April Microsoft Patch Tuesday Roundup

Blog Post created by rapid7-admin on Apr 13, 2010

Originally Posted by Sheldon Malm



Time for this month's summary of the latest Microsoft Security updates … 

11 advisories, with 25 vulnerabilities covered. 5 Critical; 5 Important; 1 Moderate.  This is the heaviest April update we've seen; we generally see 5-8 updates in April and 25 vulnerabilities breaks the 2009 April record of 21. 

The SMB DoS issue is being addressed, rated Important and affecting Windows & Exchange.  2 issues affecting Office, both of which are rated Important.  The other 8 affect Windows with 5 Critical, 2 Important, and 1 Moderate. 

Here’s the breakdown: 

MS10-019: Rated Critical.  Potential Remote Code Execution in Windows Authenticode Verification, covering 2 vulnerabilities: CVE-2010-0486 (WinVerifyTrust Signature Validation) and CVE-2010-0487 (Cabview Corruption Validation).

MS10-020: Rated Critical.  Potential Remote Code Execution in SMB Client, covering 5 vulnerabilities: CVE-2010-3676 (Incomplete Response), CVE-2010-0269 (Memory Allocation), CVE-2010-0270 (Transaction), CVE-2010-0476 (Response Parsing), and CVE-2010-0477 (Message Size). 

MS10-021: Rated Important.  Potential Elevation of Privilege in Windows Kernel, covering 8 vulnerabilities: CVE-2010-0234 (Null Pointer), CVE-2010-0235 (Symbolic Link Value), CVE-2010-0236 (Memory Allocation), CVE-2010-0237 (Symbolic Link Creation), CVE-2010-0238 (Registry Key), CVE-2010-0481 (Virtual Path Parsing), CVE-2010-0482 (Malformed Image), and CVE-2010-0810 (Exception Handler). 

MS10-022: Rated Important.  Potential Remote Code Execution in VBScript, covering 1 vulnerability: CVE-2010-0483 (Help Keypress).

MS10-023: Rated Important.  Potential Remote Code Execution in Microsoft Office Publisher, covering 1 vulnerability: CVE-2010-0479 (File Conversion TextBox Processing Buffer Overflow). 

MS10-024: Rated Important.  Potential Denial of Service in Exchange and Windows SMTP Service, covering 2 vulnerabilities: CVE-2010-0024 (Server MX Record) and CVE-2010-0025 (Memory Allocation). 

MS10-025: Rated Critical.  Potential Remote Code Execution in Windows Media Services, covering 1 vulnerability: CVE-2010-0478 (Stack-based Buffer Overflow). 

MS10-026: Rated Critical.  Potential Remote Code Execution in Microsoft MPEG Layer-3 Codecs, covering 1 vulnerability: CVE-2010-0480 (Stack Overflow). 

MS10-027: Rated Critical.  Potential Remote Code Execution in Windows Media Player, covering 1 vulnerability: CVE-2010-0268 (Remote Code Execution). 

MS10-028: Rated Important.  Potential Remote Code Execution in Visio, covering 2 vulnerabilities: CVE-2010-0254 (Attribute Validation Memory Corruption) and CVE-2010-0256 (Index Calculation Memory Corruption). 

MS10-029: Rated Moderate.  Potential Spoofing Exposure in Windows ISATAP Component, covering 1 vulnerability: CVE-2010-0812 (IPv6 Source Address Spoofing). 

Interesting to note that MS10-029 is the one that has been talked about lately ... while Microsoft maintains that there is no practical vector of exploit for Windows 7 and Server 2008 R2, they are patching the underlying vulnerability.  Given the recent activity around DEP and other protections, this is an extremely smart move on Microsoft's part. 

This looks like the month of Media Updates.  There are only 3 updates that are both rated Critical and have an Exploitability Index of 1, according to Microsoft: 025, 026, and 027.  Similar to the combination of Rapid7's temporal risk scoring and Exploit Exposure, the combination of high impact & likelihood with high probability of consistent exploit code should put these 3 at the top of your list for testing and deployment.  The Windows Kernel update should also be high on your list, as 2 of the 8 vulnerabilities addressed are rated 1 on Microsoft's Exploitability Index. 

The one that will be at the bottom of your patching list?  Probably 029 if you're IPv4 only.  In the meantime, if you don't need ISATAP, disable it. 

As with every month, NeXpose Community Edition, the free version of NeXpose, will have coverage within 24 hours of the release. NeXpose Community Edition will allow you to detect these and every other Microsoft vulnerability and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) with publicly available exploits on up to 32 hosts in your environment. For small environments with 32 nodes or fewer, you can use NeXpose to provide free detection within 24 hours of Microsoft’s update release.

For larger environments, even if NeXpose is not your current Enterprise Vulnerability Management solution, we invite you to download Community Edition and run it alongside your tool on Wednesday to audit the effectiveness of your solution on up to 32 hosts. 

NeXpose Community Edition is available for immediate download at no cost here: http://www.rapid7.com/nexposecommunitydownload.jsp 

We also invite you to visit the Community Portal at http://community.rapid7.com to share information with other Security Professionals following the Microsoft release.

As always, Happy patching!!