BeyondTrust Patch Tuesday

October 11, 2011

Microsoft Patch Disclosure

This month, Microsoft released eight patches that repair a total of 23 vulnerabilities. These patches address 13 remote code execution vulnerabilities, three elevation of privilege vulnerabilities, four denial-of-service vulnerabilities, and three cross-site scripting vulnerabilities.

Administrators are advised to patch MS11-078 and MS11-081 immediately to prevent exploitation by attackers. Next, administrators should patch MS11-075, MS11-076, MS11-077, MS11-079, MS11-080, and MS11-082 as soon as possible. As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Wednesday, October 12th, 1pm PT / 4pm ET / 8pm GMT

BULLETIN / ADVISORY DETAILS

MS11-075
Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)

Microsoft Rating: Important
CVE: CVE-2011-1247

Analysis:
This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Active Accessibility. The patch fixes an insecure library loading (DLL preloading) vulnerability. An attacker who successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:
Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

MS11-076
Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)

Microsoft Rating: Important
CVE: CVE-2011-2009

Analysis:
This bulletin addresses a publicly reported remote code execution vulnerability in Windows Media Center. The patch fixes an insecure library loading (DLL preloading) vulnerability. An attacker who successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:
Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

MS11-077
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)

Microsoft Rating: Important
CVE List: CVE-2011-1985, CVE-2011-2002, CVE-2011-2003, CVE-2011-2011

Analysis:
This bulletin addresses four privately reported vulnerabilities in the Windows kernel-mode drivers. Two permit privilege escalation, one allows remote code execution, and the remaining one enables a denial-of-service condition. The patch fixes a null pointer dereference, two font handling vulnerabilities, and a use-after-free. In the most severe case, a local attacker who successfully exploited one of these vulnerabilities would gain kernel-level access to the target machine.

Recommendation:
Deploy patches as soon as possible, since no mitigation is available for two of the four CVEs. Until the patch can be installed, mitigate CVE-2011-2002 and CVE-2011-2003 by stopping the WebClient service from running.

MS11-078
Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)

Microsoft Rating: Critical
CVE: CVE-2011-1253

Analysis:
This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Silverlight. The patch fixes a failure to properly restrict class inheritance within the .NET Framework. An attacker who successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:
Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block XAML browser applications from running in Internet Explorer. Additionally, prevent the Silverlight ActiveX control from running in Internet Explorer, and prevent Silverlight from executing within Firefox and Chrome.

MS11-079
Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution (2544641)

Microsoft Rating: Important
CVE List: CVE-2011-1895, CVE-2011-1896, CVE-2011-1897, CVE-2011-1969, CVE-2011-2012

Analysis:
This bulletin addresses five privately reported vulnerabilities in Microsoft Forefront Unified Access Gateway. Three are cross-site scripting vulnerabilities, one can lead to remote code execution, and the last can lead to a denial-of-service condition. The remote code execution vulnerability is the most attractive of the five to attackers; an attacker who successfully exploited it would be able to reliably execute arbitrary code on the victim's system with the current user's permissions.

Recommendation:
Deploy patches as soon as possible, since no mitigation is available for four of the five CVEs. Until the patches can be installed, the remote code execution vulnerability (CVE-2011-1969) can be mitigated by blacklisting the MicrosoftClient.jar file in the Java\jre6\lib\security\blacklist file.

MS11-080
Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)

Microsoft Rating: Important
CVE: CVE-2011-2005

Analysis:
This bulletin addresses a privately reported elevation of privilege vulnerability in the Microsoft Windows Ancillary Function Driver (afd.sys). The patch fixes a logic vulnerability in the validation of data received from user mode. An attacker who successfully exploited this vulnerability would gain kernel-level access to the target machine.

Recommendation:
Since no mitigation is available, deploy patches as soon as possible.

MS11-081
Cumulative Security Update for Internet Explorer (2586448)

Microsoft Rating: Critical
CVE List: CVE-2011-1993, CVE-2011-1995, CVE-2011-1996, CVE-2011-1997, CVE-2011-1998, CVE-2011-1999, CVE-2011-2000, CVE-2011-2001

Analysis:
This bulletin addresses eight privately reported remote code execution vulnerabilities in Internet Explorer. All supported versions are affected. The vulnerabilities are exploitable when the browser accesses corrupted data, uninitialized objects, or deleted objects. Most of them could be leveraged to execute arbitrary code with the same permissions as the user running Internet Explorer.

Recommendation:
Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, read emails in plain text, block ActiveX controls, and block or disable Active Scripting in both the Internet and Local intranet zones.

MS11-082
Vulnerabilities in Host Integration Server Could Allow Denial of Service (2607670)

Microsoft Rating: Important
CVE List: CVE-2011-2007, CVE-2011-2008

Analysis:
This bulletin addresses two publicly reported, unauthenticated denial-of-service vulnerabilities in Host Integration Server. No attacks targeting these vulnerabilities have been seen in the wild. The patch fixes the way the server validates input when processing UDP and TCP data. An attacker who successfully exploited either vulnerability could cause the SNA Server service to stop responding, denying service to everything that relies on it.

Recommendation:
Deploy patches as soon as possible. Until the patch can be installed, block TCP ports 1477 and 1478 and UDP port 1478 using a firewall.
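A consolidated interim-workaround script for the mitigations the bulletins above name: the WebClient service and SMB ports for MS11-075/076/077, the Internet and Local intranet zone settings for MS11-081, and the Host Integration Server ports for MS11-082. This is an added example, not code from the newsletter or from Microsoft; it assumes the Windows host firewall (netsh advfirewall), the standard Internet Explorer zone registry values, and Windows PowerShell of that era (Get-WmiObject).

```powershell
# Added example, not part of the original newsletter: applies the interim workarounds the
# bulletins above name until the October 2011 patches are deployed. Assumes the Windows
# host firewall (netsh advfirewall). Run from an elevated prompt; -ReportOnly only reports.
param([switch]$ReportOnly)

function Set-WebClientDisabled {
    # MS11-075/076/077: stop WebClient so DLLs cannot be pulled over WebDAV
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    if (-not $svc) { Write-Output 'WebClient service not present'; return }
    Write-Output "WebClient: State=$($svc.State) StartMode=$($svc.StartMode)"
    if ($ReportOnly) { return }
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
}

function Add-BlockRule {
    # Adds a blocking rule; outbound rules match remote ports, inbound rules match local ports
    param([string]$Name, [ValidateSet('in','out')][string]$Dir, [string]$Proto, [string]$Ports)
    $portArg = if ($Dir -eq 'out') { "remoteport=$Ports" } else { "localport=$Ports" }
    Write-Output "Rule '$Name': dir=$Dir $Proto $portArg"
    if ($ReportOnly) { return }
    netsh advfirewall firewall add rule name="$Name" dir=$Dir action=block protocol=$Proto $portArg | Out-Null
}

function Set-IEZoneRestrictions {
    # MS11-081: value 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting;
    # data 3 = Disable. Zone 1 = Local intranet, Zone 3 = Internet. HKCU = current user only.
    foreach ($zone in 1, 3) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        foreach ($name in '1200', '1400') {
            $cur = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            Write-Output "Zone $zone setting $name currently $cur"
            if (-not $ReportOnly) { Set-ItemProperty -Path $key -Name $name -Value 3 -Type DWord }
        }
    }
}

Set-WebClientDisabled
# MS11-075/076/077: no SMB to remote hosts. This also blocks legitimate file shares, so scope
# the rule with remoteip= to Internet ranges, or enforce it at the perimeter firewall instead.
Add-BlockRule -Name 'Block outbound SMB (DLL preloading workaround)' -Dir out -Proto TCP -Ports '139,445'
# MS11-082: only needed on hosts running Host Integration Server (SNA Server service)
Add-BlockRule -Name 'Block HIS TCP 1477-1478' -Dir in -Proto TCP -Ports '1477,1478'
Add-BlockRule -Name 'Block HIS UDP 1478' -Dir in -Proto UDP -Ports '1478'
Set-IEZoneRestrictions
```

Run it once with -ReportOnly to review the current state before changing anything; the WebClient change breaks WebDAV-mapped drives and the zone change applies only to the user running the script.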

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.