Bulletin/Advisory Details
MS11-018 Cumulative Security Update for Internet Explorer (2497640)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer.
The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, content during certain processes, and script during certain processes.
- CVE-2011-0094 - Layouts Handling Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted.
An attacker could exploit the vulnerability by constructing a specially crafted Web page.
When a user views the Web page, the vulnerability could allow remote code execution.
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-0346 - MSHTML Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted.
An attacker could exploit the vulnerability by constructing a specially crafted Web page.
When a user views the Web page, the vulnerability could allow remote code execution.
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-1244 - Frame Tag Information Disclosure Vulnerability
An information disclosure vulnerability exists in Internet Explorer.
An attacker could exploit the vulnerability by constructing a specially crafted Web page disguised as legitimate content.
The user's actions on the page could allow information disclosure or clickjacking, whereby the user's clicks perform unwanted actions.
- CVE-2011-1245 - JavaScript Information Disclosure Vulnerability
An information disclosure vulnerability exists in Internet Explorer that could allow script to gain access to information in another domain or Internet Explorer zone.
An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page.
An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone.
- CVE-2011-1345 - Object Management Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted.
An attacker could exploit the vulnerability by constructing a specially crafted Web page.
When a user views the Web page, the vulnerability could allow remote code execution.
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
This bulletin addresses three memory corruption vulnerabilities, as well as two information disclosure vulnerabilities.
To exploit any of these vulnerabilities, the attacker would simply have to convince a user to open a malicious web page (by sending them a link through email, instant messaging, etc.).
Upon opening the malicious page, the memory corruption would occur, granting the attacker the ability to execute arbitrary code within the context of the current user.
Recommendations
Install the patch immediately, as it patches the Pwn2Own vulnerability that was disclosed.
Until this is possible, read emails in plain text, block ActiveX controls, and block/disable Active Scripting in both the Internet and Local intranet zones.
MS11-019 Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows.
The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request.
To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.
The security update addresses the vulnerabilities by correcting the manner in which the CIFS Browser handles specially crafted Browser messages, and correcting the manner in which the SMB client validates specially crafted SMB responses.
- CVE-2011-0654 - Browser Pool Corruption Vulnerability
An unauthenticated remote code execution vulnerability exists in the way that the Common Internet File System (CIFS) Browser Protocol implementation parses malformed browser messages.
An attempt to exploit the vulnerability would not require authentication.
An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-0660 - SMB Client Response Parsing Vulnerability
An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block (SMB) client validates specially crafted SMB responses.
An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request.
An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
This bulletin addresses a memory corruption vulnerability and an SMB parsing vulnerability.
Both could permit an attacker to execute arbitrary code remotely on a vulnerable system, granting the attacker full system control, with the memory corruption vulnerability granting system-level access.
Neither vulnerability requires authentication to be exploited.
To exploit one of the vulnerabilities, the attacker would simply need to send a malicious Browser request to a vulnerable system, which would permit them to execute remote code on that system.
Recommendations
Install the patch immediately, as attackers will be seeking to combine the vulnerabilities in this patch with those in MS11-020, which could make for a very dangerous worm.
Until this is possible, block TCP ports 138, 139, and 445 with a firewall.
MS11-020 Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves a privately reported vulnerability in Microsoft Windows.
The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system.
Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.
The security update addresses the vulnerability by correcting the way that SMB validates fields in malformed SMB requests.
- CVE-2011-0661 - SMB Transaction Parsing Vulnerability
An unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets.
An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB packet to a computer running the Server service.
An attacker who successfully exploited this vulnerability could take complete control of the system.
Analysis
This bulletin addresses a parsing vulnerability in the SMB protocol implementation.
This could permit an attacker to execute arbitrary code remotely on a vulnerable system, granting them full control of the compromised system.
This vulnerability requires no authentication to be exploited.
To exploit this vulnerability, the attacker would simply need to send a malicious SMB packet to a vulnerable system, which would permit them to execute remote code on that system.
Recommendations
Install the patch immediately, as attackers will be seeking to combine the vulnerabilities in this patch with those in MS11-019, which could make for a very dangerous worm.
Until this is possible, block TCP ports 139 and 445 with a firewall.
MS11-021 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves nine privately reported vulnerabilities in Microsoft Office.
The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file.
An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The update addresses the vulnerabilities by correcting the way that Microsoft Excel manages data structures, validates record information, initializes variables used in memory operations, and allocates buffer space when parsing a specially crafted file.
- CVE-2011-0097 - Excel Integer Overrun Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-0098 - Excel Heap Overflow Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-0101 - Excel Record Parsing WriteAV Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-0103 - Excel Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-0104 - Excel Buffer Overwrite Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-0105 - Excel Data Initialization Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-0978 - Excel Array Indexing Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-0979 - Excel Linked List Corruption Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-0980 - Excel Dangling Pointer Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
This bulletin addresses nine memory corruption vulnerabilities in Microsoft Excel that, when exploited, could permit an attacker to execute arbitrary code remotely on a vulnerable system.
A user would simply have to open a malicious Excel file to be exploited, granting the attacker the same rights as the user.
The attacker might send this Excel file via email or instant message, via a link to a malicious file hosted on a web site, or by other similar methods.
Recommendations
Install the patch as soon as possible, since consistent code execution is likely.
Until this is possible, block Office Excel 2003 files from untrusted sources and use MOICE when opening files that are not from trusted sources.
It should be noted that no realistic mitigation exists for CVE-2011-0105 or CVE-2011-0101, so patching is the only way to protect against these vulnerabilities.
MS11-022 Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves three privately reported vulnerabilities in Microsoft PowerPoint.
The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file.
An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The update addresses the vulnerabilities by modifying the way that PowerPoint validates records when opening PowerPoint files.
- CVE-2011-0655 - Floating Point Techno-color Time Bandit RCE Vulnerability
A remote code execution vulnerability exists in the way that Microsoft PowerPoint handles specially crafted PowerPoint files.
An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.
- CVE-2011-0656 - Persist Directory RCE Vulnerability
A remote code execution vulnerability exists in the way that Microsoft PowerPoint handles specially crafted PowerPoint files.
An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.
- CVE-2011-0976 - OfficeArt Atom RCE Vulnerability
A remote code execution vulnerability exists in the way that Microsoft PowerPoint handles specially crafted PowerPoint files.
An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.
Analysis
This bulletin addresses three memory corruption vulnerabilities in Microsoft PowerPoint, which occur due to improper handling of errors in a malformed PowerPoint file.
If a user were to open a malicious file, it would grant the attacker the ability to execute arbitrary code remotely with the same rights as the user.
The attacker might send this PowerPoint file via email or instant message, via a link to a malicious file hosted on a web site, or by other similar methods.
Recommendations
Install the patch as soon as possible, since consistent code execution is likely.
Until this is possible, prevent the editing of documents opened in protected mode by using Office File Validation for PowerPoint 2010.
Additionally, block Office PowerPoint 2003 files from untrusted sources and use MOICE when opening files that are not from trusted sources.
MS11-023 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Office.
The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file or if a user opens a legitimate Office file that is located in the same network directory as a specially crafted library file.
An attacker who successfully exploited either of these vulnerabilities could gain the same user rights as the logged-on user.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The security update addresses the vulnerability by correcting the way that Microsoft Office handles graphic objects in specially crafted Office files and by correcting the manner in which Microsoft Office loads external libraries.
- CVE-2011-0107 - Office Component Insecure Library Loading Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Office handles the loading of DLL files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- CVE-2011-0977 - Microsoft Office Graphic Object Dereferencing Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Office handles graphic objects when parsing a specially crafted Office file.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
This bulletin addresses two remote code execution vulnerabilities in Microsoft Office: a DLL hijacking vulnerability and a memory object dereferencing vulnerability.
An attacker seeking to exploit the DLL hijacking vulnerability would merely need to convince a user to open a file on a WebDAV share, which would cause the attacker's malicious DLL to be loaded and the arbitrary code inside it to be executed.
Alternatively, the attacker could send the user a malicious file (or a link to the malicious file hosted on a web site), which the user would need to be convinced to open.
Upon opening the file, the vulnerability would be exploited, permitting the attacker to execute arbitrary code remotely in the context of the current user.
Recommendations
Administrators should install the patch at their earliest convenience.
Until this is possible, DLLs should be blocked from being loaded off of WebDAV shares, the WebClient service should be disabled, and TCP ports 139 and 445 should be blocked with a firewall.
MS11-024 Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves one publicly disclosed vulnerability in Microsoft Windows.
The vulnerability could allow remote code execution if a user opened a specially crafted fax cover page file (.cov) using the Windows Fax Cover Page Editor.
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The security update addresses the vulnerability by correcting the manner in which the Windows Fax Page Editor parses fax cover page files.
- CVE-2010-3974 - Fax Cover Page Editor Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that the Windows Fax Cover Page Editor improperly parses specially crafted fax cover pages.
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
This bulletin addresses a remote code execution vulnerability in the Windows Fax Cover Page Editor.
To exploit this vulnerability, an attacker would need to convince a user to open a malicious .cov file, which could be sent via email or instant messenger, hosted on a web site, etc.
Once the user opened this malicious .cov file in the Windows Fax Cover Page Editor, a memory corruption would occur, granting the attacker the ability to execute arbitrary code remotely in the context of the current user.
Recommendations
Install the patch as soon as possible, as the vulnerability has been publicly disclosed and consistent code execution has been found to be likely.
Until this is possible, disassociate the .cov file extension from the Windows Fax Cover Page Editor on Windows XP and Server 2003.
No mitigations are provided for the other operating systems, so patching is the only way to protect those systems against this vulnerability.
MS11-025 Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a publicly disclosed vulnerability in certain applications built using the Microsoft Foundation Class (MFC) Library.
The vulnerability could allow remote code execution if a user opens a legitimate file associated with such an affected application, and the file is located in the same network folder as a specially crafted library file.
For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by the affected application.
The security update addresses the vulnerability by correcting the manner in which applications built using MFC load external libraries.
- CVE-2010-3190 - MFC Insecure Library Loading Vulnerability
A remote code execution vulnerability exists in the way that certain applications built using the Microsoft Foundation Classes (MFC) handle the loading of DLL files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
This bulletin addresses a remote code execution vulnerability in how MFC loads DLL files.
To exploit this, an attacker would need to convince a user to open a file on a WebDAV share that was associated with any application built on MFC, which would result in the attacker's malicious DLL being loaded and the arbitrary code inside it being executed.
This has a far broader reach than the typical DLL loading vulnerability: those generally affect only specific applications, whereas this one affects any application that was built to use MFC.
Recommendations
Administrators should install the patch at their earliest convenience.
Until this is possible, DLLs should be blocked from being loaded off of WebDAV shares, the WebClient service should be disabled, and TCP ports 139 and 445 should be blocked with a firewall.
MS11-026 Vulnerability in MHTML Could Allow Information Disclosure (2503658)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a publicly disclosed vulnerability in the MHTML protocol handler in Microsoft Windows.
The vulnerability could allow information disclosure if a user visited a specially crafted Web site.
In a Web-based attack scenario, a Web site could contain a specially crafted link that is used to exploit this vulnerability.
An attacker would have to convince users to visit the Web site and open the specially crafted link.
The security update addresses the vulnerability by correcting the way that the MHTML parser handles requests.
- CVE-2011-0096 - MHTML Mime-Formatted Request Vulnerability
An information disclosure vulnerability exists in the way MHTML interprets MIME-formatted requests for content blocks within a document.
It is possible under certain conditions for this vulnerability to allow an attacker to run a client-side script in the wrong security context.
Similar to server-side cross-site scripting (XSS) vulnerabilities, it is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response to a Web request run in the context of the user's instance of Internet Explorer.
Analysis
This bulletin addresses an information disclosure vulnerability in MHTML.
An attacker could convince a user to view a web page containing a malicious MIME-formatted request; the request would run in a permitted security context, yet access data belonging to a security context that the script should be unable to reach.
At that point, the attacker would be able to access data that should not be accessible to scripts running in the attacker's security context.
Recommendations
Administrators should install the patch at their earliest convenience.
Until this is possible, either disable or lock down the MHTML protocol.
Additionally, block/disable ActiveX controls and Active Scripting in both the Internet and Local intranet zones.
MS11-027 Cumulative Security Update of ActiveX Kill Bits (2508272)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft software.
The vulnerabilities could allow remote code execution if a user views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This update also includes kill bits for three third-party ActiveX controls.
The security update addresses the vulnerabilities by setting kill bits so that the vulnerable controls do not run in Internet Explorer.
- CVE-2010-0811 - Microsoft Internet Explorer 8 Developer Tools Vulnerability
A remote code execution vulnerability exists in the ActiveX control, Microsoft Internet Explorer 8 Developer Tools.
An attacker could exploit the vulnerability by constructing a specially crafted Web page.
When a user views the Web page, the vulnerability could allow remote code execution.
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
- CVE-2010-3973 - Microsoft WMITools ActiveX Control Vulnerability
A remote code execution vulnerability exists in one of the Microsoft WMITools ActiveX controls.
An attacker could exploit the vulnerability by constructing a specially crafted Web page.
When a user views the Web page, the vulnerability could allow remote code execution.
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
- CVE-2011-1243 - Microsoft Windows Messenger ActiveX Control Vulnerability
A remote code execution vulnerability exists in the Microsoft Windows Messenger ActiveX Control.
An attacker could exploit the vulnerability by constructing a specially crafted Web page.
When a user views the Web page, the vulnerability could allow remote code execution.
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
Analysis
This bulletin addresses three remote code execution vulnerabilities by issuing kill bits for the affected products.
Three kill bits were set for Microsoft controls and fourteen for third-party controls.
To exploit these vulnerabilities, an attacker would need to convince a user to visit a malicious page that the attacker controls.
When the user visited the site, the page would load a vulnerable ActiveX control and exploit one of the vulnerabilities, providing the attacker with the ability to execute arbitrary code remotely.
Recommendations
Install the patch as soon as possible, since consistent code execution is likely.
Until this is possible, disable COM objects in Internet Explorer and block/disable ActiveX controls and Active Scripting in both the Internet and Local intranet zones.
MS11-028 Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework.
The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs).
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario.
This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
The security update addresses the vulnerability by correcting the manner in which the .NET Framework handles certain types of function calls.
- CVE-2010-3958 - .NET Framework Stack Corruption Vulnerability
A remote code execution vulnerability exists in the way that Microsoft .NET Framework handles certain function calls.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis A remote code execution vulnerability exists in the .NET Framework Just-In-Time (JIT) compiler.
On a client, an attacker who convinces a user to visit a malicious site under the attacker's control could trigger a stack corruption on the user's machine and execute arbitrary code in the context of the current user; on a server, an attacker who can upload and execute a crafted ASP.NET page gains code execution in the context of the ASP.NET account. Recommendations Install the patch immediately since this vulnerability has been publicly disclosed.
Until this is possible, prevent use of Microsoft .NET partially trusted applications and prevent the use of XAML applications in Internet Explorer.
MS11-029 Vulnerability in GDI+ Could Allow Remote Code Execution (2489979) Microsoft Severity Rating: Critical eEye Severity Rating: Critical
Description This security update resolves a privately reported vulnerability in Microsoft Windows GDI+.
The vulnerability could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The security update addresses the vulnerability by modifying the way that GDI+ handles integer calculations when processing EMF files.
- CVE-2011-0041 - GDI+ Integer Overflow Vulnerability
A remote code execution vulnerability exists in the way that GDI+ handles integer calculations.
The vulnerability could allow remote code execution if a user opens a specially crafted EMF image file.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis This bulletin addresses a remote code execution vulnerability in GDI+.
An attacker would only have to convince a user to load a page, under the attacker's control, that embeds a malicious EMF image; parsing the image triggers an integer overflow and gives the attacker the ability to execute arbitrary code with the rights of the current user.
The attacker could direct the user to this page by sending a link via e-mail, instant message, or similar means. Recommendations Install the patch as soon as possible since consistent code execution is likely.
Until this is possible, prevent metafiles from being processed, and prevent gdiplus.dll from being accessed.
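The "prevent metafiles from being processed" workaround corresponds to the DisableMetaFiles DWORD under HKLM\SOFTWARE\Microsoft\Gdiplus, which GDI+ honours system-wide. The script below is an added example for this page, not eEye's or Microsoft's code; it assumes an elevated session and includes the rollback, since the value breaks every application that relies on GDI+ to render EMF or WMF content and should be reverted once the patch is installed.

```powershell
# Added example: toggle GDI+ metafile (EMF/WMF) parsing via DisableMetaFiles.
# Assumes an elevated session. Side effect: GDI+-based rendering of metafiles stops working.
$GdiplusKey = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'

function Disable-GdiplusMetafiles {
    if (-not (Test-Path $GdiplusKey)) { New-Item -Path $GdiplusKey -Force | Out-Null }
    Set-ItemProperty -Path $GdiplusKey -Name 'DisableMetaFiles' -Value 1 -Type DWord
}

function Enable-GdiplusMetafiles {
    # Rollback after patching: 0 (or an absent value) restores normal metafile processing.
    if (Test-Path $GdiplusKey) {
        Set-ItemProperty -Path $GdiplusKey -Name 'DisableMetaFiles' -Value 0 -Type DWord
    }
}

function Test-GdiplusMetafilesDisabled {
    $v = (Get-ItemProperty -Path $GdiplusKey -Name 'DisableMetaFiles' -ErrorAction SilentlyContinue).DisableMetaFiles
    return ($v -eq 1)
}

Disable-GdiplusMetafiles
"GDI+ metafile processing disabled: $(Test-GdiplusMetafilesDisabled)"
# After the MS11-029 update is installed: Enable-GdiplusMetafiles
```

Processes that already have gdiplus.dll loaded keep their current behaviour until restarted, so verify with a freshly started viewer rather than an application that was open when the value was set.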
MS11-030 Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) Microsoft Severity Rating: Critical eEye Severity Rating: Critical
Description This security update resolves a privately reported vulnerability in Windows DNS resolution.
The vulnerability could allow remote code execution if an attacker gained access to the network and then created a custom program to send specially crafted LLMNR broadcast queries to the target systems.
Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter.
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
In this case, the LLMNR ports should be blocked from the Internet.
The security update addresses the vulnerability by correcting the manner in which the DNS client processes specifically crafted DNS queries.
- CVE-2011-0657 - DNS Query Vulnerability
A remote code execution vulnerability exists in the way that the DNS client service handles specially crafted LLMNR queries.
An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the NetworkService account.
Code running as NetworkService is limited to that account's privileges; taking complete control of the system (installing programs, changing data, creating accounts) would require a further elevation of privilege.
Analysis This bulletin addresses a vulnerability in the Windows DNS client's handling of malicious LLMNR queries, which an unauthenticated attacker on the same local network segment could exploit against a target machine.
On Windows Vista, Server 2008, 7, and Server 2008 R2, the attacker could execute arbitrary code remotely by sending a crafted LLMNR broadcast to vulnerable systems.
On Windows XP or Server 2003, the attacker would first need to authenticate locally, but could then elevate to NetworkService rights by running a maliciously crafted application. Recommendations Install the patch as soon as possible since consistent code execution is likely.
Until this is possible, block TCP and UDP port 5355 at the host firewall, use Group Policy to disable Link-Local Multicast Name Resolution, and disable Network Discovery.
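The three workarounds above can be applied per host without waiting for a Group Policy refresh. The script below is an added example for this page, not eEye's or Microsoft's code; it assumes an elevated session on Windows Vista, 7, Server 2008 or 2008 R2 with the Windows Firewall with Advanced Security (netsh advfirewall) available. The registry value it writes is the one the "Turn off multicast name resolution" policy (Computer Configuration, Administrative Templates, Network, DNS Client) sets; it takes effect after the DNS client restarts, so reboot or verify after a restart.

```powershell
# Added example: apply the MS11-030 workarounds on one host.
# Assumes an elevated session and the netsh advfirewall context (Vista and later).
$DnsClientPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Disable-Llmnr {
    # Same value the Group Policy setting "Turn off multicast name resolution" writes.
    if (-not (Test-Path $DnsClientPolicyKey)) { New-Item -Path $DnsClientPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $DnsClientPolicyKey -Name 'EnableMulticast' -Value 0 -Type DWord
}

function Test-LlmnrDisabled {
    $v = (Get-ItemProperty -Path $DnsClientPolicyKey -Name 'EnableMulticast' -ErrorAction SilentlyContinue).EnableMulticast
    return ($v -eq 0)
}

function Block-LlmnrPort {
    # LLMNR queries arrive over UDP 5355; TCP 5355 carries large responses, so block both inbound.
    foreach ($proto in 'UDP', 'TCP') {
        netsh advfirewall firewall add rule name=BlockLLMNR_$proto dir=in action=block protocol=$proto localport=5355 | Out-Null
    }
}

function Unblock-LlmnrPort {
    # Rollback after patching.
    foreach ($proto in 'UDP', 'TCP') {
        netsh advfirewall firewall delete rule name=BlockLLMNR_$proto | Out-Null
    }
}

function Disable-NetworkDiscovery {
    # Network Discovery is a firewall rule group; disabling the group removes its listeners.
    netsh advfirewall firewall set rule group="Network Discovery" new enable=No | Out-Null
}

Disable-Llmnr
Block-LlmnrPort
Disable-NetworkDiscovery
"LLMNR disabled by policy: $(Test-LlmnrDisabled)"
```

Blocking 5355 inbound is the part that matters for the remote vector: the vulnerable code runs in the DNS client service when it receives a query, so a host that no longer accepts 5355 cannot be reached even if a misconfigured adapter still has LLMNR enabled.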
MS11-031 Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666) Microsoft Severity Rating: Critical eEye Severity Rating: Critical
Description This security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines.
The vulnerability could allow remote code execution if a user visited a specially crafted Web site.
An attacker would have no way to force users to visit the Web site.
Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
The security update addresses the vulnerability by correcting the manner in which the JScript and VBScript scripting engines process scripts in Web pages.
- CVE-2011-0663 - Scripting Memory Reallocation Vulnerability
A remote code execution vulnerability exists in the JScript and VBScript scripting engines due to a memory corruption error.
An attacker who successfully exploited this vulnerability could run arbitrary code with the same user rights as the logged-on user; the scripting engines run in the browser process, not in kernel mode.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis A memory corruption vulnerability exists in the JScript and VBScript scripting engines when processing crafted scripts.
An attacker would need to convince the user to visit a specially crafted web page or open a malicious script in order to exploit the vulnerability.
Loading the decoded script into memory can cause an integer overflow during memory reallocation, allowing the attacker to execute code remotely in the context of the current user. Recommendations Administrators should install the patch at their earliest convenience.
Until this is possible, ActiveX Controls and Active Scripting within the Internet and Local Intranet security zone settings should be set to disabled.
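The zone-hardening workaround recurs in this digest: MS11-027 and MS11-031 ask for ActiveX controls and Active Scripting to be disabled in the Internet and Local Intranet zones, and MS11-028 for XAML browser applications to be blocked in the same zones. All of these are DWORD values under the per-user Zones key, so one script covers the three bulletins. It is an added example for this page, not eEye's or Microsoft's code. The value names are the documented IE zone action identifiers (1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting, 2400 = XAML browser applications, 2402 = Loose XAML; zone 1 = Local Intranet, zone 3 = Internet; 0 = enable, 1 = prompt, 3 = disable). Caveat: if the "Security Zones: Use only machine settings" policy is in force, IE reads the same values from HKLM rather than HKCU, and this script will have no effect.

```powershell
# Added example: disable ActiveX, Active Scripting and XAML browser applications in the
# Internet (3) and Local Intranet (1) zones for the current user, with a backup for rollback.
$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$Actions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting';
              '2400' = 'XAML browser applications';        '2402' = 'Loose XAML' }
$Disable = 3   # 0 = enable, 1 = prompt, 3 = disable

function Set-ZoneAction {
    param([int]$Zone, [string]$Action, [int]$Value)
    Set-ItemProperty -Path "$ZonesKey\$Zone" -Name $Action -Value $Value -Type DWord
}

function Get-ZoneAction {
    param([int]$Zone, [string]$Action)
    return (Get-ItemProperty -Path "$ZonesKey\$Zone" -Name $Action -ErrorAction SilentlyContinue).$Action
}

function Disable-ZoneActions {
    # Record the previous values so the change can be reverted once the patches are deployed.
    $backup = @{}
    foreach ($zone in $Zones.Keys) {
        foreach ($action in $Actions.Keys) {
            $backup["$zone/$action"] = Get-ZoneAction $zone $action
            Set-ZoneAction $zone $action $Disable
        }
    }
    return $backup
}

function Restore-ZoneActions {
    param([hashtable]$Backup)
    foreach ($entry in $Backup.GetEnumerator()) {
        $zone, $action = $entry.Key -split '/'
        if ($null -eq $entry.Value) {
            # Value was absent before (zone default applied): remove it again.
            Remove-ItemProperty -Path "$ZonesKey\$zone" -Name $action -ErrorAction SilentlyContinue
        } else {
            Set-ZoneAction ([int]$zone) $action ([int]$entry.Value)
        }
    }
}

$saved = Disable-ZoneActions
$saved | ConvertTo-Json | Set-Content -Path "$env:TEMP\ie-zone-backup.json"
foreach ($zone in $Zones.Keys) {
    foreach ($action in $Actions.Keys) {
        "{0,-14} {1,-34} = {2}" -f $Zones[$zone], $Actions[$action], (Get-ZoneAction $zone $action)
    }
}
# Rollback in the same session: Restore-ZoneActions $saved
```

Disabling scripting in the Local Intranet zone is the part most likely to break line-of-business sites, which is why the backup distinguishes "value was absent" from "value was 0": restoring a 0 where there was no value would pin the zone to enabled even after a later policy change.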
MS11-032 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618) Microsoft Severity Rating: Critical eEye Severity Rating: Critical
Description This security update resolves a privately reported vulnerability in the OpenType Compact Font Format (CFF) driver.
The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font.
In all cases, an attacker would have no way to force users to view the specially crafted content.
Instead, an attacker would have to convince users to visit a Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
The security update addresses the vulnerability by correcting the manner in which the OpenType Font (OTF) driver parses a specially crafted OpenType font.
- CVE-2011-0034 - OpenType Font Stack Overflow Vulnerability
A remote code execution vulnerability exists in the way that the OpenType Font (OTF) driver improperly parses specially crafted OpenType fonts.
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis A vulnerability exists in the Windows OpenType Compact Font Format (CFF) driver when processing an OpenType font containing a crafted parameter value.
Successful exploitation allows remote execution of arbitrary code.
Some third-party applications (e.g. web browsers) include native support for rendering OpenType fonts, increasing the attack surface for this vulnerability.
Because the font driver runs in kernel mode, successful exploitation gives the attacker kernel-mode access, allowing them to use the compromised system as a hub to launch attacks against other systems on the network. Recommendations Administrators should install the patch at their earliest convenience.
Until this is possible, disable the preview and details panes in Windows Explorer so that crafted fonts embedded in documents are not rendered on selection.
Additionally, disable the WebClient service, which blocks the most likely remote delivery vector, WebDAV.
MS11-033 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663) Microsoft Severity Rating: Critical eEye Severity Rating: Critical
Description This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opened a specially crafted file using WordPad.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The security update addresses the vulnerability by changing the way that the WordPad Text Converters handle specially crafted files.
- CVE-2011-0028 - WordPad Converter Parsing Vulnerability
A remote code execution vulnerability exists in the way that Microsoft WordPad parses specially crafted Word documents.
The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed structure.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis This bulletin addresses a remote code execution vulnerability in WordPad.
A user need only open a malicious file; the attacker then executes arbitrary code with that user's rights. Recommendations Administrators should install the patch at their earliest convenience.
Until this is possible, use CACLS to prevent access to mswrd8.wpc (and also mswrd864.wpc on x64 systems), which disables the vulnerable Word 6 converter.
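The CACLS workaround above, carried through with a check and a rollback. This is an added example for this page, not eEye's or Microsoft's code. It assumes an elevated session and that the converters live in a "Windows NT\Accessories" directory under each Program Files root; rather than hard-code the paths it locates the files by name, so the same script handles 32-bit hosts (mswrd8.wpc) and x64 hosts (mswrd8.wpc under Program Files (x86) plus mswrd864.wpc). If cacls reports access denied on a system-owned file, take ownership first with takeown /f.

```powershell
# Added example: deny Everyone access to the WordPad Word 6 converter(s) with cacls,
# verify the resulting Deny ACE, and provide the rollback for after patching.
# Assumes an elevated session; converter directory is assumed to be "Windows NT\Accessories".

function Get-WordPadConverters {
    $roots = @($env:ProgramFiles)
    if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }
    foreach ($root in $roots) {
        $dir = Join-Path $root 'Windows NT\Accessories'
        if (Test-Path $dir) {
            # Matches mswrd8.wpc and mswrd864.wpc, whichever are present on this host.
            Get-ChildItem -Path $dir -Filter 'mswrd8*.wpc' | ForEach-Object { $_.FullName }
        }
    }
}

function Test-EveryoneDenied {
    param([Parameter(Mandatory)][string]$Path)
    # cacls /P everyone:N is recorded as a Deny ACE for the Everyone SID (S-1-1-0).
    # Compare SIDs rather than names so the check also works on localized Windows.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Deny' -and $sid -eq 'S-1-1-0') { return $true }
    }
    return $false
}

function Block-WordPadConverters {
    foreach ($file in Get-WordPadConverters) {
        # /E edits the existing ACL instead of replacing it; /P everyone:N sets Everyone to "no access".
        cacls "$file" /E /P everyone:N | Out-Null
        "{0} blocked: {1}" -f $file, (Test-EveryoneDenied $file)
    }
}

function Unblock-WordPadConverters {
    # Rollback after the MS11-033 update: /R revokes the Everyone entry that was added.
    foreach ($file in Get-WordPadConverters) {
        cacls "$file" /E /R everyone | Out-Null
        "{0} blocked: {1}" -f $file, (Test-EveryoneDenied $file)
    }
}

Block-WordPadConverters
```

The Deny ACE applies to administrators too, since they are members of Everyone; that is intended for the workaround, but it is the reason the rollback must run before the update is installed if the installer needs to replace the converter file.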
MS11-034 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223) Microsoft Severity Rating: Critical eEye Severity Rating: Critical
Description This security update resolves thirty privately reported vulnerabilities in Microsoft Windows.
The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application.
An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
The vulnerabilities could not be exploited remotely or by anonymous users.
The security update addresses the vulnerabilities by correcting the way that kernel-mode drivers manage kernel-mode driver objects and keep track of pointers to kernel-mode driver objects.
Vulnerability Type 1: Win32k Use After Free Vulnerability - An elevation of privilege vulnerability exists due to the way that Windows Kernel-mode drivers manage kernel-mode driver objects.
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-0662
- CVE-2011-0665
- CVE-2011-0666
- CVE-2011-0667
- CVE-2011-0670
- CVE-2011-0671
- CVE-2011-0672
- CVE-2011-0674
- CVE-2011-0675
- CVE-2011-1234
- CVE-2011-1235
- CVE-2011-1236
- CVE-2011-1237
- CVE-2011-1238
- CVE-2011-1239
- CVE-2011-1240
- CVE-2011-1241
- CVE-2011-1242
Vulnerability Type 2: Win32k Null Pointer De-reference Vulnerability - An elevation of privilege vulnerability exists due to the way that Windows Kernel-mode drivers manage pointers to kernel-mode driver objects.
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2011-0673
- CVE-2011-0676
- CVE-2011-0677
- CVE-2011-1225
- CVE-2011-1226
- CVE-2011-1227
- CVE-2011-1228
- CVE-2011-1229
- CVE-2011-1230
- CVE-2011-1231
- CVE-2011-1232
- CVE-2011-1233
Analysis This bulletin addresses thirty local elevation of privilege vulnerabilities in the Win32k kernel-mode driver.
Each permits a locally authenticated attacker to run a crafted application that executes code in kernel mode, granting the attacker local system rights. Recommendations Administrators should install the patch at their earliest convenience.
Microsoft provides no workarounds for these vulnerabilities; limiting who can log on locally is the only interim control.