
BeyondTrust Patch Tuesday

April 12, 2011

Microsoft Patch Disclosure

This month, Microsoft released 17 patches which address a total of 64 vulnerabilities. 15 of these patches address Remote Code Execution vulnerabilities, 1 addresses an Information Disclosure vulnerability, and 1 addresses an Elevation of Privilege vulnerability.

Administrators are urged to patch MS11-018, MS11-019, MS11-020, and MS11-028 immediately: MS11-018 is being exploited in the wild, MS11-019 and MS11-020 are a dangerous combination when chained (a client-side and a server-side SMB flaw), and MS11-028 because .NET has historically been a target for attackers. Next, MS11-027, MS11-021, MS11-022, MS11-029, MS11-024, and MS11-030 should be patched as soon as possible. Lastly, MS11-023, MS11-025, MS11-026, MS11-034, MS11-033, MS11-031, and MS11-032 should be patched at the administrators' earliest convenience. As always, eEye suggests that all users apply Microsoft patches as quickly as possible, preferably after testing the impact on internal applications and network continuity. For further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.
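The priority order above is only useful if you can tell which of the bulletins a host is still missing. The following PowerShell script is an added example and is not part of the original newsletter: it checks a Windows host with Get-HotFix against the bulletins whose update package carries the same KB number as the bulletin article quoted in the headings below, grouped into the three tiers from the paragraph above. That KB-to-package mapping is an assumption stated in the table; Office (MS11-021, MS11-022, MS11-023), Visual Studio (MS11-025) and .NET (MS11-028) updates do not appear in Get-HotFix at all, and MS11-024, MS11-029 and MS11-031 ship per-component packages under other KB numbers, so those need a separate check and are deliberately left out.

```powershell
# Added example (not from the original newsletter): audit a host for the April 2011
# Windows bulletins using Get-HotFix (Win32_QuickFixEngineering). Run elevated.
# Assumption: for the bulletins listed here the package KB equals the bulletin KB
# shown in the newsletter headings. Tiers follow the newsletter's priority order.

$Bulletins = @(
    @{ Bulletin = 'MS11-018'; KB = 'KB2497640'; Tier = 1 }   # IE cumulative, exploited in the wild
    @{ Bulletin = 'MS11-019'; KB = 'KB2511455'; Tier = 1 }   # SMB client
    @{ Bulletin = 'MS11-020'; KB = 'KB2508429'; Tier = 1 }   # SMB server
    @{ Bulletin = 'MS11-027'; KB = 'KB2508272'; Tier = 2 }   # ActiveX kill bits
    @{ Bulletin = 'MS11-030'; KB = 'KB2509553'; Tier = 2 }   # DNS client / LLMNR
    @{ Bulletin = 'MS11-026'; KB = 'KB2503658'; Tier = 3 }   # MHTML
    @{ Bulletin = 'MS11-032'; KB = 'KB2507618'; Tier = 3 }   # OpenType CFF driver
    @{ Bulletin = 'MS11-033'; KB = 'KB2485663'; Tier = 3 }   # WordPad converters
    @{ Bulletin = 'MS11-034'; KB = 'KB2506223'; Tier = 3 }   # win32k elevation of privilege
)

function Get-BulletinStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # One WMI round trip per host, then constant-time lookups in a hash table.
    $installed = @{}
    Get-HotFix -ComputerName $ComputerName | ForEach-Object {
        $installed[$_.HotFixID] = $_.InstalledOn
    }

    foreach ($b in $Bulletins | Sort-Object { $_.Tier }) {
        [pscustomobject]@{
            Computer    = $ComputerName
            Tier        = $b.Tier
            Bulletin    = $b.Bulletin
            KB          = $b.KB
            Installed   = $installed.ContainsKey($b.KB)
            InstalledOn = $installed[$b.KB]
        }
    }
}

# Missing updates first, highest priority at the top.
Get-BulletinStatus |
    Sort-Object Installed, Tier |
    Format-Table Tier, Bulletin, KB, Installed, InstalledOn -AutoSize
```

Pass a list of hosts to Get-BulletinStatus in a loop to sweep a subnet. Treat "Installed = False" as "verify", not as proof the host is unpatched: a machine built from media that already carried a later cumulative update (most obviously for Internet Explorer) will never show the April KB, and the file versions listed in the bulletin are the authoritative check.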

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Wednesday, April 13th at 1pm PT / 4pm ET

BULLETIN / ADVISORY DETAILS

MS11-018

Cumulative Security Update for Internet Explorer (2497640)


Microsoft Rating:

Critical

CVE List:

CVE-2011-0094, CVE-2011-0346, CVE-2011-1244, CVE-2011-1245, CVE-2011-1345

 

Analysis:

This bulletin addresses three memory corruption vulnerabilities (CVE-2011-0094, CVE-2011-0346, CVE-2011-1345) and two information disclosure vulnerabilities (CVE-2011-1244, CVE-2011-1245). To exploit any of them, the attacker need only convince a user to open a malicious web page (by sending a link through email, instant messaging, etc.). For the memory corruption flaws, rendering the page triggers the corruption and grants the attacker the ability to execute arbitrary code in the context of the current user; the information disclosure flaws let the page read data it should not have access to.

 

Recommendation:

Install the patch immediately, as it fixes the vulnerability used at this year's Pwn2Own contest. Until this is possible, read emails in plain text, block ActiveX controls, and disable Active Scripting in both the Internet and Local Intranet zones.

 

MS11-019

Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)


Microsoft Rating:

Critical

CVE List:

CVE-2011-0654, CVE-2011-0660

 

Analysis:

This bulletin addresses two vulnerabilities in the SMB client: a pool (kernel memory) corruption in the handling of Browser protocol messages (CVE-2011-0654) and a parsing flaw in how the client handles SMB responses (CVE-2011-0660). Either could allow an unauthenticated attacker to execute arbitrary code, and because the SMB client runs in kernel mode, successful exploitation grants SYSTEM-level control of the machine. The Browser vulnerability can be triggered by sending a malicious Browser message to a vulnerable system on the local network; the response-parsing vulnerability requires the victim's client to connect to an attacker-controlled SMB server, for example by following a UNC link in a web page or email.

 

Recommendation:

Install the patch immediately, as attackers will be seeking to combine the vulnerabilities in this patch with the one in MS11-020, which could form the basis of a self-propagating worm. Until this is possible, block TCP ports 139 and 445 (and UDP ports 137 and 138, which carry Browser protocol traffic) at the firewall.

 

MS11-020

Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)


Microsoft Rating:

Critical

CVE:

CVE-2011-0661

 

Analysis:

This bulletin addresses a parsing vulnerability in the SMB server's handling of transaction requests (CVE-2011-0661). It could permit an attacker to execute arbitrary code on a vulnerable system, granting full control of the compromised machine, and requires no authentication. To exploit it, the attacker would simply need to send a malicious SMB packet to a vulnerable system.

 

Recommendation:

Install the patch immediately, as attackers will be seeking to combine the vulnerability in this patch with those in MS11-019, which could form the basis of a self-propagating worm. Until this is possible, block TCP ports 139 and 445 at the firewall.
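The port-blocking workaround for MS11-019 and MS11-020 is the same on both bulletins, and the direction matters: the server flaw is reached by inbound SMB, the client response-parsing flaw by outbound SMB to a hostile server, and the Browser flaw by inbound NetBIOS datagrams. The following script is an added example, not part of the original newsletter, and uses netsh advfirewall, so it applies to Windows Vista / Server 2008 and later (XP and Server 2003 use the older netsh firewall syntax). It assumes an elevated session and, by default, applies the rules only to the Public firewall profile so that domain file sharing keeps working; the rule names are arbitrary labels chosen here.

```powershell
# Added example (not from the original newsletter): temporary host-firewall rules for
# MS11-019 / MS11-020 until the patches are on. Windows Vista / Server 2008 and later.
# Run elevated. Rules go to the Public profile unless -Profile says otherwise.

function Add-BlockRule {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [ValidateSet('in','out')] [string]$Dir,
        [Parameter(Mandatory)] [ValidateSet('TCP','UDP')] [string]$Protocol,
        [Parameter(Mandatory)] [string]$Ports,          # e.g. '139,445'
        [ValidateSet('public','private','domain','any')] [string]$Profile = 'public'
    )
    # Inbound rules match on the local port, outbound rules on the remote port.
    $portArg = if ($Dir -eq 'in') { "localport=$Ports" } else { "remoteport=$Ports" }
    # Idempotent: remove any earlier rule of the same name before adding it again.
    netsh advfirewall firewall delete rule name=$Name | Out-Null
    netsh advfirewall firewall add rule name=$Name dir=$Dir action=block `
        protocol=$Protocol $portArg profile=$Profile
}

# MS11-020: malicious SMB transactions arrive at our server -> block inbound SMB.
Add-BlockRule -Name eEye_MS11-020_in_tcp_smb  -Dir in  -Protocol TCP -Ports '139,445'
# MS11-019 / CVE-2011-0654: malicious Browser datagrams arrive on NetBIOS UDP ports.
Add-BlockRule -Name eEye_MS11-019_in_udp_nbt  -Dir in  -Protocol UDP -Ports '137,138'
# MS11-019 / CVE-2011-0660: our client would connect out to a hostile SMB server.
Add-BlockRule -Name eEye_MS11-019_out_tcp_smb -Dir out -Protocol TCP -Ports '139,445'

# Confirm what is in place (remove with "netsh advfirewall firewall delete rule name=<name>"
# once the host is patched).
netsh advfirewall firewall show rule name=all | Select-String 'eEye_MS11'
```

On a file server or a domain member that must keep serving SMB, leave the inbound TCP rule off and rely on the network perimeter for it; the outbound rule and the UDP 137/138 rule are the ones that close the client-side paths without affecting the server role.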

 

MS11-021

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)


Microsoft Rating:

Important

CVE List:

CVE-2011-0097, CVE-2011-0098, CVE-2011-0101, CVE-2011-0103, CVE-2011-0104, CVE-2011-0105, CVE-2011-0978, CVE-2011-0979, CVE-2011-0980

 

Analysis:

This bulletin addresses nine memory corruption vulnerabilities in Microsoft Excel that, when exploited, permit an attacker to execute arbitrary code on a vulnerable system. A user would only have to open a malicious Excel file to be exploited, granting the attacker the same rights as the user. The attacker might deliver the file via email, instant message, a link to a file hosted on a web site, or similar methods.

 

Recommendation:

Install the patch as soon as possible, since consistent code execution is likely. Until this is possible, use File Block to prevent Excel 2003 and earlier binary files from untrusted sources from opening, and use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files that are not from trusted sources. Note that no realistic mitigation exists for CVE-2011-0101 or CVE-2011-0105, so patching is the only protection against those two.

 

MS11-022

Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)


Microsoft Rating:

Important

CVE List:

CVE-2011-0655, CVE-2011-0656, CVE-2011-0976

 

Analysis:

This bulletin addresses three memory corruption vulnerabilities in Microsoft PowerPoint, caused by improper handling of malformed PowerPoint files. If a user opens a malicious file, the attacker gains the ability to execute arbitrary code with the same rights as the user. The attacker might deliver the file via email, instant message, a link to a file hosted on a web site, or similar methods.

 

Recommendation:

Install the patch as soon as possible, since consistent code execution is likely. Until this is possible, configure Office File Validation in PowerPoint 2010 so that files that fail validation open in Protected View and cannot be edited. Additionally, block PowerPoint 2003 and earlier binary files from untrusted sources with File Block, and use MOICE when opening files that are not from trusted sources.

 

MS11-023

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)


Microsoft Rating:

Important

CVE List:

CVE-2011-0107, CVE-2011-0977

 

Analysis:

This bulletin addresses two remote code execution vulnerabilities in Microsoft Office: a DLL preloading (hijacking) vulnerability (CVE-2011-0107) and a graphic object dereferencing vulnerability (CVE-2011-0977). To exploit the DLL preloading vulnerability, an attacker would merely need to convince a user to open an Office file from a WebDAV share the attacker controls, which would cause the attacker's malicious DLL in the same directory to be loaded and the code inside it executed. For the second vulnerability, the attacker would send the user a malicious file (or a link to it hosted on a web site) and convince them to open it. In either case, the attacker gains the ability to execute arbitrary code in the context of the current user.

 

Recommendation:

Administrators should install the patch at their earliest convenience. Until this is possible, DLLs should be blocked from being loaded off WebDAV shares, the WebClient service should be disabled, and TCP ports 139 and 445 should be blocked with a firewall.

 

MS11-024

Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)


Microsoft Rating:

Important

CVE:

CVE-2010-3974

 

Analysis:

This bulletin addresses a remote code execution vulnerability in the Windows Fax Cover Page Editor. To exploit it, an attacker would need to convince a user to open a malicious .cov file, delivered via email, instant message, a web site, etc. When the file is opened in the Fax Cover Page Editor, memory corruption occurs, granting the attacker the ability to execute arbitrary code in the context of the current user.

 

Recommendation:

Install the patch as soon as possible: the vulnerability has been publicly disclosed and consistent code execution is likely. Until this is possible, disassociate the .cov file extension from the Windows Fax Cover Page Editor on Windows XP and Server 2003. Microsoft provides no mitigation for the other affected operating systems, so patching is the only way to protect them.

 

MS11-025

Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)


Microsoft Rating:

Important

CVE:

CVE-2010-3190

 

Analysis:

This bulletin addresses a remote code execution vulnerability in how the MFC library loads DLL files. To exploit it, an attacker would need to convince a user to open a file from a WebDAV share whose type is associated with any application built on MFC, which would result in the attacker's malicious DLL being loaded and the code inside it executed. This is a much broader attack surface than a typical DLL preloading vulnerability: those usually affect a single application, whereas this one affects every application built with the vulnerable MFC version.

 

Recommendation:

Administrators should install the patch at their earliest convenience. Note that the update fixes the MFC library shipped with Visual Studio and the Visual C++ redistributable; an application that carries its own copy of MFC is protected only once its vendor rebuilds it with the updated library. Until this is possible, DLLs should be blocked from being loaded off WebDAV shares, the WebClient service should be disabled, and TCP ports 139 and 445 should be blocked with a firewall.
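MS11-023 and MS11-025 share the same workaround, "block DLLs from being loaded off WebDAV shares and disable the WebClient service", and Microsoft exposes the first half of it as a registry value rather than a menu option. The script below is an added example, not part of the original newsletter. It relies on the CWDIllegalInDllSearch value introduced by Microsoft's KB2264107 update (which must be installed first); its documented settings are 1 (block when the working directory is any remote share), 2 (block only when it is a WebDAV folder) and 0xFFFFFFFF (never search the working directory). The function names and the per-application override path under Image File Execution Options are the documented locations; the choice of winword.exe in the comment is only an illustration.

```powershell
# Added example (not from the original newsletter): DLL-preloading mitigation shared by
# MS11-023 (CVE-2011-0107) and MS11-025 (CVE-2010-3190). Requires KB2264107 and an
# elevated session. Test line-of-business applications afterwards: some load plug-ins
# from their working directory and will break under the stricter settings.

$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Ifeo       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Documented CWDIllegalInDllSearch values. -1 is stored as REG_DWORD 0xFFFFFFFF and
# reads back as -1 through Get-ItemProperty.
$CwdPolicy = @{ WebDavOnly = 2; AnyRemote = 1; NoCwd = -1 }

function Set-CwdDllSearchPolicy {
    param(
        [ValidateSet('WebDavOnly','AnyRemote','NoCwd')] [string]$Mode = 'WebDavOnly',
        [string]$Exe    # optional: scope to one executable (e.g. winword.exe) instead of system-wide
    )
    $key = if ($Exe) { Join-Path $Ifeo $Exe } else { $SessionMgr }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name CWDIllegalInDllSearch -Value $CwdPolicy[$Mode] -Type DWord
}

function Disable-WebClient {
    # Without the WebClient service there is no WebDAV redirector, so a remote
    # directory cannot become the working directory in the first place.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
}

function Test-DllPreloadMitigation {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        CWDIllegalInDllSearch = (Get-ItemProperty -Path $SessionMgr -Name CWDIllegalInDllSearch `
                                    -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
        WebClientStartMode    = $svc.StartMode
        WebClientState        = $svc.State
    }
}

Set-CwdDllSearchPolicy -Mode WebDavOnly     # the newsletter's "block DLLs from WebDAV shares"
Disable-WebClient
Test-DllPreloadMitigation
```

The system-wide value only governs applications that have no entry of their own under Image File Execution Options, so a per-executable value (for example a stricter NoCwd for the Office binaries) wins over the global one. Revert with Remove-ItemProperty on the same value and Set-Service WebClient -StartupType Manual once the patches are deployed.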

 

MS11-026

Vulnerability in MHTML Could Allow Information Disclosure (2503658)


Microsoft Rating:

Important

CVE:

CVE-2011-0096

 

Analysis:

This bulletin addresses an information disclosure vulnerability in the MHTML protocol handler. An attacker could convince a user to view a web page containing a malicious MIME-formatted request that runs in a permitted security context but accesses data in a context the script should not be able to reach. The attacker could thereby read data that should not be accessible to scripts running in the attacker's security context.

 

Recommendation:

Administrators should install the patch at their earliest convenience. Until this is possible, either disable or lock down the MHTML protocol. Additionally, block/disable ActiveX controls and Active Scripting in both the Internet and Local Intranet zones.

 

MS11-027

Cumulative Security Update of ActiveX Kill Bits (2508272)


Microsoft Rating:

Critical

CVE List:

CVE-2010-0811, CVE-2010-3973, CVE-2011-1243

 

Analysis:

This bulletin addresses three remote code execution vulnerabilities by setting kill bits for the affected ActiveX controls, which prevents Internet Explorer from instantiating them. Three kill bits cover Microsoft controls and fourteen cover third-party controls. To exploit these vulnerabilities, an attacker would need to convince a user to visit a malicious page under the attacker's control; the page would instantiate a vulnerable ActiveX control and exploit it, giving the attacker the ability to execute arbitrary code in the context of the current user.

 

Recommendation:

Install the patch as soon as possible, since consistent code execution is likely. Until this is possible, prevent the affected COM objects from running in Internet Explorer by setting their kill bits manually, and block/disable ActiveX controls and Active Scripting in both the Internet and Local Intranet zones.

 

MS11-028

Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)


Microsoft Rating:

Critical

CVE:

CVE-2010-3958

 

Analysis:

A remote code execution vulnerability exists in the .NET Framework Just-In-Time (JIT) compiler. If an attacker could convince a user to visit a malicious site under the attacker's control, the site could exploit the vulnerability to corrupt the stack on the user's machine, granting the attacker the ability to execute arbitrary code in the context of the current user. On a server that allows users to upload and run arbitrary ASP.NET pages, the same flaw would yield code execution as the ASP.NET account.

 

Recommendation:

Install the patch immediately since this vulnerability has been publicly disclosed. Until this is possible, prevent use of Microsoft .NET partially trusted applications and prevent the use of XAML applications in Internet Explorer.

 

MS11-029

Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)


Microsoft Rating:

Critical

CVE:

CVE-2011-0041

 

Analysis:

This bulletin addresses a remote code execution vulnerability in GDI+. To exploit it, an attacker would simply have to convince a user to load a malicious page under the attacker's control, which would load a malformed EMF image file and trigger an integer overflow, giving the attacker the ability to execute arbitrary code with the same rights as the current user. The attacker could direct the user to this page by sending a link via email, instant message, or similar methods.

 

Recommendation:

Install the patch as soon as possible, since consistent code execution is likely. Until this is possible, prevent metafiles from being processed (the DisableMetaFiles registry setting) and restrict access to gdiplus.dll.

 

MS11-030

Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)


Microsoft Rating:

Critical

CVE:

CVE-2011-0657

 

Analysis:

This bulletin addresses a vulnerability in the Windows DNS client's handling of malicious LLMNR queries, which an unauthenticated attacker on the local network could use to exploit a target machine. On Windows Vista, Server 2008, 7, and Server 2008 R2, the attacker could remotely execute arbitrary code by sending a malicious LLMNR query to vulnerable systems. On Windows XP and Server 2003 the attacker would need to log on locally, but could then run a crafted application to elevate their privileges to those of the NetworkService account.

 

Recommendation:

Install the patch as soon as possible, since consistent code execution is likely. Until this is possible, block TCP/UDP port 5355, use Group Policy to turn off Link-Local Multicast Name Resolution, and disable Network Discovery.
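The three MS11-030 workarounds, as a script for the Vista / Server 2008 / 7 / Server 2008 R2 systems on which CVE-2011-0657 is remotely reachable. This is an added example and not part of the original newsletter. It assumes an elevated session and that the registry value it writes is the one set by the "Turn off multicast name resolution" policy under Computer Configuration > Administrative Templates > Network > DNS Client; for a domain, set that policy in a GPO and keep this script for stand-alone hosts and testing. The firewall rule names are labels chosen here, and the stop-parsing token (--%) needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original newsletter): MS11-030 workarounds on
# Windows Vista / Server 2008 and later. Run elevated.

$DnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Disable-Llmnr {
    # EnableMulticast = 0 is what the "Turn off multicast name resolution" GPO writes.
    if (-not (Test-Path $DnsClientPolicy)) { New-Item -Path $DnsClientPolicy -Force | Out-Null }
    Set-ItemProperty -Path $DnsClientPolicy -Name EnableMulticast -Value 0 -Type DWord
}

function Block-LlmnrPort {
    # LLMNR queries are UDP 5355; TCP 5355 is used for responses too large for UDP.
    foreach ($proto in 'UDP','TCP') {
        $name = "eEye_MS11-030_in_${proto}_5355"
        netsh advfirewall firewall delete rule name=$name | Out-Null
        netsh advfirewall firewall add rule name=$name dir=in action=block protocol=$proto localport=5355
    }
}

function Disable-NetworkDiscovery {
    # Same switch the Network and Sharing Center flips: the Network Discovery rule group.
    netsh --% advfirewall firewall set rule group="Network Discovery" new enable=No
}

function Test-LlmnrMitigation {
    $enabled = (Get-ItemProperty -Path $DnsClientPolicy -Name EnableMulticast `
                    -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{
        LlmnrDisabledByPolicy = ($enabled -eq 0)
        Udp5355Blocked        = [bool](netsh advfirewall firewall show rule name=eEye_MS11-030_in_UDP_5355 |
                                       Select-String 'Block')
    }
}

Disable-Llmnr
Block-LlmnrPort
Disable-NetworkDiscovery
Test-LlmnrMitigation
```

Turning LLMNR off means hosts on a segment without a DNS server (home groups, isolated lab networks) can no longer resolve each other by name, which is the cost of removing the multicast listener this vulnerability lives in. Remove the two firewall rules and delete the EnableMulticast value to return to the defaults after patching.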

 

MS11-031

Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)


Microsoft Rating:

Critical

CVE:

CVE-2011-0663

 

Analysis:

A remote code execution vulnerability exists in the JScript and VBScript scripting engines when processing crafted scripts. An attacker would need to convince the user to visit a specially crafted web page or open a malicious script in order to exploit it. Loading the decoded script into memory can cause an integer overflow, allowing the attacker to execute arbitrary code in the context of the current user.

 

Recommendation:

Administrators should install the patch at their earliest convenience. Until this is possible, ActiveX Controls and Active Scripting within the Internet and Local Intranet security zone settings should be set to disabled.
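Four of this month's bulletins (MS11-018, MS11-026, MS11-027 and this one, MS11-031) share the workaround of disabling, or prompting for, ActiveX controls and Active Scripting in the Internet and Local Intranet zones. The script below is an added example, not part of the original newsletter. It assumes the documented layout of Internet Explorer's zone settings in the registry (zone 1 = Local intranet, zone 3 = Internet; action 1200 = "Run ActiveX controls and plug-ins", action 1400 = "Active scripting"; 0 = enable, 1 = prompt, 3 = disable) and edits the current user's settings under HKCU. On a fleet, push the same values through the Security Zones Group Policy instead. Expect intranet web applications to break, which is why the bulletins position this as an interim measure.

```powershell
# Added example (not from the original newsletter): IE zone lockdown used as the interim
# workaround for MS11-018 / MS11-026 / MS11-027 / MS11-031. Edits the current user only.

$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ LocalIntranet = 1; Internet = 3 }                # IE zone numbers
$Actions  = @{ RunActiveX = '1200'; ActiveScripting = '1400' }  # IE URL action IDs
$Settings = @{ Enable = 0; Prompt = 1; Disable = 3 }            # IE URL policy values

function Set-IeZoneAction {
    param([int]$Zone, [string]$Action, [int]$Value)
    $key = Join-Path $ZonesKey $Zone
    # Capture the current value so the change can be reverted after patching.
    $old = (Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue).$Action
    Set-ItemProperty -Path $key -Name $Action -Value $Value -Type DWord
    [pscustomobject]@{ Zone = $Zone; Action = $Action; Old = $old; New = $Value }
}

function Set-IeZoneLockdown {
    param([ValidateSet('Disable','Prompt')] [string]$Level = 'Disable')
    foreach ($zone in $Zones.GetEnumerator()) {
        foreach ($action in $Actions.GetEnumerator()) {
            Set-IeZoneAction -Zone $zone.Value -Action $action.Value -Value $Settings[$Level]
        }
    }
}

# Apply, and keep the returned records: they hold the values to put back later.
$before = Set-IeZoneLockdown -Level Disable
$before | Format-Table -AutoSize

# Revert once the patches are installed (a missing Old value means IE's default, enable):
# $before | ForEach-Object { Set-IeZoneAction $_.Zone $_.Action ([int]$_.Old) }
```

Use -Level Prompt rather than Disable on desktops where users depend on script-heavy sites; the prompt still blocks the drive-by case the bulletins describe, because nothing runs until the user clicks through.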

 

MS11-032

Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)


Microsoft Rating:

Critical

CVE:

CVE-2011-0034

 

Analysis:

A vulnerability exists in the Windows OpenType Compact Font Format (CFF) driver when processing an OpenType font containing a crafted parameter value. Successful exploitation allows remote execution of arbitrary code. Some third-party applications (e.g. web browsers) include native support for rendering OpenType fonts, increasing the attack surface for this vulnerability. Because the driver runs in kernel mode, a successful attacker gains kernel-level access and could use the compromised system as a staging point for attacks on other systems on the network.

 

Recommendation:

Administrators should install the patch at their earliest convenience. Until this is possible, disable the preview and details pane in Windows Explorer. Additionally, disable the WebClient service.

 

MS11-033

Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)


Microsoft Rating:

Critical

CVE:

CVE-2011-0028

 

Analysis:

This bulletin addresses a remote code execution vulnerability in the WordPad Word 97 text converter. A user would simply need to open a malicious document in WordPad to have their system exploited, granting the attacker the ability to execute arbitrary code with the same rights as the user.

 

Recommendation:

Administrators should install the patch at their earliest convenience. Until this is possible, use CACLS (or icacls on Vista and later) to deny access to mswrd8.wpc (and mswrd864.wpc on x64 systems).
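The ACL workaround above, as a reversible script for Windows Vista / 7 / Server 2008 (R2), where the cacls command has been superseded by takeown and icacls. This is an added example and not part of the original newsletter. It assumes an elevated session and the stock converter location, "%ProgramFiles%\Windows NT\Accessories\mswrd8.wpc"; on x64 Windows it additionally looks for the 64-bit mswrd864.wpc and for the 32-bit copy under %ProgramFiles(x86)%, which is an assumption about the layout rather than something the newsletter states. Side effect: WordPad can no longer open .doc files until the ACL is restored.

```powershell
# Added example (not from the original newsletter): deny Everyone access to the WordPad
# Word 97 converter (MS11-033 workaround) and keep the original ACL for rollback.
# Windows Vista / Server 2008 and later; run elevated.

function Get-WordPadConverters {
    $paths = @("$env:ProgramFiles\Windows NT\Accessories\mswrd8.wpc")
    if ($env:ProgramW6432) {   # set only on 64-bit Windows
        $paths += "$env:ProgramW6432\Windows NT\Accessories\mswrd864.wpc"
        $paths += "${env:ProgramFiles(x86)}\Windows NT\Accessories\mswrd8.wpc"
    }
    $paths | Select-Object -Unique | Where-Object { Test-Path $_ }
}

function Lock-WordPadConverter {
    param([Parameter(Mandatory)][string]$File, [string]$BackupDir = $env:TEMP)
    $backup = Join-Path $BackupDir ("{0}.acl" -f (Split-Path $File -Leaf))
    takeown /f $File | Out-Null                  # Administrators must own the file to change its ACL
    icacls $File /save $backup | Out-Null        # save the current DACL for rollback
    icacls $File /deny 'Everyone:(F)' | Out-Null # deny ACE beats any allow ACE
    [pscustomobject]@{ File = $File; Backup = $backup }
}

function Unlock-WordPadConverter {
    param([Parameter(Mandatory)][string]$File, [Parameter(Mandatory)][string]$Backup)
    # icacls /restore is given the directory; the saved file records the file name.
    icacls (Split-Path $File -Parent) /restore $Backup | Out-Null
}

$locked = Get-WordPadConverters | ForEach-Object { Lock-WordPadConverter -File $_ }
$locked | Format-Table -AutoSize

# After patching:
# $locked | ForEach-Object { Unlock-WordPadConverter -File $_.File -Backup $_.Backup }
```

Keep the .acl backup files somewhere that survives a reboot if you expect the interim period to be long; %TEMP% is used here only because it is what Microsoft's own workaround text uses.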

 

MS11-034

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)


Microsoft Rating:

Important

CVE List:

CVE-2011-0662, CVE-2011-0665, CVE-2011-0666, CVE-2011-0667, CVE-2011-0670, CVE-2011-0671, CVE-2011-0672, CVE-2011-0674, CVE-2011-0675, CVE-2011-1234, CVE-2011-1235, CVE-2011-1236, CVE-2011-1237, CVE-2011-1238, CVE-2011-1239, CVE-2011-1240, CVE-2011-1241, CVE-2011-1242, CVE-2011-0673, CVE-2011-0676, CVE-2011-0677, CVE-2011-1225, CVE-2011-1226, CVE-2011-1227, CVE-2011-1228, CVE-2011-1229, CVE-2011-1230, CVE-2011-1231, CVE-2011-1232, CVE-2011-1233

 

Analysis:

This bulletin addresses thirty elevation of privilege vulnerabilities in Windows kernel-mode drivers. They permit a locally authenticated attacker to run a crafted application that gains the attacker local SYSTEM rights.

 

Recommendation:

Administrators should install the patch at their earliest convenience. There are no mitigations to these vulnerabilities provided by Microsoft.

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.