Bulletin/Advisory Details
MS11-003
Cumulative Security Update for Internet Explorer (2482017)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user opens a legitimate HTML file that loads a specially crafted library file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, handles Cascading Style Sheets, and loads external libraries.
- CSS Memory Corruption Vulnerability - CVE-2010-3971
A remote code execution vulnerability exists in the way that Internet Explorer accesses memory while importing a Cascading Style Sheet that refers to itself recursively. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
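The trigger shape described above is a stylesheet whose @import chain leads back to itself. As an added defensive example (not part of the eEye or Microsoft text), the following Python code detects that condition in fetched CSS, both the direct case (a sheet importing its own URL) and indirect cycles across several sheets, so a web proxy, mail gateway or scanner could flag such content. The sample stylesheets and the example.test URLs are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urldefrag

# Matches "@import url(x.css)", "@import url('x.css')" and "@import 'x.css'";
# anything after the URL (media queries, the semicolon) is ignored.
_IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*(?P<q1>['"]?)(?P<u1>[^'")]+)(?P=q1)\s*\)"""
    r"""|(?P<q2>['"])(?P<u2>[^'"]+)(?P=q2))""",
    re.IGNORECASE,
)


def _normalize(url):
    """Strip fragments and whitespace so the same sheet compares equal however it is written."""
    return urldefrag(url.strip())[0]


def imports_of(sheet_url, css_text):
    """Return the absolute URLs a stylesheet imports, in document order."""
    targets = []
    for m in _IMPORT_RE.finditer(css_text):
        rel = m.group("u1") or m.group("u2")
        targets.append(_normalize(urljoin(sheet_url, rel)))
    return targets


def imports_itself(sheet_url, css_text):
    """True if the sheet directly @imports its own URL (the recursive-import case)."""
    return _normalize(sheet_url) in imports_of(sheet_url, css_text)


def find_import_cycles(sheets):
    """sheets: {url: css_text}. Returns every import cycle found by depth-first search,
    each as a list of URLs that ends where it started. Imports of sheets that are not
    present in `sheets` (not fetched) are not followed."""
    graph = {_normalize(u): imports_of(u, t) for u, t in sheets.items()}
    WHITE, GRAY, BLACK = 0, 1, 2
    color = dict.fromkeys(graph, WHITE)
    path, cycles = [], []

    def visit(u):
        color[u] = GRAY
        path.append(u)
        for v in graph[u]:
            if v not in graph:
                continue
            if color[v] == GRAY:          # back edge: v is still on the current path
                cycles.append(path[path.index(v):] + [v])
            elif color[v] == WHITE:
                visit(v)
        path.pop()
        color[u] = BLACK

    for u in graph:
        if color[u] == WHITE:
            visit(u)
    return cycles


# Constructed sample stylesheets (not real content): a.css imports itself, b.css and
# c.css import each other, ok.css imports a sheet that was not fetched.
SAMPLE_SHEETS = {
    "http://example.test/a.css": "@import url(a.css);\nbody { color: red; }",
    "http://example.test/b.css": "@import 'c.css';",
    "http://example.test/c.css": '@import url("b.css") screen;',
    "http://example.test/ok.css": "@import url(theme.css);\nh1 { margin: 0; }",
}

if __name__ == "__main__":
    for cycle in find_import_cycles(SAMPLE_SHEETS):
        print("recursive @import chain:", " -> ".join(cycle))
```

The cycle search matters because the self-reference need not be literal: two sheets importing each other produce the same recursive load. Relative URLs are resolved against the importing sheet before comparison, since "a.css" and "http://example.test/a.css" are the same resource.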
- Uninitialized Memory Corruption Vulnerability - CVE-2011-0035
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Uninitialized Memory Corruption Vulnerability - CVE-2011-0036
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Internet Explorer Insecure Library Loading Vulnerability - CVE-2011-0038
A remote code execution vulnerability exists in the way that Internet Explorer handles the loading of DLL files. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
Four remote code execution vulnerabilities exist in Internet Explorer, two of which were publicly disclosed. Three of the vulnerabilities exist in Internet Explorer when parsing a crafted Cascading Style Sheet or other specially crafted web content. The fourth vulnerability exists when loading DLLs, causing susceptibility to DLL preloading attacks in e-mail, web, or network scenarios. Successful exploitation of these vulnerabilities allows arbitrary code execution at the logged-in user's privilege level.
Recommendations
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, ActiveX Controls and Active Scripting within the Internet and Local Intranet security zone settings should be set to disabled, e-mails should be read in plain text, and the recursive loading of CSS in Internet Explorer should be set to disabled. Additionally, as with all DLL preloading vulnerabilities, disable the WebDAV client and do not open HTML files from untrusted locations.
MS11-006
Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves a publicly disclosed vulnerability in the Windows Shell graphics processor. The vulnerability could allow remote code execution if a user views a specially crafted thumbnail image. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by correcting the manner in which the Windows Shell graphics processor parses thumbnail images.
- Windows Shell Graphics Processing Overrun Vulnerability - CVE-2010-3970
A remote code execution vulnerability exists in the way that the Windows Shell graphics processor handles specially crafted thumbnail images. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
A publicly disclosed stack-based buffer overrun vulnerability exists in the Windows Shell graphics processor when parsing a crafted thumbnail image. An attacker who is able to convince a user to view a crafted thumbnail image, either locally or on a network share (e.g. in a UNC or WebDAV location), could execute arbitrary code at the logged-in user's privilege level. If the user is an administrator, the attacker would be able to install malicious software and use the compromised machine to launch more attacks through the internal and external network.
Recommendations
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, the Access Control List on "shimgvw.dll" should be modified to be more restrictive and the displaying of thumbnails in Windows Explorer should be set to disabled.
MS11-007
Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font. In all cases, an attacker would have no way to force users to view the specially crafted content. Instead, an attacker would have to convince users to visit a Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site. The security update addresses the vulnerability by correcting the manner in which the Windows OpenType Compact Font Format (CFF) driver validates the parameter values of specially crafted OpenType fonts.
- OpenType Font Encoded Character Vulnerability - CVE-2011-0033
A remote code execution vulnerability exists in the way that the Windows OpenType Compact Font Format (CFF) driver improperly parses specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis
A privately reported vulnerability exists in the Windows OpenType Compact Font Format (CFF) driver when processing an OpenType font containing a crafted parameter value. Successful exploitation of this vulnerability allows remote execution of arbitrary code. Some third-party applications (e.g. web browsers) include native support for rendering OpenType, increasing the attack surface for this vulnerability. Once exploitation is achieved, the attacker would have kernel mode access, allowing them to use the compromised system as a hub to launch more attacks to other systems on the network.
Recommendations
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, disable the Preview Pane in Windows Explorer, the Details Pane in Windows Explorer and the WebClient Service.
MS11-004
Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a publicly disclosed vulnerability in Microsoft Internet Information Services (IIS) FTP Service. The vulnerability could allow remote code execution if an FTP server receives a specially crafted FTP command. FTP Service is not installed by default on IIS. The security update addresses the vulnerability by modifying the way that the IIS FTP Service handles specially crafted FTP commands.
- IIS FTP Service Heap Buffer Overrun Vulnerability - CVE-2010-3972
A vulnerability exists in the FTP Service in Microsoft Internet Information Services (IIS) 7.0 and Microsoft Internet Information Services (IIS) 7.5. The vulnerability could allow remote code execution.
Analysis
One publicly disclosed heap-based buffer overflow vulnerability exists in the Microsoft IIS FTP Service for Microsoft IIS 7.0 and 7.5 when handling crafted FTP commands. A remote attacker could exploit this vulnerability to execute arbitrary code in the context of the running local system. As a public proof-of-concept was released to demonstrate a denial of service condition, attackers could possibly develop a working exploit and subsequently compromise exposed systems.
Recommendations
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, disable or stop the FTP Service on IIS 7.0 and 7.5 systems.
MS11-005
Vulnerability in Active Directory Could Allow Denial of Service (2478953)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a publicly disclosed vulnerability in Active Directory. The vulnerability could allow denial of service if an attacker sent a specially crafted packet to an affected Active Directory server. The attacker must have valid local administrator privileges on the domain-joined computer in order to exploit this vulnerability. The security update addresses the vulnerability by correcting the way that the Active Directory server handles service principal name (SPN) update requests.
- Active Directory SPN Validation Vulnerability - CVE-2011-0040
A denial of service vulnerability exists in implementations of Microsoft Windows Active Directory due to improper validation of service principal names (SPN), which could result in SPN collisions. When this occurs, services that use the SPN will downgrade to NT LAN Manager (NTLM) if configured to negotiate. Services that are not configured to negotiate will become unavailable, resulting in a denial of service condition. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding.
Analysis
One publicly disclosed vulnerability exists in Microsoft Windows Active Directory when processing crafted service principal name (SPN) update requests. An attacker who is an administrator on a domain-joined system could exploit this vulnerability to cause name collisions on the domain, thereby causing authentication for SPN-dependent services to be downgraded to NTLM. Under specific configurations, if these SPN-dependent services are not configured to negotiate, they will become unavailable, causing a denial of service condition.
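Because the impact here hinges on two accounts holding the same SPN, the practical follow-up for a defender is to audit the directory for duplicates. As an added example (not from the bulletin), the Python below finds every SPN registered on more than one account from an exported list of (account, servicePrincipalName) pairs, comparing case-insensitively as Kerberos does; the same SPN repeated on one account is not a collision. The registrations and account names are constructed for illustration. Administrators normally get the same answer from setspn -X on a domain-joined host; this version is useful when working from an offline export.

```python
from collections import defaultdict

# Constructed sample of (account, servicePrincipalName) registrations, the shape one
# gets from exporting the servicePrincipalName attribute of each account. Not real data.
SAMPLE_REGISTRATIONS = [
    ("SRV01$",    "HOST/srv01.corp.example"),
    ("SRV01$",    "HOST/SRV01"),
    ("svc_sql",   "MSSQLSvc/sql01.corp.example:1433"),
    ("svc_sql",   "MSSQLSvc/sql01.corp.example"),
    ("SQL01$",    "MSSQLSvc/sql01.corp.example:1433"),   # also held by svc_sql
    ("svc_web",   "HTTP/intranet.corp.example"),
    ("svc_rogue", "http/INTRANET.corp.example"),         # same SPN, different case
]


def normalize_spn(spn):
    """SPN matching is case-insensitive, so compare a canonical lower-case form."""
    return spn.strip().lower()


def find_spn_collisions(registrations):
    """Map each SPN held by more than one account to the sorted list of those accounts.
    An SPN repeated on a single account is harmless and is not reported."""
    holders = defaultdict(set)
    for account, spn in registrations:
        holders[normalize_spn(spn)].add(account)
    return {spn: sorted(accts) for spn, accts in holders.items() if len(accts) > 1}


def report(registrations):
    """One human-readable line per colliding SPN, ordered by SPN."""
    lines = []
    for spn, accts in sorted(find_spn_collisions(registrations).items()):
        lines.append(f"SPN collision: {spn} registered on {', '.join(accts)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REGISTRATIONS)) or "no collisions")
```

A collision found this way is worth treating as an incident indicator as well as a misconfiguration: the analysis above describes exactly this state being induced deliberately, and the NTLM fallback it causes is itself visible as a change in authentication protocol for the affected service.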
Recommendations
Deploy patches as soon as possible as no forms of mitigation are available.
MS11-008
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2451879)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves two privately reported vulnerabilities in Microsoft Visio. The vulnerabilities could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited either of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerabilities by correcting the way that Microsoft Visio handles corrupted structures and objects in memory when parsing specially crafted Visio files.
- Visio Object Memory Corruption Vulnerability - CVE-2011-0092
A remote code execution vulnerability exists in the way that Microsoft Visio validates objects in memory when parsing specially crafted Visio files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
- Visio Data Type Memory Corruption Vulnerability - CVE-2011-0093
A remote code execution vulnerability exists in the way that Microsoft Visio parses certain structures when handling specially crafted Visio files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Analysis
Two privately reported memory corruption vulnerabilities exist in Microsoft Visio when parsing Visio files containing crafted objects and structures. An attacker would need to convince the user to open a crafted Visio file, through vectors such as a malicious e-mail attachment or a web page with user-controlled content. Successful exploitation allows arbitrary code execution at the logged-in user's privilege level. If the user is an administrator, the attacker would be able to install malicious software and use the compromised machine to launch more attacks through the internal and external network.
Recommendations
Deploy patches as soon as possible. Until the patches can be installed, application add-ins for Visio should be disabled.
MS11-009
Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure (2475792)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines. The vulnerability could allow information disclosure if a user visited a specially crafted Web site. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site. The security update addresses the vulnerability by correcting the manner in which the JScript and VBScript scripting engines process scripts in Web pages.
- Scripting Engines Information Disclosure Vulnerability - CVE-2011-0031
An information disclosure vulnerability exists in the JScript and VBScript scripting engines due to a memory corruption error. An attacker who successfully exploited this vulnerability could read data not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.
Analysis
A privately reported information disclosure vulnerability exists in the JScript and VBScript scripting engines when processing crafted scripts. An attacker would need to convince the user to visit a specially crafted web page or open a malicious script in order to exploit the vulnerability. Loading the decoded script into memory can cause a memory corruption scenario. If successfully exploited an attacker could obtain information that could be used to further compromise the system. However, exploitation would not allow arbitrary code execution.
Recommendations
Deploy patches as soon as possible. Until the patches can be installed, ActiveX Controls and Active Scripting within the Internet and Local Intranet security zone settings should be set to disabled.
MS11-010
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2476687)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a privately reported vulnerability in the Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Windows XP and Windows Server 2003. This security update is rated Important for all supported editions of these operating systems. The security update addresses the vulnerability by correcting the manner in which user processes are terminated upon logoff.
- CSRSS Elevation of Privilege Vulnerability - CVE-2011-0030
An elevation of privilege vulnerability exists in the way that the Windows Client/Server Run-time Subsystem (CSRSS) terminates a process when a user logs off. An attacker who successfully exploited this vulnerability could run code designed to monitor the actions of a user who subsequently logged on to the system. This could allow the disclosure of sensitive information or access to data on the affected systems that was accessible to the logged-on user. This sensitive data could include the logon credentials of subsequent users, which an attacker might later use for elevation of privilege or to execute code as a different user on the system. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system. If a user with administrative privileges subsequently logs on to the system, the attacker could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.
Analysis
A privately reported privilege elevation vulnerability exists in the Windows Client/Server Run-time Subsystem (CSRSS) when terminating a process during user logoff. An attacker that is able to log on locally to the system could leverage this vulnerability to continue execution of an application after logging off. This specially designed application could then monitor all actions performed by newly logged-on users in order to obtain sensitive information such as credentials. The sensitive information could then be further used to elevate privileges or execute code with the privileges of another user on the system. If the information obtained includes a user with administrative privileges, it could be used to execute code with elevated kernel mode privileges or to install malicious software and attack further computers within or outside of the network.
Recommendations
Deploy patches as soon as possible as no forms of mitigation are available.
MS11-011
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. The security update addresses the vulnerabilities by ensuring that the Windows kernel properly validates user-supplied data before allocating memory.
- Driver Improper Interaction with Windows Kernel Vulnerability - CVE-2010-4398
An elevation of privilege vulnerability exists due to the improper interaction of drivers with the Windows kernel. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
- Windows Kernel Integer Truncation Vulnerability - CVE-2011-0045
An elevation of privilege vulnerability exists due to the way that the Windows kernel allocates memory when reading user-supplied data. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
Analysis
Two privilege escalation vulnerabilities exist in the Windows kernel when allocating memory and handling user-controlled registry keys. Of the two vulnerabilities, the publicly disclosed one allows a local attacker that is both authenticated and on a domain-joined system to send crafted ticket requests to the KDC and obtain elevated system level privileges on the local machine. With these privileges an attacker could further compromise systems and install rootkits or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.
Recommendations
Deploy patches as soon as possible as no forms of mitigation are available.
MS11-012
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2479628)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves five privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. The security update addresses the vulnerabilities by correcting the way the Windows kernel-mode drivers validate input passed from user mode.
- Win32k Improper User Input Validation Vulnerability - CVE-2011-0086
An elevation of privilege vulnerability exists in the way that Windows kernel-mode drivers validate data supplied from user mode to kernel mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
- Win32k Insufficient User Input Validation Vulnerability - CVE-2011-0087
An elevation of privilege vulnerability exists in the way that Windows kernel-mode drivers validate data supplied from user mode to kernel mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
- Win32k Window Class Pointer Confusion Vulnerability - CVE-2011-0088
An elevation of privilege vulnerability exists in the way that Windows kernel-mode drivers validate data supplied from user mode to kernel mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
- Win32k Window Class Improper Pointer Validation Vulnerability - CVE-2011-0089
An elevation of privilege vulnerability exists in the way that Windows kernel-mode drivers validate data supplied from user mode to kernel mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
- Win32k Memory Corruption Vulnerability - CVE-2011-0090
An elevation of privilege vulnerability exists in the way that Windows kernel-mode drivers validate data supplied from user mode to kernel mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
Analysis
Five privately reported privilege escalation vulnerabilities exist in the Windows kernel-mode drivers, specifically "Win32k.sys", when handling data supplied from user mode to kernel mode. An attacker that is able to run a crafted application could exploit these vulnerabilities to execute arbitrary code with elevated kernel mode privileges. With these privileges an attacker could further compromise systems and install rootkits or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.
Recommendations
Deploy patches as soon as possible as no forms of mitigation are available.
MS11-013
Vulnerabilities in Kerberos Could Allow Elevation of Privilege (2496930)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if a local, authenticated attacker installs a malicious service on a domain-joined computer. This update addresses the vulnerabilities by preventing the use of weak hashing algorithms in both Windows Kerberos and Windows KDC and by preventing the client from downgrading the encryption standard to DES for Kerberos communication between client and server.
- Kerberos Unkeyed Checksum Vulnerability - CVE-2011-0043
An elevation of privilege vulnerability exists in implementations of Kerberos. The vulnerability exists because the Microsoft Kerberos implementation supports a weak hashing mechanism, which can allow for certain aspects of a Kerberos service ticket to be forged. A malicious user or attacker who successfully exploited this vulnerability could obtain a token with elevated privileges on the affected system.
- Kerberos Spoofing Vulnerability - CVE-2011-0091
A spoofing vulnerability exists in implementations of Kerberos on Windows 7 and Windows Server 2008 R2. The vulnerability exists because it is possible to downgrade Kerberos authentication to use DES instead of the default, stronger encryption standards included in Windows 7 and Windows Server 2008 R2.
Analysis
Two vulnerabilities exist in the Microsoft Kerberos implementation in Windows due to weak hashing and encryption algorithms that could facilitate spoofing attacks or grant elevated privileges. One of the two vulnerabilities was publicly disclosed; if exploited, it allows a local attacker that is both authenticated and on a domain-joined system to send crafted ticket requests to the KDC and obtain elevated system level privileges on the local machine. This vulnerability, however, is not exploitable on domains where the domain controller is running Windows Server 2008 or Windows Server 2008 R2. The other vulnerability is contingent upon an attacker's ability to perform man-in-the-middle attacks, which if successful can be exploited to degrade the default encryption to DES so as to impersonate legitimate users' credentials or forge all traffic in a compromised session.
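A downgrade to DES of the kind described for CVE-2011-0091 leaves a trace the KDC already records: the encryption type of each ticket it issues. As an added detection example (not part of the bulletin), the Python below parses the "Field: value" body of Windows service-ticket events (event ID 4769 on Windows Server 2008 and later domain controllers) and flags any ticket issued with a single-DES encryption type, since Windows 7 and Windows Server 2008 R2 do not use DES by default. The encryption type numbers are the standard Kerberos assignments; the event bodies and the account and service names in them are constructed for illustration.

```python
import re

# Kerberos encryption type numbers (RFC 3961 and RFC 4757 assignments).
ETYPE_NAMES = {
    0x1: "des-cbc-crc", 0x2: "des-cbc-md4", 0x3: "des-cbc-md5",
    0x10: "des3-cbc-sha1", 0x11: "aes128-cts-hmac-sha1-96",
    0x12: "aes256-cts-hmac-sha1-96", 0x17: "rc4-hmac", 0x18: "rc4-hmac-exp",
}
SINGLE_DES = {0x1, 0x2, 0x3}

# One "Field: value" pair per line, as in the message body of a Windows security event.
# The key is the shortest run of letters and spaces before the first colon, so values
# containing colons (SPNs with ports, IPv6 addresses) survive intact.
_FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.+?)\s*$", re.MULTILINE)

# Constructed sample 4769 (service ticket request) bodies. The field names follow the
# Windows event layout; the accounts, services and addresses are made up.
SAMPLE_EVENTS = [
    "Account Name:\talice@CORP.EXAMPLE\nService Name:\tMSSQLSvc/sql01.corp.example:1433\n"
    "Client Address:\t::ffff:10.0.0.5\nTicket Encryption Type:\t0x12",
    "Account Name:\tbob@CORP.EXAMPLE\nService Name:\tHTTP/intranet.corp.example\n"
    "Client Address:\t::ffff:10.0.0.6\nTicket Encryption Type:\t0x17",
    "Account Name:\tcarol@CORP.EXAMPLE\nService Name:\tcifs/files01.corp.example\n"
    "Client Address:\t::ffff:10.0.0.7\nTicket Encryption Type:\t0x3",
]


def parse_event(body):
    """Return the event body as a {field: value} dict."""
    return {m.group("key"): m.group("val") for m in _FIELD_RE.finditer(body)}


def etype_name(code):
    return ETYPE_NAMES.get(code, f"unknown(0x{code:x})")


def flag_single_des_tickets(event_bodies):
    """Return (account, service, etype name) for every ticket issued with a single-DES
    encryption type, the state a successful downgrade would leave in the KDC audit log."""
    findings = []
    for body in event_bodies:
        fields = parse_event(body)
        raw = fields.get("Ticket Encryption Type")
        if raw is None:
            continue
        code = int(raw, 16)            # Windows logs the etype as a hex string such as 0x12
        if code in SINGLE_DES:
            findings.append((fields["Account Name"], fields["Service Name"], etype_name(code)))
    return findings


if __name__ == "__main__":
    for acct, svc, et in flag_single_des_tickets(SAMPLE_EVENTS):
        print(f"DES ticket: {acct} -> {svc} ({et})")
```

On a domain where no service account has been deliberately configured for DES, any hit from this check is anomalous and worth correlating with the client address in the same event; it complements rather than replaces the patch, which removes the downgrade path itself.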
Recommendations
Deploy patches as soon as possible if using Kerberos authentication as no forms of mitigation are available.
MS11-014
Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege (2478960)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a privately reported vulnerability in the Local Security Authority Subsystem Service (LSASS) in Windows XP and Windows Server 2003. This security update is rated Important for all supported editions of these operating systems. The security update addresses the vulnerability by correcting the manner in which LSASS handles specific values used in the authentication process.
- LSASS Length Validation Vulnerability - CVE-2011-0039
An elevation of privilege vulnerability exists in the way that the Microsoft Windows Local Security Authority Subsystem Service (LSASS) processes specially crafted authentication requests. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
Analysis
A privately reported privilege elevation vulnerability exists in the Windows Local Security Authority Subsystem Service (LSASS) when handling a crafted authentication request. An attacker who is able to run a crafted application could exploit this vulnerability to execute arbitrary code with elevated kernel mode privileges. With these privileges an attacker could further compromise systems and install rootkits or other malware to maintain control over the machine and steal potentially sensitive information, which could be sold or used at a later time.
Recommendations
Deploy patches immediately to prevent exploitation by attackers as no forms of mitigation are available.