Back to Home

MS closed 17 vulnerabilities yesterday, including the Preloading / Hijacking DLL and the last unsecured vulnerability from the Stuxnet worm

Microsoft · vulnerabilities · patches · Stuxnet · ESET

MS closed 17 vulnerabilities yesterday, including the Preloading / Hijacking DLL and the last unsecured vulnerability from the Stuxnet worm

    MS released a large number of patches yesterday; many of these vulnerabilities have been known for more than a month. And some of them have already been used to the full extent in malicious programs, in fact, from where the information about them was obtained.

    MS10-090 (IE) is a comprehensive patch package covering a whole bunch of gaps (CVE-2010-3340, CVE-2010-3342, CVE-2010-3343, CVE-2010-3345, CVE-2010-3346, CVE-2010- 3348, CVE-2010-3962). Most of these attractive vulnerabilities allow remote code execution under IE6 / IE7 / IE8.

    MS10-091(Opentype Font driver) - this update also closes a whole bunch of vulnerabilities (CVE-2010-3956, CVE-2010-3957, CVE-2010-3959) in the Opentype Font driver (OTF) that could lead to remote code execution. An attacker can create a specially prepared OpenType font on a network share and, when viewed in Windows Explorer, arbitrary code is executed that will execute with system rights.

    MS10-092 (Task Scheduler) is the last unclosed vulnerability that remained from the Stuxnet worm and was used by it to elevate local privileges to the system level on Vista / Win7. What is interesting is that the vulnerability is workable on x64 systems, too, and has become fully used in the latest TDL4 rootkit modifications .. A detailed description of the vulnerability can be found in ESET's study “ Stuxnet under the microscope ” on page 39. By the way, the research team ( Aleksandr Matrosov , Eugene Rodionov , Juraj Malcho and David Harley ) added this report to the acknowledgment sheet.

    DLL Preloading Issues ( MS10-093 , MS10-094 , MS10-095 , MS10-096 , MS10-097 ) is again a whole complex of patches, but connected with one purpose to close vulnerabilities that allow the substitution of dynamic librariesin the process of loading them. Some of these patches close this gap in standard applications such as windows Address Book or windows Movie Maker. But in MS10-095, a really serious breach was fixed, allowing you to execute arbitrary code remotely when navigating a specially generated WebDAV path and opening a file that is replaced with an arbitrary one. The guys from Metasploit Ptoject were the first to show this method. They provided a working exploit in open access in August.

    MS10-098 - and again a whole set of vulnerabilities was closed (CVE-2010-3941, CVE-2010-3942, CVE-2010-3943, CVE-2010-3944), but this time for the kernel. All of them are designed to elevate local privileges to the system level and are closed thanks to the researcher Tarjei Mandtfrom Norman. Some of them are described in detail in his blog .

    In addition to the above, a number of the following vulnerabilities were also closed:
    MS10-099 (Routing and Remote Access NDProxy component) - Elevation of Privilege
    MS10-100 (Consent User Interface) - Elevation of Privilege
    MS10-101 (Netlogon RPC Service) - Denial of Service
    MS10-102 (Hyper-V) - Denial of Service
    MS10-103 (Microsoft Publisher) - Remote Code Execution
    MS10-104 (Microsoft SharePoint) - Remote Code Execution
    MS10-105 (Microsoft Office Graphics Filter) - Remote Code Execution
    MS10-106 (Microsoft Exchange) - Denial of Service

    Thanks to the user systracer for drawing attention to the fact that the vulnerability CVE-2010-4398 is still relevant. It is associated with stack overflow due to SystemDefaultEUDCFont and allows you to increase privileges to the system level on a large number of platforms including x64 too.

    Read Next