BeyondTrust Patch Tuesday
June 14, 2011
Microsoft Patch Disclosure
This month, Microsoft released 16 patches which repair a total of 34 vulnerabilities.
Administrators are advised to patch MS11-038, MS11-039, MS11-040, MS11-042, MS11-043, MS11-045, MS11-046, MS11-050, and MS11-052 immediately to prevent exploitation by attackers. Next, administrators should patch MS11-041, MS11-044, and MS11-048 as soon as possible. Lastly, administrators should patch MS11-037, MS11-047, MS11-049, and MS11-051 at their earliest convenience.
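The priority tiers above, turned into a quick audit: the following PowerShell script is an added example (not part of the BeyondTrust advisory) that maps each bulletin to the KB number printed in its title in the details section and reports which ones a host is missing, tier by tier. It assumes Get-HotFix is a sufficient source of truth; that holds for Windows OS updates, but Office, Silverlight and Forefront TMG client packages (MS11-039, MS11-040, MS11-045) are recorded under their own package KBs and may show as MISSING here even when installed, so treat those rows as "verify manually".

```powershell
# Added example: audit this month's bulletins against Get-HotFix, grouped by the
# advisory's three priority tiers. KB numbers are the bulletin KBs from the page.
# Caveat (assumption): Get-HotFix only lists updates recorded by Windows Update,
# so Office/Silverlight/TMG client packages can appear MISSING even when patched.
$tiers = [ordered]@{
    'Immediately'             = @{ 'MS11-038' = 'KB2476490'; 'MS11-039' = 'KB2514842'
                                   'MS11-040' = 'KB2520426'; 'MS11-042' = 'KB2535512'
                                   'MS11-043' = 'KB2536276'; 'MS11-045' = 'KB2537146'
                                   'MS11-046' = 'KB2503665'; 'MS11-050' = 'KB2530548'
                                   'MS11-052' = 'KB2544521' }
    'As soon as possible'     = @{ 'MS11-041' = 'KB2525694'; 'MS11-044' = 'KB2538814'
                                   'MS11-048' = 'KB2536275' }
    'At earliest convenience' = @{ 'MS11-037' = 'KB2544893'; 'MS11-047' = 'KB2525835'
                                   'MS11-049' = 'KB2543893'; 'MS11-051' = 'KB2518295' }
}

# One query for the whole host; HotFixID values look like "KB2536276".
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }

$missing = 0
foreach ($tier in $tiers.Keys) {
    Write-Host "== $tier =="
    foreach ($bulletin in ($tiers[$tier].Keys | Sort-Object)) {
        $kb = $tiers[$tier][$bulletin]
        if ($installed -contains $kb) {
            $state = 'installed'
        } else {
            $state = 'MISSING'
            $missing++
        }
        Write-Host ('  {0}  {1}  {2}' -f $bulletin, $kb, $state)
    }
}
Write-Host "Bulletins not found in Get-HotFix: $missing"
```

Run it under an account that can read the update history (a standard user is enough on most hosts); the MISSING count is a convenient value to feed into a scheduled check until all tiers read "installed".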
As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.
- Web Event: Vulnerability Expert Forum (VEF)
- Presenters: The eEye Research Team
- Date/Time: Wednesday June 15th at 1pm PT / 4pm ET
BULLETIN / ADVISORY DETAILS
MS11-037
Vulnerability in MHTML Could Allow Information Disclosure (2544893)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses an information disclosure vulnerability in MHTML. Attackers could convince a user to view a web page that contained the malicious MIME-formatted request. The request would exist in a permitted security context but access data that is in a different security context. At this point, the attacker would be able to access data that should not be accessible for scripts running in the attacker's security context.
Recommendation:
Deploy patches at the earliest convenience. Until the patches can be installed, disable the MHTML handler by deleting the HKCR\PROTOCOLS\Handler\mhtml registry key.
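The stopgap above, as an added example (not code from the advisory): a PowerShell script that exports the MHTML handler key before deleting it, so the handler can be restored once the MS11-037 patch is deployed. It assumes an elevated prompt and uses %SystemRoot%\Temp for the backup file; both are choices made for this example, not values from the page.

```powershell
# Added example: apply the MS11-037 workaround by removing the MHTML protocol
# handler key, keeping a .reg backup so the change can be reversed after patching.
# Assumptions: run elevated; backup location is arbitrary. HKCR is the merged
# view of HKLM\Software\Classes and HKCU\Software\Classes.
$key    = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mhtml'
$backup = Join-Path $env:SystemRoot 'Temp\mhtml-handler-backup.reg'

if (-not (Test-Path $key)) {
    Write-Host 'MHTML handler key not present; nothing to do.'
    return
}

# reg.exe export produces a file that "reg.exe import" can re-apply later.
reg.exe export 'HKCR\PROTOCOLS\Handler\mhtml' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup of $key failed; leaving the key in place."
}

Remove-Item -Path $key -Recurse -Force
if (Test-Path $key) {
    throw "Removal of $key did not take effect; check permissions."
}
Write-Host "Removed $key (backup at $backup)."
Write-Host "To restore after patching: reg.exe import $backup"
```

Deleting the handler makes Internet Explorer unable to open .mht/.mhtml content and mhtml: links until the key is imported back, which is the trade-off the advisory's workaround implies.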
MS11-038
Vulnerability in OLE Automation Could Allow Remote Code Execution (2476490)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses a remote code execution vulnerability in how Windows OLE Automation parses WMF image files. Because of the file format affected by this vulnerability, it is likely that this will be exploited through attacker controlled webpages or servers hosting user-supplied content. An attacker that successfully exploits this vulnerability would gain the ability to execute arbitrary code in the context of the current user. Attackers may further leverage this vulnerability in drive-by scenarios to install malicious software and gain a foothold into the network.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, prevent access to vbscript.dll, read emails in plain text, block ActiveX controls and block/disable Active Scripting in both the Internet and Local Intranet zones.
MS11-039
Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2514842)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses a remote code execution vulnerability in Microsoft Silverlight and the .NET Framework, which would permit an attacker to execute arbitrary code within the user's context. In the most likely exploitation situation, an attacker would need to host the malicious content on a web site and convince a user to view the attacker's content. Servers hosting user-controlled ASP.NET applications are also at an elevated risk since an attacker could break out of sandbox restrictions and further compromise the system.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, prevent partially trusted .NET applications from running, by using the caspol command. Prevent Internet Explorer, Firefox, and Chrome from running XAML applications.
MS11-040
Vulnerability in Threat Management Gateway Firewall Client Could Allow Remote Code Execution (2520426)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses a remote code execution vulnerability in the Forefront TMG Client. The client does not properly check certain requests, so when it evaluates a crafted request the memory of the TMG Client can be corrupted, which would permit the attacker to execute arbitrary code remotely on the client system.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, prevent the TMG Client from being used by disabling it.
MS11-041
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2525694)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses a remote code execution vulnerability that exists in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability occurs when validating pointers, during the processing of an OpenType font on 64-bit systems. Successful exploitation of this vulnerability allows remote execution of arbitrary code. Some third-party applications (e.g. web browsers) include native support for rendering OpenType, thus increasing the attack surface for this vulnerability. Once the system is exploited, the attacker would have kernel mode access, allowing them to use the compromised system as a hub to launch more attacks to other systems on the network.
Recommendation:
Deploy patches as soon as possible. Until the patches can be installed, disable the Preview Pane in Windows Explorer, the Details Pane in Windows Explorer, and the WebClient Service.
MS11-042
Vulnerabilities in Distributed File System Could Allow Remote Code Execution (2535512)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses two denial of service vulnerabilities in the Microsoft Distributed File System (DFS). An attacker could exploit these vulnerabilities by responding to a DFS request with a malicious response, which would cause the client system to stop responding until a user manually restarted the machine.
Recommendation:
Deploy patches immediately as no forms of mitigation are available.
MS11-043
Vulnerability in SMB Client Could Allow Remote Code Execution (2536276)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses an unauthenticated remote code execution vulnerability that exists in the Windows SMB client. To exploit this vulnerability, an attacker would set up a malicious SMB server and, e.g. by sending links via email, convince users to access that server. The server would then respond with malicious response packets, which would most likely crash the client, but potentially allow the attacker to execute remote arbitrary code on the client's machine.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, block ports 139 and 445 at the network perimeter.
MS11-044
Vulnerability in .NET Framework Could Allow Remote Code Execution (2538814)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses a remote code execution vulnerability in the .NET Framework. Successful exploitation would permit an attacker to execute arbitrary code within the user's context or the context of the ASP.NET account. The vulnerability is due to the fact that the .NET Framework fails to properly validate certain values in an in-memory object. In the most likely exploitation scenario, an attacker would need to host the malicious content on a web site and convince a user to view the attacker's content.
Recommendation:
Deploy patches as soon as possible. Until the patches can be installed, prevent partially trusted .NET applications from running, by using the caspol command. Prevent Internet Explorer, Firefox, and Chrome from running XAML applications.
MS11-045
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2537146)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses eight remote code execution vulnerabilities in Microsoft Excel that occur when parsing specially crafted Excel files. Opening a maliciously crafted Excel file would allow remote code execution with the same rights as the user. If the user is an administrator, attackers may be able to leverage this vulnerability to further compromise the system and gain a foothold into the network.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, administrators can set a Microsoft Office File Block Policy to block all files from Office 2003 and earlier from unknown and untrusted sources. Additionally, files that do not pass Office File Validation should be prevented from opening. CVE-2011-1275, CVE-2011-1277, and CVE-2011-1278 have no reasonable mitigations, so patching is the only way to protect against these vulnerabilities.
MS11-046
Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2503665)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses a privilege elevation vulnerability that exists in the Ancillary Function Driver (AFD). To exploit this vulnerability, an attacker would already need to be able to execute code on the target system. Upon launching a malicious application on the target system, the attacker would gain the ability to execute arbitrary code in kernel mode. Although the ability to execute code on the system is required, attackers that are able to leverage client-side exploits could potentially combine this vulnerability in a way that could be used to gain elevated privileges. From this point, attackers would be able to install rootkits and maintain access to the system.
Recommendation:
Deploy patches immediately as no forms of mitigation are available.
MS11-047
Vulnerability in Hyper-V Could Allow Denial of Service (2525835)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses a locally authenticated denial of service vulnerability that exists in Hyper-V. An attacker would need to be able to log into a Hyper-V guest and run a malicious application, which would send a specially crafted packet to the VMBus. This would cause both the host system and all guest systems to stop responding, thereby affecting the availability of all services; if a guest system is a core server such as a domain controller or security gateway, this could possibly disrupt the integrity of the network as well.
Recommendation:
Deploy patches at the earliest convenience as no forms of mitigation are available.
MS11-048
Vulnerability in SMB Server Could Allow Denial of Service (2536275)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses a parsing vulnerability in the SMB protocol implementation. This vulnerability requires no authentication to be exploited. To exploit this vulnerability, the attacker would simply need to send a malicious SMB packet to a vulnerable system, which would cause the system to stop responding until it was restarted manually.
Recommendation:
Deploy patches as soon as possible. Until the patches can be installed, block ports 139 and 445 at the network perimeter.
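Both SMB bulletins (MS11-043, client side, and MS11-048, server side) share the same stopgap: block TCP 139 and 445 at the network perimeter. The script below is an added example, not from the advisory, that adds matching rules to the host's Windows Firewall as a second layer for machines that roam outside the perimeter. It assumes that blocking SMB on the host is acceptable for the chosen profile (it breaks file and print sharing on that profile), which is why the rules are scoped to the Public profile and carry names that make rollback easy. netsh advfirewall is used because it is available on Windows Vista/7/2008 without extra modules.

```powershell
# Added example: host-level complement to the perimeter block for MS11-043/MS11-048.
# Assumption: blocking SMB on the Public profile is acceptable; adjust profile= if
# the environment needs a different scope, and delete the rules after patching.
$ports = @(139, 445)

foreach ($port in $ports) {
    # Inbound rule covers the SMB server side (MS11-048): unsolicited packets never
    # reach the vulnerable parser.
    netsh advfirewall firewall add rule name="MS11-048-block-SMB-in-TCP-$port" `
        dir=in action=block protocol=TCP localport=$port profile=public
    if ($LASTEXITCODE -ne 0) { throw "Failed to add inbound rule for TCP $port" }

    # Outbound rule covers the SMB client side (MS11-043): the client cannot connect
    # to a malicious server on an untrusted network.
    netsh advfirewall firewall add rule name="MS11-043-block-SMB-out-TCP-$port" `
        dir=out action=block protocol=TCP remoteport=$port profile=public
    if ($LASTEXITCODE -ne 0) { throw "Failed to add outbound rule for TCP $port" }
}

# Confirm the four rules exist; rollback is
#   netsh advfirewall firewall delete rule name="MS11-048-block-SMB-in-TCP-445"
# (and likewise for the other three names).
netsh advfirewall firewall show rule name=all | Select-String 'MS11-04[38]-block-SMB'
```

After the patches are deployed, remove the four rules by name so that SMB behaviour on the Public profile returns to the organisation's baseline rather than staying silently blocked.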
MS11-049
Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure (2543893)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses an information disclosure vulnerability that exists in the Microsoft XML editor. To exploit this vulnerability, an attacker would need to convince a user to open a malicious .DISCO file with one of the affected applications. This would permit the attacker to remotely read files from the victim's system that would otherwise be unavailable to the attacker.
Recommendation:
Deploy patches at the earliest convenience as no forms of mitigation are available.
MS11-050
Cumulative Security Update for Internet Explorer (2530548)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses eight remote code execution vulnerabilities and three information disclosure vulnerabilities in Internet Explorer. The most likely attack vector would require that an attacker convince a user to visit malicious internet content, which could cause memory corruption in a way that permitted the attacker to execute remote arbitrary code within the context of the current user.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, read emails in plain text, block ActiveX controls and block/disable Active Scripting in both the Internet and Local Intranet zones.
MS11-051
Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege (2518295)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses a non-persistent XSS vulnerability that exists in Active Directory Certificate Services Web Enrollment. An attacker attempting to exploit this vulnerability would likely send a link to the target user via email or instant message. Upon the user clicking the link, the attacker would be able to execute a custom script with the same permissions the user has under normal circumstances.
Recommendation:
Deploy patches at the earliest convenience. Until the patches can be installed, turn on the IE8/9 XSS filter for the Intranet Zone.
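The workaround above applied from PowerShell, as an added example that is not part of the advisory: the IE8/IE9 XSS Filter is controlled per security zone, and the Local intranet zone (zone 1, where an internal certificate enrollment site normally lands) ships with the filter off. The script sets the zone's action value 1409 (the XSS Filter setting; 0 = enable, 3 = disable) for the current user. It assumes the setting is not already enforced through Group Policy, since a policy value under HKCU\Software\Policies would override what is written here.

```powershell
# Added example: enable the IE8/IE9 XSS Filter for the Local intranet zone for the
# current user (MS11-051 stopgap). Zone 1 = Local intranet; action 1409 = XSS Filter,
# 0 enables it and 3 disables it. Assumption: no Group Policy overrides this value.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$action   = '1409'

if (-not (Test-Path $zonePath)) {
    throw "Zone key $zonePath not found; Internet Explorer zone settings are not initialised for this user."
}

# Record the current state so the change can be reverted after patching.
$before = (Get-ItemProperty -Path $zonePath -Name $action -ErrorAction SilentlyContinue).$action
if ($null -eq $before) {
    Write-Host 'XSS Filter (1409) not set for Local intranet; IE default applies.'
} else {
    Write-Host "XSS Filter (1409) for Local intranet before: $before"
}

Set-ItemProperty -Path $zonePath -Name $action -Value 0 -Type DWord

$after = (Get-ItemProperty -Path $zonePath -Name $action).$action
if ($after -ne 0) {
    throw 'Failed to enable the XSS Filter for the Local intranet zone.'
}
Write-Host 'XSS Filter enabled for the Local intranet zone (1409 = 0). Restart IE to apply.'
```

To roll the change back once MS11-051 is installed, write the recorded previous value (or 3, the default for the intranet zone) to the same 1409 entry, or simply deploy the setting permanently through Group Policy if the organisation wants the filter on for internal sites regardless.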
MS11-052
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (2544521)
Microsoft Rating:
CVE List:
(none)
Analysis:
This bulletin addresses a memory corruption vulnerability that exists in the Vector Markup Language (VML) implementation on Windows. To exploit this vulnerability, an attacker would likely send a link to the target user and convince them to open it, taking them to the attacker's malicious content. At this point, the IE rendering engine would attempt to show the specially crafted VML content, which would exploit the vulnerability, granting the attacker the ability to execute remote arbitrary code within the context of the current user.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, read emails in plain text, block ActiveX controls and block/disable Active Scripting in both the Internet and Local Intranet zones.
Feedback
The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.
Disclaimer
The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.