February 8, 2011 5:55 PST
The nCircle VERT Alert is brought to you by nCircle VERT, nCircle’s research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.
Today’s VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-388 on Wednesday, February 9th.
| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS11-003 | CSS Memory Corruption Vulnerability | CVE-2010-3971 |
| | Internet Explorer Insecure Library Loading Vulnerability | CVE-2011-0038 |
| | Uninitialized Memory Corruption Vulnerability | CVE-2011-0035 |
| | Uninitialized Memory Corruption Vulnerability | CVE-2011-0036 |
| MS11-004 | IIS FTP Service Heap Buffer Overrun Vulnerability | CVE-2010-3972 |
| MS11-005 | Active Directory SPN Validation Vulnerability | CVE-2011-0040 |
| MS11-006 | Windows Shell Graphics Processing Overrun Vulnerability | CVE-2010-3970 |
| MS11-007 | OpenType Font Encoded Character Vulnerability | CVE-2011-0033 |
| MS11-008 | Visio Data Type Memory Corruption Vulnerability | CVE-2011-0093 |
| | Visio Object Memory Corruption Vulnerability | CVE-2011-0092 |
| MS11-009 | Scripting Engines Information Disclosure Vulnerability | CVE-2011-0031 |
| MS11-010 | CSRSS Elevation of Privilege Vulnerability | CVE-2011-0030 |
| MS11-011 | Driver Improper Interaction with Windows Kernel Vulnerability | CVE-2010-4398 |
| | Windows Kernel Integer Truncation Vulnerability | CVE-2011-0045 |
| MS11-012 | Win32k Improper User Input Validation Vulnerability | CVE-2011-0086 |
| | Win32k Insufficient User Input Validation Vulnerability | CVE-2011-0087 |
| | Win32k Memory Corruption Vulnerability | CVE-2011-0090 |
| | Win32k Window Class Improper Pointer Validation Vulnerability | CVE-2011-0089 |
| | Win32k Window Class Pointer Confusion Vulnerability | CVE-2011-0088 |
| MS11-013 | Kerberos Spoofing Vulnerability | CVE-2011-0091 |
| | Kerberos Unkeyed Checksum Vulnerability | CVE-2011-0043 |
| MS11-014 | LSASS Length Validation Vulnerability | CVE-2011-0039 |
MS11-003
This bulletin describes the always-expected Internet Explorer patch. This month four CVEs are patched, the most notable being the CSS Memory Corruption vulnerability, which has been included in several popular exploit frameworks.
MS11-004
This bulletin resolves a single vulnerability that was previously publicly disclosed. This vulnerability affects the IIS FTP Service. Versioning around the IIS FTP Service is a little tricky and doesn’t quite work as one might expect. Due to the likelihood of confusion, Microsoft has released a blog post explaining IIS FTP Service versioning and when the service is vulnerable (IIS FTP Service 7.0 and 7.5). The post is available on the Microsoft SR&D blog [1].
MS11-005
The vulnerability described by MS11-005 is probably the least significant vulnerability patched this month. An attacker would require administrative privileges on a domain joined computer to exploit this vulnerability. They would then craft a packet that updates the service principal name (SPN). If a SPN collision occurs, it could potentially lead to a denial of service.
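The SPN collision mentioned above is something a domain administrator can audit for directly, independent of the patch. The following PowerShell script is an added example written for this alert, not code from nCircle or Microsoft: it enumerates every servicePrincipalName in the domain and reports any SPN registered on more than one account. It assumes a domain-joined host with PowerShell 3.0 or later and read access to the directory; the built-in setspn -X utility performs a comparable search.

```powershell
# Added example (not part of the nCircle alert): audit the domain for duplicate
# service principal names, the "SPN collision" condition MS11-005 describes.
# Assumes a domain-joined machine, PowerShell 3.0+, and read access to AD.

function Find-DuplicateSpn {
    param(
        # LDAP search root; defaults to the current domain's naming context
        [string]$SearchRoot = ([adsi]"LDAP://RootDSE").defaultNamingContext
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$SearchRoot"
    $searcher.Filter = "(servicePrincipalName=*)"
    $searcher.PageSize = 1000            # paged results for large domains
    [void]$searcher.PropertiesToLoad.Add("servicePrincipalName")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    # Map each SPN (compared case-insensitively) to the accounts carrying it
    $owners = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties["distinguishedname"][0]
        foreach ($spn in $result.Properties["serviceprincipalname"]) {
            $key = ([string]$spn).ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $dn
        }
    }

    # Emit only the SPNs registered on more than one account
    foreach ($spn in $owners.Keys) {
        if ($owners[$spn].Count -gt 1) {
            [pscustomobject]@{
                SPN      = $spn
                Accounts = ($owners[$spn] -join '; ')
            }
        }
    }
}

Find-DuplicateSpn | Format-Table -AutoSize
```

An empty result means no two accounts currently share an SPN; any rows that do appear are worth resolving before they turn into the Kerberos authentication failures a collision causes, whether or not the collision was introduced deliberately.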
MS11-006
The CVE patched by this bulletin is the third 0-day patched this month. It is a vulnerability in the Windows Shell graphics processor and would require that a user view a malicious thumbnail image.
MS11-007
This bulletin describes a single vulnerability in the Windows OpenType Compact Font Format driver. The attack vector described by Microsoft would require that a user browse to a folder containing a malicious OpenType font. It is possible that this would also affect other applications that use OpenType fonts. This vulnerability would ultimately lead to an elevation of privilege.
MS11-008
MS11-008 is the only Microsoft Office-related security bulletin this month, and it specifically relates to Microsoft Visio. Two memory corruption vulnerabilities that could be exploited by malicious Visio files are patched by this update.
MS11-009
CVE-2011-0031 is patched by MS11-009, a vulnerability affecting JScript and VBScript that could lead to information disclosure. JScript 5.8 and VBScript 5.8 on Windows 7 and Windows Server 2008 R2 are the only platforms affected by this vulnerability.
MS11-010
The vulnerability patched by MS11-010 is an interesting issue that allows an attacker logged on to a system to leave a program running after they’ve logged out, allowing them to capture data associated with subsequent users of the system.
MS11-011
The two vulnerabilities patched by this bulletin could lead to an elevation of privilege. To exploit these vulnerabilities an attacker would require local access to the system and a custom application designed to trigger the vulnerability.
MS11-012
This bulletin patches 5 vulnerabilities that could lead to elevation of privilege. These vulnerabilities, like those in MS11-011, would require local system access and a custom application to trigger them.
MS11-013
Two Kerberos issues are resolved by MS11-013. The end result of these patches is the prevention of the use of weak hashing algorithms, along with preventing an attacker from downgrading Kerberos encryption to DES. The weak hashing algorithms exist on Windows XP and Server 2003 and could lead to elevation of privilege, while the ability to downgrade encryption to DES, which could effectively lead to a man-in-the-middle attack, affects Windows 7 and Server 2008 R2.
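Whether a Windows 7 or Server 2008 R2 host will accept DES for Kerberos at all is controlled by the Group Policy setting "Network security: Configure encryption types allowed for Kerberos", stored as the SupportedEncryptionTypes DWORD under the Kerberos\Parameters policy key. The PowerShell script below is an added example, not nCircle or Microsoft code: it decodes that bitmask (the same bit layout as the msDS-SupportedEncryptionTypes attribute in Active Directory) and flags whether either DES type is enabled. It assumes PowerShell 3.0 or later and local read access to the registry.

```powershell
# Added example (not part of the nCircle alert): report which Kerberos
# encryption types this host is configured to accept and whether DES is
# among them. Assumes Windows 7 / Server 2008 R2 or later, where the
# policy value below is honoured, and PowerShell 3.0+.

$KerbParamsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Bit flags of the SupportedEncryptionTypes DWORD (same layout as the
# AD attribute msDS-SupportedEncryptionTypes)
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC          = 0x01
    DES_CBC_MD5          = 0x02
    RC4_HMAC_MD5         = 0x04
    AES128_CTS_HMAC_SHA1 = 0x08
    AES256_CTS_HMAC_SHA1 = 0x10
}

function ConvertFrom-KerberosEncTypeMask {
    param([Parameter(Mandatory)][int]$Mask)
    # Return the name of every algorithm whose bit is set in the mask
    $EncTypeFlags.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-KerberosEncTypeReport {
    $value = Get-ItemProperty -Path $KerbParamsKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $value) {
        # No policy configured: the operating-system default applies, so
        # report that rather than guess at a mask
        return [pscustomobject]@{
            Configured = $false; Mask = $null; Enabled = @(); DesAllowed = $null
        }
    }
    $mask    = [int]$value.SupportedEncryptionTypes
    $enabled = @(ConvertFrom-KerberosEncTypeMask -Mask $mask)
    [pscustomobject]@{
        Configured = $true
        Mask       = ('0x{0:X}' -f $mask)
        Enabled    = ($enabled -join ', ')
        DesAllowed = (($mask -band 0x03) -ne 0)   # either DES_CBC_CRC or DES_CBC_MD5
    }
}

Get-KerberosEncTypeReport | Format-List
```

A report with DesAllowed set to True means the host would still negotiate DES with a peer that offers nothing stronger; clearing both DES bits in the policy removes that option regardless of patch level, and the same bitmask can be reviewed on account objects in the directory.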
MS11-014
The final patch this month fixes a single vulnerability affecting LSASS that allows for privilege escalation.
Other Information
In addition to today’s security updates, Microsoft has also released KB967940 [2], which changes the behavior of AutoRun on Windows, disabling it for thumb drives. This update was previously available via the Download Center; today is the first time it is available via Windows Update, and Microsoft SR&D has released a blog post explaining this change [3].
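To confirm on a given host that AutoRun is no longer honoured for removable drives, an administrator can check two things: whether KB967940 is installed, and whether the NoDriveTypeAutoRun policy masks out the removable drive type anyway. The following PowerShell script is an added example, not code from nCircle or Microsoft; it assumes PowerShell 3.0 or later and that Get-HotFix lists the update on the host (it is a heuristic for the update half of the check, since an update folded into a later servicing baseline may not be listed individually).

```powershell
# Added example (not part of the nCircle alert): verify that AutoRun for
# removable ("thumb") drives is disabled on this host, either via KB967940
# or via the NoDriveTypeAutoRun policy. Assumes PowerShell 3.0+.

# Bit values of the NoDriveTypeAutoRun DWORD; each set bit disables AutoRun
# for that drive type (0xFF disables it for every type)
$DriveTypeBits = [ordered]@{
    Unknown   = 0x01
    NoRootDir = 0x02
    Removable = 0x04
    Fixed     = 0x08
    Network   = 0x10
    CDROM     = 0x20
    RamDisk   = 0x40
}

function Get-NoDriveTypeAutoRun {
    # The machine policy takes precedence over the per-user policy
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $hive; Mask = [int]$item.NoDriveTypeAutoRun }
        }
    }
    return $null
}

function Test-ThumbDriveAutoRunDisabled {
    $kb     = Get-HotFix -Id KB967940 -ErrorAction SilentlyContinue
    $policy = Get-NoDriveTypeAutoRun

    # Does the policy mask, if present, cover removable drives?
    $maskBlocks = ($null -ne $policy) -and (($policy.Mask -band $DriveTypeBits.Removable) -ne 0)

    $disabledTypes = @()
    if ($null -ne $policy) {
        $disabledTypes = $DriveTypeBits.GetEnumerator() |
            Where-Object { ($policy.Mask -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key }
    }

    [pscustomobject]@{
        KB967940Installed   = [bool]$kb
        PolicySource        = if ($null -ne $policy) { $policy.Source } else { 'not set' }
        PolicyMask          = if ($null -ne $policy) { '0x{0:X2}' -f $policy.Mask } else { $null }
        AutoRunDisabledFor  = ($disabledTypes -join ', ')
        ThumbDriveProtected = ([bool]$kb -or $maskBlocks)
    }
}

Test-ThumbDriveAutoRunDisabled | Format-List
```

ThumbDriveProtected is the summary verdict; the other fields show which of the two mechanisms produced it, which is useful when the update is absent and the policy alone is carrying the protection.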
As always VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
Ease of Use (published exploits) to Risk Table

| Ease of Use (published exploits) | Bulletins |
|---|---|
| Automated Exploit | MS11-003 |
| Easy | |
| Moderate | |
| Difficult | MS11-004 |
| Extremely Difficult | |
| No Known Exploit | MS11-008, MS11-005, MS11-013, MS11-007 |

Exposure (the columns of the original table): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged.
All data and commentary is based on information available when the VERT Alert is published. The VERT Alert may be updated on the nCircle website as new information surfaces: http://www.ncircle.com/index.php?s=resources_VERT-Alert.
[1] http://blogs.technet.com/b/srd/archive/2011/02/08/regarding-ms11-004-addressing-an-iis-ftp-services-vulnerability.aspx
[2] http://support.microsoft.com/kb/967940/
[3] http://blogs.technet.com/b/msrc/archive/2011/02/08/deeper-insight-into-the-security-advisory-967940-update.aspx