March Microsoft Out-Of-Band Patch Tuesday Roundup

Blog Post created by rapid7-admin on Mar 30, 2010

Originally Posted by Sheldon Malm



Brief summary of today's Out-Of-Band Microsoft Security update … 

1 Cumulative IE update, with 10 vulnerabilities covered. While Out-Of-Band updates are not unheard of (this is the second one so far this year), 10 vulnerabilities covered is a lot. 

Here’s the breakdown: 

MS10-018: Rated Critical.  Cumulative update for Internet Explorer, covering 10 vulnerabilities: 

CVE-2010-0267 (Uninitialized Memory Corruption) 

CVE-2010-0488 (Post Encoding Information Disclosure) 

CVE-2010-0489 (Race Condition Memory Corruption) 

CVE-2010-0490 (Uninitialized Memory Corruption) 

CVE-2010-0491 (Object Memory Corruption) 

CVE-2010-0492 (Object Memory Corruption) 

CVE-2010-0494 (Element Cross-Domain - Information Disclosure) 

CVE-2010-0805 (Memory Corruption) 

CVE-2010-0806 (Uninitialized Memory Corruption) 

CVE-2010-0807 (Rendering Memory Corruption) 

CVE-2010-0806 is the vulnerability with working, public exploit code that everyone has been talking about.  It looks like that issue gave Microsoft an emergency release vehicle to get the rest of these updates out before they turned into a laundry list of zero day bugs. 

IE versions including 5.01, 6, 7, and 8 are all affected, with Remote Code Execution across the board except for IE 6 on Server 2003 (Information Disclosure). 

Clear message here is that these updates should be tested and applied as quickly as possible.  There is already working, public exploit code for the previously known issue and 9 other vulnerabilities for the threat community to focus on.  If you haven't already rolled out MS10-002, move straight to 018 as it replaces 002.  Kudos to Microsoft for getting ahead of the curve on the other 9 issues in addition to CVE-2010-0806. 

As with every Microsoft Security Update, NeXpose Community Edition, the free version of NeXpose, will have coverage within 24 hours of the release. NeXpose Community Edition will allow you to detect these and every other Microsoft vulnerability and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) with publicly available exploits on up to 32 hosts in your environment. For small environments with 32 nodes or less, you can use NeXpose to provide free detection within 24 hours of Microsoft’s update release. 

For larger environments, even if NeXpose is not your current Enterprise Vulnerability Management solution, we invite you to download Community Edition and run it alongside your tool on Wednesday to audit the effectiveness of your solution on up to 32 hosts. 

NeXpose Community Edition is available for immediate download at no cost here: http://www.rapid7.com/nexposecommunitydownload.jsp 

We also invite you to visit the Community Portal at http://community.rapid7.com to share information with other Security Professionals following the Microsoft release. 

As always, Happy patching!!