Today we released MS10-081 (Important severity) and MS10-074 (Moderate severity), each providing an update for a single vulnerability. In this blog post we are going to cover some additional details on the severity of these vulnerabilities that may factor into how you prioritize the deployment of this month’s updates.
Neither of the two vulnerabilities covered by MS10-081 and MS10-074 have attack vectors through Microsoft software. Both CVEs require 3rd party code to be exercised before the vulnerabilities can be triggered. The CVE's and their vulnerability titles are as follows:
CVE-2010-2746 - Comctl32 Heap Overflow Vulnerability (Bulletin: MS10-081)
CVE-2010-3227 - Windows MFC Document Title Updating Buffer Overflow Vulnerability (Bulletin: MS10-074)
As a general rule, the resultant severity rating of a vulnerability only trigger-able via 3rd party code will be lower than as if it can only be triggered through in-box code. This is done to provide a baseline for Microsoft customers as every customer environment is different. Depending on your own environment, you may want to increase the severity of one or both of these bulletins when prioritizing the updates. Below is a brief description of each vulnerability, the attack vector, and severity:
CVE-2010-2746 - Comctl32 Heap Overflow Vulnerability
A heap overflow exists in comctl32.dll. The vulnerability can be exercised remotely through the browser when using a 3rd-party scalable vector graphics viewer (SVG). The vulnerability can be abused to yield arbitrary code execution. Remote code execution (RCE) browser-based vulnerabilities which require no user-interaction are generally rated Critical. Since IE does not have an attack vector this CVE has been rated Important. However, if you use a 3rd party browser, you may wish to give this a higher severity in your prioritization.
CVE-2010-3227 - Windows MFC Document Title Updating Buffer Overflow Vulnerability
A stack overflow exists in mfc.dll. The vulnerability can be exercised through a 3rd party zip viewer with some user-interaction. The vulnerability can be abused to yield arbitrary code execution. An exploitable code path in an in-box zip viewer would generally be rated Important, but in this case we've rated it Moderate due to the requirement of a 3rd party component. If you use a 3rd party zip viewer that sets windows titles based on attacker controlled data, you may want to treat this with a higher severity.
Thanks to Mark Woodrich and Brian Cavenah for their contribution to this blog post.
- The SRD Bloggers