=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN130
_____________________________________________________________________

DATE                      : 14/04/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows 2000, Windows XP, Windows Vista, Windows 7,
                             Windows Server 2003, Windows Server 2008
                             running Windows Authenticode Verification.

======================================================================
KB981210
http://www.microsoft.com/technet/security/bulletin/ms10-019.mspx
______________________________________________________________________

Microsoft Security Advisory (981210)

Vulnerabilities in Windows Could Allow Remote Code Execution

Published: April 13, 2010

Version: 1.0

General Information

Executive Summary

  This security update resolves two privately reported vulnerabilities in
  Windows Authenticode Verification that could allow remote code execution.
  An attacker who successfully exploited either vulnerability could take
  complete control of an affected system. An attacker could then install
  programs; view, change, or delete data; or create new accounts with full
  user rights.

  This security update is rated Critical for all supported versions of
  Microsoft Windows.

  The security update addresses the vulnerabilities by performing additional
  verification operations when signing and verifying a portable executable or
  cabinet file.

  Recommendation: The majority of customers have automatic updating enabled
  and will not need to take any action because this security update will be
  downloaded and installed automatically. Customers who have not enabled
  automatic updating need to check for updates and install this update
  manually. For information about specific configuration options in automatic
  updating, see Microsoft Knowledge Base Article 294871.

  For administrators and enterprise installations, or end users who want to
  install this security update manually, Microsoft recommends that customers
  apply the update immediately using update management software, or by
  checking for updates using the Microsoft Update service.

Affected Software

  Microsoft Windows 2000 Service Pack 4
  Windows XP Service Pack 2
  Windows XP Service Pack 3
  Windows XP Professional x64 Edition Service Pack 2
  Windows Server 2003 Service Pack 2
  Windows Server 2003 x64 Edition Service Pack 2
  Windows Server 2003 with SP2 for Itanium-based Systems
  Windows Vista
  Windows Vista Service Pack 1
  Windows Vista Service Pack 2
  Windows Vista x64 Edition
  Windows Vista x64 Edition Service Pack 1
  Windows Vista x64 Edition Service Pack 2
  Windows Server 2008 for 32-bit Systems
  Windows Server 2008 for 32-bit Systems Service Pack 2
  Windows Server 2008 for x64-based Systems
  Windows Server 2008 for x64-based Systems Service Pack 2
  Windows Server 2008 for Itanium-based Systems
  Windows Server 2008 for Itanium-based Systems Service Pack 2
  Windows 7 for 32-bit Systems
  Windows 7 for x64-based Systems
  Windows Server 2008 R2 for x64-based Systems
  Windows Server 2008 R2 for Itanium-based Systems

Mitigating Factors

  An attacker who successfully exploited these vulnerabilities could gain the
  same user rights as the local user. Users whose accounts are configured to
  have fewer user rights on the system could be less impacted than users
  who operate with administrative user rights.

Vulnerability Information

WinVerifyTrust Signature Validation Vulnerability - CVE-2010-0486

  A remote code execution vulnerability exists in the Windows Authenticode
  Signature Verification function used for portable executable (PE) and
  cabinet file formats. An anonymous attacker could exploit the
  vulnerability by modifying an existing signed executable file to
  manipulate unverified portions of the signature and file in such a way
  as to add malicious code to the file without invalidating the signature.
  An attacker who successfully exploited this vulnerability could take
  complete control of an affected system. An attacker could then install
  programs; view, change, or delete data; or create new accounts with full
  user rights.

Cabview Corruption Validation Vulnerability - CVE-2010-0487

  A remote code execution vulnerability exists in the Windows Authenticode
  Signature verification for cabinet (.cab) file formats. An anonymous
  attacker could exploit the vulnerability by modifying an existing signed
  cabinet file to point the unverified portions of the signature to
  malicious code, and then convincing a user to open or view the specially
  crafted cabinet file. An attacker who successfully exploited this
  vulnerability could take complete control of an affected system. An
  attacker could then install programs; view, change, or delete data; or
  create new accounts with full user rights.
======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================