BeyondTrust Patch Tuesday

November 08, 2011

Microsoft Patch Disclosure

This month, Microsoft released four patches that repair a total of four vulnerabilities. Two of these patches address remote code execution vulnerabilities, one patch addresses an elevation of privilege vulnerability, and one patch addresses a denial of service vulnerability.

Administrators should patch MS11-083 immediately to prevent exploitation by attackers. Next, administrators should patch MS11-085 and MS11-086 as soon as possible. Lastly, administrators should patch MS11-084 at their earliest convenience. As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Wednesday November 9th
    1pm PT / 4pm ET / 8pm GMT

BULLETIN / ADVISORY DETAILS

MS11-083

Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

Microsoft Rating: Critical

CVE List: CVE-2011-2013

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in the Windows TCP/IP stack. The patch fixes an integer overflow that occurs when processing a continuous stream of UDP packets sent to a closed port. An attacker who successfully exploited this vulnerability would gain kernel-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, any unused UDP ports should be blocked at the external firewall.


MS11-084

Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)

Microsoft Rating: Moderate

CVE List: CVE-2011-2004

Analysis:

This bulletin addresses a privately reported denial of service vulnerability in the Windows kernel. The patch fixes a failure to properly validate an array index when parsing TrueType font files. A local attacker who successfully exploited this vulnerability would cause the affected system to crash and restart.

Recommendation:

Deploy patches at the earliest convenience. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and disable both the Preview and Details Pane in Windows Explorer.


MS11-085

Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)

Microsoft Rating: Important

CVE List: CVE-2011-2016

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Windows Mail and Windows Meeting Space. The patch fixes an insecure library (DLL) loading issue: when a file handled by these applications is opened from a WebDAV or remote network share that also contains a specially crafted DLL, that DLL is loaded and executed. An attacker who successfully exploited this vulnerability would gain the same rights as the logged-on user.

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.
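As an added example (not code from the advisory or from BeyondTrust/eEye), the PowerShell script below audits a single Windows host for the interim workarounds listed for MS11-084 and MS11-085 above (WebClient service stopped and disabled, DLL loading from WebDAV and remote shares blocked, firewall rules for TCP 139 and 445) and applies them when run with -Apply. It assumes an elevated PowerShell 2.0 or later session on Windows Vista/7/Server 2008, and that the DLL search-path control is the CWDIllegalInDllSearch value from Microsoft KB 2264107 (which must be installed on Vista/7 for the value to be honoured); the Explorer Preview/Details pane setting is a per-user UI or Group Policy choice and is not covered.

```powershell
# Added example, not part of the BeyondTrust advisory. Reports (and with -Apply, sets)
# the interim workarounds listed above for MS11-084 and MS11-085 on this host.
# Assumptions: elevated PowerShell 2.0+ on Vista/7/2008; CWDIllegalInDllSearch is the
# KB 2264107 setting (that update must be present on Vista/7 for it to take effect).
param(
    [switch]$Apply,               # default is report-only
    [string]$Direction = 'out'    # 'out' stops clients reaching attacker shares; 'in' shields a file server
)
$findings = @()

# 1. WebClient (WebDAV redirector) service must be stopped and disabled.
$svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
if ($svc -and ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled')) {
    $findings += "WebClient is $($svc.State)/$($svc.StartMode); expected Stopped/Disabled"
    if ($Apply) {
        Stop-Service -Name WebClient -Force
        Set-Service -Name WebClient -StartupType Disabled
    }
}

# 2. DLL search-path hardening: value 2 refuses DLL loads from a WebDAV or remote-share
#    current directory (the MS11-085 vector); 0xFFFFFFFF (reads back as -1) blocks the
#    current directory entirely. Either satisfies the advisory's recommendation.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$cwd = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
if ($cwd -ne 2 -and $cwd -ne -1) {
    $findings += "CWDIllegalInDllSearch is '$cwd'; expected 2"
    if ($Apply) {
        New-ItemProperty -Path $smKey -Name CWDIllegalInDllSearch -Value 2 -PropertyType DWord -Force | Out-Null
    }
}

# 3. Windows Firewall rules for TCP 139/445 (NetBIOS/SMB). The advisory has a perimeter
#    firewall in mind; a host rule approximates it. Outbound blocking also cuts access
#    to legitimate internal shares, so scope it to the hosts that need it.
foreach ($port in 139, 445) {
    $name = "Workaround MS11-084/085 block TCP $port $Direction"
    if ($Direction -eq 'in') { $portArg = "localport=$port" } else { $portArg = "remoteport=$port" }
    $out = netsh advfirewall firewall show rule name="$name" 2>&1
    if ("$out" -match 'No rules match') {
        $findings += "Missing firewall rule '$name'"
        if ($Apply) {
            netsh advfirewall firewall add rule name="$name" dir=$Direction action=block protocol=TCP $portArg | Out-Null
        }
    }
}

if ($findings.Count -eq 0) { 'All listed workarounds are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it without -Apply first; the FINDING lines are what an auditor would expect to see cleared once the workarounds, or the patches themselves, are deployed.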


MS11-086

Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)

Microsoft Rating: Important

CVE List: CVE-2011-2014

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in Active Directory. The patch fixes a logic vulnerability that occurs when Active Directory, using LDAPS, does not properly validate an SSL certificate's revocation status. An attacker who successfully exploited this vulnerability would gain access to resources on the network, or the ability to execute arbitrary code remotely with the same permissions as the LDAP user associated with the revoked certificate.

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, remove the user account associated with the revoked certificate. Also, use LDAPS together with IPsec-based connections that are in "Always check CRL" mode.


Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.