Overview 
This month, Microsoft released five patches that repair a total of 15 vulnerabilities. Three of these patches address Remote Code Execution vulnerabilities and two patches address Elevation of Privilege vulnerabilities.


Administrators should first patch MS11-071 and MS11-074, as soon as possible, since they patch publicly disclosed vulnerabilities, followed by MS11-070, MS11-072, and MS11-073.

As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team. Register Now >>
                         

Vulnerability Expert Forum (VEF)
 

 

The eEye Research Team

 

Wednesday September 14th 

1pm PT / 4pm ET / 8pm GMT
 

Sneak Peak Podcast:
Listen Now >>


 

 

MS11-070
Vulnerability in WINS Could Allow Elevation of Privilege (2571621)
Microsoft Rating: Important
eEye Rating: Important

CVE: CVE-2011-1984

Analysis
This bulletin addresses 1 privately reported elevation of privilege vulnerability in Windows Internet Name Service (WINS). The patch fixes a local improper validation of malicious packets received on the loopback interface. An attacker that successfully exploited this vulnerability would gain local system privileges on the target machine.

Recommendations
Deploy patches as soon as possible, since no mitigation is available.


MS11-071
Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)
Microsoft Rating: Important
eEye Rating: Important

CVE: CVE-2011-1991

Analysis
This bulletin addresses 1 publicly reported remote code execution vulnerability in Windows Components (deskpan.dll). The patch fixes a DLL hijacking vulnerability that affects .txt, .rtf, and .doc documents. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

Recommendations
Deploy patches as soon as possible. Until the patch can be applied, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.


MS11-072
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)
Microsoft Rating: Important
eEye Rating: Important

CVE List: CVE-2011-1986, CVE-2011-1987, CVE-2011-1988, CVE-2011-1989, & CVE-2011-1990

Analysis
This bulletin addresses 5 privately reported remote code execution vulnerabilities in Microsoft Excel. The patch fixes a use after free vulnerability, a heap corruption vulnerability, two array indexing vulnerabilities, and a logic vulnerability when parsing Excel files. An attacker that successfully exploited these vulnerabilities would gain user level access to the target machine.

Recommendations
Deploy patches as soon as possible. Until the patch can be applied, block Office Excel (2003, 2007, and 2010) files that fail validation, block Excel (2003, 2007, and 2010) files from untrusted sources and use MOICE when opening files that are not from trusted sources.


MS11-073
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)
Microsoft Rating: Important
eEye Rating: Important

CVE List: CVE-2011-1980 & CVE-2011-1982

Analysis
This bulletin addresses 2 privately reported remote code execution vulnerabilities in Microsoft Office. The patch fixes a DLL hijacking vulnerability that affects .doc, .xls, and .ppt file types. Additionally, a null pointer de-reference vulnerability was patched. An attacker that successfully exploited these vulnerabilities would gain user level access to the target machine.

Recommendations
Deploy patches as soon as possible. Until the patch can be applied, block Office Excel, Word, and PowerPoint (2003, 2007, and 2010) files that fail validation, block Excel, Word, and PowerPoint (2003, 2007, and 2010) files from untrusted sources and use MOICE when opening files that are not from trusted sources. Additionally, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.


MS11-074
Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)
Microsoft Rating: Important
eEye Rating: Important

CVE List: CVE-2011-0653, CVE-2011-1252, CVE-2011-1890, CVE-2011-1891, CVE-2011-1892, & CVE-2011-1893

Analysis
This bulletin addresses 5 privately and one 1 publicly reported vulnerabilities in Microsoft SharePoint. The patch fixes 5 information disclosure vulnerabilities and 1 remote script execution vulnerability. These are caused by cross-site scripting (XSS) vulnerabilities, a file disclosure vulnerability, and a failure to properly sanitize SafeHTML. An attacker that successfully exploited could gain the ability to execute remote scripts in the user's browser.

Recommendations
Deploy patches as soon as possible. Until the patch can be applied, enable the XSS filter in Internet Explorer (available in versions 8 and higher). Note that no mitigations exist for CVE-2011-1252 and CVE-2011-1892.