Microsoft Patch Disclosure
January 11th, 2011
Overview
This month, Microsoft released 2 patches which repair a total of 3 vulnerabilities. Both of these patches address Remote Code Execution vulnerabilities.
Live Webinar: Vulnerability Expert Forum
Presenter: The eEye Research Team
Date/Time: Wednesday, January 12th at 11am PST / 2pm EST
Patch Precedence
Administrators are advised to patch MS11-002 immediately to prevent exploitation by attackers.
Administrators should patch MS11-001 at their earliest convenience.
As always, eEye suggests that all users apply Microsoft patches as quickly as possible, preferably after testing their impact on internal applications and network continuity. For further information on the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.
For more information on patch precedence, see the eEye Versa Newsletter article "Patch Tuesday Prioritization for a Large Enterprise".
Bulletin/Advisory Details
MS11-002
Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves two privately reported vulnerabilities in Microsoft Data Access Components. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerabilities by ensuring that MDAC correctly validates string length and memory allocation.
- DSN Overflow Vulnerability - CVE-2011-0026
A remote code execution vulnerability exists in the way that Microsoft Data Access Components validates third-party API usage. This vulnerability could allow code execution if a user visited a specially crafted Web page. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- ADO Record Memory Vulnerability - CVE-2011-0027
A remote code execution vulnerability exists in the way that Microsoft Data Access Components validates memory allocation. This vulnerability could allow code execution if a user visited a specially crafted Web page. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
There are two vulnerabilities in Microsoft Data Access Components, both allowing for remote code execution in the context of the local user. A user must visit a specially crafted web page in order for the vulnerability to be exploited; once a user has visited a malicious page, an attacker may gain complete control of the system if the user is running as an administrator.
Recommendations
Administrators are urged to patch immediately; however, there is one mitigating factor and one workaround that help lessen the impact of these vulnerabilities:
- CVE-2011-0026 is not exploitable under the default Windows configuration: a third-party application that uses ODBC (Open Database Connectivity) APIs in an insecure way must be installed on the system for it to be vulnerable.
- CVE-2011-0027 may be mitigated by setting the Internet and Local Intranet zones to “High” within Internet Explorer, or by configuring Internet Explorer to prompt the user before running Active Scripting:
- In Internet Explorer, open the Security tab --> Internet --> Custom Level. Under Settings, in the Scripting section, set Active Scripting to “Prompt” or “Disable”.
- Go back to the Security tab --> Local Intranet --> Custom Level. Under Settings, in the Scripting section, set Active Scripting to “Prompt” or “Disable”.
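The Active Scripting workaround above is stored per zone in the registry, so it can be audited (and applied) for a fleet without clicking through the Internet Options dialog. The following script is an added example and is not part of the eEye newsletter or a Microsoft tool. It assumes the standard Internet Explorer layout: per-zone URL actions live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones, zone 1 is Local Intranet, zone 3 is Internet, and the Active Scripting action is value 1400 (0 = Enable, 1 = Prompt, 3 = Disable). The function names are this example's own.

```powershell
# Added example (not from the eEye newsletter): audit, and optionally apply, the
# Internet Explorer Active Scripting workaround for CVE-2011-0027 for the current user.
# Assumptions: per-zone URL actions are stored under the key below; Active Scripting
# is action 1400 with 0 = Enable, 1 = Prompt, 3 = Disable; zone 1 = Local Intranet,
# zone 3 = Internet.

$ZonesKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScripting = '1400'
$ZoneNames = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingSetting {
    # Returns one object per zone with the current Active Scripting setting and
    # whether it already matches the workaround (Prompt or Disable).
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        $key   = Join-Path $ZonesKey $zone
        $value = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
        # A missing value means the zone template default applies; for these two zones
        # that is "Enable" (assumption made explicit here so the audit errs on the side of "not mitigated").
        if ($null -eq $value) { $value = 0 }
        $value = [int]$value
        [pscustomobject]@{
            Zone      = $ZoneNames[$zone]
            ZoneId    = $zone
            Setting   = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { "Unknown ($value)" }
            Mitigated = ($value -eq 1 -or $value -eq 3)
        }
    }
}

function Set-ActiveScriptingPrompt {
    # Applies the workaround for the current user: Active Scripting = Prompt (1) in
    # both zones, or Disable (3) when -Disable is given. Returns the post-change audit.
    param([switch]$Disable)
    $target = if ($Disable) { 3 } else { 1 }
    foreach ($zone in $ZoneNames.Keys) {
        $key = Join-Path $ZonesKey $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $ActiveScripting -Value $target -Type DWord
    }
    Get-ActiveScriptingSetting
}

# Audit only by default; run Set-ActiveScriptingPrompt (or -Disable) to apply the workaround.
Get-ActiveScriptingSetting | Format-Table -AutoSize
```

Two caveats when using this at scale: the script reads and writes HKCU, so it reflects the logged-on user's settings and must run in that user's context (a login script or per-user Group Policy Preference is the usual vehicle); and on machines where the Security_HKLM_only policy is set, Internet Explorer takes zone settings from HKLM and Group Policy instead, so the HKCU values shown here are not the ones in effect.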
MS11-001
Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (2478935)
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This security update resolves a publicly disclosed vulnerability in Windows Backup Manager. The vulnerability could allow remote code execution if a user opens a legitimate Windows Backup Manager file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the legitimate file from that location, which in turn could cause Windows Backup Manager to load the specially crafted library file. The security update addresses the vulnerability by correcting the manner in which Windows Backup Manager loads external libraries.
- Backup Manager Insecure Library Loading Vulnerability - CVE-2010-3145
A remote code execution vulnerability exists in the way that the Microsoft Windows Backup Manager handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
Windows Backup Manager loads DLLs insecurely, making it susceptible to DLL preloading attacks. Files that Windows Backup Manager opens, such as .wbcat catalogs, from attacker-controlled locations (e.g. a WebDAV server or other untrusted location) could allow the attacker to execute arbitrary code in the context of the local user. This vulnerability only affects Windows Vista (both 32-bit and 64-bit).
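The precondition the bulletin describes is concrete enough to check for: a legitimate file that Windows Backup Manager opens, sitting on a remote location, with a DLL placed in the same directory. The script below is an added example, not eEye's or Microsoft's code; it inspects a file (or sweeps a share) and reports whether that precondition is present, which is useful both for triaging a suspicious share and for confirming that catalog files are only being opened from trusted local paths. The function names, the output fields and the Risk labels are this example's own; it assumes PowerShell 3.0 or later for the -File switch and DisplayRoot property.

```powershell
# Added example (not from the eEye newsletter): report the DLL preloading precondition
# described for MS11-001. For a given file it answers two questions: does the file live
# on a remote location (UNC path or a drive mapped to one), and are there DLLs in the
# same directory that a vulnerable application would find before the real library?
# Function names, output fields and the Risk labels are this example's own.

function Test-DllPreloadRisk {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Extensions opened by Windows Backup Manager; .wbcat is the one named in the bulletin.
        [string[]]$RiskyExtensions = @('.wbcat')
    )
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $dir  = $item.DirectoryName

    # \\server\share\... paths (including WebDAV paths such as \\server\DavWWWRoot\...)
    # are UNC; a mapped drive letter pointing at a share shows up via DisplayRoot.
    $isUnc      = ([System.Uri]$item.FullName).IsUnc
    $mappedRoot = (Get-PSDrive -Name $item.PSDrive.Name -ErrorAction SilentlyContinue).DisplayRoot
    $isRemote   = $isUnc -or -not [string]::IsNullOrEmpty($mappedRoot)

    # Any DLL beside the document is a candidate for preloading by an application that
    # searches the document's directory before the system directories.
    $coLocatedDlls = @(Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
                       Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        File          = $item.FullName
        IsRemote      = $isRemote
        OpensWithWBM  = ($RiskyExtensions -contains $item.Extension.ToLower())
        CoLocatedDlls = $coLocatedDlls
        Risk          = if ($isRemote -and $coLocatedDlls.Count -gt 0) { 'High' }
                        elseif ($isRemote -or $coLocatedDlls.Count -gt 0) { 'Medium' }
                        else { 'Low' }
    }
}

function Find-RiskyCatalogs {
    # Sweep a directory tree (for example a file share) for .wbcat files and list the
    # riskiest first. Sweeping a share you administer is read-only and safe.
    param([Parameter(Mandatory)][string]$Root)
    $order = @{ High = 0; Medium = 1; Low = 2 }
    Get-ChildItem -LiteralPath $Root -Recurse -Filter '*.wbcat' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-DllPreloadRisk -Path $_.FullName } |
        Sort-Object -Property @{ Expression = { $order[$_.Risk] } }
}

# Usage (paths are placeholders):
#   Test-DllPreloadRisk -Path '\\fileserver\backups\catalog.wbcat'
#   Find-RiskyCatalogs -Root '\\fileserver\backups' | Format-Table File, Risk, CoLocatedDlls -AutoSize
```

A "High" result does not prove an attack, since legitimate DLLs do end up in shared folders; it identifies exactly the arrangement the bulletin warns about, so those files should be opened only after the patch is applied or after the directory has been reviewed. The check also does nothing about a user who browses to an untrusted share directly, which is why the patch, not the check, is the fix.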
Recommendations
Administrators are urged to install the patch; however, there is a workaround that may be used to help mitigate this threat: