===================================================================== CERT-Renater Note d'Information No. 2010/VULN056 _____________________________________________________________________ DATE : 10/02/2010 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Windows 2000, Windows XP, Windows Vista Windows 7, Windows Server 2003, Windows Server 2008 running ActiveX. ====================================================================== KB978262 http://www.microsoft.com/technet/security/bulletin/ms10-008.mspx ______________________________________________________________________ Microsoft Security Bulletin MS10-008 - Critical Cumulative Security Update of ActiveX Kill Bits (978262) Published: February 09, 2010 Version: 1.0 General Information Executive Summary This security update addresses a privately reported vulnerability for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000 and Windows XP, Important for all supported editions of Windows Vista and Windows 7, Moderate for all supported editions of Windows Server 2003, and Low for all supported editions of Windows Server 2008 and Windows Server 2008 R2. The vulnerability could allow remote code execution if a user views a specially crafted Web page that instantiates an ActiveX control with Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls. The security update addresses the vulnerability by setting a kill bit so that the vulnerable control does not run in Internet Explorer. Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. Known Issues. None Affected Software Microsoft Windows 2000 Service Pack 4 Windows XP Service Pack 2 and Windows XP Service Pack 3 Windows XP Professional x64 Edition Service Pack 2 Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Windows 7 for x64-based Systems Windows Server 2008 R2 for x64-based Systems Windows Server 2008 R2 for Itanium-based Systems Vulnerability Information Microsoft Data Analyzer ActiveX Control Vulnerability - CVE-2010-0252 A remote code execution vulnerability exists in the Microsoft Data Analyzer ActiveX Control. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Third-Party Kill Bits This update includes kill bits to prevent the following ActiveX controls from being run in Internet Explorer: Symantec has requested a kill bit for the ActiveX control for Symantec WinFax Pro 10.3. Please see the post for more information about Symantec's recommendation for customers to set the kill bit for the control. If you have any questions or concerns regarding the kill bit for the Symantec WinFax Pro 10.3 control, please contact Symantec Security at secure@symantec.com. The class identifier (CLSID) for this ActiveX control is: {C05A1FBC-1413-11D1-B05F-00805F4945F6}. Google has requested a kill bit for the ActiveX control for Google Desktop Gadget v5.8. If you have any questions or concerns regarding Google Desktop Gadget Control v5.8, please contact Google security at security@google.com. The class identifier (CLSID) for this ActiveX control is: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D}. Facebook has requested a kill bit for the ActiveX control for Facebook Photo Updater 5.5.8. The new control can be found here. If you have any questions or concerns regarding the kill bit for the Facebook Image Uploader ActiveX control, please contact Facebook Security. The class identifier (CLSID) for this ActiveX control is: {0CCA191D-13A6-4E29-B746-314DEE697D83}. Panda Security has requested a kill bit for the ActiveX control for PandaActiveScan Installer 2.0. The new control can be found here. If you have any questions or concerns regarding the kill bit for the Panda Security ActiveX control, please contact Panda Security. The class identifier (CLSID) for this ActiveX control is: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8}. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================