BeyondTrust Patch Tuesday

February 08, 2011

Microsoft Patch Disclosure

This month, Microsoft released 12 patches which repair a total of 22 vulnerabilities. 5 of these patches address Remote Code Execution vulnerabilities, 5 address Elevation of Privilege, 1 addresses Denial of Service, and 1 addresses Information Disclosure.

Administrators are advised to patch MS11-003, MS11-004, MS11-006, MS11-007, MS11-011 and MS11-014 immediately to prevent exploitation by attackers. Next, administrators should patch MS11-005, MS11-008, MS11-009, MS11-010, MS11-012 and MS11-013 as soon as possible. As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Wednesday February 9th at 11am PST / 2pm EST

BULLETIN / ADVISORY DETAILS

MS11-003

Cumulative Security Update for Internet Explorer (2482017)


Microsoft Rating:

Critical

CVE List:

CVE-2010-3971, CVE-2011-0035, CVE-2011-0036, CVE-2011-0038

 

Analysis:

Four remote code execution vulnerabilities exist in Internet Explorer, two of them publicly disclosed before the patch. Three are memory corruption flaws triggered when Internet Explorer parses a crafted Cascading Style Sheet or other specially crafted web content. The fourth is an insecure library loading (DLL preloading) flaw: when a user opens an HTML file, Internet Explorer can load a DLL from the directory that file resides in, so an attacker who places a crafted DLL next to an otherwise harmless HTML file on a network share or WebDAV location, or delivers the pair by e-mail, obtains code execution. Successful exploitation of any of the four runs arbitrary code at the logged-in user's privilege level.

 

Recommendation:

Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, set ActiveX Controls and Active Scripting to Disabled (or at least Prompt) in the Internet and Local Intranet security zones, read e-mail as plain text, and disable the recursive loading of CSS style sheets in Internet Explorer (Microsoft published a Fix it for this). Additionally, as with all DLL preloading vulnerabilities, disable the WebClient (WebDAV) service, block outbound SMB and WebDAV traffic at the perimeter firewall, and do not open HTML files from untrusted locations.
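The Internet Explorer zone part of that workaround is a pair of per-zone registry values, which makes it easy to apply, verify and roll back with a script rather than by clicking through Internet Options on every machine. The following PowerShell is an added example, not code from the original newsletter or from eEye/BeyondTrust. It uses the documented URL-action IDs (1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting") in zone 1 (Local Intranet) and zone 3 (Internet); the backup file location is an assumption.

```powershell
# Added example, not part of the original advisory: apply, verify and roll back the
# Internet Explorer zone part of the MS11-003 workaround for the current user.
# Zone 1 = Local Intranet, Zone 3 = Internet. The value names are IE's URL-action
# IDs: 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting".
# Data: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones      = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$Actions    = @{ 1200 = 'ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$Disabled   = 3
$BackupFile = "$env:TEMP\ms11-003-zones.xml"   # assumed location for the rollback data

function Get-ZoneAction {
    param([int]$Zone, [int]$Action)
    $key  = Join-Path $ZoneRoot $Zone
    $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }            # absent = IE default for that zone
    return [int]$item.PSObject.Properties["$Action"].Value
}

function Set-ZoneAction {
    param([int]$Zone, [int]$Action, [int]$State)
    $key = Join-Path $ZoneRoot $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Action -Value $State -Type DWord
}

function Apply-IeZoneWorkaround {
    # Save every current value first so the change can be undone once the patch is on.
    $backup = @{}
    foreach ($z in $Zones.Keys) {
        foreach ($a in $Actions.Keys) {
            $backup["$z/$a"] = Get-ZoneAction -Zone $z -Action $a
            Set-ZoneAction -Zone $z -Action $a -State $Disabled
        }
    }
    $backup | Export-Clixml -Path $BackupFile
}

function Undo-IeZoneWorkaround {
    $backup = Import-Clixml -Path $BackupFile
    foreach ($entry in $backup.Keys) {
        $z, $a = $entry -split '/'
        if ($backup[$entry] -eq $null) {
            # The value did not exist before: remove it so IE falls back to its default.
            Remove-ItemProperty -Path (Join-Path $ZoneRoot $z) -Name $a -ErrorAction SilentlyContinue
        } else {
            Set-ZoneAction -Zone $z -Action $a -State $backup[$entry]
        }
    }
}

function Test-IeZoneWorkaround {
    # Returns $true only if both actions are disabled in both zones.
    $ok = $true
    foreach ($z in $Zones.Keys) {
        foreach ($a in $Actions.Keys) {
            $state = Get-ZoneAction -Zone $z -Action $a
            if ($state -ne $Disabled) { $ok = $false }
            $label = if ($state -eq $Disabled) { 'disabled' } else { 'NOT disabled' }
            Write-Host ("{0,-15} {1,-30} value={2,-5} {3}" -f $Zones[$z], $Actions[$a], $state, $label)
        }
    }
    return $ok
}

Apply-IeZoneWorkaround
Test-IeZoneWorkaround
```

Two caveats: HKCU settings only cover the user who runs the script, so for fleet-wide enforcement push the same values through Group Policy (or the "Security Zones: Use only machine settings" policy and the HKLM tree); and disabling Active Scripting in the Internet zone breaks most sites, so move the business sites users need into the Trusted Sites zone before rolling this out.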

 

MS11-004

Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256)


Microsoft Rating:

Important

CVE:

CVE-2010-3972

 

Analysis:

A publicly disclosed heap-based buffer overflow exists in the Microsoft FTP Service 7.0 and 7.5 for IIS when handling a crafted FTP command. A remote attacker could exploit it to execute arbitrary code with the privileges of the FTP service, which can give the attacker control of the affected server. A public proof-of-concept that crashes the service (a denial of service) has already been released, so attackers have a starting point from which to develop a working code-execution exploit against exposed systems.

 

Recommendation:

Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, stop the Microsoft FTP Service (ftpsvc) and set it to disabled on IIS 7.0 and 7.5 systems, or restrict inbound TCP port 21 to trusted sources at the firewall.

 

MS11-005

Vulnerability in Active Directory Could Allow Denial of Service (2478953)


Microsoft Rating:

Important

CVE:

CVE-2011-0040

 

Analysis:

A publicly disclosed vulnerability exists in Microsoft Windows Active Directory when processing crafted service principal name (SPN) update requests. An attacker who is a local administrator on a domain-joined system could register SPNs that collide with those of legitimate services. Because Kerberos cannot pick a single account for a duplicated SPN, authentication to the affected services falls back to NTLM. Where those services are configured to require Kerberos rather than negotiate, the fallback fails and the service becomes unavailable, producing a denial of service.

 

Recommendation:

Deploy patches as soon as possible, as no workaround is available. Since the effect of the attack is a duplicated SPN, auditing the domain for duplicate SPNs (for example with setspn -X on Windows Server 2008 and later) will reveal whether it has been attempted.
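The detective check described above, as an added PowerShell example that is not part of the original newsletter: the first function finds SPNs registered on more than one account, the second pulls every SPN in the current domain over plain LDAP (ADSI, no RSAT module needed). The sample data is constructed for the offline run and is not real directory output.

```powershell
# Added example, not part of the original advisory: find service principal names that
# are registered on more than one account, the condition the MS11-005 attack produces.

function Find-DuplicateSpn {
    # $Entries: objects with .Account and .Spn, one SPN per object.
    param([Parameter(Mandatory = $true)][object[]]$Entries)
    $bySpn = @{}
    foreach ($e in $Entries) {
        $spn = ([string]$e.Spn).ToLowerInvariant()   # SPNs are matched case-insensitively
        if (-not $bySpn.ContainsKey($spn)) { $bySpn[$spn] = @() }
        if ($bySpn[$spn] -notcontains $e.Account) { $bySpn[$spn] += $e.Account }
    }
    foreach ($spn in $bySpn.Keys) {
        if ($bySpn[$spn].Count -gt 1) {
            New-Object PSObject -Property @{ Spn = $spn; Accounts = $bySpn[$spn] }
        }
    }
}

function Get-DomainSpnEntries {
    # Enumerates every servicePrincipalName in the current domain via LDAP (ADSI).
    # Needs a domain-joined host and any domain user account.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(servicePrincipalName=*)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    foreach ($r in $searcher.FindAll()) {
        $acct = [string]$r.Properties['samaccountname'][0]
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            New-Object PSObject -Property @{ Account = $acct; Spn = [string]$spn }
        }
    }
}

# Constructed sample data (not real directory output) so the check runs offline.
# The last entry is a collision: same SPN as SRV-WEB01$, registered by another computer.
$sample = @(
    @{ Account = 'SRV-WEB01$'; Spn = 'HTTP/intranet.corp.example'      },
    @{ Account = 'SRV-WEB01$'; Spn = 'HOST/srv-web01.corp.example'     },
    @{ Account = 'svc-sql';    Spn = 'MSSQLSvc/db01.corp.example:1433' },
    @{ Account = 'WS-EVIL$';   Spn = 'http/INTRANET.corp.example'      }
) | ForEach-Object { New-Object PSObject -Property $_ }

Find-DuplicateSpn -Entries $sample | Format-Table Spn, Accounts -AutoSize
# Against the live domain:
# Find-DuplicateSpn -Entries (Get-DomainSpnEntries) | Format-Table Spn, Accounts -AutoSize
```

On the sample input the report lists http/intranet.corp.example with both SRV-WEB01$ and WS-EVIL$. Run the live version from a scheduled task on a management host and compare the output with the previous run; a computer account that is not the service's host appearing against an existing SPN is the signature of this attack.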

 

MS11-006

Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)


Microsoft Rating:

Critical

CVE:

CVE-2010-3970

 

Analysis:

A publicly disclosed stack-based buffer overrun exists in the Windows Shell graphics processor (shimgvw.dll) when parsing a crafted thumbnail image. An attacker who can get a user to browse to a folder containing the crafted image, either locally or on a network share (e.g. a UNC or WebDAV location), could execute arbitrary code at the logged-in user's privilege level; no explicit click on the file is needed, since Windows Explorer renders thumbnails when the folder is viewed. If the user is an administrator, the attacker would be able to install malicious software and use the compromised machine to launch further attacks on the internal and external network.

 

Recommendation:

Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, restrict the Access Control List on "shimgvw.dll" (on 64-bit systems both the System32 and the SysWOW64 copy) so that Everyone is denied access, and turn off the display of thumbnails in Windows Explorer so that only icons are shown.
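Both workarounds, applied and verified with PowerShell on Windows Vista/7/2008/2008 R2, as an added example that is not part of the original newsletter. It relies on the stock takeown and icacls tools and on the Explorer policy value DisableThumbnails; the backup directory for the saved ACLs is an assumption. Run it from an elevated prompt.

```powershell
# Added example, not part of the original advisory: apply and verify the MS11-006
# workarounds (restrict shimgvw.dll, stop Explorer rendering thumbnails).
$Dlls = @("$env:windir\System32\shimgvw.dll")
if (Test-Path "$env:windir\SysWOW64\shimgvw.dll") {    # x64 hosts also carry a 32-bit copy
    $Dlls += "$env:windir\SysWOW64\shimgvw.dll"
}
$AclBackupDir   = "$env:ProgramData\ms11-006-acl"      # assumed rollback location
$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$EveryoneSid    = 'S-1-1-0'   # the SID, so this also works on non-English installs

function Get-AclBackupPath([string]$Dll) {
    $dir = Split-Path (Split-Path $Dll -Parent) -Leaf    # System32 or SysWOW64
    Join-Path $AclBackupDir "shimgvw.$dir.acl"
}

function Restrict-ShimgvwAcl {
    New-Item -ItemType Directory -Path $AclBackupDir -Force | Out-Null
    foreach ($dll in $Dlls) {
        # The file is owned by TrustedInstaller: take ownership so the DACL can be changed,
        # save the current DACL for rollback, then deny Everyone all access.
        & takeown.exe /f $dll | Out-Null
        & icacls.exe $dll /save (Get-AclBackupPath $dll) | Out-Null
        & icacls.exe $dll /deny "*${EveryoneSid}:(F)" | Out-Null
    }
}

function Restore-ShimgvwAcl {
    # icacls /restore is run against the directory that holds the saved entries.
    foreach ($dll in $Dlls) {
        & icacls.exe (Split-Path $dll -Parent) /restore (Get-AclBackupPath $dll) | Out-Null
    }
}

function Disable-ExplorerThumbnails {
    # Same effect as the policy "Turn off the display of thumbnails and only display icons".
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    Set-ItemProperty -Path $ExplorerPolicy -Name DisableThumbnails -Value 1 -Type DWord
}

function Test-Ms11006Workaround {
    # Returns $true only if every copy of the DLL carries the deny ACE and thumbnails are off.
    $ok = $true
    foreach ($dll in $Dlls) {
        $deny = (Get-Acl -Path $dll).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $EveryoneSid -and
            $_.FileSystemRights -eq 'FullControl'
        }
        if (-not $deny) { $ok = $false; Write-Host "missing Everyone deny ACE on $dll" }
    }
    $thumbs = Get-ItemProperty -Path $ExplorerPolicy -Name DisableThumbnails -ErrorAction SilentlyContinue
    if ($thumbs -eq $null -or $thumbs.DisableThumbnails -ne 1) {
        $ok = $false; Write-Host 'thumbnail rendering still enabled'
    }
    return $ok
}

Restrict-ShimgvwAcl
Disable-ExplorerThumbnails
Test-Ms11006Workaround
```

Expect the picture preview and thumbnails in Explorer to stop working while the ACL is in place; Restore-ShimgvwAcl puts the saved DACL back after patching (ownership stays with Administrators, which the update tolerates). On Windows XP and Server 2003, which lack icacls, the equivalent is cacls shimgvw.dll /E /P everyone:N.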

 

MS11-007

Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)


Microsoft Rating:

Critical

CVE:

CVE-2011-0033

 

Analysis:

A privately reported vulnerability exists in the Windows OpenType Compact Font Format (CFF) driver when processing an OpenType font containing a crafted parameter value. Successful exploitation allows remote execution of arbitrary code when a user views a document or web page that embeds the crafted font. Some third-party applications (e.g. web browsers) include native support for rendering OpenType, increasing the attack surface. Because the CFF driver runs in kernel mode, a successful exploit gives the attacker kernel-mode code execution, allowing them to use the compromised system as a hub from which to attack other systems on the network.

 

Recommendation:

Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, disable the Preview Pane in Windows Explorer, the Details Pane in Windows Explorer and the WebClient Service.
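Those three workarounds are two Explorer policy values plus one service, which the following added PowerShell (not part of the original newsletter) applies, checks and reverts. NoPreviewPane and NoReadingPane are the policy values behind the Preview Pane and Details Pane respectively; a log-off or Explorer restart is needed before the panes disappear.

```powershell
# Added example, not part of the original advisory: MS11-007 workarounds for the
# current user (Explorer panes) and the machine (WebClient service). Run elevated.
$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PaneValues     = @('NoPreviewPane', 'NoReadingPane')   # Preview Pane, Details Pane

function Disable-ExplorerPanes {
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    foreach ($v in $PaneValues) {
        Set-ItemProperty -Path $ExplorerPolicy -Name $v -Value 1 -Type DWord
    }
}

function Enable-ExplorerPanes {
    foreach ($v in $PaneValues) {
        Remove-ItemProperty -Path $ExplorerPolicy -Name $v -ErrorAction SilentlyContinue
    }
}

function Disable-WebClientService {
    # WebClient is the WebDAV redirector; without it a UNC path to a WebDAV share
    # cannot be resolved, which removes the remote font-delivery path over WebDAV.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc -eq $null) { Write-Host 'WebClient service not present'; return }
    Set-Service -Name WebClient -StartupType Disabled
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
}

function Enable-WebClientService {
    # Manual is the default start type on client SKUs.
    Set-Service -Name WebClient -StartupType Manual -ErrorAction SilentlyContinue
}

function Test-Ms11007Workaround {
    $ok = $true
    $props = Get-ItemProperty -Path $ExplorerPolicy -ErrorAction SilentlyContinue
    foreach ($v in $PaneValues) {
        $set = ($props -ne $null) -and ($props.PSObject.Properties[$v] -ne $null) -and ($props.$v -eq 1)
        if (-not $set) { $ok = $false; Write-Host "$v not set" }
    }
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc -ne $null -and $svc.Status -ne 'Stopped') { $ok = $false; Write-Host 'WebClient still running' }
    return $ok
}

Disable-ExplorerPanes
Disable-WebClientService
Test-Ms11007Workaround
```

Stopping WebClient also breaks mapped WebDAV drives and SharePoint "Open in Explorer", so inventory those dependencies before deploying the change fleet-wide through Group Policy rather than per user.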

 

MS11-008

Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2451879)


Microsoft Rating:

Important

CVE List:

CVE-2011-0092, CVE-2011-0093

 

Analysis:

Two privately reported memory corruption vulnerabilities exist in Microsoft Visio when parsing Visio files containing crafted objects and structures. An attacker would need to convince the user to open a crafted Visio file, through vectors including a malicious e-mail attachment or on a web page with user-controlled content. Successful exploitation allows arbitrary code execution at the logged-in user's privilege level. If the user is an administrator, the attacker would be able to install malicious software and use the compromised machine to launch more attacks through the internal and external network.

 

Recommendation:

Deploy patches as soon as possible. Until the patches can be installed, application add-ins for Visio should be disabled and Visio files from untrusted sources should not be opened.

 

MS11-009

Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure (2475792)


Microsoft Rating:

Important

CVE:

CVE-2011-0031

 

Analysis:

A privately reported information disclosure vulnerability exists in the JScript and VBScript scripting engines when processing crafted scripts. An attacker would need to convince the user to visit a specially crafted web page or open a malicious script. Loading the decoded script into memory can corrupt memory in a way that leaks its contents; an attacker could use the disclosed information to further compromise the system, but the flaw does not by itself allow arbitrary code execution.

 

Recommendation:

Deploy patches as soon as possible. Until the patches can be installed, ActiveX Controls and Active Scripting within the Internet and Local Intranet security zone settings should be set to disabled.

 

MS11-010

Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2476687)


Microsoft Rating:

Important

CVE:

CVE-2011-0030

 

Analysis:

A privately reported privilege elevation vulnerability exists in the Windows Client/Server Run-time Subsystem (CSRSS) when terminating a process during user logoff. An attacker that is able to log on locally to the system could leverage this vulnerability to continue execution of an application after logging off. This specially designed application could then monitor all actions performed by newly logged-on users in order to obtain sensitive information such as credentials. The sensitive information could then be further used to elevate privileges or execute code with the privileges of another user on the system. If the information obtained includes a user with administrative privileges, it could be used to execute code with elevated kernel mode privileges or to install malicious software and attack further computers within or outside of the network.

 

Recommendation:

Deploy patches as soon as possible as no forms of mitigation are available.

 

MS11-011

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802)


Microsoft Rating:

Important

CVE List:

CVE-2010-4398, CVE-2011-0045

 

Analysis:

Two privilege escalation vulnerabilities exist in the Windows kernel: one when allocating memory (an integer truncation) and one when handling user-controlled registry keys. The publicly disclosed one (CVE-2010-4398) is a buffer overflow in the kernel's handling of a registry value that an unprivileged user can write, so a local attacker who can run a crafted application obtains code execution in kernel mode and thereby full system-level privileges. With these privileges an attacker could further compromise systems and install rootkits or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.

 

Recommendation:

Deploy patches as soon as possible as no forms of mitigation are available.

 

MS11-012

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2479628)


Microsoft Rating:

Important

CVE List:

CVE-2011-0086, CVE-2011-0087, CVE-2011-0088, CVE-2011-0089, CVE-2011-0090

 

Analysis:

Five privately reported privilege escalation vulnerabilities exist in the Windows kernel-mode drivers, specifically "Win32k.sys", when handling data supplied from user mode to kernel mode. An attacker that is able to run a crafted application could exploit these vulnerabilities to execute arbitrary code with elevated kernel mode privileges. With these privileges an attacker could further compromise systems and install rootkits or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.

 

Recommendation:

Deploy patches as soon as possible as no forms of mitigation are available.

 

MS11-013

Vulnerabilities in Kerberos Could Allow Elevation of Privilege (2496930)


Microsoft Rating:

Important

CVE List:

CVE-2011-0043, CVE-2011-0091

 

Analysis:

Two vulnerabilities exist in the Microsoft Kerberos implementation in Windows due to weak hashing and encryption algorithms that could facilitate spoofing attacks or grant elevated privileges. One of the two was publicly disclosed; if exploited, it allows a local attacker who is authenticated on a domain-joined system to send crafted ticket requests to the KDC and obtain elevated system-level privileges on the local machine. This vulnerability is not exploitable on domains where the domain controller is running Windows Server 2008 or Windows Server 2008 R2. The other vulnerability depends on the attacker's ability to perform a man-in-the-middle attack; if successful, it can be used to downgrade the session's encryption to DES in order to impersonate legitimate users' credentials or forge all traffic in the compromised session.

 

Recommendation:

Deploy patches as soon as possible if using Kerberos authentication, as no workaround is available. Because the spoofing attack relies on downgrading to DES, Kerberos tickets issued with a DES encryption type (visible in the Ticket Encryption Type field of events 4768 and 4769 on Windows Server 2008 and later domain controllers) are worth alerting on, particularly on domains where DES is not intentionally enabled.
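The detection hinted at above, as an added PowerShell example that is not part of the original newsletter: it flags Kerberos TGT (4768) and service ticket (4769) events whose Ticket Encryption Type is DES-CBC-CRC (0x1) or DES-CBC-MD5 (0x3). The offline run uses constructed sample events; the second function reads the real Security log on a domain controller.

```powershell
# Added example, not part of the original advisory: detect Kerberos tickets issued with
# DES encryption, the downgrade the MS11-013 man-in-the-middle attack relies on.
# Ticket Encryption Type values as logged in events 4768/4769:
#   0x1 DES-CBC-CRC, 0x3 DES-CBC-MD5, 0x11 AES128, 0x12 AES256, 0x17 RC4-HMAC
$DesTypes = @{ '0x1' = 'DES-CBC-CRC'; '0x3' = 'DES-CBC-MD5' }

function Find-DesKerberosTickets {
    # $Events: objects with EventId, TimeCreated, Account, Service, EncType (hex string).
    param([Parameter(Mandatory = $true)][object[]]$Events)
    foreach ($ev in $Events) {
        $t = ([string]$ev.EncType).ToLowerInvariant()
        if ($DesTypes.ContainsKey($t)) {
            New-Object PSObject -Property @{
                Time    = $ev.TimeCreated
                EventId = $ev.EventId
                Account = $ev.Account
                Service = $ev.Service
                EncType = $DesTypes[$t]
            }
        }
    }
}

function Get-KerberosTicketEvents {
    # Reads 4768/4769 from the local Security log (run on a DC, elevated) and pulls the
    # fields out of the event XML, since the message text is localized.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-Object PSObject -Property @{
                EventId     = $_.Id
                TimeCreated = $_.TimeCreated
                Account     = $d['TargetUserName']
                Service     = $d['ServiceName']
                EncType     = $d['TicketEncryptionType']
            }
        }
}

# Constructed sample events (not real log data) so the check runs offline.
$sample = @(
    @{ EventId = 4769; TimeCreated = '2011-02-09 10:01:07'; Account = 'jdoe@CORP.EXAMPLE';       Service = 'SRV-WEB01$';  EncType = '0x12' },
    @{ EventId = 4769; TimeCreated = '2011-02-09 10:01:09'; Account = 'jdoe@CORP.EXAMPLE';       Service = 'krbtgt';      EncType = '0x17' },
    @{ EventId = 4768; TimeCreated = '2011-02-09 10:02:30'; Account = 'svc-legacy';              Service = 'krbtgt';      EncType = '0x3'  },
    @{ EventId = 4769; TimeCreated = '2011-02-09 10:02:31'; Account = 'svc-legacy@CORP.EXAMPLE'; Service = 'SRV-FILE02$'; EncType = '0x1'  }
) | ForEach-Object { New-Object PSObject -Property $_ }

Find-DesKerberosTickets -Events $sample | Format-Table Time, EventId, Account, Service, EncType -AutoSize
# On a domain controller:
# Find-DesKerberosTickets -Events (Get-KerberosTicketEvents) | Format-Table -AutoSize
```

The sample run reports the two svc-legacy events and ignores the AES and RC4 ones. DES is disabled by default on Windows 7 and Windows Server 2008 R2, so on such a domain any DES ticket is either a deliberately enabled legacy account (worth knowing about anyway) or a downgrade in progress; the 0x17 RC4 ticket is normal for 2011-era domains but is the next thing to drive out.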

 

MS11-014

Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege (2478960)


Microsoft Rating:

Important

CVE:

CVE-2011-0039

 

Analysis:

A privately reported privilege elevation vulnerability exists in the Windows Local Security Authority Subsystem Service (LSASS) when handling a crafted authentication request. An attacker who is able to log on locally and run a crafted application could exploit this vulnerability to execute arbitrary code with the privileges of the LSASS process, which runs as LocalSystem. With these privileges an attacker could further compromise systems and install rootkits or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.

 

Recommendation:

Deploy patches immediately to prevent exploitation by attackers as no forms of mitigation are available.

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.