eEye Digital Security

Microsoft Patch Disclosure
March 8, 2011


Overview
This month, Microsoft released 3 bulletins which repair a total of 4 vulnerabilities.

All 3 of these bulletins address Remote Code Execution vulnerabilities.


Live Webinar: Vulnerability Expert Forum, presented by the eEye Research Team, Wednesday March 9th at 1pm PST / 4pm EST.
Patch Precedence
Administrators are advised to patch MS11-015, MS11-016 and MS11-017 immediately to prevent exploitation by attackers.

As always, eEye suggests that all users apply Microsoft patches as quickly as possible, preferably after testing their impact on internal applications and network continuity. For further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.

Bulletin/Advisory Summary

Critical
MS11-015 - Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)

Important

MS11-016 - Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047)
MS11-017 - Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)

Bulletin/Advisory Details

MS11-015
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves one publicly disclosed vulnerability in DirectShow and one privately reported vulnerability in Windows Media Player and Windows Media Center. The more severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so. The security update addresses the vulnerabilities by modifying the way library files and Windows media files are opened.

  • CVE-2011-0032 - DirectShow Insecure Library Loading Vulnerability
    A remote code execution vulnerability exists in the way that Microsoft DirectShow handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • CVE-2011-0042 - DVR-MS Vulnerability
    A remote code execution vulnerability exists in the way that Windows Media Player and Windows Media Center handle .dvr-ms files. This vulnerability could allow an attacker to execute arbitrary code if the attacker convinces a user to open a specially crafted .dvr-ms file. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
One publicly disclosed DLL hijacking vulnerability and one privately reported remote code execution vulnerability have been identified in Microsoft Windows Media applications. The first vulnerability is a standard insecure library loading error of the kind seen in the past with other applications. When a crafted media file (e.g. .wtv, .dvr-ms, .mpg) handled by Microsoft DirectShow is opened, the application will attempt to load a malicious DLL from an attacker-controlled location (e.g. a network share or WebDAV server). Once the malicious DLL is loaded, the attacker is able to execute arbitrary code with the privileges of the logged-in user. The second vulnerability is caused by improper parsing of Microsoft Digital Video Recording files (i.e. .dvr-ms) by Windows Media Player and Windows Media Center. If a user opens a malicious ".dvr-ms" file, an attacker would be able to execute arbitrary code with the privileges of the logged-in user. With either vulnerability, if the user is an administrator, the attacker would be able to install malicious software and use the compromised machine to launch further attacks against the internal and external network.

Recommendations
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, the loading of libraries from WebDAV and remote network shares should be disabled, the WebClient Service should be disabled, TCP ports 139 and 445 should be blocked on the external firewall, and strict file permissions on the Stream Buffer Engine (i.e. sbe.dll) should be enforced. Additionally, as with all DLL Preloading vulnerabilities, disable the WebDAV client and do not open ".wtv", ".dvr-ms", and ".mpg" files from untrusted sources.

MS11-016
Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a publicly disclosed vulnerability in Microsoft Groove that could allow remote code execution if a user opens a legitimate Groove-related file that is located in the same network directory as a specially crafted library file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses this vulnerability by correcting the manner in which Microsoft Groove 2007 loads external libraries.

  • CVE-2010-3146 - Microsoft Groove Insecure Library Loading Vulnerability
    A remote code execution vulnerability exists in the way that Microsoft Groove 2007 handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
One publicly disclosed DLL hijacking vulnerability has been identified in Microsoft Groove 2007. This vulnerability is a standard insecure library loading error of the kind seen in the past with other applications. When a crafted file associated with Microsoft Groove (e.g. .vcg, .gta) is opened, the application will attempt to load a malicious DLL from an attacker-controlled location (e.g. a network share or WebDAV server). Once the malicious DLL is loaded, the attacker is able to execute arbitrary code with the privileges of the logged-in user. If the user is an administrator, the attacker would be able to install malicious software and use the compromised machine to launch further attacks against the internal and external network.

Recommendations
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, the loading of libraries from WebDAV and remote network shares should be disabled, the WebClient Service should be disabled, and TCP ports 139 and 445 should be blocked on the external firewall. Additionally, as with all DLL Preloading vulnerabilities, disable the WebDAV client and do not open ".vcg" and ".gta" files from untrusted sources.

MS11-017
Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)
Microsoft Severity Rating: Important
eEye Severity Rating: Important

Description
This security update resolves a publicly disclosed vulnerability in Windows Remote Desktop Client. The vulnerability could allow remote code execution if a user opens a legitimate Remote Desktop configuration (.rdp) file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application. The security update addresses the vulnerability by correcting the manner in which the Windows Remote Desktop Client loads external libraries.

  • CVE-2011-0029 - Remote Desktop Insecure Library Loading Vulnerability
    A remote code execution vulnerability exists in the way that Windows Remote Desktop Client handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Analysis
One publicly disclosed DLL hijacking vulnerability has been identified in the Microsoft Remote Desktop Connection Client. This vulnerability is a standard insecure library loading error of the kind seen in the past with other applications. When a crafted file associated with the Microsoft RDC Client (e.g. .rdp) is opened, the application will attempt to load a malicious DLL from an attacker-controlled location (e.g. a network share or WebDAV server). Once the malicious DLL is loaded, the attacker is able to execute arbitrary code with the privileges of the logged-in user. If the user is an administrator, the attacker would be able to install malicious software and use the compromised machine to launch further attacks against the internal and external network.

Recommendations
Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, the loading of libraries from WebDAV and remote network shares should be disabled, the WebClient Service should be disabled, and TCP ports 139 and 445 should be blocked on the external firewall. Additionally, as with all DLL Preloading vulnerabilities, disable the WebDAV client and do not open ".rdp" files from untrusted sources.
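As an added example that is not part of the eEye newsletter, the following PowerShell script audits whether the interim mitigations repeated in the MS11-015, MS11-016 and MS11-017 recommendations are actually in place on a host. It assumes an English-language Windows 7 / Server 2008 R2 era host and an elevated PowerShell 2.0 or later session, that the CWDIllegalInDllSearch registry value from Microsoft's DLL preloading guidance (KB 2264107) is the control behind "disable library loading from WebDAV and remote network shares", and, because the perimeter block on TCP 139/445 cannot be verified from the host, that the host firewall's own outbound rules are inspected instead.

```powershell
# Added audit script (not eEye's code): reports the state of each interim
# DLL-preloading mitigation recommended for MS11-015/016/017. Run elevated.
# Assumes English netsh output and the default System32 location of sbe.dll.
function Test-DllPreloadMitigations {
    $results = @()
    # 1. CWDIllegalInDllSearch: 1 = no DLL loads from a current directory on a remote
    #    share or WebDAV folder, 2 = WebDAV only, 0xFFFFFFFF (reads back as -1) = the
    #    current directory is removed from the DLL search order entirely.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $cwd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    $results += New-Object PSObject -Property @{
        Check = 'CWDIllegalInDllSearch'
        Value = $(if ($cwd -eq $null) { 'not set' } else { '0x{0:X}' -f [int]$cwd })
        Ok    = ($cwd -eq 1 -or $cwd -eq -1)
    }
    # 2. WebClient (the WebDAV redirector) must be stopped and disabled, or absent.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    $results += New-Object PSObject -Property @{
        Check = 'WebClient service'
        Value = $(if ($svc) { "$($svc.State) / $($svc.StartMode)" } else { 'not installed' })
        Ok    = (-not $svc -or ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled'))
    }
    # 3. Look for an enabled outbound host-firewall rule that blocks TCP 139 or 445.
    #    netsh prints one rule per blank-line-separated block (English text assumed).
    $rules = ((netsh advfirewall firewall show rule name=all dir=out) -join "`n") -split "`n\s*`n"
    $smb = @($rules | Where-Object { $_ -match 'Enabled:\s+Yes' -and $_ -match 'Action:\s+Block' -and
        $_ -match 'Protocol:\s+TCP' -and $_ -match 'RemotePort:\s+.*\b(139|445)\b' })
    $results += New-Object PSObject -Property @{
        Check = 'Outbound TCP 139/445 blocked (host firewall)'
        Value = "$($smb.Count) matching rule(s)"
        Ok    = ($smb.Count -gt 0)
    }
    # 4. MS11-015 only: nobody but SYSTEM, Administrators and TrustedInstaller should
    #    hold write/modify rights on the Stream Buffer Engine DLL.
    $sbe = Join-Path $env:SystemRoot 'System32\sbe.dll'
    $weak = @(if (Test-Path $sbe) { (Get-Acl $sbe).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|Modify|FullControl' -and
        $_.IdentityReference -notmatch 'SYSTEM|Administrators|TrustedInstaller' } })
    $results += New-Object PSObject -Property @{
        Check = 'sbe.dll writable by non-admin principals'
        Value = $(if ($weak) { ($weak | ForEach-Object { $_.IdentityReference }) -join ', ' } else { 'none' })
        Ok    = ($weak.Count -eq 0)
    }
    $results
}

Test-DllPreloadMitigations | Format-Table Check, Value, Ok -AutoSize
```

A row with Ok = False identifies a mitigation still to apply; the sbe.dll check is only relevant to the MS11-015 recommendation.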

Feedback
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to newsletter@eeye.com.

Disclaimer
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email newsletter@eeye.com for permission.
www.eeye.com | sales@eeye.com | 111 Theory, Suite 250, Irvine, CA 92617 | 866.339.3732

© 1998 – 2012 eEye Digital Security. All rights reserved.