BeyondTrust Patch Tuesday

May 10, 2011

Microsoft Patch Disclosure

This month, Microsoft released 2 patches which repair a total of 3 vulnerabilities. Both of these patches address Remote Code Execution vulnerabilities.

Administrators are advised to patch MS11-035 immediately to prevent exploitation by attackers. Next, administrators should patch MS11-036 as soon as possible. As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Wednesday May 11th at 1pm PT / 4pm ET

BULLETIN / ADVISORY DETAILS

MS11-035

Vulnerability in WINS Could Allow Remote Code Execution (2524426)


Microsoft Rating: Critical

CVE: CVE-2011-1248

Analysis:

This bulletin addresses a Remote Code Execution vulnerability within the WINS component of Microsoft Windows Servers. The vulnerability exists because user-supplied values are not cleared from the stack and are later used. An attacker could leverage the vulnerability to execute code with SYSTEM privileges on Windows Server 2003 and Local Service privileges on Windows Server 2008 and Windows Server 2008 R2. With these privileges an attacker could potentially install rootkits or other malware to maintain control over the machine, leverage trust relationships to compromise additional systems, and steal sensitive information to be sold or used at a later time.

Recommendation:

Deploy patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ports TCP/42 and UDP/42 on external-facing firewalls.
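
One way to confirm that an external-facing rule set really blocks both TCP/42 and UDP/42 is to evaluate it with first-match semantics rather than searching for the literal port number, since a broad range or an "any" rule can still admit port 42. This is an added example, not code from BeyondTrust or eEye; the "action proto ports" rule format and the sample rules are constructed and hypothetical, not the export syntax of any particular firewall.

```python
# Added example: first-match evaluation of an exported inbound rule set.
# The "action proto ports" format is a constructed, hypothetical export,
# not the syntax of any particular firewall product.
WINS_PORT = 42  # port named in the MS11-035 recommendation

SAMPLE_RULES = """\
allow tcp 80,443
allow tcp 1-1024   # broad range that silently covers TCP/42
deny  udp 42
allow udp any
deny  any any
"""

def parse_rules(text):
    """Return a list of (line_no, action, proto, port_spec) tuples."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        action, proto, ports = line.lower().split()
        rules.append((n, action, proto, ports))
    return rules

def port_matches(spec, port):
    """True if a spec such as 'any', '42', '1-1024' or '80,443' covers port."""
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def decide(rules, proto, port, default="deny"):
    """First matching rule wins; returns (action, deciding line or None)."""
    for n, action, rproto, spec in rules:
        if rproto in (proto, "any") and port_matches(spec, port):
            return action, n
    return default, None

def wins_exposure(text):
    """Map each protocol to the effective decision for port 42."""
    rules = parse_rules(text)
    return {p: decide(rules, p, WINS_PORT) for p in ("tcp", "udp")}

if __name__ == "__main__":
    for proto, (action, line) in wins_exposure(SAMPLE_RULES).items():
        print(f"{proto}/{WINS_PORT}: {action} (rule line {line})")
```

In the constructed sample, UDP/42 is denied by an explicit rule, but TCP/42 is still allowed by the 1-1024 range on line 2, which a text search for "42" would not reveal.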

MS11-036

Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2545814)


Microsoft Rating: Important

CVE List: CVE-2011-1269, CVE-2011-1270

Analysis:

This bulletin addresses two Remote Code Execution vulnerabilities within Microsoft Office PowerPoint. The vulnerabilities are caused by improper parsing of PowerPoint files, which corrupts memory in a way that could be leveraged to execute arbitrary code at the logged-in user's privilege level. If the user is an administrator, an attacker could potentially use those privileges to install rootkits or other malware to maintain control over the machine, leverage trust relationships to compromise additional systems, and steal sensitive information to be sold or used at a later time.

Recommendation:

Deploy patches as soon as possible. Until the patches can be installed, Office File Validation should be enabled to prevent the loading of invalid PowerPoint 2003 and 2007 files. Additionally, use Microsoft Office File Block policy and Microsoft Office Isolated Conversion Environment (MOICE) to deter exploitation via Office 2003 and earlier binary files.

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.