
BeyondTrust Patch Tuesday

December 13, 2011

Microsoft Patch Disclosure

This month, Microsoft released 13 patches that fix a total of 19 vulnerabilities. Of these vulnerabilities, 14 were remote code execution vulnerabilities, three were elevation of privilege vulnerabilities, and two were information disclosure vulnerabilities.

Administrators should patch MS11-087, MS11-090, and MS11-092 immediately to prevent exploitation by attackers. Next, administrators should patch MS11-088, MS11-089, MS11-091, MS11-093, MS11-094, MS11-095, MS11-096, MS11-097, MS11-098, and MS11-099 as soon as possible. As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Wednesday December 14th
    1pm PT / 4pm ET / 9pm GMT

BULLETIN / ADVISORY DETAILS

MS11-087

Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)

Microsoft Rating: Critical

CVE: CVE-2011-3402

Analysis:

This bulletin addresses a publicly reported remote code execution vulnerability in the Windows kernel. This vulnerability is exploited by Duqu. The patch fixes a mishandling of TrueType font files. An attacker that successfully exploited this vulnerability would gain kernel-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, restrict access to the affected binary, t2embed.dll. Note: Restricting access to t2embed.dll will break embedded font functionality within certain applications.

MS11-088

Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016)

Microsoft Rating: Important

CVE: CVE-2011-2010

Analysis:

This bulletin addresses a privately reported local elevation of privilege vulnerability in the Microsoft Pinyin Input Method Editor. The patch fixes an elevation of privilege vulnerability caused by certain improperly implemented configuration options being exposed from the secure desktop. A local attacker that successfully exploited this vulnerability would gain kernel-level access to the target machine.

Recommendation:

Deploy patches as soon as possible, since no mitigation is available.

MS11-089

Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)

Microsoft Rating: Important

CVE: CVE-2011-1983

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Office. The patch fixes a use-after-free vulnerability that occurs when objects in memory are handled incorrectly. An attacker would need to convince the user to open a malicious Word document. Once this is accomplished, an attacker that successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:

Deploy patches as soon as possible, since no reasonable mitigation is available.

MS11-090

Cumulative Security Update of ActiveX Kill Bits (2618451)

Microsoft Rating: Critical

CVE: CVE-2011-3397

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in the Microsoft Time component. The patch fixes a vulnerability that occurs when the system's state has been corrupted. Additionally, third-party kill bits are applied as part of this patch. An attacker that successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, prevent Time behaviors from being used on Windows XP and Server 2003, and block binary behaviors from being used in Internet Explorer.

MS11-091

Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)

Microsoft Rating: Important

CVE List: CVE-2011-1508, CVE-2011-3410, CVE-2011-3411, and CVE-2011-3412

Analysis:

This bulletin addresses one publicly and three privately reported remote code execution vulnerabilities in Microsoft Publisher. All four vulnerabilities occur while parsing Publisher files. An attacker that successfully exploited any of these vulnerabilities would gain user-level access to the target machine.

Recommendation:

Deploy patches as soon as possible, since no reasonable mitigation is available.

MS11-092

Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)

Microsoft Rating: Critical

CVE: CVE-2011-3401

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Windows Media Player. The patch fixes a memory corruption vulnerability that occurs when parsing .dvr-ms files. An attacker that successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, restrict access to the affected binary, encdec.dll.

MS11-093

Vulnerability in OLE Could Allow Remote Code Execution (2624667)

Microsoft Rating: Important

CVE: CVE-2011-3400

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Object Linking and Embedding (OLE). The patch fixes a mishandling of in-memory OLE objects. An attacker that successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:

Deploy patches as soon as possible, since no reasonable mitigation is available.

MS11-094

Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)

Microsoft Rating: Important

CVE List: CVE-2011-3396 and CVE-2011-3413

Analysis:

This bulletin addresses two privately reported remote code execution vulnerabilities in Microsoft PowerPoint. The patch fixes a memory corruption vulnerability, which occurs when reading invalid records in a publisher file, and an insecure library loading vulnerability. An attacker that successfully exploited either of these vulnerabilities would gain user-level access to the target machine.

Recommendation:

Deploy patches as soon as possible. Until the patch can be applied, block Office 2003 (and prior) binary files that fail validation or come from untrusted sources, and use MOICE when opening files that are not from trusted sources. Additionally, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

MS11-095

Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)

Microsoft Rating: Important

CVE: CVE-2011-3406

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Active Directory. The patch fixes a memory corruption vulnerability that occurs when processing certain queries. An attacker that successfully exploited this vulnerability would gain the ability to execute code on the system with Network Service rights.

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, the likely exploitation vectors can be deterred by blocking TCP port 389 at a perimeter firewall.

MS11-096

Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)

Microsoft Rating: Important

CVE: CVE-2011-3403

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Excel. The patch fixes a memory corruption vulnerability that occurs when in-memory objects are handled improperly. An attacker that successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:

Deploy patches as soon as possible. Until the patch can be applied, prevent files that fail validation from being opened in Microsoft Office Excel 2003. Also, block Microsoft Excel 2003 files from untrusted sources and use MOICE when opening files that are not from trusted sources.

MS11-097

Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)

Microsoft Rating: Important

CVE: CVE-2011-3408

Analysis:

This bulletin addresses a privately reported local elevation of privilege vulnerability in the Windows Client/Server Run-time Subsystem (CSRSS). The patch fixes a failure to properly validate permissions when processing device event messages sent from lower-integrity processes to higher-integrity processes. A local attacker that successfully exploited this vulnerability would gain kernel-level access to the target machine.

Recommendation:

Deploy patches as soon as possible, since no mitigation is available.

MS11-098

Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)

Microsoft Rating: Important

CVE: CVE-2011-2018

Analysis:

This bulletin addresses a privately reported local elevation of privilege vulnerability in the Windows Kernel Exception Handler. The patch fixes a memory corruption vulnerability that occurs when accessing improperly initialized objects. An attacker that successfully exploited this vulnerability would gain kernel-level access to the target machine.

Recommendation:

Deploy patches as soon as possible, since no mitigation is available.

MS11-099

Cumulative Security Update for Internet Explorer (2618444)

Microsoft Rating: Important

CVE List: CVE-2011-1992, CVE-2011-2019, and CVE-2011-3404

Analysis:

This bulletin addresses three privately reported vulnerabilities in Internet Explorer: one remote code execution vulnerability and two information disclosure vulnerabilities. The patch fixes an insecure library loading vulnerability, a cross-site scripting vulnerability, and a vulnerability involving the incorrect handling of Content-Disposition headers. An attacker that successfully exploited the insecure library loading vulnerability, which is the most likely attack vector, would gain user-level access to the target machine.

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares. To protect against the information disclosure vulnerabilities, read emails in plain text, block ActiveX controls, and block or disable Active Scripting in both the Internet and Local intranet zones. While there is an information disclosure vulnerability in the Internet Explorer XSS filter, administrators should still keep it enabled, since exploitation is unlikely given the difficulty of successfully executing an attack.
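The MS11-094 and MS11-099 recommendations share the same interim workarounds for the insecure library loading vector (block TCP 139/445, stop the WebClient service, prevent DLL loads from WebDAV and remote shares). The script below is an added example, not BeyondTrust or Microsoft tooling: it audits whether those three workarounds are in place and, with -Apply, enforces them. It assumes Windows PowerShell 5.1 or later with the NetSecurity module, run from an elevated prompt; the firewall rule name is made up for the example.

```powershell
# Added example (not from the advisory): audit/enforce the MS11-094 and
# MS11-099 interim workarounds for insecure library loading.
# Assumes Windows PowerShell 5.1+ with the NetSecurity module, run elevated.
[CmdletBinding()]
param([switch]$Apply)

function New-CheckResult([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

$results = @()

# 1. WebClient (WebDAV redirector) must be stopped and disabled so a document
#    cannot pull a library over WebDAV. Re-read the service after changing it.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -ne $svc) {
    if ($Apply) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
        $svc = Get-Service -Name WebClient
    }
    $pass = ($svc.Status -eq 'Stopped') -and ($svc.StartType -eq 'Disabled')
    $results += New-CheckResult 'WebClient stopped and disabled' $pass "Status=$($svc.Status), StartType=$($svc.StartType)"
}

# 2. CWDIllegalInDllSearch (KB2264107): DWORD value 2 blocks DLL loads from
#    WebDAV and remote shares, which is the behaviour the advisory asks for.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
if ($Apply) {
    New-ItemProperty -Path $key -Name CWDIllegalInDllSearch -Value 2 -PropertyType DWord -Force | Out-Null
}
$cur = (Get-ItemProperty -Path $key -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
$results += New-CheckResult 'CWDIllegalInDllSearch = 2' ($cur -eq 2) "Current=$cur"

# 3. TCP 139/445: the advisory says to block them with a firewall. This host
#    rule (name invented for the example) approximates that locally; a block
#    at the perimeter on the same ports is what the bulletins intend.
$ruleName = 'Example - block outbound TCP 139/445 (DLL preloading workaround)'
if ($Apply -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 139,445 -Action Block | Out-Null
}
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
$results += New-CheckResult 'Outbound TCP 139/445 blocked' ($null -ne $rule) "Rule present=$($null -ne $rule)"

$results | Format-Table -AutoSize
```

Run it without -Apply first to see which workarounds are already in place; disabling WebClient also affects legitimate WebDAV use (for example SharePoint "Open with Explorer"), so test before rolling out.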

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.