Assessing the risk of the April Security Bulletins

Today we released eleven security bulletins with security updates addressing 25 CVE’s. Five of the bulletins have at least one CVE rated Critical. We hope that the table below helps you prioritize this month’s deployment.

Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Index Likely first 30 days impact Platform mitigations and key notes

Victim browses to a malicious webpage. Critical 1 Likely to see reliable exploit code developed Windows Vista, Windows Server 2008, and Windows 7 not affected

Victim browses to a malicious webpage or opens a malicious AVI movie. Critical 1 Likely to see reliable exploit code developed Windows 7 codec is not vulnerable.

Victim double-clicks a malicious EXE or allows malicious content to run because content claims to be signed by a trusted publisher. Critical 2 Likely to see effective proof-of-concept code released to downgrade Authenticode checks from v2 down to v1. Authenticode v1 is a weaker algorithm. To reach code execution, attackers will need to find an Authenticode v1 bypass. Microsoft Update and Windows Update clients not directly vulnerable to this threat.

(SMB Client)
Attacker hosts malicious SMB server within enterprise network. Attacker lures victim to click on a link that causes victim to initiate an SMB connection to the malicious SMB server. Critical 2 Proof-of-concept code already exists for denial-of-service vulnerability. May see unreliable exploit code developed for other client-side SMB vulnerabilities that most often results in denial-of-service. Egress filtering at most corporations will limit exposure to attacker within enterprise network.

Several issues with differing exploitability. Please see SRD blog for more information.

Victim browses to a malicious webpage and is tricked into clicking F1 on a VBScript messagebox. Important 1 Public exploit code exists for code execution after a user presses F1. Have not heard reports of real-world attacks yet, despite public exploit code. Vulnerability not reachable on Windows 7, Windows Server 2008, and Windows Vista by default. Bulletin rated defense-in-depth for those platforms.

Windows Server 2003 not vulnerable by default due to Enhanced Security Configuration.

(Windows Media Services)
If a victim Windows 2000 machine has enabled Windows Media Services, an attacker can send network-based attack over port 1755 (TCP or UDP). Critical 1 Likely to see reliable exploit code developed. Only Windows 2000 is affected.

Attacker able to run code locally on a machine exploits a vulnerability to run code at a higher privilege level. Important 1 Likely to see reliable exploit code developed for one or more of these eight vulnerabilities. SRD blog post explaining the Windows registry link vulnerabilities.

(SMTP Service)
Attacker causes SMTP Service running on 64-bit Windows Server 2003 to crash by initiating a DNS lookup handled by a malicious DNS server. Important n/a No chance for code execution. May see proof-of-concept code that crashes SMTP Service but not for Exchange. Exchange Server not directly affected by denial-of-service vulnerability because vulnerable versions never shipped as 64-bit application. Security update applies to 32-bit Exchange Server to add additional DNS protections.

Victim opens malicious .VSD file Important 1 Visio exploits not often seen in the wild. Unsure whether we will see exploit released. Visio not installed by default with most Office installations.

Victim opens malicious .PUB file Important 1 Publisher exploits not often seen in the wild. Unsure whether we will see exploit released.  

Attacker spoofs own source address by encapsulating iPv6 attack packet inside IPv4 wrapper. This may allow attacker to reach IPv6 destination that otherwise would be blocked. Moderate n/a May see proof-of-concept released publicly.  

There is one additional factor not represented in this table. MS10-019 may be more important to prioritize than it would appear at first glance. User education for years has stressed the need to check the signer or publisher of executable content before allowing it to run. MS10-019 represents an opportunity for attackers to potentially embed malicious content in an executable or executable-equivalent without invalidating the Authenticode-assured publisher. Specifically, the vulnerability allows an attacker to downgrade from strong Authenticode v2 checks to the weaker Authenticode v1 algorithm. The vulnerabilities addressed by MS10-019 will not lead to code execution directly for default installations; however, if you have users making Authenticode-based trust decisions to run content that might have been modified by malicious attackers, MS10-019 should be prioritized higher for your environment.

– Jonathan Ness and Andrew Roths, MSRC Engineering

*Posting is provided “AS IS” with no warranties, and confers no rights.*