VERT Alert - April 12, 2011

April 12, 2011 8:00 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire’s research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today’s VERT Alert addresses 17 new Microsoft Security Bulletins fixing 64 vulnerabilities. VERT is actively working on coverage for this bulletin in order to meet our 24-hour SLA and expects to ship ASPL-398 on Wednesday, April 13th.

Vulnerabilities addressed by this month's bulletins (vulnerability name and CVE):

Layouts Handling Memory Corruption Vulnerability CVE-2011-0094
MSHTML Memory Corruption Vulnerability CVE-2011-0346
Frame Tag Information Disclosure Vulnerability CVE-2011-1244
Javascript Information Disclosure Vulnerability CVE-2011-1245
Object Management Memory Corruption Vulnerability CVE-2011-1345
Browser Pool Corruption Vulnerability CVE-2011-0654
SMB Client Response Parsing Vulnerability CVE-2011-0660
SMB Transaction Parsing Vulnerability CVE-2011-0661
Excel Integer Overrun Vulnerability CVE-2011-0097
Excel Heap Overflow Vulnerability CVE-2011-0098
Excel Record Parsing WriteAV Vulnerability CVE-2011-0101
Excel Memory Corruption Vulnerability CVE-2011-0103
Excel Buffer Overwrite Vulnerability CVE-2011-0104
Excel Data Initialization Vulnerability CVE-2011-0105
Excel Array Indexing Vulnerability CVE-2011-0978
Excel Linked List Corruption Vulnerability CVE-2011-0979
Excel Dangling Pointer Vulnerability CVE-2011-0980
Floating Point Techno-color Time Bandit RCE Vulnerability CVE-2011-0655
Persist Directory RCE Vulnerability CVE-2011-0656
OfficeArt Atom RCE Vulnerability CVE-2011-0976
Office Component Insecure Library Loading Vulnerability CVE-2011-0107
Microsoft Office Graphic Object Dereferencing Vulnerability CVE-2011-0977
Fax Cover Page Editor Memory Corruption Vulnerability CVE-2010-3974
MFC Insecure Library Loading Vulnerability CVE-2010-3190
MHTML Mime-Formatted Request Vulnerability CVE-2011-0096
Microsoft Internet Explorer 8 Developer Tools Vulnerability CVE-2010-0811
Microsoft WMITools ActiveX Control Vulnerability CVE-2010-3973
Microsoft Windows Messenger ActiveX Control Vulnerability CVE-2011-1243
.NET Framework Stack Corruption Vulnerability CVE-2010-3958
GDI+ Integer Overflow Vulnerability CVE-2011-0041
DNS Query Vulnerability CVE-2011-0657
Scripting Memory Reallocation Vulnerability CVE-2011-0663
OpenType Font Stack Overflow Vulnerability CVE-2011-0034
WordPad Converter Parsing Vulnerability CVE-2011-0028
Win32k Use After Free Vulnerability i through xviii (CVE identifiers not given)
Win32k Null Pointer De-reference Vulnerability i through xii (CVE identifiers not given)


MS11-018

This first bulletin addresses five CVEs, all relating to how Internet Explorer handles objects in memory. The vulnerabilities being resolved can allow an attacker to take control of the system of a user who visits a specially crafted website. It affects IE versions 6, 7 and 8 on most versions of Windows. The severity is listed as Low to Critical depending on the combination of CVE, IE version and Windows version. Windows Server operating systems are generally affected less because of their Enhanced Security Configuration, and IE9 is not affected on any version of Windows. It is worth noting that the CanSecWest Pwn2Own vulnerability affecting IE is patched by this bulletin, and Microsoft Security Research & Defense has released a blog post discussing the issue.


MS11-019

This is the first of (at least) two bulletins that contain more than simply externally reported vulnerabilities. Microsoft undertook an initiative to secure SMB since it has recently been a target for attackers. The Microsoft Security Research & Defense blog contains more details on Microsoft's specific actions, but they definitely fixed more than the two CVEs publicly disclosed in this bulletin.


MS11-020

This is the second bulletin to contain additional fixes, also part of Microsoft's secure SMB initiative. The single CVE in this bulletin, though, is responsible for the recommendation to apply this patch as soon as possible. This unauthenticated remote vulnerability has the potential to be as dangerous as MS08-067 and affects all operating systems, including Windows 7 SP1.


MS11-021

This bulletin relates to Microsoft Office, and more specifically Excel, on all versions of Windows as well as Microsoft Office for Mac. The bulletin addresses 9 CVEs, each of which allows for the possibility of complete access to a user's system through a specially crafted Excel document. A user prompt built into Excel requires more than a single user action to complete the exploit, reducing the rating from a possible Critical to Important for all affected applications across all operating systems.


MS11-022

As with MS11-021, this bulletin corrects the threat of code execution from specially crafted Microsoft Office documents, in this case PowerPoint documents. As with MS11-021, this affects all versions of Microsoft Office across all Windows operating systems as well as Office for Mac. The bulletin, however, addresses only 3 CVEs. All related updates are listed as Important because users are prompted before a potentially harmful document is opened, requiring more than a single action from the user.


MS11-023

MS11-023 deals with Microsoft Office and addresses two vulnerabilities. CVE-2011-0107 concerns the method by which Microsoft Office loads external libraries: an attacker can gain access to a user's computer by placing a crafted DLL file in the same folder as a legitimate Office file. CVE-2011-0977 addresses the way Microsoft Office handles graphic objects in Office documents. Both vulnerabilities affect only Microsoft Office 2007 and earlier on all Windows operating systems, as well as Microsoft Office 2004 and 2008 for Mac. In addition, Open XML File Format Converter for Mac is also affected. Aggregate Severity Ratings for all situations are listed as Important.


MS11-024

This bulletin deals with one CVE and affects the built-in Windows Fax Cover Page Editor application in all versions of Windows starting with XP and Server 2003. Without the update, an attacker can take advantage of the way the Windows Fax Cover Page Editor improperly parses specially crafted fax cover pages. The Aggregate Severity Rating for all situations is listed as Important. One thing to note is that, by default, there is no application registered to handle *.cov files.


MS11-025

This bulletin fixes a type of vulnerability that we've become all too familiar with: a DLL preloading vulnerability. In this case the vulnerability exists in the ATL MFC Trace Tool, which means all Visual Studio products are affected.


MS11-026

This bulletin contains the long-awaited patch for CVE-2011-0096, for which a security advisory was first released on January 28th, 2011. The actual vulnerability here is a cross-site scripting (XSS) flaw caused by the way in which MHTML interprets MIME-formatted requests. Methods of attacking this vulnerability have been publicly released.


MS11-027

MS11-027 corrects three vulnerabilities, each affecting a different ActiveX control. The affected components, Microsoft Internet Explorer 8 Developer Tools, Microsoft WMITools and Microsoft Windows Messenger, all provide an attacker the opportunity to use a specially crafted web page to gain access to a user's system. Additionally, kill bits are set for several third-party applications when this update is applied.


MS11-028

This bulletin addresses a critical vulnerability that affects the .NET Framework versions 2, 3.5 and 4 on all Windows operating systems. Attackers can make use of this vulnerability in two different ways: by crafting a web page and having a user view it with a browser capable of running XAML Browser Applications, or by uploading a crafted ASP.NET page to a server running IIS and having that server process the page. Either path can allow an attacker to gain control of the system. Individual updates were made available for each combination of operating system and .NET version.


MS11-029

This bulletin addresses a critical vulnerability across most versions of Windows. The issue can allow remote code execution when a user opens a specially crafted EMF image file or visits a web page containing one.


MS11-030

MS11-030 addresses a DNS-related issue in most versions of Windows. An attacker could take advantage of this vulnerability by using a crafted application to send specially crafted LLMNR broadcast queries. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the NetworkService account. It is listed as Important on all XP and Server 2003 systems and Critical on all Vista, 7 and Server 2008 systems.
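As an added illustration of the message format MS11-030 concerns (example code, not part of the VERT Alert), the following Python parses an LLMNR query, which uses the DNS message layout over UDP port 5355, with explicit bounds checks so that a defender inspecting captured traffic can flag datagrams whose length fields do not match their contents. The two sample datagrams are constructed here for the example.

```python
import struct
MAX_LABEL_LEN = 63  # RFC 1035 label limit, reused by LLMNR (RFC 4795)

def parse_name(buf, offset):
    """Decode a DNS-style name at offset; ValueError on any bad length."""
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("name runs past end of packet")
        n = buf[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:  # pointer/reserved type: nothing earlier to point at
            raise ValueError("unexpected label type 0x%02x" % n)
        if n > MAX_LABEL_LEN or offset + n > len(buf):
            raise ValueError("label length %d overruns packet" % n)
        labels.append(buf[offset:offset + n].decode("ascii", "replace"))
        offset += n
    return ".".join(labels), offset

def parse_llmnr_query(buf):
    """Return {id, name, qtype, qclass} for a one-question LLMNR query."""
    if len(buf) < 12:
        raise ValueError("header too short")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: a response, not a query")
    if qd != 1 or an or ns or ar:
        raise ValueError("query must carry exactly one question")
    name, off = parse_name(buf, 12)
    if off + 4 > len(buf):
        raise ValueError("question section truncated")
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    return {"id": qid, "name": name, "qtype": qtype, "qclass": qclass}

def classify(buf):
    """Label one captured UDP/5355 datagram 'ok' or 'malformed: <reason>'."""
    try:
        parse_llmnr_query(buf)
        return "ok"
    except ValueError as e:
        return "malformed: %s" % e

# Constructed samples: a well-formed A query for "fileserver", and one whose
# length octet claims a 60-byte label when only 4 bytes follow.
HEADER = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0)
GOOD_QUERY = HEADER + b"\x0afileserver\x00" + struct.pack("!HH", 1, 1)
BAD_QUERY = HEADER + b"\x3cabcd"
```

Feeding each UDP/5355 payload from a capture through classify() gives a quick triage of which hosts are sending structurally invalid LLMNR queries.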


MS11-031

The CVE in MS11-031 is a vulnerability affecting VBScript and JScript. The most interesting aspect of this advisory is that while VBScript 5.8 and JScript 5.8 are affected, they are not affected when installed with Internet Explorer 9.


MS11-032

This bulletin addresses a vulnerability in the OpenType Font (OTF) driver. This driver is being patched more and more often: it was last patched in February, and before that in December.


MS11-033

MS11-033 details a vulnerability in Microsoft WordPad that occurs when opening specially crafted Word documents. The vulnerability could allow code execution.


MS11-034

The final bulletin on this record-breaking Patch Tuesday is a record setter itself: 30 of the 64 CVEs patched this month are included in this single bulletin. In addition, all 30 vulnerabilities were discovered by a single individual, Tarjei Mandt of Norman. These vulnerabilities are all local elevation of privilege vulnerabilities affecting all versions of Windows, including Windows 7 Service Pack 1. Microsoft SR&D has released a blog post outlining the classes of vulnerabilities patched by this update.

Severity legend (from the original alert graphic): exploit availability is rated Automated Exploit, Extremely Difficult or No Known Exploit; impact is categorized as Local Availability, Remote Availability, Remote Access, Local Privileged or Remote Privileged.

As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.

All data and commentary are based on information available when the VERT Alert is published.

About Tripwire, Inc.
Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses, government agencies, and service providers take control of their physical, virtual, and cloud infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA™, the integrated compliance and security software platform delivers best-of-breed file integrity, policy compliance and log and event management solutions, paving the way for organizations to proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation. Learn more at and @TripwireInc on Twitter.