VERT Alert - February 8, 2011

February 8, 2011 5:55 PST

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire’s research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today’s VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-388 on Wednesday, February 9th.

MS11-003
  CSS Memory Corruption Vulnerability (CVE-2010-3971)
  Internet Explorer Insecure Library Loading Vulnerability (CVE-2011-0038)
  Uninitialized Memory Corruption Vulnerability (CVE-2011-0035)
  Uninitialized Memory Corruption Vulnerability (CVE-2011-0036)

MS11-004
  IIS FTP Service Heap Buffer Overrun Vulnerability (CVE-2010-3972)

MS11-005
  Active Directory SPN Validation Vulnerability (CVE-2011-0040)

MS11-006
  Windows Shell Graphics Processing Overrun Vulnerability (CVE-2010-3970)

MS11-007
  OpenType Font Encoded Character Vulnerability (CVE-2011-0033)

MS11-008
  Visio Data Type Memory Corruption Vulnerability (CVE-2011-0093)
  Visio Object Memory Corruption Vulnerability (CVE-2011-0092)

MS11-009
  Scripting Engines Information Disclosure Vulnerability (CVE-2011-0031)

MS11-010
  CSRSS Elevation of Privilege Vulnerability (CVE-2011-0030)

MS11-011
  Driver Improper Interaction with Windows Kernel Vulnerability (CVE-2010-4398)
  Windows Kernel Integer Truncation Vulnerability (CVE-2011-0045)

MS11-012
  Win32k Improper User Input Validation Vulnerability (CVE-2011-0086)
  Win32k Insufficient User Input Validation Vulnerability (CVE-2011-0087)
  Win32k Memory Corruption Vulnerability (CVE-2011-0090)
  Win32k Window Class Improper Pointer Validation Vulnerability (CVE-2011-0089)
  Win32k Window Class Pointer Confusion Vulnerability (CVE-2011-0088)

MS11-013
  Kerberos Spoofing Vulnerability (CVE-2011-0091)
  Kerberos Unkeyed Checksum Vulnerability (CVE-2011-0043)

MS11-014
  LSASS Length Validation Vulnerability (CVE-2011-0039)

MS11-003

This bulletin describes the always-expected Internet Explorer patch. This month 4 CVEs are being patched, the most notable being the CSS Memory Corruption vulnerability, which has been included in several popular exploit frameworks.

MS11-004

This bulletin resolves a single vulnerability that was previously publicly disclosed. This vulnerability affects the IIS FTP Service. Versioning around IIS FTP Service is a little tricky and doesn’t quite work like one might expect. Due to the likelihood of confusion, Microsoft has released a blog post explaining IIS FTP Service versioning and when the service is vulnerable (IIS FTP Service 7.0 and 7.5). The post is available on the Microsoft SR&D blog [1].

MS11-005

The vulnerability described by MS11-005 is probably the least significant vulnerability patched this month. An attacker would require administrative privileges on a domain-joined computer to exploit this vulnerability. They would then craft a packet that updates the service principal name (SPN). If an SPN collision occurs, it could potentially lead to a denial of service.

MS11-006

The CVE patched by this bulletin is the third 0-day patched this month. This one is a vulnerability affecting the Windows Shell graphics processor and would require a user to view a malicious thumbnail image.

MS11-007

This bulletin describes a single vulnerability in the Windows OpenType Compact Font Format driver. The Microsoft attack vector would require users to browse to a folder containing a malicious OpenType font. It is possible that this would also affect other applications that use OpenType fonts. This vulnerability would ultimately lead to an elevation of privilege.

MS11-008

MS11-008 is the only Microsoft Office-related security bulletin this month, and specifically relates to Microsoft Visio. Two memory corruption vulnerabilities that could be exploited by malicious Visio files are patched by this update.

MS11-009

MS11-009 patches CVE-2011-0031, a vulnerability affecting JScript and VBScript that could lead to information disclosure. JScript 5.8 and VBScript 5.8 on Windows 7 and Windows Server 2008 R2 are the only platforms affected by this vulnerability.

MS11-010

The vulnerability patched by MS11-010 is an interesting issue that allows an attacker logged on to a system to leave a program running after they’ve logged out, allowing them to capture data associated with subsequent users of the system.

MS11-011

The two vulnerabilities patched by this bulletin could lead to an elevation of privilege. To exploit these vulnerabilities, an attacker would require local access to the system and a custom application designed to trigger the vulnerability.

MS11-012

This bulletin patches 5 vulnerabilities that could lead to elevation of privilege. These vulnerabilities, like those in MS11-011, would require local system access and a custom application to trigger them.

MS11-013

Two Kerberos issues are resolved by MS11-013. The end result of these patches is the prevention of the use of weak hashing algorithms, along with preventing an attacker from downgrading Kerberos encryption to DES. The weak hashing algorithms exist on Windows XP and Server 2003 and could lead to elevation of privilege, while the ability to downgrade encryption to DES, which could effectively lead to a man-in-the-middle attack, affects Windows 7 and Server 2008 R2.

MS11-014

The final patch this month fixes a single vulnerability affecting LSASS that allows for privilege escalation.

Other Information

In addition to today’s security updates, Microsoft has also released KB976940 [2], which changes the behavior of AutoRun on Windows, disabling it for thumb drives. This update was available previously via the Download Center; today is the first time it’s available via Windows Update, and Microsoft SR&D has released a blog post explaining this change [3].

As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Risk columns: Exposure, Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

Automated Exploit: MS11-003, MS11-006
Easy: (none)
Moderate: (none)
Difficult: MS11-004
Extremely Difficult: (none)
No Known Exploit: MS11-008, MS11-009, MS11-010; MS11-005, MS11-013; MS11-007, MS11-011, MS11-012, MS11-014

All data and commentary are based on information available when the VERT Alert is published.
