eEye Digital Security

Microsoft Patch Disclosure
May 10th, 2011

Overview
This month, Microsoft released 2 patches which repair a total of 3 vulnerabilities. Both of these patches address Remote Code Execution vulnerabilities.


Patch Precedence
Administrators are advised to patch MS11-035 immediately to prevent exploitation by attackers. Next, administrators should patch MS11-036 as soon as possible.

As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.

Bulletin/Advisory Summary

Critical
MS11-035 - Vulnerability in WINS Could Allow Remote Code Execution (2524426)

Important

MS11-036 - Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2545814)

Bulletin/Advisory Details

MS11-035
Vulnerability in WINS Could Allow Remote Code Execution (2524426)
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical

Description
This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS). The vulnerability could allow Remote Code Execution if a user received a specially crafted WINS replication packet on an affected system running the WINS service. By default, WINS is not installed on any affected operating system. Only customers who manually installed this component are affected by this issue. The security update addresses the vulnerability by correcting a logic error that occurs when buffers are passed as parameters.

  • WINS Service Failed Response Vulnerability - CVE-2011-1248
    A Remote Code Execution vulnerability exists in the Windows Internet Name Service (WINS) due to insufficient validations for the data structures within specially crafted WINS network packets sent to the WINS service. 

Analysis
This bulletin addresses a Remote Code Execution vulnerability within the WINS component of Microsoft Windows Servers. The vulnerability exists because user-supplied values are not cleared from the stack and are later used. An attacker could leverage the vulnerability to execute code with SYSTEM privileges on Windows Server 2003 and Local Service privileges on Windows Server 2008 and Windows Server 2008 R2. With these privileges an attacker could potentially install rootkits or other malware to maintain control over the machine, leverage trust relationships to compromise additional systems, and steal sensitive information to be sold or used at a later time.

Recommendations
Deploy patch immediately to prevent exploitation by attackers.  Until the patch can be installed, block ports TCP/42 and UDP/42 on external-facing firewalls.
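
To decide which servers need the MS11-035 patch and the port 42 block first, an administrator can check collected `netstat -ano` output for sockets accepting traffic on TCP/42 and UDP/42. The following is an added example, not eEye or Microsoft code; the sample output is constructed and the parser assumes the standard Windows `netstat -ano` column layout.

```python
# Constructed sample of Windows `netstat -ano` output (not taken from the bulletin).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:42             0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    10.0.0.5:4200          0.0.0.0:0              LISTENING       3004
  TCP    10.0.0.5:42            10.0.0.9:51522         ESTABLISHED     1520
  TCP    10.0.0.5:49811         10.0.0.9:42            ESTABLISHED     1520
  TCP    [::]:42                [::]:0                 LISTENING       1520
  UDP    0.0.0.0:42             *:*                                    1520
  UDP    127.0.0.1:42           *:*                                    1520
  UDP    0.0.0.0:137            *:*                                    4
"""

WINS_PORT = 42                   # port named in the recommendation above
LOOPBACK = ("127.", "[::1]")     # local-only bindings are not network reachable


def wins_listeners(netstat_text, port=WINS_PORT):
    """Return (proto, local_address, pid) for sockets accepting traffic on the port."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        proto, local = fields[0], fields[1]
        # Split on the last colon so IPv6 literals work and 4200 is not read as 42.
        _, _, local_port = local.rpartition(":")
        if local_port != str(port):
            continue
        # TCP rows count only when LISTENING; UDP rows have no state column.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        found.append((proto, local, fields[-1]))
    return found


def exposed_listeners(netstat_text, port=WINS_PORT):
    """Listeners bound to a non-loopback address, i.e. reachable from the network."""
    return [entry for entry in wins_listeners(netstat_text, port)
            if not entry[1].startswith(LOOPBACK)]


if __name__ == "__main__":
    for proto, local, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {local} (PID {pid}) is reachable on port {WINS_PORT}")
```

Map each reported PID back to its owning service on the host to confirm that the listener is WINS before prioritizing that server.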

 

MS11-036
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2545814)
Microsoft Severity Rating: Important
eEye Severity Rating: Important 

Description
This security update resolves two privately reported vulnerabilities in Microsoft PowerPoint. The vulnerabilities could allow Remote Code Execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited either of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-1269 and CVE-2011-1270. The update addresses the vulnerabilities by correcting the way that PowerPoint handles memory when parsing specially crafted PowerPoint files.

  • Presentation Memory Corruption RCE Vulnerability - CVE-2011-1269
    A Remote Code Execution vulnerability exists in the way that Microsoft PowerPoint handles specially crafted PowerPoint files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Presentation Buffer Overrun RCE Vulnerability - CVE-2011-1270
    A Remote Code Execution vulnerability exists in the way that Microsoft PowerPoint handles specially crafted PowerPoint files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Analysis
This bulletin addresses two Remote Code Execution vulnerabilities within Microsoft Office PowerPoint. The vulnerabilities are caused by improper parsing of PowerPoint files, which corrupts memory in a way that could be leveraged to execute arbitrary code at the logged-in user's privilege level. If the user is an administrator, an attacker could potentially use those privileges to install rootkits or other malware to maintain control over the machine, leverage trust relationships to compromise additional systems, and steal sensitive information to be sold or used at a later time.

Recommendations
Deploy patches as soon as possible. Until the patches can be installed, Office File Validation should be enabled to prevent the loading of invalid PowerPoint 2003 and 2007 files.  Additionally, use Microsoft Office File Block policy and Microsoft Office Isolated Conversion Environment (MOICE) to deter exploitation via Office 2003 and earlier binary files.

Feedback
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to newsletter@eeye.com.

Disclaimer
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email newsletter@eeye.com for permission.
www.eeye.com | sales@eeye.com | 111 Theory, Suite 250, Irvine, CA 92617 | 866.339.3732

© 1998 – 2012 eEye Digital Security. All rights reserved.