
EXECUTIVE SUMMARY
December 14, 2010 | MTIS10-235

Since the last McAfee® Labs Security Advisory (December 13), the following noteworthy events have taken place:

● Patches are available for the following:
  ❍ (MS10-090) Cumulative Security Update for (2416400)
  ❍ (MS10-091) Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Remote Code Execution (2296199)
  ❍ (MS10-092) Vulnerability in Task Scheduler Could Allow Elevation of Privilege (2305420)
  ❍ (MS10-093) Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (2424434)
  ❍ (MS10-094) Vulnerability in Encoder Could Allow Remote Code Execution (2447961)
  ❍ (MS10-095) Vulnerability in Windows Could Allow Remote Code Execution (2385678)
  ❍ (MS10-096) Vulnerability in Could Allow Remote Code Execution (2423089)
  ❍ (MS10-097) Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105)
  ❍ (MS10-098) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2436673)
  ❍ (MS10-099) Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege (2440591)
  ❍ (MS10-100) Vulnerability in Consent User Interface Could Allow Elevation of Privilege (2442962)
  ❍ (MS10-101) Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559)
  ❍ (MS10-102) Vulnerability in Hyper-V Could Allow Denial of Service (2345316)

NEW THREAT OVERVIEW

(MS10-090) Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability (2416400)
MTIS10-235-A
IMPORTANCE: Medium
COVERED PRODUCTS: BOP | Host IPS | Network Security Platform | Vulnerability Manager | Application Control
UNDER ANALYSIS: DAT | Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-090) Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability (2416400)
MTIS10-235-B
IMPORTANCE: Medium
COVERED PRODUCTS: BOP | Host IPS | Network Security Platform | Vulnerability Manager | Application Control
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-090) Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability (2416400)
MTIS10-235-C
IMPORTANCE: Medium
COVERED PRODUCTS: BOP | Host IPS | Network Security Platform | Vulnerability Manager | Application Control
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


Security Advisory MTIS10-235 - Page 1 of 18

(MS10-090) Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability (2416400)
MTIS10-235-D
IMPORTANCE: Medium
COVERED PRODUCTS: BOP | Host IPS | Network Security Platform | Vulnerability Manager | Application Control
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-091) OpenType Font Index Vulnerability (2296199)
MTIS10-235-E
IMPORTANCE: Medium
COVERED PRODUCTS: BOP | Host IPS | Network Security Platform | Vulnerability Manager | Application Control
UNDER ANALYSIS: DAT | Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-091) Microsoft Windows OpenType Font Double Free Vulnerability (2296199)
MTIS10-235-F
IMPORTANCE: Medium
COVERED PRODUCTS: BOP | Host IPS | Network Security Platform | Vulnerability Manager | Application Control
UNDER ANALYSIS: DAT | Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-091) Microsoft Windows OpenType CMAP Table Vulnerability (2296199)
MTIS10-235-G
IMPORTANCE: Medium
COVERED PRODUCTS: BOP | Host IPS | Network Security Platform | Vulnerability Manager | Application Control
UNDER ANALYSIS: DAT | Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-092) Microsoft Could Allow Elevation of Privilege (2305420)
MTIS10-235-H
IMPORTANCE: Medium
COVERED PRODUCTS: Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-093) Microsoft Windows Movie Maker Could Allow Remote Code Execution (2424434)
MTIS10-235-I
IMPORTANCE: Medium
COVERED PRODUCTS: Network Security Platform | Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-094) Microsoft Could Allow Remote Code Execution (2447961)
MTIS10-235-J
IMPORTANCE: Medium
COVERED PRODUCTS: Network Security Platform | Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-095) Microsoft Windows BranchCache Insecure Library Loading Could Allow Remote Code Execution (2385678)
MTIS10-235-K
IMPORTANCE: Medium
COVERED PRODUCTS: Network Security Platform | Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-096) Microsoft Windows Address Book Could Allow Remote Code Execution (2423089)
MTIS10-235-L
IMPORTANCE: Medium
COVERED PRODUCTS: Network Security Platform | Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-097) Microsoft Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105)
MTIS10-235-M
IMPORTANCE: Medium
COVERED PRODUCTS: Network Security Platform | Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-098) Microsoft Windows Win32k Buffer Overflow Could Allow Elevation Of Privilege (2436673)
MTIS10-235-N
IMPORTANCE: Medium
COVERED PRODUCTS: Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-098) Microsoft Windows Win32k Buffer Overflow Could Allow Elevation Of Privilege (2436673)
MTIS10-235-O
IMPORTANCE: Medium
COVERED PRODUCTS: Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-098) Microsoft Windows Win32k Double Free Could Allow Elevation Of Privilege (2436673)
MTIS10-235-P
IMPORTANCE: Medium
COVERED PRODUCTS: Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-098) Microsoft Windows Win32k WriteAV Could Allow Elevation Of Privilege (2436673)
MTIS10-235-Q
IMPORTANCE: Medium
COVERED PRODUCTS: Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-098) Microsoft Windows Win32k Cursor Linking Could Allow Elevation Of Privilege (2436673)
MTIS10-235-R
IMPORTANCE: Medium
COVERED PRODUCTS: Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-098) Microsoft Windows Win32k Memory Corruption Could Allow Elevation Of Privilege (2436673)
MTIS10-235-S
IMPORTANCE: Medium
COVERED PRODUCTS: Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-099) Microsoft Windows Routing and Remote Access Could Allow Elevation of Privilege (2440591)
MTIS10-235-T
IMPORTANCE: Medium
COVERED PRODUCTS: Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-100) Microsoft Windows Consent User Interface Could Allow Elevation of Privilege (2442962)
MTIS10-235-U
IMPORTANCE: Medium
COVERED PRODUCTS: Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-101) Microsoft Windows Netlogon Service Could Allow Denial Of Service (2207559)
MTIS10-235-V
IMPORTANCE: Medium
COVERED PRODUCTS: Network Security Platform | Vulnerability Manager
UNDER ANALYSIS: DAT | Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


(MS10-102) Microsoft Windows Hyper-V Could Allow Denial of Service (2345316)
MTIS10-235-W
IMPORTANCE: Medium
COVERED PRODUCTS: Vulnerability Manager
UNDER ANALYSIS: Web Gateway | Artemis | Policy Auditor SCAP | MNAC 2.x | Firewall Enterprise


PREVIOUS THREAT UPDATES

(MS10-090) Microsoft Internet Explorer Invalid Flag Remote Code Execution (2416400)
MTIS10-211-A
IMPORTANCE: Medium
NOW COVERED: DAT | BOP | Host IPS | Network Security Platform | Vulnerability Manager | Web Gateway | Application Control


THREAT DETAILS

(MS10-090) Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability (2416400)
MTIS10-235-A
THREAT IDENTIFIER(S): CVE-2010-3340; MS10-090
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: Web
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A remote code execution vulnerability exists in some versions of Microsoft Internet Explorer. The vulnerability is specific to the access to a deleted or incorrectly initialized object. Exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a specially crafted website.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Under analysis
VIRUS SCAN ENTERPRISE SCAN BOP: Generic buffer overflow protection is expected to cover code-execution exploits.
HOST IPS: Generic buffer overflow protection is expected to cover code-execution exploits.
NETWORK SECURITY PLATFORM: The sigset release of December 14 includes the signature "HTTP: Microsoft Internet Explorer Object Use After Free Memory Corruption Vulnerability," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Run-Time Control locks down systems and provides protection in the form of Memory Protection. (Vulnerabilities in authorized programs cannot be exploited)
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58460.htm
http://www.microsoft.com/technet/security/bulletin/ms10-090.mspx


(MS10-090) Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability (2416400)
MTIS10-235-B
THREAT IDENTIFIER(S): CVE-2010-3343; MS10-090
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: Web
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A remote code execution vulnerability exists in some versions of Microsoft Internet Explorer. The vulnerability is specific to the access to a deleted or incorrectly initialized object. Exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a specially crafted website.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Coverage not warranted
VIRUS SCAN ENTERPRISE SCAN BOP: Generic buffer overflow protection is expected to cover code-execution exploits.
HOST IPS: Generic buffer overflow protection is expected to cover code-execution exploits.
NETWORK SECURITY PLATFORM: The sigset release of December 14 includes the signature "HTTP: Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Run-Time Control locks down systems and provides protection in the form of Memory Protection. (Vulnerabilities in authorized programs cannot be exploited)
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58462.htm
http://www.microsoft.com/technet/security/bulletin/ms10-090.mspx


(MS10-090) Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability (2416400)
MTIS10-235-C
THREAT IDENTIFIER(S): CVE-2010-3345; MS10-090
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: Web
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A remote code execution vulnerability exists in some versions of Microsoft Internet Explorer. The vulnerability is specific to the access to a deleted or incorrectly initialized object. Exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a specially crafted website.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Coverage not warranted
VIRUS SCAN ENTERPRISE SCAN BOP: Generic buffer overflow protection is expected to cover code-execution exploits.
HOST IPS: Generic buffer overflow protection is expected to cover code-execution exploits.
NETWORK SECURITY PLATFORM: The sigset release of December 14 includes the signature "HTTP: Microsoft Internet Explorer HTML Element Memory Corruption Vulnerability," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Run-Time Control locks down systems and provides protection in the form of Memory Protection. (Vulnerabilities in authorized programs cannot be exploited)
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58463.htm
http://www.microsoft.com/technet/security/bulletin/ms10-090.mspx


(MS10-090) Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability (2416400)
MTIS10-235-D
THREAT IDENTIFIER(S): CVE-2010-3346; MS10-090
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: Web
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A remote code execution vulnerability exists in some versions of Microsoft Internet Explorer. The vulnerability is specific to the access to a deleted or incorrectly initialized object. Exploitation could allow an attacker to execute remote code. The exploit requires the user to visit a specially crafted website.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Coverage not warranted
VIRUS SCAN ENTERPRISE SCAN BOP: Generic buffer overflow protection is expected to cover code-execution exploits.
HOST IPS: Generic buffer overflow protection is expected to cover code-execution exploits.
NETWORK SECURITY PLATFORM: The sigset release of December 14 includes the signature "HTTP: Microsoft Internet Explorer HTML Element Memory Corruption Vulnerability II," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Run-Time Control locks down systems and provides protection in the form of Memory Protection. (Vulnerabilities in authorized programs cannot be exploited)
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58464.htm
http://www.microsoft.com/technet/security/bulletin/ms10-090.mspx


(MS10-091) Microsoft Windows OpenType Font Index Vulnerability (2296199)
MTIS10-235-E
THREAT IDENTIFIER(S): CVE-2010-3956; MS10-091
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: Web; E-
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A remote code execution vulnerability exists in some versions of Microsoft Windows. The vulnerability is specific to the parsing of OpenType Fonts. Execution could allow an attacker to execute remote code. Exploitation requires the user to open a specially crafted OpenType font.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Under analysis
VIRUS SCAN ENTERPRISE SCAN BOP: Generic buffer overflow protection is expected to cover code-execution exploits.
HOST IPS: Generic buffer overflow protection is expected to cover code-execution exploits.
NETWORK SECURITY PLATFORM: The sigset release of December 14 includes the signature "HTTP: Microsoft Windows OpenType Font Index Vulnerability," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Run-Time Control locks down systems and provides protection in the form of Memory Protection. (Vulnerabilities in authorized programs cannot be exploited)
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58443.htm
http://www.microsoft.com/technet/security/bulletin/ms10-091.mspx


(MS10-091) Microsoft Windows OpenType Font Double Free Vulnerability (2296199)
MTIS10-235-F
THREAT IDENTIFIER(S): CVE-2010-3957; MS10-091
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: Web; E-Mail
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A remote code execution vulnerability exists in some versions of Microsoft Windows. The vulnerability is specific to the parsing of OpenType Fonts. Execution could allow an attacker to execute remote code. Exploitation requires the user to open a specially crafted OpenType font.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Under analysis
VIRUS SCAN ENTERPRISE SCAN BOP: Generic buffer overflow protection is expected to cover code-execution exploits.
HOST IPS: Generic buffer overflow protection is expected to cover code-execution exploits.
NETWORK SECURITY PLATFORM: The sigset release of December 14 includes the signature "HTTP: Microsoft Windows OpenType Font Double Free Vulnerability," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Run-Time Control locks down systems and provides protection in the form of Memory Protection. (Vulnerabilities in authorized programs cannot be exploited)
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58444.htm
http://www.microsoft.com/technet/security/bulletin/ms10-091.mspx


(MS10-091) Microsoft Windows OpenType CMAP Table Vulnerability (2296199)
MTIS10-235-G
THREAT IDENTIFIER(S): CVE-2010-3959; MS10-091
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: Web; E-Mail
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A remote code execution vulnerability exists in some versions of Microsoft Windows. The vulnerability is specific to the parsing of OpenType Fonts. Execution could allow an attacker to execute remote code. Exploitation requires the user to open a specially crafted OpenType font.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Under analysis
VIRUS SCAN ENTERPRISE SCAN BOP: Generic buffer overflow protection is expected to cover code-execution exploits.
HOST IPS: Generic buffer overflow protection is expected to cover code-execution exploits.
NETWORK SECURITY PLATFORM: The sigset release of December 14 includes the signature "HTTP: Microsoft Windows OpenType CMAP Table Vulnerability," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Run-Time Control locks down systems and provides protection in the form of Memory Protection. (Vulnerabilities in authorized programs cannot be exploited)
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58445.htm
http://www.microsoft.com/technet/security/bulletin/ms10-091.mspx


(MS10-092) Microsoft Windows Task Scheduler Could Allow Elevation of Privilege (2305420)
MTIS10-235-H
THREAT IDENTIFIER(S): CVE-2010-3338; MS10-092
THREAT TYPE: Vulnerability
RISK ASSESSMENT: Medium
MAIN THREAT VECTORS: Locally logged-on user
USER INTERACTION REQUIRED: Yes
DESCRIPTION: An elevation-of-privilege vulnerability exists in some versions of Microsoft Windows Task Scheduler. The flaw lies in improper validation of scheduled tasks running within the intended security context. Attackers who successfully exploit this vulnerability could execute arbitrary code with full user rights.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Out of scope
VULNERABILITY MANAGER: The FSL / MVM package of November 22 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58067.htm
http://www.microsoft.com/technet/security/bulletin/ms10-092.mspx


(MS10-093) Microsoft Windows Movie Maker Could Allow Remote Code Execution (2424434)
MTIS10-235-I
THREAT IDENTIFIER(S): CVE-2010-3967; MS10-093
THREAT TYPE: Vulnerability
RISK ASSESSMENT: Medium
MAIN THREAT VECTORS: Web; E-Mail; LAN; WAN; Peer-to-Peer Networks
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A remote code execution vulnerability is present in the way that Windows Movie Maker handles the loading of DLL files. An attacker who successfully exploits this vulnerability could take complete control of an affected system.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: The sigset release of August 26 includes the signature "HTTP: Attempt To Download DLL Over WEBDAV," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58448.htm
http://www.microsoft.com/technet/security/bulletin/ms10-093.mspx


(MS10-094) Microsoft Windows Media Encoder Could Allow Remote Code Execution (2447961)
MTIS10-235-J
THREAT IDENTIFIER(S): CVE-2010-3965; MS10-094
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: Web; E-Mail; LAN; WAN; Peer-to-Peer Networks
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A remote code execution vulnerability exists in some versions of Microsoft Windows Media Encoder. The vulnerability is specific to the loading of DLL files in Microsoft Office. Exploitation could allow an attacker to execute arbitrary code.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: The sigset release of August 26 includes the signature "HTTP: Attempt To Download DLL Over WEBDAV," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58541.htm
http://www.microsoft.com/technet/security/bulletin/ms10-094.mspx


(MS10-095) Microsoft Windows BranchCache Insecure Library Loading Could Allow Remote Code Execution (2385678)
MTIS10-235-K
THREAT IDENTIFIER(S): CVE-2010-3966; MS10-095
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: Web; E-Mail; LAN; WAN; Peer-to-Peer Networks
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A remote code execution vulnerability exists in some versions of Microsoft Windows. The vulnerability is specific to the opening of .eml, .rss, or .wpost files in the presence of a malicious library. Execution could allow an attacker to execute remote code. The exploit requires the user to open the file from an untrusted file location with the vulnerable application.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: The sigset release of August 26 includes the signature "HTTP: Attempt To Download DLL Over WEBDAV," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58458.htm
http://www.microsoft.com/technet/security/bulletin/ms10-095.mspx


(MS10-096) Microsoft Windows Address Book Could Allow Remote Code Execution (2423089)
MTIS10-235-L
THREAT IDENTIFIER(S): CVE-2010-3147; MS10-096
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: Web; E-Mail; LAN; WAN; Peer-to-Peer Networks
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A remote code execution vulnerability is present in the way that Windows Address Book handles the loading of DLL files. This flaw is caused by the Address Book not correctly restricting the path from which external libraries are loaded. Exploitation could allow an attacker to take complete control of an affected system.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: The sigset release of August 26 includes the signature "HTTP: Attempt To Download DLL Over WEBDAV," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58447.htm
http://www.microsoft.com/technet/security/bulletin/ms10-096.mspx


(MS10-097) Microsoft Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105)
MTIS10-235-M
THREAT IDENTIFIER(S): CVE-2010-3144; MS10-097
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: Web; E-Mail; LAN; WAN; Peer-to-Peer Networks
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A remote code execution vulnerability exists in some versions of Microsoft Windows. The vulnerability is specific to the opening of .ins or .isp files by Internet Connection Sign-up Wizard. Exploitation could allow an attacker to execute remote code. The exploit requires the user to visit an untrusted remote and open a file with the vulnerable application.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: The sigset release of August 26 includes the signature "HTTP: Attempt To Download DLL Over WEBDAV," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58540.htm
http://www.microsoft.com/technet/security/bulletin/ms10-097.mspx


(MS10-098) Microsoft Windows Win32k Buffer Overflow Could Allow Elevation Of Privilege (2436673)
MTIS10-235-N
THREAT IDENTIFIER(S): CVE-2010-3939; MS10-098
THREAT TYPE: Vulnerability
RISK ASSESSMENT: Medium
MAIN THREAT VECTORS: Locally logged-on user
USER INTERACTION REQUIRED: Yes
DESCRIPTION: An elevation of privilege vulnerability exists in the way Windows kernel-mode drivers improperly allocate memory when copying data from user mode. Exploitation could result in remote code execution.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Out of scope
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58450.htm
http://www.microsoft.com/technet/security/bulletin/ms10-098.mspx


(MS10-098) Microsoft Windows Win32k Buffer Overflow Could Allow Elevation Of Privilege (2436673)
MTIS10-235-O
THREAT IDENTIFIER(S): CVE-2010-3940; MS10-098
THREAT TYPE: Vulnerability
RISK ASSESSMENT: Medium
MAIN THREAT VECTORS: Locally logged-on user
USER INTERACTION REQUIRED: Yes
DESCRIPTION: An elevation of privilege vulnerability exists due to the way the Windows kernel-mode drivers free objects that are no longer in use. The flaw is caused by a "double free" condition involving a pointer to a kernel-mode driver object. Exploitation could allow an attacker to execute remote code.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.
MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Out of scope
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope
ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58451.htm
http://www.microsoft.com/technet/security/bulletin/ms10-098.mspx


(MS10-098) Microsoft Windows Win32k Double Free Could Allow Elevation Of Privilege (2436673)
MTIS10-235-P

THREAT IDENTIFIER(S): CVE-2010-3941; MS10-098
THREAT TYPE: Vulnerability
RISK ASSESSMENT: Medium
MAIN THREAT VECTORS: Locally logged-on user
USER INTERACTION REQUIRED: Yes
DESCRIPTION: An elevation of privilege vulnerability exists due to the way the Windows kernel-mode drivers free objects that are no longer in use. The flaw is caused by a "double free" condition involving a pointer to a kernel-mode driver object. Exploitation could allow an attacker to execute remote code.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.

MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Out of scope
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope

ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58452.htm
http://www.microsoft.com/technet/security/bulletin/ms10-098.mspx


(MS10-098) Microsoft Windows Win32k WriteAV Could Allow Elevation Of Privilege (2436673)
MTIS10-235-Q

THREAT IDENTIFIER(S): CVE-2010-3942; MS10-098
THREAT TYPE: Vulnerability
RISK ASSESSMENT: Medium
MAIN THREAT VECTORS: Locally logged-on user
USER INTERACTION REQUIRED: Yes
DESCRIPTION: An elevation of privilege vulnerability exists in the way Windows kernel-mode drivers improperly allocate memory when copying data from user mode. The vulnerability occurs when the kernel-mode drivers do not properly allocate memory when copying data from user mode. Exploitation could allow an attacker to execute remote code.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.

MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Out of scope
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope

ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58453.htm
http://www.microsoft.com/technet/security/bulletin/ms10-098.mspx


(MS10-098) Microsoft Windows Win32k Cursor Linking Could Allow Elevation Of Privilege (2436673)
MTIS10-235-R

THREAT IDENTIFIER(S): CVE-2010-3943; MS10-098
THREAT TYPE: Vulnerability
RISK ASSESSMENT: Medium
MAIN THREAT VECTORS: Locally logged-on user
USER INTERACTION REQUIRED: Yes
DESCRIPTION: An elevation of privilege vulnerability exists due to the way Windows kernel-mode drivers manage kernel-mode driver objects. The vulnerability is caused by a logic error that occurs when linking kernel-mode driver objects, leading to a corrupted linked list. Exploitation could allow an attacker to execute remote code.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.

MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Out of scope
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope

ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58454.htm
http://www.microsoft.com/technet/security/bulletin/ms10-098.mspx


(MS10-098) Microsoft Windows Win32k Memory Corruption Could Allow Elevation Of Privilege (2436673)
MTIS10-235-S

THREAT IDENTIFIER(S): CVE-2010-3944; MS10-098
THREAT TYPE: Vulnerability
RISK ASSESSMENT: Medium
MAIN THREAT VECTORS: Locally logged-on user
USER INTERACTION REQUIRED: Yes
DESCRIPTION: An elevation of privilege vulnerability exists in the way the Windows kernel-mode drivers improperly validate input passed from user mode. Exploitation could allow an attacker to execute remote code.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.

MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Out of scope
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope

ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58455.htm
http://www.microsoft.com/technet/security/bulletin/ms10-098.mspx


(MS10-099) Microsoft Windows Routing and Remote Access Could Allow Elevation of Privilege (2440591)
MTIS10-235-T

THREAT IDENTIFIER(S): CVE-2010-3963; MS10-099
THREAT TYPE: Vulnerability
RISK ASSESSMENT: Medium
MAIN THREAT VECTORS: Locally logged-on user
USER INTERACTION REQUIRED: No
DESCRIPTION: A privilege escalation vulnerability exists in some versions of Microsoft Windows. The vulnerability is specific to the Routing and Remote Access component of the kernel. Exploitation could allow an attacker to execute remote code.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.

MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Out of scope
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope

ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58539.htm
http://www.microsoft.com/technet/security/bulletin/ms10-099.mspx


(MS10-100) Microsoft Windows Consent User Interface Could Allow Elevation of Privilege (2442962)
MTIS10-235-U

THREAT IDENTIFIER(S): CVE-2010-3961; MS10-100
THREAT TYPE: Vulnerability
RISK ASSESSMENT: Medium
MAIN THREAT VECTORS: Locally logged-on user
USER INTERACTION REQUIRED: No
DESCRIPTION: A privilege escalation vulnerability exists in some versions of Microsoft Windows. The vulnerability is specific to the processing of values read from the registry by the Consent User Interface. Exploitation could allow an attacker to execute remote code with elevated privileges.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.

MCAFEE PRODUCT COVERAGE
DAT FILES: Out of scope
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Out of scope
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope

ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58543.htm
http://www.microsoft.com/technet/security/bulletin/ms10-100.mspx


(MS10-101) Microsoft Windows Netlogon Service Could Allow Denial Of Service (2207559)
MTIS10-235-V

THREAT IDENTIFIER(S): CVE-2010-2742; MS10-101
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: LAN; WAN
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A denial of service vulnerability exists in implementations of the Netlogon RPC Service on some versions of Windows. The Netlogon Remote Protocol is a remote procedure call (RPC) interface for user and machine authentication on domain-based networks. This flaw exists due to the Netlogon RPC Service improperly validating user-provided data. An attacker can exploit this vulnerability by sending a specially crafted RPC packet to the Netlogon RPC Service. The attacker must have valid authentication credentials to exploit this vulnerability in compromised systems.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.

MCAFEE PRODUCT COVERAGE
DAT FILES: Under analysis
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: The sigset release of December 14 includes the signature "NETBIOS-SS: Netlogon RPC Service Denial of Service Vulnerability," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope

ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58431.htm
http://www.microsoft.com/technet/security/bulletin/ms10-101.mspx


(MS10-102) Microsoft Windows Hyper-V Could Allow Denial of Service (2345316)
MTIS10-235-W

THREAT IDENTIFIER(S): CVE-2010-3960; MS10-102
THREAT TYPE: Vulnerability
RISK ASSESSMENT: Medium
MAIN THREAT VECTORS: Locally logged-on user
USER INTERACTION REQUIRED: No
DESCRIPTION: A denial of service vulnerability exists in some versions of Microsoft Windows. The vulnerability is specific to the Hyper-V's VMBus handling of packets. Exploitation could allow a local attacker to cause a denial of service. The exploit requires the attacker to have valid login credentials and be able to log in locally into a guest virtual machine.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.

MCAFEE PRODUCT COVERAGE
DAT FILES: Coverage not warranted
VIRUS SCAN ENTERPRISE SCAN BOP: Out of scope
HOST IPS: Out of scope
NETWORK SECURITY PLATFORM: Out of scope
VULNERABILITY MANAGER: The FSL/MVM package of December 14 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Out of Scope

ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul58542.htm
http://www.microsoft.com/technet/security/bulletin/ms10-102.mspx


(MS10-090) Microsoft Internet Explorer Invalid Flag Remote Code Execution (2416400)
MTIS10-211-A

THREAT IDENTIFIER(S): CVE-2010-3962; MS10-090
THREAT TYPE: Vulnerability
RISK ASSESSMENT: High
MAIN THREAT VECTORS: Web
USER INTERACTION REQUIRED: Yes
DESCRIPTION: A vulnerability in some versions of Microsoft Internet Explorer could lead to remote code execution. Under certain conditions an invalid flag reference can be accessed after an object is deleted. In a specially crafted attack and while attempting to access a freed object, Internet Explorer can allow remote code execution. Exploitation requires a user to visit a malicious web page and could allow an attacker to take complete control of affected systems.
IMPORTANCE: Medium. On December 14, Microsoft released a patch to address this issue.

MCAFEE PRODUCT COVERAGE
DAT FILES: Coverage is provided as "Exploit-CVE2010-3962" in the 6159 DAT files, released November 6.
VIRUS SCAN ENTERPRISE SCAN BOP: Generic buffer overflow protection is expected to cover code execution exploits.
HOST IPS: Generic buffer overflow protection is expected to cover code execution exploits.
NETWORK SECURITY PLATFORM: The UDS release of November 3 includes the signature "HTTP: Microsoft Internet Explorer Invalid Object Memory Corruption Vulnerability," which provides coverage.
VULNERABILITY MANAGER: The FSL/MVM package of November 4 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Coverage is provided as "Exploit-CVE2010-3962" in the current Gateway Anti-Malware Database Update.
REMEDIATION MANAGER: An upcoming V-Flash will contain remedies for this issue.
POLICY AUDITOR: Under analysis
NETWORK ACCESS CONTROL: Under analysis
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Run-Time Control locks down systems and provides protection in the form of Memory Protection. (Vulnerabilities in authorized programs cannot be exploited)

ADDITIONAL INFORMATION:
http://vil.nai.com/vil/content/v_vul57593.htm
Microsoft: Microsoft Security Advisory (2458511
Microsoft: Microsoft Security Advisory - Vulnerability in Internet Explorer could allow remote code execution
http://www.microsoft.com/technet/security/bulletin/ms10-090.mspx


Detailed descriptions of the Security Advisories can be found in the Users Guide: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_UsersGuide.pdf

For more information on McAfee Avert Labs Security Advisories, see: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_FAQ.pdf

For McAfee Technical Support, click here.

For Multi-National Phone Support, click here.

McAfee values your feedback on this Security Advisory. Please reply to this mail with your comments.

*The information provided is only for the use and convenience of McAfee's customers in connection with their McAfee products, and applies only to the threats described herein. McAfee product coverage statements are limited to known attack vectors and should not be considered comprehensive. THE INFORMATION PROVIDED HEREIN IS PROVIDED "AS IS" AND IS SUBJECT TO CHANGE WITHOUT NOTICE.

The information contained herein is the property of McAfee, Inc. and may not be reproduced or disseminated without the expressed written consent of McAfee, Inc.

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054 888.847.8766 www.mcafee.com

® 2010 McAfee, Inc. All rights reserved.
