delivered via web code or executed “codecs” and such.

I also wouldn’t be surprised if one or two of the network-borne DOS attacks could be extended to execute code. If so, that would elevate some of these risk levels.

Lastly, the holy grail of virtualization security is being able to jump from a virtual guest system to the virtual host system. MS10-010 exposes an issue where code run on a guest system can affect the host system and effectively bring down all the rest of the guests. That’s not nearly the same as r00ting the host, but issues like this only make people more worried. So far, guest-to-host attacks have been theoretical, academic, or highly impractical, and most would prefer not to think about the implications of a guest-to-host attack or how it changes PCI/compliance scopes and hardware allocations.