March Patch Tuesday Overshadowed by New IE Zero-Day Vulnerability
Today’s Patch Tuesday release is being overshadowed by a new zero-day vulnerability in Internet Explorer that can allow remote code execution. The exploit reportedly is currently being used in targeted attacks in the wild. It was reported today in an advisory by Microsoft – the same day they released the monthly patches for March 2010.
From the Microsoft statement:
“Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.”
Additional details from Microsoft can be found here: http://www.microsoft.com/technet/security/advisory/981374.mspx.
Overview of Microsoft bulletin:
Today’s Patch Tuesday release from Microsoft is particularly light this month, and includes two bulletins that are rated Important, with an aggregate Exploitability Index rating of “1”, which should be addressed as soon as possible.
From an impact perspective, today’s bulletins may require a restart and may have an impact on operations: one is in Microsoft Office and one in Microsoft Windows.
Details:
MS10-016: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)
This security update addresses a privately reported vulnerability in Windows Movie Maker, and Microsoft Producer 2003. Windows Live Movie Maker, which is available for Windows Vista and Windows 7, is not affected by this vulnerability. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker, or Microsoft Producer project file and convinced the user to open the specially crafted file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS10-017: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)
This security update resolves seven privately reported vulnerabilities in Microsoft Office Excel. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
In reviewing the details of the vulnerabilities, each involves a user downloading a specially crafted file, which is yet another reminder of the importance of endpoint security and of our need to shift our focus from the gateway to the endpoint.
Earlier this week, customers were also alerted to a VBScript vulnerability that is exposed through Internet Explorer on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003. Although this issue is not addressed by today’s monthly patches, Microsoft has provided a workaround. Of note, Microsoft has said that it does not consider this a big issue and will continue to monitor the situation.
End-of-life reminder
Interestingly, Microsoft also announced end-of-life dates for Windows XP: Windows XP Service Pack 2 will no longer be supported after July 13, 2010, so customers will soon have to start updating these systems. Customers are being encouraged to upgrade to Service Pack 3 or to Windows 7 as soon as possible.
Other Patch Tuesday related news this period:
Changes with Apache 2.2.15
Latest version of the web server software includes five security fixes:
- CVE-2009-3555 mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the ‘SSLInsecureRenegotiation’ directive to re-open this vulnerability, and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746. Source: [Joe Orton, and with thanks to the OpenSSL Team]
- CVE-2009-3555 mod_ssl: A partial fix for the TLS renegotiation prefix injection attack by rejecting any client-initiated re-negotiations which forcibly disable keep-alive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using OpenSSL >= 0.9.8l. Source: [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
- CVE-2010-0408 mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent when request headers indicate a request body is incoming; not a case of HTTP_INTERNAL_SERVER_ERROR. Source: [Niku Toivola <niku.toivola sulake.com>]
- CVE-2010-0425 mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. Source: [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
- CVE-2010-0434: Ensures each sub-request has a shallow copy of headers_in so that the parent request headers are not corrupted. Also eliminates a problematic optimization in the case of no request body (PR 48359). Source: [Jake Scott, William Rowe, Ruediger Pluem]
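The two CVE-2009-3555 entries above turn on a single directive. The httpd.conf fragment below is an added illustration (not from the Apache CHANGES text or the original post) of the weak setting next to the hardened one; the hostname and certificate paths are placeholders, and it assumes httpd 2.2.15 built against OpenSSL 0.9.8m or later, as the first entry requires.

```apache
# Added example httpd.conf fragment; assumes httpd 2.2.15 + OpenSSL >= 0.9.8m.
# Apache does not allow trailing comments after a directive, so each note is on its own line.
<VirtualHost *:443>
    # placeholder hostname and certificate paths
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # WEAK: re-opens CVE-2009-3555 by accepting legacy (pre-RFC 5746) renegotiation
    # from clients that do not announce secure renegotiation support.
    # SSLInsecureRenegotiation on

    # HARDENED (the 2.2.15 default): only RFC 5746 secure renegotiation is accepted.
    SSLInsecureRenegotiation off

    # The second CHANGES entry notes that per-directory/location access control
    # forces a renegotiation and was only partially covered; keeping client-cert
    # requirements at the virtual-host level avoids relying on that path.
    # SSLVerifyClient require
</VirtualHost>
```

Leaving the directive at its default (off) is the intended state; the only reason to set it to on is to keep old clients working while they are migrated, and that should be treated as a temporary exception.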
HP Performance Insight
HP Performance Insight runs on HP-UX, Linux, Solaris and Windows. HP could take a lesson from Microsoft in providing useful details for security patches. For those users that cannot deploy the patch immediately, sufficient information should be provided in order to use alternate controls to reduce the risk. The information provided on these HP issues is very limited:
This issue is caused by an unspecified error with unknown attack vectors. No further details have been disclosed. http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02033170
IBM AIX buffer overflow issues
Problems in GOS-Mod and Goslist allow execution of arbitrary code from the local system. Patches are available at http://aix.software.ibm.com/aix/efixes/security/.
IT pros are also hunting Wabbits this week
The malware has reportedly been in the wild since 2007. “The installer for the Energizer Duo software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory,” the U.S. Computer Emergency Readiness Team said in an advisory on Friday.
“Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Its capabilities include the ability to list directories, send and receive files, and execute programs.”
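The advisory quoted above gives two concrete indicators: a listener on 7777/tcp and Arucer.dll in system32 (plus UsbCharger.dll in the application directory). The script below is an added example, not part of the original post or the US-CERT advisory, that turns those indicators into a check over `netstat -ano` output and directory listings. The netstat text and file lists in it are constructed sample data, not captures from an infected host.

```python
"""Check a host for the Arucer.dll backdoor indicators from the US-CERT advisory.

Added example (not from the original post or the advisory). The netstat text
and directory listings below are constructed samples, not real captures.
"""
from collections import namedtuple

BACKDOOR_PORT = 7777              # advisory: Arucer.dll accepts connections on 7777/tcp
BACKDOOR_DLL = "arucer.dll"       # advisory: dropped in the Windows system32 directory
INSTALLER_DLL = "usbcharger.dll"  # advisory: dropped in the application's directory

Socket = namedtuple("Socket", "proto local_addr local_port foreign state pid")


def parse_netstat(text):
    """Parse Windows `netstat -ano` output into Socket records.

    TCP rows carry a State column; UDP rows do not, so the field count differs.
    """
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, foreign, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, foreign, pid = fields
            state = ""
        else:
            continue  # malformed row: skip it rather than abort the sweep
        addr, _, port = local.rpartition(":")  # handles [::]:7777 as well as 0.0.0.0:7777
        sockets.append(Socket(proto, addr, int(port), foreign, state, int(pid)))
    return sockets


def listeners_on_port(sockets, port):
    """Return the PIDs of TCP sockets in LISTENING state bound to `port`."""
    return sorted({s.pid for s in sockets
                   if s.proto == "TCP" and s.state == "LISTENING" and s.local_port == port})


def suspicious_files(system32_listing, app_dir_listing):
    """Return which of the advisory's file indicators appear in the listings."""
    found = []
    if any(name.lower() == BACKDOOR_DLL for name in system32_listing):
        found.append("system32\\Arucer.dll")
    if any(name.lower() == INSTALLER_DLL for name in app_dir_listing):
        found.append("app\\UsbCharger.dll")
    return found


def assess(netstat_text, system32_listing, app_dir_listing):
    """Combine the network and file indicators into one verdict with evidence."""
    pids = listeners_on_port(parse_netstat(netstat_text), BACKDOOR_PORT)
    files = suspicious_files(system32_listing, app_dir_listing)
    return {
        "listening_pids": pids,
        "files": files,
        # Either indicator alone deserves a closer look; both together is a strong match.
        "infected": bool(pids) and "system32\\Arucer.dll" in files,
    }


# ---- constructed sample data (not real captures) ----
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:49152     10.0.0.5:443           ESTABLISHED     1320
  TCP    [::]:7777              [::]:0                 LISTENING       2044
  UDP    0.0.0.0:500            *:*                                    1104
"""
SAMPLE_SYSTEM32 = ["kernel32.dll", "Arucer.dll", "ntdll.dll"]
SAMPLE_APP_DIR = ["installer.exe", "UsbCharger.dll"]

if __name__ == "__main__":
    print(assess(SAMPLE_NETSTAT, SAMPLE_SYSTEM32, SAMPLE_APP_DIR))
```

On a real host, feed it the output of `netstat -ano` and `os.listdir` of the system32 and application directories; the PID it reports is the process to inspect, and a listener on 7777/tcp without the DLL (or the reverse) is still worth a look, since the check only claims a match when both indicators agree.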
Opera is also currently working on a patch to address a critical vulnerability.