Security & Mobility Blog

November 2010 Microsoft Patch Tuesday Summary

by Juniper Employee on 11-09-2010 01:22 PM - last edited on 02-08-2011 05:06 PM

Welcome back to another episode of the Patch Tuesday summary. After last month's massive set of patches, this month is very light with only 11 CVEs. After 49 vulnerabilities, a mere 11 seems like a walk in the park!


The patches this month fall across two products: Microsoft Office and Forefront Unified Access Gateway (UAG). The vulnerabilities are very similar to the ones we've been seeing for the past few years. On the UAG side the issues are mostly cross-site scripting (XSS), while it's malformed document files for Office as usual, with one exception.


Here is a list of the vulnerabilities fixed in today’s patches:


Forefront Unified Access Gateway Vulnerabilities

  • CVE-2010-2732 - UAG Redirection Spoofing Vulnerability

This vulnerability could be used to fool UAG users into giving their login credentials or other sensitive data to a malicious third party.


  • CVE-2010-2733 - UAG XSS Allows EOP Vulnerability
  • CVE-2010-2734 - XSS Issue on UAG Mobile Portal Website in Forefront Unified Access Gateway Vulnerability
  • CVE-2010-3936 - XSS in Signurl.asp Vulnerability

These three vulnerabilities are all cross-site scripting (XSS) issues. XSS vulnerabilities are very common (there have been over 600 Bugtraq IDs assigned to XSS flaws this year). Cross-site scripting attacks are very flexible, and the attacker can choose to use them in a variety of ways. Stealing authenticated sessions via cookies is one common outcome.


Microsoft Office Vulnerabilities

  • CVE-2010-2572 - PowerPoint Parsing Buffer Overflow Vulnerability
  • CVE-2010-2573 - PowerPoint Integer Underflow Causes Heap Corruption Vulnerability

These two vulnerabilities are typical of the issues fixed in Office patches. Here, opening PowerPoint files can lead to arbitrary code execution.
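To make the "integer underflow causes heap corruption" class concrete, here is an added illustration written for this post; it is not code from Microsoft or from the PowerPoint parser. It parses a hypothetical length-prefixed record format (a 2-byte type, a 2-byte length that counts the header, then the body; not the real PowerPoint file layout) first with the flawed signed arithmetic and then with the hardened check, and shows what size the flawed version would hand to a memcpy for a record whose declared length is smaller than its own header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout used for this illustration only (not the real
 * PowerPoint binary format): a 2-byte type, a 2-byte little-endian length that
 * counts the whole record *including* this 4-byte header, then the body. */
#define HDR_SIZE 4
#define MAX_BODY 64

/* Vulnerable pattern: the length arithmetic is done in a signed int and the
 * bounds check only looks at the upper limit.  A declared length smaller than
 * the header makes `body` negative; -2 > 64 is false, so the check passes and
 * the negative value becomes a huge size_t once it reaches memcpy.
 * Returns 1 and sets *copy_len to what memcpy would receive, 0 if rejected. */
int body_len_vulnerable(const uint8_t *rec, size_t avail, size_t *copy_len)
{
    if (avail < HDR_SIZE)
        return 0;
    int declared = rec[2] | (rec[3] << 8);   /* 0..65535 */
    int body = declared - HDR_SIZE;          /* BUG: underflows for declared < 4 */
    if (body > MAX_BODY)                     /* a negative body slips through */
        return 0;
    *copy_len = (size_t)body;                /* e.g. -2 becomes SIZE_MAX - 1 */
    return 1;
}

/* Hardened form: reject a declared length that cannot even hold the header
 * before subtracting, keep the arithmetic unsigned, and bound the body both by
 * the destination capacity and by the bytes actually present in the input. */
int body_len_fixed(const uint8_t *rec, size_t avail, size_t *copy_len)
{
    if (avail < HDR_SIZE)
        return 0;
    unsigned declared = rec[2] | (rec[3] << 8);
    if (declared < HDR_SIZE)                 /* header must fit in the length */
        return 0;
    unsigned body = declared - HDR_SIZE;     /* cannot wrap now */
    if (body > MAX_BODY || body > avail - HDR_SIZE)
        return 0;
    *copy_len = body;
    return 1;
}

/* Copies the record body into a fixed 64-byte buffer using the hardened check.
 * Returns the number of bytes copied, or 0 if the record was rejected. */
size_t copy_body_safe(const uint8_t *rec, size_t avail, uint8_t out[MAX_BODY])
{
    size_t n;
    if (!body_len_fixed(rec, avail, &n))
        return 0;
    memcpy(out, rec + HDR_SIZE, n);
    return n;
}

/* Constructed sample records (not taken from any real document). */
static const uint8_t GOOD_REC[] = { 0x01, 0x00, 0x07, 0x00, 'a', 'b', 'c' };
static const uint8_t BAD_REC[]  = { 0x01, 0x00, 0x02, 0x00 };  /* length 2 < header */

/* What the vulnerable parser would hand to memcpy for the malformed record. */
size_t wrapped_len_for_bad_record(void)
{
    size_t n = 0;
    return body_len_vulnerable(BAD_REC, sizeof BAD_REC, &n) ? n : 0;
}

/* 1 if the hardened parser rejects the malformed record. */
int fixed_rejects_bad_record(void)
{
    size_t n = 0;
    return body_len_fixed(BAD_REC, sizeof BAD_REC, &n) == 0;
}

/* Body length the hardened parser accepts and copies for the good record. */
size_t fixed_len_for_good_record(void)
{
    uint8_t out[MAX_BODY];
    return copy_body_safe(GOOD_REC, sizeof GOOD_REC, out);
}

int main(void)
{
    printf("vulnerable parser would copy %zu bytes for the bad record\n",
           wrapped_len_for_bad_record());
    printf("hardened parser rejects bad record: %d\n", fixed_rejects_bad_record());
    printf("hardened parser copies %zu bytes for the good record\n",
           fixed_len_for_good_record());
    return 0;
}
```

The point of the hardened version is the order of the checks: the "does the length even cover the header" test happens before the subtraction, so the value that later sizes the copy can never wrap, and the body is additionally capped by how many bytes the input actually contains.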


  • CVE-2010-3334 - Office Art Drawing Records Vulnerability
  • CVE-2010-3335 - Drawing Exception Handling Vulnerability
  • CVE-2010-3336 - MSO Large SPID Read AV Vulnerability

These three issues are similar to the PowerPoint issues above, but are a bit broader in that all Office document formats are affected.


  • CVE-2010-3333 - RTF Stack Buffer Overflow Vulnerability

This vulnerability carries a higher severity rating (Critical) than the rest due to email being a possible vector. Simply previewing a malicious email with RTF formatting can trigger this issue.


  • CVE-2010-3337 - Insecure Library Loading Vulnerability

This vulnerability belongs to a class of DLL loading issues that has seen a lot of activity this summer. Back in August, ACROS Security posted a vulnerability disclosure about how iTunes could be tricked into loading (and executing) arbitrary code through DLLs hosted on remote file shares. The broader security community quickly realized that this issue existed in hundreds of applications, and disclosures and patches started appearing by the dozen. Here is a chart of the number of DLL vulnerabilities assigned Bugtraq IDs every month since August:

[Chart: DLL loading vulnerabilities assigned Bugtraq IDs per month since August 2010 (image not available)]

The rate at which these bugs are being found and fixed is clearly declining, although there are certainly more out there, as this month's Patch Tuesday proves.


As we do every month, we've released a signature update to address the vulnerabilities fixed in today's patches. Happy patching!
