BeyondTrust Patch Tuesday

February 14, 2012

Microsoft Patch Summary

This month, Microsoft released nine patches that fix a total of 21 vulnerabilities: thirteen remote code execution vulnerabilities, three elevation of privilege vulnerabilities, and five information disclosure vulnerabilities.

Patch MS12-008, MS12-010, MS12-013, and MS12-016 immediately to prevent exploitation by attackers. Patch MS12-009, MS12-011, MS12-012, MS12-014, and MS12-015 as soon as possible. As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Wednesday, February 15th
    1pm PT / 4pm ET / 9pm GMT

BULLETIN / ADVISORY DETAILS

MS12-008

Vulnerability in Windows Kernel Could Allow Remote Code Execution (2660465)


Microsoft Rating:

Critical

CVE List:

CVE-2011-5046 and CVE-2012-0154

 

Analysis:

This bulletin addresses a publicly reported remote code execution vulnerability (CVE-2011-5046) and a privately reported elevation of privilege vulnerability (CVE-2012-0154) in the Windows kernel-mode driver win32k.sys. The patch fixes how GDI validates input passed from user mode to the kernel, and how the kernel handles certain keyboard layout errors. An attacker that successfully exploited either vulnerability would execute arbitrary code in kernel context. The remote code execution path is reached through specially crafted content rendered by the browser or by an HTML e-mail message, which is why the workaround below targets e-mail rendering.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, read e-mail in plain text format; note that this removes only the HTML e-mail vector and does nothing for the web browsing vector.

 

MS12-009

Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege (2645640)


Microsoft Rating:

Important

CVE List:

CVE-2012-0148 and CVE-2012-0149

 

Analysis:

This bulletin addresses two privately reported elevation of privilege vulnerabilities in afd.sys, the kernel-mode Ancillary Function Driver that backs Windows sockets. The patch fixes how data received from user mode is validated before the driver uses it. A local attacker that successfully exploited either vulnerability would elevate from a user-mode process to kernel-level code execution.

 

Recommendation:

Deploy patches as soon as possible, since no mitigation is available.

 

MS12-010

Cumulative Security Update for Internet Explorer (2647516)


Microsoft Rating:

Critical

CVE List:

CVE-2012-0010, CVE-2012-0011, CVE-2012-0012, and CVE-2012-0155

 

Analysis:

This bulletin addresses four privately reported vulnerabilities in Internet Explorer: two remote code execution vulnerabilities and two information disclosure vulnerabilities. The patch fixes two memory corruptions that occur when a deleted object is accessed (use-after-free), a data validation issue in copy/paste operations, and an issue that lets an attacker read process memory. An attacker that successfully exploited either memory corruption vulnerability would run arbitrary code with the rights of the logged-on user.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, read emails in plain text, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.

 

MS12-011

Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2663841)


Microsoft Rating:

Important

CVE List:

CVE-2012-0017, CVE-2012-0144, and CVE-2012-0145

 

Analysis:

This bulletin addresses three privately reported cross-site scripting vulnerabilities in SharePoint 2010, counted above as information disclosure. The patch fixes the handling of specially crafted URLs by inplview.aspx, themeweb.aspx, and wizardlist.aspx. An attacker that convinced a user to open such a URL would be able to run arbitrary script in that user's SharePoint session and read or modify content accessible to that user.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, enable the Internet Explorer XSS filter (available in versions 8 and higher) for the Local intranet zone, where it is off by default; it is already on by default in the Internet zone.

 

MS12-012

Vulnerability in Color Control Panel Could Allow Remote Code Execution (2643719)


Microsoft Rating:

Important

CVE:

CVE-2010-5082

 

Analysis:

This bulletin addresses a publicly reported remote code execution vulnerability in Color Control Panel. The patch fixes an insecure library loading (DLL preloading) vulnerability: when a file with a CAMP, CDMP, GMMP, ICM, or ICC extension is opened, the component loads a library by name and searches the current working directory, which is the directory the file was opened from, so a malicious DLL placed next to the file on an attacker-controlled WebDAV or SMB share is loaded instead of the legitimate one. An attacker that successfully exploited this vulnerability would run arbitrary code with the rights of the logged-on user.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 at the perimeter firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares (the CWDIllegalInDllSearch setting described in Microsoft KB2264107). Perimeter blocking stops only Internet-hosted shares; an attacker with a foothold on the internal network can still host the share locally.

 

MS12-013

Vulnerability in C Run-Time Library Could Allow Remote Code Execution (2654428)


Microsoft Rating:

Critical

CVE:

CVE-2012-0150

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in the Microsoft Windows C Run-Time Library (msvcrt.dll). The patch fixes a buffer overflow that occurs when the size of certain in-memory data structures is calculated; Microsoft's bulletin gives the vector as a specially crafted media file hosted on a website or sent as an e-mail attachment. An attacker that successfully exploited this vulnerability would run arbitrary code with the rights of the logged-on user.

 

Recommendation:

Deploy patches as soon as possible, since no mitigation is available.

 

MS12-014

Vulnerability in Indeo Codec Could Allow Remote Code Execution (2661637)


Microsoft Rating:

Important

CVE:

CVE-2010-3138

 

Analysis:

This bulletin addresses a publicly reported remote code execution vulnerability in the Indeo codec shipped with Windows, originally demonstrated through Media Player Classic. The patch fixes an insecure library loading (DLL preloading) vulnerability: when a file with an AVI, MKA, RA, or RAM extension is opened from an attacker-controlled directory, the codec loads a library by name and picks up a malicious DLL placed next to the media file. An attacker that successfully exploited this vulnerability would run arbitrary code with the rights of the logged-on user.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 at the perimeter firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

 

MS12-015

Vulnerabilities in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2663510)


Microsoft Rating:

Important

CVE List:

CVE-2012-0019, CVE-2012-0020, CVE-2012-0136, CVE-2012-0137, and CVE-2012-0138

 

Analysis:

This bulletin addresses five privately reported remote code execution vulnerabilities in Microsoft Visio Viewer 2010. Each issue is a memory corruption vulnerability that occurs when parsing Visio files. An attacker that successfully exploited any of these vulnerabilities would run arbitrary code with the rights of the logged-on user. Visio Viewer is loaded as an ActiveX control in Internet Explorer, which is why the workaround below is to block ActiveX.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.

 

MS12-016

Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026)


Microsoft Rating:

Critical

CVE List:

CVE-2012-0014 and CVE-2012-0015

 

Analysis:

This bulletin addresses two remote code execution vulnerabilities in the .NET Framework; one was publicly reported and the other was privately reported. The patch fixes how unmanaged objects are used in the .NET Framework and Silverlight, and also fixes a heap corruption that occurs when calculating the length of a buffer. An attacker that successfully exploited either vulnerability would run arbitrary code with the rights of the logged-on user, typically by luring the user to a web page that hosts a malicious XAML browser application (XBAP) or Silverlight application.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block XAML browser applications from running in Internet Explorer. Additionally, prevent Silverlight from running in Internet Explorer, Firefox, or Chrome.
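The interim workarounds recommended for MS12-008, MS12-010, MS12-011, MS12-012, MS12-014, MS12-015 and MS12-016 above are all registry or service changes, so they can be audited and applied from one script. The following is an added example and is not code from the BeyondTrust/eEye newsletter or from Microsoft. It assumes the Internet Explorer zone action values it names (1200 = run ActiveX controls, 1400 = Active Scripting, 2400 = XAML browser applications, 1409 = XSS filter; 3 = Disable, 0 = Enable), the CWDIllegalInDllSearch value documented in Microsoft KB2264107, and Outlook 2010 (Office 14.0) for the plain-text mail setting; adjust the Office version path for other releases. Run it elevated for the HKLM and service changes.

```powershell
# Added example, not code from the BeyondTrust/eEye newsletter or from Microsoft.
# Audits (and, with -Apply, sets) the interim workarounds recommended above for
# MS12-008, MS12-010, MS12-011, MS12-012, MS12-014, MS12-015 and MS12-016.
# Assumptions: the IE zone action values used here (1200 = run ActiveX controls,
# 1400 = Active Scripting, 2400 = XAML browser applications, 1409 = XSS filter;
# 3 = Disable, 0 = Enable), the CWDIllegalInDllSearch value from Microsoft
# KB2264107, and Outlook 2010 (Office 14.0) for the plain-text mail setting.
param([switch]$Apply)   # without -Apply nothing is changed, only reported

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Disable  = 3
$Enable   = 0

# Report one registry value against its wanted setting; change it only with -Apply.
function Set-Workaround {
    param([string]$Path, [string]$Name, [int]$Value, [string]$Why)
    $current = $null
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.$Name }
    }
    $state = if ($current -eq $Value) { 'OK' } else { 'NEEDS CHANGE' }
    Write-Output ("[{0,-12}] {1} = {2} (want {3}): {4}" -f $state, $Name, $current, $Value, $Why)
    if ($Apply -and $current -ne $Value) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    }
}

# 1. Browser hardening in the Internet and Local intranet zones:
#    no ActiveX (MS12-010, MS12-015), no Active Scripting (MS12-010, MS12-015),
#    no XAML browser applications (MS12-016), XSS filter on (MS12-011; it is
#    on by default in the Internet zone but off in Local intranet).
foreach ($zone in $Zones.Keys) {
    $path  = "$ZoneRoot\$zone"
    $label = $Zones[$zone]
    Set-Workaround -Path $path -Name 1200 -Value $Disable -Why "run ActiveX controls, $label zone"
    Set-Workaround -Path $path -Name 1400 -Value $Disable -Why "Active Scripting, $label zone"
    Set-Workaround -Path $path -Name 2400 -Value $Disable -Why "XAML browser applications, $label zone"
    Set-Workaround -Path $path -Name 1409 -Value $Enable  -Why "XSS filter, $label zone"
}

# 2. DLL preloading (MS12-012, MS12-014): value 2 stops DLL resolution from a current
#    working directory that sits on a WebDAV or UNC share, closing the remote-share path.
Set-Workaround -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
    -Name 'CWDIllegalInDllSearch' -Value 2 -Why 'no DLL loads from a remote working directory'

# 3. WebClient service off: without the WebDAV redirector, port 80 cannot substitute
#    for the SMB ports blocked at the perimeter. Win32_Service works on PowerShell 2.0.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
if ($svc) {
    $ok    = ($svc.StartMode -eq 'Disabled') -and ($svc.State -ne 'Running')
    $state = if ($ok) { 'OK' } else { 'NEEDS CHANGE' }
    Write-Output ("[{0,-12}] WebClient service: {1}/{2}" -f $state, $svc.StartMode, $svc.State)
    if ($Apply -and -not $ok) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
}

# 4. Outlook reads mail as plain text (MS12-008, MS12-010): removes the HTML e-mail
#    vector only; web browsing remains exposed until the patches are installed.
Set-Workaround -Path 'HKCU:\Software\Microsoft\Office\14.0\Outlook\Options\Mail' `
    -Name 'ReadAsPlain' -Value 1 -Why 'read e-mail as plain text'
```

Run it once without `-Apply` to get a per-setting report, then with `-Apply` to make the changes. The zone settings live under HKCU, so they apply to the user running the script; for fleet-wide deployment the same action values are available as Group Policy settings under Internet Explorer Security Zones. Remember to reverse the zone and DLL-search changes after the patches are deployed, since disabling Active Scripting and ActiveX in the Local intranet zone will break internal web applications.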

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.