This week brought another Microsoft Patch Tuesday, and Microsoft has released 3 patches addressing 11 vulnerabilities. This is a refreshing change of pace after the bumper crops of the most recent 2-3 months. The patched applications include MS Office, PowerPoint, and Microsoft’s Unified Access Gateway. In addition, MS last week acknowledged, but has not yet patched, a vulnerability in IE 6, 7, and 8. This unpatched browser vulnerability has been actively exploited in the wild.
The primary concern is MS10-087, which addresses 5 vulnerabilities in MS Office. One of these has been previously disclosed by security researchers but, so far as we’re aware, is not being exploited by the bad guys. Several allow remote code execution if an attacker can get a user to open a malicious document.
The issues in MS Unified Access Gateway are somewhat interesting. UAG is Microsoft’s solution to provide secure remote access to enterprise resources via a number of different channels (SSL VPN, web, DirectAccess, etc.). The vulns allow an attacker, by tricking a user into clicking on a crafty URL, to redirect that user to a spoofed site of the attacker’s choosing, or even to inject malicious client-side scripts into the user’s browser via Cross-Site Scripting. Microsoft is currently not distributing this patch automatically via Windows Update; it’s available for manual download only, via the Microsoft Download Center.
The unpatched browser vuln (CVE-2010-3962) is another interesting case. There are limited reports of malicious URLs being distributed via email. When a user clicks one, they receive a Trojan that allows an attacker to transparently interact with the user’s desktop by delivering commands embedded in encrypted .gif files. The attack servers appear to have been decommissioned, and MS has opted not to deliver an emergency patch at this time.
McAfee’s products provide good coverage for this month’s vulnerabilities:
• McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 7 out of 12 new vulnerabilities this month.
• McAfee's Host Intrusion Prevention is expected to provide proactive protection against exploits of 7 out of 12 new vulnerabilities this month.
• McAfee's Application Control is expected to provide proactive protection for 8 out of 12 new vulnerabilities.
• McAfee's Network Security Platform now has content to protect against exploits of 12 out of 12 new vulnerabilities. (100% coverage!)
• McAfee Vulnerability Manager and Policy Auditor now have content to assess whether your systems are exposed to any of these new vulnerabilities.
Most of the uncovered vulns are related to the UAG patch; for customers not using this particular application, our coverage is very good indeed!