BeyondTrust Patch Tuesday
March 08, 2011
Microsoft Patch Disclosure
This month, Microsoft released 3 bulletins which repair a total of 4 vulnerabilities. All 3 of these bulletins address Remote Code Execution vulnerabilities.
Administrators are advised to patch MS11-015, MS11-016 and MS11-017 immediately to prevent exploitation by attackers.
As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.
- Web Event: Vulnerability Expert Forum (VEF)
- Presenters: The eEye Research Team
- Date/Time: Wednesday March 9th at 1pm PST / 4pm EST
BULLETIN / ADVISORY DETAILS
MS11-015
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
Microsoft Rating:
CVE List:
CVE-2011-0032, CVE-2011-0042
Analysis:
One publicly disclosed DLL hijacking vulnerability and one privately reported remote code execution vulnerability have been identified in Microsoft Windows Media applications. The first vulnerability is a standard insecure library loading error of the kind seen in the past with other applications. When a crafted media file (e.g. .wtv, .dvr-ms, .mpg) handled through Microsoft DirectShow is opened, the application attempts to load a malicious DLL from an attacker-controlled location (e.g. a network share or WebDAV server). Once the malicious DLL is loaded, the attacker can execute arbitrary code with the privileges of the logged-in user. The second vulnerability is caused by improper parsing of Microsoft Digital Video Recording files (.dvr-ms) by Windows Media Player and Windows Media Center. If a user opens a malicious ".dvr-ms" file, an attacker can execute arbitrary code with the privileges of the logged-in user. With either vulnerability, if the user is an administrator, the attacker would be able to install malicious software and use the compromised machine to launch further attacks across the internal and external network.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, the loading of libraries from WebDAV and remote network shares should be disabled, the WebClient Service should be disabled, TCP ports 139 and 445 should be blocked on the external firewall, and strict file permissions on the Stream Buffer Engine (i.e. sbe.dll) should be enforced. Additionally, as with all DLL Preloading vulnerabilities, disable the WebDAV client and do not open ".wtv", ".dvr-ms", and ".mpg" files from untrusted sources.
MS11-016
Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047)
Microsoft Rating:
CVE:
CVE-2010-3146
Analysis:
One publicly disclosed DLL hijacking vulnerability has been identified in Microsoft Groove 2007. This vulnerability is a standard insecure library loading error of the kind seen in the past with other applications. When a crafted file associated with Microsoft Groove (e.g. .vcg, .gta) is opened, the application attempts to load a malicious DLL from an attacker-controlled location (e.g. a network share or WebDAV server). Once the malicious DLL is loaded, the attacker can execute arbitrary code with the privileges of the logged-in user. If the user is an administrator, the attacker would be able to install malicious software and use the compromised machine to launch further attacks across the internal and external network.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, the loading of libraries from WebDAV and remote network shares should be disabled, the WebClient Service should be disabled, and TCP ports 139 and 445 should be blocked on the external firewall. Additionally, as with all DLL Preloading vulnerabilities, disable the WebDAV client and do not open ".vcg" and ".gta" files from untrusted sources.
MS11-017
Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)
Microsoft Rating:
CVE:
CVE-2011-0029
Analysis:
One publicly disclosed DLL hijacking vulnerability has been identified in the Microsoft Remote Desktop Connection Client. This vulnerability is a standard insecure library loading error of the kind seen in the past with other applications. When a crafted file associated with the Microsoft RDC Client (e.g. .rdp) is opened, the application attempts to load a malicious DLL from an attacker-controlled location (e.g. a network share or WebDAV server). Once the malicious DLL is loaded, the attacker can execute arbitrary code with the privileges of the logged-in user. If the user is an administrator, the attacker would be able to install malicious software and use the compromised machine to launch further attacks across the internal and external network.
Recommendation:
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, the loading of libraries from WebDAV and remote network shares should be disabled, the WebClient Service should be disabled, and TCP ports 139 and 445 should be blocked on the external firewall. Additionally, as with all DLL Preloading vulnerabilities, disable the WebDAV client and do not open ".rdp" files from untrusted sources.
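The three recommendations above (MS11-015, MS11-016 and MS11-017) share the same interim host-side mitigations. The script below is an added example, not code from the BeyondTrust/eEye advisory, that audits those mitigations on one Windows host and, with the -Apply switch, enforces them. It assumes the CWDIllegalInDllSearch registry value from Microsoft's DLL preloading guidance (KB 2264107), which the advisory does not name; the -Apply switch and the identity-name heuristic used for the sbe.dll permission check are this example's own design.

```powershell
# Added example (not from the advisory): audit, and optionally enforce, the
# interim mitigations for MS11-015/016/017 on a single Windows host.
# Run from an elevated PowerShell prompt: .\Check-DllPreloadMitigations.ps1 [-Apply]
param([switch]$Apply)

$findings = @()

# 1. Remote DLL search. The CWDIllegalInDllSearch DWORD under the Session Manager
#    key (Microsoft KB 2264107, assumed here) controls whether the current working
#    directory takes part in the DLL search order: 1 blocks loads from a CWD that
#    is a UNC share or WebDAV folder (the advisory's "loading of libraries from
#    WebDAV and remote network shares"), 0xFFFFFFFF removes the CWD from the search
#    order entirely, and an absent or 0 value leaves remote CWD loads enabled.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$cwdSetting = (Get-ItemProperty -Path $smKey -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
if ($cwdSetting -eq $null -or $cwdSetting -eq 0) {
    $findings += 'CWDIllegalInDllSearch is unset or 0: a crafted file on a remote share can still pull a DLL from its own directory'
    if ($Apply) {
        Set-ItemProperty -Path $smKey -Name CWDIllegalInDllSearch -Value 1 -Type DWord
    }
}

# 2. WebClient service (the WebDAV mini-redirector). Stopped and Disabled closes
#    the WebDAV delivery path named in each bulletin regardless of search order.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'").StartMode
    if ($svc.Status -ne 'Stopped' -or $startMode -ne 'Disabled') {
        $findings += "WebClient service is $($svc.Status) with start mode $startMode (advisory: stopped and disabled)"
        if ($Apply) {
            Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
            Set-Service -Name WebClient -StartupType Disabled
        }
    }
}

# 3. sbe.dll permissions (MS11-015 only): no non-administrator principal should
#    hold write, modify or full-control rights on the Stream Buffer Engine.
#    The identity-name match is a heuristic for this example; review the whole
#    ACL of anything it flags.
$sbe = Join-Path $env:SystemRoot 'System32\sbe.dll'
if (Test-Path $sbe) {
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl')
    foreach ($ace in (Get-Acl -Path $sbe).Access) {
        $grantsWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
        $broadIdentity = $ace.IdentityReference.Value -match 'Everyone|\\Users$|Authenticated Users'
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and $broadIdentity) {
            $findings += "sbe.dll grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
        }
    }
}

# 4. Report. Blocking TCP 139 and 445 belongs on the external firewall and is
#    deliberately not checked from the host.
if ($findings.Count -eq 0) {
    Write-Output 'All host-side MS11-015/016/017 interim mitigations are in place.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Setting CWDIllegalInDllSearch to 1 is system-wide and affects every process, so test it against internal applications that open files from network locations before rolling it out, in the same spirit as the advisory's advice to test patches first. The script reports state rather than changing it unless -Apply is given, which makes it usable as a read-only compliance check from a deployment tool while the patches are being staged.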
Feedback
The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.
Disclaimer
The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.