BeyondTrust Patch Tuesday
February 08, 2011
Microsoft Patch Disclosure
This month, Microsoft released 12 patches which repair a total of 22 vulnerabilities. 5 of these patches address Remote Code Execution vulnerabilities, 5 address Elevation of Privilege, 1 addresses Denial of Service, and 1 addresses Information Disclosure.
Administrators are advised to patch MS11-003, MS11-004, MS11-006, MS11-007, MS11-011 and MS11-014 immediately to prevent exploitation by attackers.
Next, administrators should patch MS11-005, MS11-008, MS11-009, MS11-010, MS11-012 and MS11-013 as soon as possible.
As always, eEye suggests that all users apply Microsoft patches as quickly as possible, after first testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.
- Web Event: Vulnerability Expert Forum (VEF)
- Presenters: The eEye Research Team
- Date/Time: Wednesday February 9th at 11am PST / 2pm EST
BULLETIN / ADVISORY DETAILS
MS11-003
Cumulative Security Update for Internet Explorer (2482017)
Microsoft Rating:
CVE List:
CVE-2010-3971, CVE-2011-0035, CVE-2011-0036, CVE-2011-0038
Analysis:
Four remote code execution vulnerabilities exist in Internet Explorer, two of which were publicly disclosed. Three of the vulnerabilities exist in Internet Explorer when parsing a crafted Cascading Style Sheet or other specially crafted web content. The fourth vulnerability exists when loading DLLs, causing susceptibility to DLL preloading attacks in e-mail, web, or network scenarios. Successful exploitation of these vulnerabilities allows arbitrary code execution at the logged-in user's privilege level.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, set ActiveX Controls and Active Scripting to Disable in the Internet and Local Intranet security zones, read e-mail in plain text, and apply Microsoft's workaround that blocks recursive loading of CSS in Internet Explorer. Additionally, as with all DLL preloading vulnerabilities, disable the WebClient (WebDAV) service and do not open HTML files from untrusted locations.
MS11-004
Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256)
Microsoft Rating:
CVE:
CVE-2010-3972
Analysis:
One publicly disclosed heap-based buffer overflow exists in the FTP service of Microsoft IIS 7.0 and 7.5 when handling crafted FTP commands. A remote attacker could exploit it to execute arbitrary code on the affected system. A public proof-of-concept already demonstrates a denial of service condition, so attackers could build a working code execution exploit from it and compromise exposed systems.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, disable or stop the FTP Service on IIS 7.0 and 7.5 systems.
MS11-005
Vulnerability in Active Directory Could Allow Denial of Service (2478953)
Microsoft Rating:
CVE:
CVE-2011-0040
Analysis:
One publicly disclosed vulnerability exists in Microsoft Windows Active Directory when processing crafted service principal name (SPN) update requests. An attacker who is an administrator on a domain-joined system could exploit it to create SPN name collisions on the domain, which causes authentication to the affected SPN-dependent services to fall back to NTLM. Where such a service is not configured to negotiate authentication protocols, it becomes unavailable, resulting in a denial of service condition.
Recommendation:
Deploy patches as soon as possible as no forms of mitigation are available.
MS11-006
Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)
Microsoft Rating:
CVE:
CVE-2010-3970
Analysis:
A publicly disclosed stack-based buffer overrun vulnerability exists in the Windows Shell graphics processor when parsing a crafted thumbnail image. An attacker who convinces a user to view the crafted thumbnail, either locally or on a network share (e.g. a UNC or WebDAV location), could execute arbitrary code at the logged-in user's privilege level. If the user is an administrator, the attacker would be able to install malicious software and use the compromised machine to launch more attacks through the internal and external network.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, the Access Control List on "shimgvw.dll" should be modified to be more restrictive and the displaying of thumbnails in Windows Explorer should be set to disabled.
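The two interim workarounds above can be applied and later rolled back with the script below. It is an added example written for this page, not part of the original newsletter and not Microsoft's own tooling. It assumes an elevated PowerShell session on Windows Vista, 7 or Server 2008 (where takeown.exe and icacls.exe exist; XP and 2003 would use cacls.exe instead), and the ACL backup location under %TEMP% is the script's own choice. The Deny entry is written against the Everyone SID (S-1-1-0) rather than the account name so it works on localized builds.

```powershell
# Added example: apply (default) or revert (-Revert) the MS11-006 workarounds,
# i.e. deny Everyone access to shimgvw.dll and turn off Explorer thumbnails.
# Assumptions: elevated session; Vista/7/2008 with takeown.exe and icacls.exe.
param([switch]$Revert)

$dll     = Join-Path $env:WINDIR 'System32\shimgvw.dll'
$backup  = Join-Path $env:TEMP 'shimgvw_acl.txt'      # assumed backup path
$explAdv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-ShimgvwDenied {
    # Take ownership so the ACL can be edited, save the current ACL for rollback,
    # then add an explicit Deny for Everyone (explicit denies beat inherited allows).
    & takeown.exe /f $dll | Out-Null
    & icacls.exe $dll /save $backup | Out-Null
    & icacls.exe $dll /deny '*S-1-1-0:(F)' | Out-Null
}

function Restore-ShimgvwAcl {
    # icacls /restore runs against the directory; the saved file carries the
    # entry for shimgvw.dll. Ownership taken above is not reverted by this.
    & icacls.exe (Split-Path $dll -Parent) /restore $backup | Out-Null
}

function Set-ThumbnailsDisabled([bool]$Disabled) {
    # IconsOnly = 1 is the "Always show icons, never thumbnails" Folder Options
    # setting for the current user only; other accounts keep their own value.
    if (-not (Test-Path $explAdv)) { New-Item -Path $explAdv -Force | Out-Null }
    Set-ItemProperty -Path $explAdv -Name 'IconsOnly' -Type DWord -Value ([int]$Disabled)
}

function Test-ShimgvwDenied {
    # True when an explicit Deny ACE for the Everyone SID is present on the DLL.
    $acl = Get-Acl -Path $dll
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    })
}

if ($Revert) {
    Restore-ShimgvwAcl
    Set-ThumbnailsDisabled $false
} else {
    Set-ShimgvwDenied
    Set-ThumbnailsDisabled $true
}

# Report the resulting state so the change can be verified at a glance.
"shimgvw.dll denied to Everyone: $(Test-ShimgvwDenied)"
"IconsOnly: $((Get-ItemProperty -Path $explAdv -Name IconsOnly).IconsOnly)"
```

Run it once to apply and with -Revert after MS11-006 is installed. While the Deny is in place, image thumbnails and the built-in picture preview that depend on shimgvw.dll stop working, which is the point of the workaround but also why the rollback is included. On 64-bit installations, check whether a 32-bit copy of the DLL under SysWOW64 needs the same treatment.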
MS11-007
Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)
Microsoft Rating:
CVE:
CVE-2011-0033
Analysis:
A privately reported vulnerability exists in the Windows OpenType Compact Font Format (CFF) driver when processing an OpenType font containing a crafted parameter value. An attacker who can get a user to view content that carries the font could execute arbitrary code in kernel mode. Some third-party applications (e.g. web browsers) include native support for rendering OpenType fonts, widening the attack surface for this vulnerability. With kernel mode access, the attacker could use the compromised system as a hub to launch further attacks against other systems on the network.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, disable the Preview Pane in Windows Explorer, the Details Pane in Windows Explorer and the WebClient Service.
MS11-008
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2451879)
Microsoft Rating:
CVE List:
CVE-2011-0092, CVE-2011-0093
Analysis:
Two privately reported memory corruption vulnerabilities exist in Microsoft Visio when parsing Visio files containing crafted objects and structures. An attacker would need to convince the user to open a crafted Visio file, through vectors including a malicious e-mail attachment or on a web page with user-controlled content. Successful exploitation allows arbitrary code execution at the logged-in user's privilege level. If the user is an administrator, the attacker would be able to install malicious software and use the compromised machine to launch more attacks through the internal and external network.
Recommendation:
Deploy patches as soon as possible. Until the patches can be installed, application add-ins for Visio should be disabled.
MS11-009
Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure (2475792)
Microsoft Rating:
CVE:
CVE-2011-0031
Analysis:
A privately reported information disclosure vulnerability exists in the JScript and VBScript scripting engines when processing crafted scripts. An attacker would need to convince the user to visit a specially crafted web page or open a malicious script in order to exploit the vulnerability. Loading the decoded script into memory can corrupt memory. If successfully exploited, an attacker could obtain information that could be used to further compromise the system; exploitation does not, however, allow arbitrary code execution.
Recommendation:
Deploy patches as soon as possible. Until the patches can be installed, ActiveX Controls and Active Scripting within the Internet and Local Intranet security zone settings should be set to disabled.
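The Internet Explorer zone workaround is recommended twice in this newsletter (MS11-003 and MS11-009), and the WebClient service workaround also twice (MS11-003 and MS11-007). The script below applies all of them together and can revert them to the values it recorded. It is an added example written for this page, not part of the original newsletter and not Microsoft's own tooling. It assumes an elevated session, that the IE zone settings live under the current user's HKCU hive (a GPO-enforced policy under HKLM would take precedence and make this change ineffective), and that the backup file under %TEMP% is the script's own choice. Value names 1200 ("Run ActiveX controls and plug-ins") and 1400 ("Active scripting") with 3 meaning Disable are Microsoft's documented URL action identifiers; zone 1 is Local Intranet and zone 3 is Internet.

```powershell
# Added example: apply (default) or revert (-Revert) the interim workarounds named
# for MS11-003, MS11-007 and MS11-009: disable ActiveX and Active Scripting in the
# Internet and Local Intranet zones, and stop/disable the WebClient (WebDAV) service.
# Assumptions: elevated session; per-user IE settings under HKCU (no GPO override).
param([switch]$Revert)

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones     = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$actions   = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$backup    = Join-Path $env:TEMP 'ie_zone_backup.xml'   # assumed backup path
$DISABLE   = 3                                          # 0 = Enable, 1 = Prompt, 3 = Disable

function Get-ZoneAction([int]$Zone, [int]$Action) {
    $key = Join-Path $zonesRoot "$Zone"
    (Get-ItemProperty -Path $key -Name "$Action" -ErrorAction SilentlyContinue)."$Action"
}

function Set-ZoneAction([int]$Zone, [int]$Action, [int]$Value) {
    $key = Join-Path $zonesRoot "$Zone"
    Set-ItemProperty -Path $key -Name "$Action" -Type DWord -Value $Value
}

function Set-WebClientDisabled([bool]$Disabled) {
    # WebClient is the WebDAV redirector that lets a UNC/WebDAV path supply
    # attacker-controlled DLLs (DLL preloading) and files to the victim.
    if ($Disabled) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    } else {
        # Manual is the Windows 7 default; adjust if your baseline differs.
        Set-Service  -Name WebClient -StartupType Manual
    }
}

if ($Revert) {
    # Restore what was configured before the workaround, not a guessed default.
    $saved = Import-Clixml -Path $backup
    foreach ($entry in $saved.GetEnumerator()) {
        $zone, $action = $entry.Key -split ':'
        if ($entry.Value -ne $null) {
            Set-ZoneAction $zone $action $entry.Value
        } else {
            # The value did not exist before, so IE used its built-in default.
            Remove-ItemProperty -Path (Join-Path $zonesRoot $zone) -Name $action -ErrorAction SilentlyContinue
        }
    }
    Set-WebClientDisabled $false
} else {
    $current = @{}
    foreach ($z in $zones.Keys) {
        foreach ($a in $actions.Keys) {
            $current["${z}:${a}"] = Get-ZoneAction $z $a
            Set-ZoneAction $z $a $DISABLE
        }
    }
    $current | Export-Clixml -Path $backup
    Set-WebClientDisabled $true
}

# Report the resulting state so the change can be verified at a glance.
foreach ($z in $zones.Keys) {
    foreach ($a in $actions.Keys) {
        '{0,-14} {1,-32} = {2}' -f $zones[$z], $actions[$a], (Get-ZoneAction $z $a)
    }
}
Get-Service -Name WebClient | Select-Object Name, Status
```

Disabling Active Scripting in the Internet zone breaks most modern sites; the usual way to keep business applications working while the workaround is in place is to add their sites to the Trusted Sites zone, which the script does not touch. Run with -Revert once the patches are installed.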
MS11-010
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2476687)
Microsoft Rating:
CVE:
CVE-2011-0030
Analysis:
A privately reported privilege elevation vulnerability exists in the Windows Client/Server Run-time Subsystem (CSRSS) when terminating a process during user logoff. An attacker that is able to log on locally to the system could leverage this vulnerability to continue execution of an application after logging off. This specially designed application could then monitor all actions performed by newly logged-on users in order to obtain sensitive information such as credentials. The sensitive information could then be further used to elevate privileges or execute code with the privileges of another user on the system. If the information obtained includes a user with administrative privileges, it could be used to execute code with elevated kernel mode privileges or to install malicious software and attack further computers within or outside of the network.
Recommendation:
Deploy patches as soon as possible as no forms of mitigation are available.
MS11-011
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802)
Microsoft Rating:
CVE List:
CVE-2010-4398, CVE-2011-0045
Analysis:
Two privilege escalation vulnerabilities exist in the Windows Kernel, one in memory allocation and one in the handling of a registry value that unprivileged users can write. The latter (CVE-2010-4398) was publicly disclosed: a local attacker who can log on and run a crafted application could trigger a stack-based buffer overflow in the kernel and execute arbitrary code with kernel mode privileges. With these privileges an attacker could further compromise systems and install rootkits or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.
Recommendation:
Deploy patches as soon as possible as no forms of mitigation are available.
MS11-012
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2479628)
Microsoft Rating:
CVE List:
CVE-2011-0086, CVE-2011-0087, CVE-2011-0088, CVE-2011-0089, CVE-2011-0090
Analysis:
Five privately reported privilege escalation vulnerabilities exist in the Windows kernel-mode drivers, specifically "Win32k.sys", when handling data supplied from user mode to kernel mode. An attacker that is able to run a crafted application could exploit these vulnerabilities to execute arbitrary code with elevated kernel mode privileges. With these privileges an attacker could further compromise systems and install rootkits or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.
Recommendation:
Deploy patches as soon as possible as no forms of mitigation are available.
MS11-013
Vulnerabilities in Kerberos Could Allow Elevation of Privilege (2496930)
Microsoft Rating:
CVE List:
CVE-2011-0043, CVE-2011-0091
Analysis:
Two vulnerabilities exist in the Microsoft Kerberos implementation in Windows, both stemming from weak checksum (hashing) and encryption algorithms, and could facilitate spoofing attacks or grant elevated privileges. The publicly disclosed one allows a local attacker that is both authenticated and on a domain-joined system to send crafted ticket requests to the KDC and obtain elevated system level privileges on the local machine; it is not exploitable on domains where the domain controller is running Windows Server 2008 or Windows Server 2008 R2. The other depends on the attacker's ability to mount a man-in-the-middle attack; if that succeeds, the attacker can downgrade the session's encryption to DES and then impersonate legitimate users or forge traffic in the compromised session.
Recommendation:
Deploy patches as soon as possible if using Kerberos authentication as no forms of mitigation are available.
MS11-014
Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege (2478960)
Microsoft Rating:
CVE:
CVE-2011-0039
Analysis:
A privately reported privilege elevation vulnerability exists in the Windows Local Security Authority Subsystem Service (LSASS) when handling a crafted authentication request. An attacker that is able to run a crafted application could exploit this vulnerability to execute arbitrary code with elevated kernel mode privileges. With these privileges an attacker could further compromise systems and install rootkits or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers as no forms of mitigation are available.
Feedback
The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.
Disclaimer
The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.