
BeyondTrust Patch Tuesday

August 09, 2011

Microsoft Patch Disclosure

This month, Microsoft released 13 patches that repair a total of 22 vulnerabilities. Four of these patches address Remote Code Execution vulnerabilities, three patches address Elevation of Privilege vulnerabilities, three patches address Denial of Service vulnerabilities, and three patches address Information Disclosure vulnerabilities.

Administrators are advised to patch MS11-057 and MS11-058 immediately to prevent exploitation by attackers. Next, administrators should patch MS11-059, MS11-060, MS11-061, MS11-062, MS11-063, MS11-064, MS11-065, MS11-066, and MS11-067 as soon as possible. Lastly, administrators should patch MS11-068 and MS11-069 at their earliest convenience. As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Wednesday August 10th
    1pm PT / 4pm ET

BULLETIN / ADVISORY DETAILS

MS11-057

Cumulative Security Update for Internet Explorer (2559049)

Microsoft Rating: Critical

CVE List: CVE-2011-1257, CVE-2011-1960, CVE-2011-1961, CVE-2011-1962, CVE-2011-1963, CVE-2011-1964, and CVE-2011-2383

Analysis:

This bulletin addresses two publicly reported and five privately reported vulnerabilities in Internet Explorer. Four are remote code execution vulnerabilities and three are information disclosure vulnerabilities. The patch fixes a combination of use-after-free vulnerabilities, logic vulnerabilities, and information disclosure vulnerabilities. By exploiting the worst of these vulnerabilities, an attacker could gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, read emails in plain text, block ActiveX controls, and block/disable Active Scripting in both the Internet and Local intranet zones. Additionally, the default cookie folder should be renamed to a random name, and the "Cookies" value under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders should be updated to reflect the new name.

MS11-058

Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)

Microsoft Rating: Critical

CVE List: CVE-2011-1966 and CVE-2011-1970

Analysis:

This bulletin addresses two privately reported vulnerabilities, a remote code execution vulnerability and a denial of service vulnerability, within the Windows DNS server. The patch fixes a logic vulnerability and a memory corruption vulnerability, both of which occur when parsing malicious packets. An attacker that successfully exploited the remote code execution vulnerability could gain system-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. If the DNS service is not being used, stopping or disabling the service will help to mitigate the vulnerability. Best practices suggest disabling unused services, so any services that are not required should be disabled as part of a standard security policy.

MS11-059

Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656)

Microsoft Rating: Important

CVE List: CVE-2011-1975

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in the Data Access Components of Windows. The patch fixes an insecure library loading vulnerability that occurs when loading Excel files. An attacker that successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:

Deploy the patch as soon as possible. Until the patch can be applied, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

MS11-060

Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2560978)

Microsoft Rating: Important

CVE List: CVE-2011-1972 and CVE-2011-1979

Analysis:

This bulletin addresses two privately reported remote code execution vulnerabilities in Microsoft Visio. The patch fixes two improper memory validation vulnerabilities that occur when parsing Visio files. An attacker that successfully exploited either vulnerability would gain user-level access to the target machine.

Recommendation:

Deploy the patch as soon as possible, since no reasonable mitigation is available.

MS11-061

Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250)

Microsoft Rating: Important

CVE List: CVE-2011-1263

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in the Remote Desktop Web Access component of Windows. The patch fixes a reflected cross-site scripting vulnerability that occurs when a specially crafted URL parameter is parsed at the Remote Desktop Web Access logon page. An attacker that successfully exploited this vulnerability would gain the ability to execute code on the site with the same rights as the user that had logged on to the site.

Recommendation:

Deploy the patch as soon as possible. Until the patch can be installed, enable the XSS filter in Internet Explorer (available in versions 8 and higher).

MS11-062

Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege (2566454)

Microsoft Rating: Important

CVE List: CVE-2011-1974

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in the Remote Access Service NDISTAPI driver in Windows. The patch corrects the way the NDISTAPI driver validates input passed from user mode. A local attacker that successfully exploited this vulnerability would gain system-level access to the target machine.

Recommendation:

Deploy the patch as soon as possible, since no mitigation is available.

MS11-063

Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680)

Microsoft Rating: Important

CVE List: CVE-2011-1967

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in the Windows Client/Server Run-time Subsystem (CSRSS). The patch fixes a logic vulnerability in which permissions are not properly validated between lower-integrity and higher-integrity processes. A local attacker that successfully exploited this vulnerability would gain the ability to execute code within the context of another process on the machine, which could hold any range of privileges, from user-level to system-level permissions.

Recommendation:

Deploy the patch as soon as possible, since no mitigation is available.

MS11-064

Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894)

Microsoft Rating: Important

CVE List: CVE-2011-1871 and CVE-2011-1965

Analysis:

This bulletin addresses two privately reported denial of service vulnerabilities in the Windows TCP/IP stack. The patch fixes how Windows handles certain sequences of ICMP packets, as well as how Windows handles specially crafted in-memory URLs. An attacker that successfully exploited either vulnerability could crash the affected system, causing it to restart.

Recommendation:

Deploy the patch as soon as possible. Until the patch can be installed, block ICMP packets using a firewall. If it will not interfere with network efficiency, it is advised to disable Policy-based Quality of Service.

MS11-065

Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222)

Microsoft Rating: Important

CVE List: CVE-2011-1968

Analysis:

This bulletin addresses a privately reported denial of service vulnerability in the Remote Desktop Protocol. The patch fixes a use-after-free vulnerability that occurs when parsing a series of specially crafted packets. An attacker that successfully exploited this vulnerability could crash the affected system, causing it to restart.

Recommendation:

Deploy the patch as soon as possible. Until the patch can be applied, block TCP port 3389 using a firewall, and disable any unused remote access services (such as Terminal Services, Remote Desktop, Remote Assistance, and Remote Web Workplace).

MS11-066

Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943)

Microsoft Rating: Important

CVE List: CVE-2011-1977

Analysis:

This bulletin addresses a privately reported information disclosure vulnerability in the .NET Framework, specifically the Microsoft Chart Control. The patch corrects the verification that is performed when certain URI parameters are parsed. An attacker that successfully exploited this vulnerability would gain information not normally available to the attacker, such as the contents of the web.config file of an affected ASP.NET server. This disclosed information could be used by an attacker to further penetrate a network.

Recommendation:

Deploy the patch as soon as possible, since no mitigation is available.

MS11-067

Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)

Microsoft Rating: Important

CVE List: CVE-2011-1976

Analysis:

This bulletin addresses a privately reported information disclosure vulnerability in both Microsoft Visual Studio and Microsoft Report Viewer. The patch fixes a reflected cross-site scripting vulnerability that occurs when validating parameters from a data source. An attacker that successfully exploited this vulnerability could execute code within the user's browser.

Recommendation:

Deploy the patch as soon as possible. Until the patch can be installed, block ActiveX controls and block/disable Active Scripting in both the Internet and Local intranet zones.

MS11-068

Vulnerability in Windows Kernel Could Allow Denial of Service (2556532)

Microsoft Rating: Moderate

CVE List: CVE-2011-1971

Analysis:

This bulletin addresses a privately reported denial of service vulnerability in the Windows kernel. The patch fixes the way certain file metadata is parsed when traversing folders. An attacker that successfully exploited this vulnerability could crash and restart the vulnerable machine.

Recommendation:

Deploy the patch at the earliest convenience. Until the patch can be applied, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and disable both the Preview and Details panes in Windows Explorer.

MS11-069

Vulnerability in .NET Framework Could Allow Information Disclosure (2567951)

Microsoft Rating: Moderate

CVE List: CVE-2011-1978

Analysis:

This bulletin addresses a privately reported information disclosure vulnerability in the .NET Framework. The patch fixes the way that trust levels are validated within the System.Net.Sockets namespace. An attacker that successfully exploited this vulnerability would be able to expose information that is normally hidden, or redirect the affected system's traffic to other systems on the network accessible to the affected system.

Recommendation:

Deploy the patch at the earliest convenience. Until the patch can be installed, prevent XAML browser applications from running within Internet Explorer, since this is the most likely target for exploiting this vulnerability.
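
Several of the recommendations above repeat the same interim steps (block ports 139/445 and 3389 at a firewall, block ICMP, stop the WebClient service, restrict ActiveX and Active Scripting in the Internet and Local intranet zones, enable the IE XSS filter) until the corresponding KB is installed. The PowerShell script below is an added example and not code from the BeyondTrust/eEye advisory: it checks which of this month's KB articles are present and applies those interim mitigations on a single Windows host. The KB numbers are the ones quoted in each bulletin title; the function and firewall rule names are my own, and the Internet Explorer zone action identifiers (1200, 1400, 1409) are assumed from IE registry documentation and should be verified against your IE version before deployment.

```powershell
# Added example (not from the advisory). Run from an elevated PowerShell 2.0+
# prompt on Windows Vista / Server 2008 or later. Test on a lab host first and
# remove the rules / re-enable the service once the patches are installed.

# Bulletin -> KB article, as quoted in each bulletin title in the advisory.
$bulletins = @{
    'MS11-057' = 'KB2559049'; 'MS11-058' = 'KB2562485'; 'MS11-059' = 'KB2560656'
    'MS11-060' = 'KB2560978'; 'MS11-061' = 'KB2546250'; 'MS11-062' = 'KB2566454'
    'MS11-063' = 'KB2567680'; 'MS11-064' = 'KB2563894'; 'MS11-065' = 'KB2570222'
    'MS11-066' = 'KB2567943'; 'MS11-067' = 'KB2578230'; 'MS11-068' = 'KB2556532'
    'MS11-069' = 'KB2567951'
}

# Return the bulletins whose KB Get-HotFix does not report. Get-HotFix only
# sees Windows updates, so Visio (MS11-060) and Visual Studio / Report Viewer
# (MS11-067) must be checked through their own update channel.
function Get-MissingBulletin {
    foreach ($id in ($bulletins.Keys | Sort-Object)) {
        $kb = $bulletins[$id]
        if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
            New-Object PSObject -Property @{ Bulletin = $id; KB = $kb }
        }
    }
}

# Interim mitigations quoted in the recommendations. Every step is reversible:
# delete the firewall rules by name, set WebClient back to Manual, and restore
# the zone values.
function Invoke-InterimMitigation {
    # MS11-057 / MS11-059 / MS11-068: block outbound SMB (139/445) so that
    # DLLs and content cannot be pulled from remote shares, and stop WebDAV.
    netsh advfirewall firewall add rule name="Interim: block outbound SMB" `
        dir=out action=block protocol=TCP remoteport=139,445
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled

    # MS11-065: block inbound RDP. Do not run this on a host you administer
    # only over RDP.
    netsh advfirewall firewall add rule name="Interim: block inbound RDP" `
        dir=in action=block protocol=TCP localport=3389

    # MS11-064: drop inbound ICMPv4 (check monitoring/ping dependencies first).
    netsh advfirewall firewall add rule name="Interim: block inbound ICMPv4" `
        dir=in action=block protocol=icmpv4

    # MS11-057 / MS11-061 / MS11-067: IE zone hardening for the current user.
    # Zone 1 = Local intranet, 3 = Internet. Action value 3 = disable, 0 = enable.
    # Value names 1200 (ActiveX controls), 1400 (Active scripting) and
    # 1409 (XSS filter) are assumed from IE documentation; verify before use.
    $zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($zone in 1, 3) {
        $path = Join-Path $zones $zone
        Set-ItemProperty -Path $path -Name '1200' -Value 3 -Type DWord  # ActiveX off
        Set-ItemProperty -Path $path -Name '1400' -Value 3 -Type DWord  # scripting off
        Set-ItemProperty -Path $path -Name '1409' -Value 0 -Type DWord  # XSS filter on
    }
}

$missing = @(Get-MissingBulletin)
if ($missing.Count -eq 0) {
    Write-Host 'All August 2011 Windows bulletins are installed; no interim mitigation needed.'
} else {
    Write-Host 'Missing bulletins:'
    $missing | Format-Table -AutoSize
    Invoke-InterimMitigation
}
```

The script deliberately blocks 139/445 in the outbound direction: the insecure library loading and remote content mitigations in MS11-057, MS11-059 and MS11-068 are about preventing the host from fetching files from attacker-controlled shares, whereas the RDP and ICMP rules block inbound traffic to the service being protected. Because the zone changes are written under HKCU they affect only the logged-on user; for fleet-wide enforcement the same settings belong in Group Policy.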

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.