13 bulletins were released Tuesday as part of Microsoft’s regularly scheduled monthly security update cycle – five rated Critical, seven rated Important and one rated Moderate – to address 26 vulnerabilities in Windows and Microsoft Office.
There are many vulnerabilities in this set that organizations should be aware of, but it was one of the vulnerabilities rated ‘important’ that caught my attention: MS10-015.
Since other vulnerabilities were rated as Critical, why does this one bother me?
- It’s a kernel level vulnerability
- A successful exploit can escalate privileges and gain access to Ring 0
Microsoft only rates this one as Important because it is not remotely exploitable, i.e. code must be executed locally on the endpoint. But in the world of end-users tempted to click on glittering, shiny objects how hard is that?
No doubt, this will be used in social-engineering attacks to trick users (“your secret admirer has sent you this e-card, click here to see it”) into running code that exploits this vulnerability to gain system-level access. Even running as standard user doesn’t necessarily protect you from single file executables executed directly from the Web.
Or, you’ll see this vulnerability used in combination with another vulnerability in a chained attack. For example, an attack on another vulnerability rated as Important because the code only runs in the context of the user, but subsequently this vulnerability is exploited to gain kernel-level access. This is why Microsoft has rated is exploitability index at a “1” (consistent exploit code likely).
Net/Net – there are a bunch of vulnerability to pay attention to this month and this one although rated as “Important” is really critical in my book and should be treated as such.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.