VERT Alert - April 12, 2011

April 12, 2011 8:00 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire’s research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 17 new Microsoft Security Bulletins fixing 64 vulnerabilities. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-398 on Wednesday, April 13th.

Bulletins and the vulnerabilities they address:

MS11-018
Layouts Handling Memory Corruption Vulnerability CVE-2011-0094
MSHTML Memory Corruption Vulnerability CVE-2011-0346
Frame Tag Information Disclosure Vulnerability CVE-2011-1244
Javascript Information Disclosure Vulnerability CVE-2011-1245
Object Management Memory Corruption Vulnerability CVE-2011-1345
MS11-019
Browser Pool Corruption Vulnerability CVE-2011-0654
SMB Client Response Parsing Vulnerability CVE-2011-0660
MS11-020
SMB Transaction Parsing Vulnerability CVE-2011-0661
MS11-021
Excel Integer Overrun Vulnerability CVE-2011-0097
Excel Heap Overflow Vulnerability CVE-2011-0098
Excel Record Parsing WriteAV Vulnerability CVE-2011-0101
Excel Memory Corruption Vulnerability CVE-2011-0103
Excel Buffer Overwrite Vulnerability CVE-2011-0104
Excel Data Initialization Vulnerability CVE-2011-0105
Excel Array Indexing Vulnerability CVE-2011-0978
Excel Linked List Corruption Vulnerability CVE-2011-0979
Excel Dangling Pointer Vulnerability CVE-2011-0980
MS11-022
Floating Point Techno-color Time Bandit RCE Vulnerability CVE-2011-0655
Persist Directory RCE Vulnerability CVE-2011-0656
OfficeArt Atom RCE Vulnerability CVE-2011-0976
MS11-023
Office Component Insecure Library Loading Vulnerability CVE-2011-0107
Microsoft Office Graphic Object Dereferencing Vulnerability CVE-2011-0977
MS11-024
Fax Cover Page Editor Memory Corruption Vulnerability CVE-2010-3974
MS11-025
MFC Insecure Library Loading Vulnerability CVE-2010-3190
MS11-026
MHTML Mime-Formatted Request Vulnerability CVE-2011-0096
MS11-027
Microsoft Internet Explorer 8 Developer Tools Vulnerability CVE-2010-0811
Microsoft WMITools ActiveX Control Vulnerability CVE-2010-3973
Microsoft Windows Messenger ActiveX Control Vulnerability CVE-2011-1243
MS11-028
.NET Framework Stack Corruption Vulnerability CVE-2010-3958
MS11-029
GDI+ Integer Overflow Vulnerability CVE-2011-0041
MS11-030
DNS Query Vulnerability CVE-2011-0657
MS11-031
Scripting Memory Reallocation Vulnerability CVE-2011-0663
MS11-032
OpenType Font Stack Overflow Vulnerability CVE-2011-0034
MS11-033
WordPad Converter Parsing Vulnerability CVE-2011-0028
MS11-034
Win32k Use After Free Vulnerability i CVE-2011-0662
Win32k Use After Free Vulnerability ii CVE-2011-0665
Win32k Use After Free Vulnerability iii CVE-2011-0666
Win32k Use After Free Vulnerability iv CVE-2011-0667
Win32k Use After Free Vulnerability v CVE-2011-0670
Win32k Use After Free Vulnerability vi CVE-2011-0671
Win32k Use After Free Vulnerability vii CVE-2011-0672
Win32k Use After Free Vulnerability viii CVE-2011-0674
Win32k Use After Free Vulnerability ix CVE-2011-0675
Win32k Use After Free Vulnerability x CVE-2011-1234
Win32k Use After Free Vulnerability xi CVE-2011-1235
Win32k Use After Free Vulnerability xii CVE-2011-1236
Win32k Use After Free Vulnerability xiii CVE-2011-1237
Win32k Use After Free Vulnerability xiv CVE-2011-1238
Win32k Use After Free Vulnerability xv CVE-2011-1239
Win32k Use After Free Vulnerability xvi CVE-2011-1240
Win32k Use After Free Vulnerability xvii CVE-2011-1241
Win32k Use After Free Vulnerability xviii CVE-2011-1242
Win32k Null Pointer De-reference Vulnerability i CVE-2011-0673
Win32k Null Pointer De-reference Vulnerability ii CVE-2011-0676
Win32k Null Pointer De-reference Vulnerability iii CVE-2011-0677
Win32k Null Pointer De-reference Vulnerability iv CVE-2011-1225
Win32k Null Pointer De-reference Vulnerability v CVE-2011-1226
Win32k Null Pointer De-reference Vulnerability vi CVE-2011-1227
Win32k Null Pointer De-reference Vulnerability vii CVE-2011-1228
Win32k Null Pointer De-reference Vulnerability viii CVE-2011-1229
Win32k Null Pointer De-reference Vulnerability ix CVE-2011-1230
Win32k Null Pointer De-reference Vulnerability x CVE-2011-1231
Win32k Null Pointer De-reference Vulnerability xi CVE-2011-1232
Win32k Null Pointer De-reference Vulnerability xii CVE-2011-1233



MS11-018

This first bulletin addresses five CVEs, all relating to how IE handles objects in memory. The vulnerabilities being resolved can allow an attacker who lures a user to a specially crafted website to gain control of that user's system. It affects IE versions 6, 7 and 8 on almost all versions of Windows. The severity of the advisory is listed as Low to Critical depending on the combination of CVE, IE version and Windows version. Generally, Windows Server operating systems are affected less because of Internet Explorer Enhanced Security Configuration. IE9 is not affected on any version of Windows. It is worth noting that the CanSecWest Pwn2Own vulnerability affecting IE is patched by this bulletin, and Microsoft Security Research & Defense has released a blog post [1] discussing the issue.

MS11-019

This is the first of (at least) two bulletins that contain more than simply externally reported vulnerabilities. Microsoft undertook an initiative to harden SMB since it has recently been a target for attackers. The Microsoft Security Research & Defense blog contains more details [2] on Microsoft's specific actions, but they definitely fixed more than the two CVEs publicly disclosed in this bulletin.

MS11-020

This is the second bulletin to contain additional fixes, also part of Microsoft's SMB hardening initiative. The single CVE in this bulletin, though, is the reason for the recommendation to apply this patch as soon as possible. This unauthenticated remote code execution vulnerability in the SMB server has the potential to be as dangerous as MS08-067 and affects all supported versions of Windows, including Windows 7 SP1. As with MS08-067, the attack surface is the SMB listener (TCP 445, and TCP 139 over NetBIOS), so hosts that expose SMB to untrusted networks should be patched first.

MS11-021

This bulletin relates to Microsoft Office, and more specifically Excel, on all versions of Windows as well as Microsoft Office for Mac. The bulletin addresses nine CVEs, each of which allows for the possibility of complete access to a user's system through a specially crafted Excel document. Because Excel prompts the user before opening such a file, more than a single user action is needed to complete the exploit, reducing it from a possible Critical rating to Important for all versions of the affected applications across all operating systems.

MS11-022

As with MS11-021, this bulletin corrects the threat of code execution from specially crafted Microsoft Office documents, in this case PowerPoint documents. As with MS11-021, this affects all versions of Microsoft Office across all Windows operating systems as well as Office for Mac. This bulletin, however, addresses only three CVEs. All related updates are listed as Important because, as with Excel, users are prompted before a potentially harmful document is opened, requiring more than a single action from the user.

MS11-023

MS11-023 deals with Microsoft Office and addresses two vulnerabilities. CVE-2011-0107 concerns the way Microsoft Office loads external libraries: an attacker can gain access to a user's computer by placing a crafted DLL [3] in the same folder as a legitimate Office file and convincing the user to open that file from there. CVE-2011-0977 addresses the way Microsoft Office handles graphic objects in Office documents. Both vulnerabilities affect only Microsoft Office 2007 and earlier on all Windows operating systems, as well as Microsoft Office 2004 and 2008 for Mac. In addition, the Open XML File Format Converter for Mac is also affected. Aggregate Severity Ratings for all situations are listed as Important.

MS11-024

This bulletin deals with one CVE and affects the built-in Windows Fax Cover Page Editor application in all versions of Windows starting with XP and Server 2003. Without the update, an attacker can take advantage of the way the Windows Fax Cover Page Editor improperly parses specially crafted fax cover pages. The Aggregate Severity Rating for all situations is listed as Important. One thing to note is that, by default, there is no application registered to handle *.cov files, so simply double-clicking a crafted cover page will not open it in the editor.

MS11-025

This bulletin fixes a type of vulnerability that we've become all too familiar with: a DLL preloading vulnerability. In this case the vulnerability exists in the ATL MFC Trace Tool, which means all Visual Studio products are affected. Because the flaw is in the MFC library itself, the update also refreshes the Visual C++ redistributable packages, and developers who ship applications built against an affected MFC version need to rebuild them against the updated library.
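Both MS11-023 and MS11-025 are instances of the same mechanism: an application asks for a DLL by bare name, and Windows walks its search order, which includes the process's current directory, the folder the document was opened from. The model below is an added example for this alert, not code from the VERT Alert or from Microsoft. It simulates that search order, with and without SafeDllSearchMode, and the two mitigations available to an application: removing the current directory from the search (SetDllDirectory("") or the CWDIllegalInDllSearch registry value from KB2264107) and the LoadLibraryEx LOAD_LIBRARY_SEARCH_SYSTEM32 flag on systems that have it. The directory contents and DLL names (optional.dll, helper.dll, office.exe) are constructed for the example; the KnownDLLs set is a small real subset.

```python
"""Model of the Windows DLL search order that DLL preloading bugs abuse.

Added example, not code from the VERT Alert or from Microsoft. Directory
contents below are constructed; only the search order and the KnownDLLs
subset are real.
"""
import ntpath

# Search order for an unqualified name (MSDN "Dynamic-Link Library Search
# Order"). SafeDllSearchMode, on by default since Windows XP SP2, moves the
# current directory from second place to fifth; it does not remove it.
SAFE_ORDER = ("app", "system32", "system", "windows", "cwd", "path")
UNSAFE_ORDER = ("app", "cwd", "system32", "system", "windows", "path")

# Names listed under Session Manager\KnownDLLs are always taken from System32.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll"}


def resolve(name, dirs, safe_mode=True, cwd_removed=False, system32_only=False):
    """Return the location key whose copy of `name` would be loaded, or None.

    dirs maps a location ("app", "system32", "system", "windows", "cwd",
    "path") to the set of file names present there. cwd_removed models
    SetDllDirectory("") / CWDIllegalInDllSearch; system32_only models
    LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32).
    """
    if ntpath.isabs(name):
        return "absolute"            # fully qualified path: no search at all
    name = name.lower()
    if name in KNOWN_DLLS:
        return "system32"
    if system32_only:
        order = ("system32",)
    else:
        order = SAFE_ORDER if safe_mode else UNSAFE_ORDER
        if cwd_removed:
            order = tuple(loc for loc in order if loc != "cwd")
    for loc in order:
        if name in {f.lower() for f in dirs.get(loc, ())}:
            return loc
    return None                      # load fails; nothing attacker-controlled ran


def share_attack_scenario():
    """An Office-style process opening report.xls from an attacker's share.

    Explorer sets the process's current directory to the document's folder.
    Constructed layout: the application wants optional.dll, which exists
    nowhere on the machine, and helper.dll, which exists in System32.
    """
    dirs = {
        "app": {"office.exe", "mso.dll"},
        "system32": {"kernel32.dll", "user32.dll", "helper.dll"},
        "cwd": {"report.xls", "optional.dll", "helper.dll", "user32.dll"},
    }
    return {
        # the planted DLL wins under either search mode: nothing earlier has it
        "optional_safe": resolve("optional.dll", dirs, safe_mode=True),
        "optional_unsafe": resolve("optional.dll", dirs, safe_mode=False),
        # a DLL present in System32 is only hijackable with SafeDllSearchMode off
        "helper_safe": resolve("helper.dll", dirs, safe_mode=True),
        "helper_unsafe": resolve("helper.dll", dirs, safe_mode=False),
        # KnownDLLs cannot be shadowed from the share
        "known_dll": resolve("user32.dll", dirs, safe_mode=False),
        # mitigations: the load fails instead of loading the planted copy
        "optional_cwd_removed": resolve("optional.dll", dirs, cwd_removed=True),
        "optional_system32_only": resolve("optional.dll", dirs, system32_only=True),
    }


if __name__ == "__main__":
    for case, where in share_attack_scenario().items():
        print(f"{case:24s} -> {where}")
```

The point the model makes is that SafeDllSearchMode alone does not close the hole: a DLL the application wants but never installs (optional.dll) is found in the current directory under both orders, which is why the fix has to be in the application (a full path, SetDllDirectory, or the System32-only flag) rather than in a system-wide setting.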

MS11-026

This bulletin contains the long-awaited patch for CVE-2011-0096, for which a security advisory [4] was first released on January 28th, 2011. The actual vulnerability here is a cross-site scripting (XSS) issue caused by the way in which MHTML interprets MIME-formatted requests. Methods of attacking this vulnerability have been publicly released.

MS11-027

MS11-027 corrects three vulnerabilities, each affecting a different ActiveX control. The affected controls, in Microsoft Internet Explorer 8 Developer Tools, Microsoft WMITools and Microsoft Windows Messenger, each provide an attacker with the opportunity to use a specially crafted webpage to gain access to a user's system. The update addresses them by setting kill bits for the affected controls; additionally, kill bits are set for several third-party controls when this update is applied.
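A kill bit is simply a Compatibility Flags value with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (and, for 32-bit IE on 64-bit Windows, the same path under Wow6432Node), so verifying that a kill-bit update took effect is a registry check. The script below is an added example for this alert, not code from the VERT Alert or from Microsoft: it parses a `reg export` of that key and reports, per CLSID, whether the kill bit is present in every view the control appears in. The CLSIDs it uses are placeholders (take the real ones from the MS11-027 bulletin) and the registry text is constructed to look like `reg export` output.

```python
"""Check ActiveX kill bits in a `reg export` of the ActiveX Compatibility key.

Added example, not code from the VERT Alert or from Microsoft. Produce the
input on the host with (reg export writes UTF-16, so open it as such):
    reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" ax.reg
The CLSIDs and the registry text below are placeholders/constructed.
"""
import re

KILL_BIT = 0x00000400   # Compatibility Flags bit that blocks the control in IE

KEY_RE = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\.*\\ActiveX Compatibility\\"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}))\]\s*$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<val>[0-9A-Fa-f]{8})\s*$')


def parse_compat_flags(reg_text):
    """Map CLSID -> [(key path, flags)] from .reg text, covering both views."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip("\ufeff")          # BOM survives a lazy decode
        m = KEY_RE.match(line)
        if m:
            current = (m.group("clsid").upper(), m.group("key"))
            continue
        if line.startswith("["):
            current = None                  # parent key or unrelated key
            continue
        m = FLAGS_RE.match(line)
        if m and current:
            clsid, key = current
            flags.setdefault(clsid, []).append((key, int(m.group("val"), 16)))
    return flags


def kill_bit_status(reg_text, clsids, wow64=False):
    """Return {clsid: bool}. True only if the CLSID is present and every
    view that lists it carries the kill bit; with wow64=True the Wow6432Node
    view must be among them (what 32-bit IE on 64-bit Windows consults).
    A CLSID absent from the export counts as not killed."""
    flags = parse_compat_flags(reg_text)
    status = {}
    for clsid in clsids:
        entries = flags.get(clsid.upper(), [])
        killed = bool(entries) and all(v & KILL_BIT for _, v in entries)
        if wow64 and killed:
            killed = any("WOW6432NODE" in key.upper() for key, _ in entries)
        status[clsid] = killed
    return status


# Constructed sample export: first CLSID killed in both views, second present
# but not killed, third absent. Placeholder CLSIDs, not the MS11-027 ones.
PLACEHOLDER_CLSIDS = [
    "{11111111-1111-1111-1111-111111111111}",
    "{22222222-2222-2222-2222-222222222222}",
    "{33333333-3333-3333-3333-333333333333}",
]
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    for clsid, killed in kill_bit_status(SAMPLE_EXPORT, PLACEHOLDER_CLSIDS, wow64=True).items():
        print(clsid, "killed" if killed else "NOT killed")
```

Run it against a real export with the bulletin's CLSIDs and wow64=True on x64 hosts; a control that is killed only in the native view is still loadable by 32-bit IE.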

MS11-028

This bulletin addresses a critical vulnerability that affects the .NET Framework 2.0, 3.5 and 4.0 on all Windows operating systems. Attackers can make use of this vulnerability in two different ways: by crafting a webpage and having a user view it with a browser capable of running XAML Browser Applications (XBAPs), or by uploading a crafted ASP.NET page to a server running IIS and having that server process the page. Either path can allow an attacker to gain control of the system. Individual updates were made available for each combination of operating system and .NET version.

MS11-029

This bulletin addresses a critical vulnerability across most versions of Windows. The issue can allow remote code execution when a user opens a specially crafted EMF image file or views a webpage that embeds one.

MS11-030

MS11-030 addresses a DNS-related issue affecting most versions of Windows. An attacker could take advantage of this vulnerability by sending specially crafted LLMNR broadcast queries to a vulnerable host. LLMNR uses UDP port 5355 and link-scope multicast, so this vector requires the attacker to be on the local link; blocking UDP 5355 at the host firewall is a reasonable interim mitigation where LLMNR is not needed. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the NetworkService account. It is rated Important on all XP and Server 2003 systems and Critical on all Vista, Windows 7 and Server 2008 systems.
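LLMNR reuses the DNS header and question wire format (RFC 4795), so the input a resolver has to validate is a DNS-style name followed by a type and class. The parser below is an added example for this alert, not code from the VERT Alert or from Microsoft, and not a reproduction of CVE-2011-0657; it shows the bounds checks a query parser needs before it trusts a length octet from the wire, and runs them over a handful of constructed datagrams (one well-formed query, one truncated, one with an over-long name, one containing a compression pointer, one that is actually a response). The packets are built inline, not captured.

```python
"""Defensive parser for LLMNR queries (RFC 4795).

Added example, not code from the VERT Alert or from Microsoft. Datagrams at
the bottom are constructed for the example.
"""
import struct

LLMNR_PORT = 5355
LLMNR_MCAST_V4 = "224.0.0.252"
HEADER_LEN = 12        # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
MAX_LABEL_LEN = 63     # length octets above this have the pointer/extended bits set
MAX_NAME_LEN = 255
FLAG_QR = 0x8000       # 1 = response
FLAG_TC = 0x0200       # truncated


class MalformedLLMNR(ValueError):
    """Raised for any datagram that fails validation."""


def _read_name(pkt, offset):
    """Decode a DNS-style name at offset; return (name, offset after it).

    Every length octet is checked against the bytes remaining before it is
    used, the total name length is capped, and compression pointers are
    rejected: a query has nothing to point back to, and following pointers
    is where loops and out-of-bounds reads come from.
    """
    labels, total = [], 0
    while True:
        if offset >= len(pkt):
            raise MalformedLLMNR("name runs past end of packet")
        length = pkt[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length > MAX_LABEL_LEN:
            raise MalformedLLMNR("compression pointer or extended label in query")
        if offset + length > len(pkt):
            raise MalformedLLMNR("label truncated")
        total += length + 1
        if total > MAX_NAME_LEN:
            raise MalformedLLMNR("name longer than 255 octets")
        try:
            labels.append(pkt[offset:offset + length].decode("utf-8"))
        except UnicodeDecodeError:
            raise MalformedLLMNR("label is not valid UTF-8") from None
        offset += length


def parse_query(pkt):
    """Validate one LLMNR query datagram and return its fields."""
    if len(pkt) < HEADER_LEN:
        raise MalformedLLMNR("short header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:HEADER_LEN])
    if flags & FLAG_QR:
        raise MalformedLLMNR("QR set: this is a response, not a query")
    if qd != 1:
        raise MalformedLLMNR("a query carries exactly one question")
    name, off = _read_name(pkt, HEADER_LEN)
    if off + 4 > len(pkt):
        raise MalformedLLMNR("question truncated")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": ident, "name": name, "qtype": qtype, "qclass": qclass,
            "truncated": bool(flags & FLAG_TC)}


def build_query(ident, name, qtype=1):
    """Encode a query; deliberately unvalidated so it can produce bad samples."""
    qname = b"".join(bytes([len(l)]) + l.encode("utf-8") for l in name.split("."))
    return (struct.pack("!HHHHHH", ident, 0, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!HH", qtype, 1))


def triage(datagrams):
    """Run the parser over datagrams; return (accepted names, rejection reasons)."""
    accepted, rejected = [], []
    for pkt in datagrams:
        try:
            accepted.append(parse_query(pkt)["name"])
        except MalformedLLMNR as exc:
            rejected.append(str(exc))
    return accepted, rejected


# Constructed samples: one honest A query and four malformed datagrams.
GOOD = build_query(0x1234, "fileserver")
TRUNCATED = GOOD[:15]                                      # label claims 10 bytes, 2 remain
OVERLONG = build_query(0x1235, ".".join(["a" * 63] * 5))   # 320 octets of name
POINTER = GOOD[:HEADER_LEN] + b"\xc0\x0c" + b"\x00\x01\x00\x01"  # pointer to itself
RESPONSE = GOOD[:2] + struct.pack("!H", FLAG_QR) + GOOD[4:]      # QR bit set
SAMPLES = [GOOD, TRUNCATED, OVERLONG, POINTER, RESPONSE]

if __name__ == "__main__":
    accepted, rejected = triage(SAMPLES)
    print("accepted:", accepted)
    for reason in rejected:
        print("rejected:", reason)
```

To use it against live traffic, bind a UDP socket to port 5355, join 224.0.0.252, and hand each datagram to parse_query; anything it rejects from a host on the local segment is worth logging.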

MS11-031

The CVE in MS11-031 is a vulnerability affecting VBScript and JScript. The most interesting aspect of this advisory is that while VBScript 5.8 and JScript 5.8 are affected, they are not affected when installed with Internet Explorer 9.

MS11-032

This bulletin addresses a vulnerability in the OpenType Font (OTF) driver, a kernel-mode component, so a specially crafted font reached through a document or web content is parsed in the kernel. This is becoming a more commonly patched driver: it was last patched in February, and before that there was a patch in December.

MS11-033

MS11-033 describes a vulnerability in Microsoft WordPad that occurs when opening a specially crafted Word document. The vulnerability could allow code execution.

MS11-034

The final bulletin on this record-breaking Patch Tuesday is a record setter itself: 30 of the 64 CVEs patched this month are included in this single bulletin. In addition, all 30 vulnerabilities were discovered by a single individual, Tarjei Mandt of Norman. These vulnerabilities are all local elevation of privilege vulnerabilities in the win32k.sys kernel-mode driver, affecting all versions of Windows, including Windows 7 Service Pack 1. Microsoft SR&D has released a blog post outlining the two classes of vulnerabilities patched by this update, use-after-free and NULL pointer dereference.

Exploit difficulty (rows of the VERT exposure matrix):

Automated Exploit: MS11-025, MS11-019
Easy: MS11-024, MS11-026, MS11-027
Moderate: MS11-023
Difficult: none
Extremely Difficult: MS11-018
No Known Exploit: MS11-021, MS11-022, MS11-028, MS11-029, MS11-031, MS11-033, MS11-030, MS11-032, MS11-034, MS11-020

Exposure (columns of the matrix): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged.

As always VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

All data and commentary is based on information available when the VERT Alert is published.

About Tripwire, Inc.
Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses, government agencies, and service providers take control of their physical, virtual, and cloud infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA™, the integrated compliance and security software platform delivers best-of-breed file integrity, policy compliance and log and event management solutions, paving the way for organizations to proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and @TripwireInc on Twitter.