April 12, 2011 8:00 PM (PT)
The nCircle VERT Alert is brought to you by nCircle VERT, nCircle’s research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.
Today’s VERT Alert addresses 17 new Microsoft Security Bulletins fixing 64 vulnerabilities. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-398 on Wednesday, April 13th.
| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS11-018 | Layouts Handling Memory Corruption Vulnerability | CVE-2011-0094 |
| MS11-018 | MSHTML Memory Corruption Vulnerability | CVE-2011-0346 |
| MS11-018 | Frame Tag Information Disclosure Vulnerability | CVE-2011-1244 |
| MS11-018 | Javascript Information Disclosure Vulnerability | CVE-2011-1245 |
| MS11-018 | Object Management Memory Corruption Vulnerability | CVE-2011-1345 |
| MS11-019 | Browser Pool Corruption Vulnerability | CVE-2011-0654 |
| MS11-019 | SMB Client Response Parsing Vulnerability | CVE-2011-0660 |
| MS11-020 | SMB Transaction Parsing Vulnerability | CVE-2011-0661 |
| MS11-021 | Excel Integer Overrun Vulnerability | CVE-2011-0097 |
| MS11-021 | Excel Heap Overflow Vulnerability | CVE-2011-0098 |
| MS11-021 | Excel Record Parsing WriteAV Vulnerability | CVE-2011-0101 |
| MS11-021 | Excel Memory Corruption Vulnerability | CVE-2011-0103 |
| MS11-021 | Excel Buffer Overwrite Vulnerability | CVE-2011-0104 |
| MS11-021 | Excel Data Initialization Vulnerability | CVE-2011-0105 |
| MS11-021 | Excel Array Indexing Vulnerability | CVE-2011-0978 |
| MS11-021 | Excel Linked List Corruption Vulnerability | CVE-2011-0979 |
| MS11-021 | Excel Dangling Pointer Vulnerability | CVE-2011-0980 |
| MS11-022 | Floating Point Techno-color Time Bandit RCE Vulnerability | CVE-2011-0655 |
| MS11-022 | Persist Directory RCE Vulnerability | CVE-2011-0656 |
| MS11-022 | OfficeArt Atom RCE Vulnerability | CVE-2011-0976 |
| MS11-023 | Office Component Insecure Library Loading Vulnerability | CVE-2011-0107 |
| MS11-023 | Microsoft Office Graphic Object Dereferencing Vulnerability | CVE-2011-0977 |
| MS11-024 | Fax Cover Page Editor Memory Corruption Vulnerability | CVE-2010-3974 |
| MS11-025 | MFC Insecure Library Loading Vulnerability | CVE-2010-3190 |
| MS11-026 | MHTML Mime-Formatted Request Vulnerability | CVE-2011-0096 |
| MS11-027 | Microsoft Internet Explorer 8 Developer Tools Vulnerability | CVE-2010-0811 |
| MS11-027 | Microsoft WMITools ActiveX Control Vulnerability | CVE-2010-3973 |
| MS11-027 | Microsoft Windows Messenger ActiveX Control Vulnerability | CVE-2011-1243 |
| MS11-028 | .NET Framework Stack Corruption Vulnerability | CVE-2010-3958 |
| MS11-029 | GDI+ Integer Overflow Vulnerability | CVE-2011-0041 |
| MS11-030 | DNS Query Vulnerability | CVE-2011-0657 |
| MS11-031 | Scripting Memory Reallocation Vulnerability | CVE-2011-0663 |
| MS11-032 | OpenType Font Stack Overflow Vulnerability | CVE-2011-0034 |
| MS11-033 | WordPad Converter Parsing Vulnerability | CVE-2011-0028 |
| MS11-034 | Win32k Use After Free Vulnerability i | CVE-2011-0662 |
| MS11-034 | Win32k Use After Free Vulnerability ii | CVE-2011-0665 |
| MS11-034 | Win32k Use After Free Vulnerability iii | CVE-2011-0666 |
| MS11-034 | Win32k Use After Free Vulnerability iv | CVE-2011-0667 |
| MS11-034 | Win32k Use After Free Vulnerability v | CVE-2011-0670 |
| MS11-034 | Win32k Use After Free Vulnerability vi | CVE-2011-0671 |
| MS11-034 | Win32k Use After Free Vulnerability vii | CVE-2011-0672 |
| MS11-034 | Win32k Use After Free Vulnerability viii | CVE-2011-0674 |
| MS11-034 | Win32k Use After Free Vulnerability ix | CVE-2011-0675 |
| MS11-034 | Win32k Use After Free Vulnerability x | CVE-2011-1234 |
| MS11-034 | Win32k Use After Free Vulnerability xi | CVE-2011-1235 |
| MS11-034 | Win32k Use After Free Vulnerability xii | CVE-2011-1236 |
| MS11-034 | Win32k Use After Free Vulnerability xiii | CVE-2011-1237 |
| MS11-034 | Win32k Use After Free Vulnerability xiv | CVE-2011-1238 |
| MS11-034 | Win32k Use After Free Vulnerability xv | CVE-2011-1239 |
| MS11-034 | Win32k Use After Free Vulnerability xvi | CVE-2011-1240 |
| MS11-034 | Win32k Use After Free Vulnerability xvii | CVE-2011-1241 |
| MS11-034 | Win32k Use After Free Vulnerability xviii | CVE-2011-1242 |
| MS11-034 | Win32k Null Pointer De-reference Vulnerability i | CVE-2011-0673 |
| MS11-034 | Win32k Null Pointer De-reference Vulnerability ii | CVE-2011-0676 |
| MS11-034 | Win32k Null Pointer De-reference Vulnerability iii | CVE-2011-0677 |
| MS11-034 | Win32k Null Pointer De-reference Vulnerability iv | CVE-2011-1225 |
| MS11-034 | Win32k Null Pointer De-reference Vulnerability v | CVE-2011-1226 |
| MS11-034 | Win32k Null Pointer De-reference Vulnerability vi | CVE-2011-1227 |
| MS11-034 | Win32k Null Pointer De-reference Vulnerability vii | CVE-2011-1228 |
| MS11-034 | Win32k Null Pointer De-reference Vulnerability viii | CVE-2011-1229 |
| MS11-034 | Win32k Null Pointer De-reference Vulnerability ix | CVE-2011-1230 |
| MS11-034 | Win32k Null Pointer De-reference Vulnerability x | CVE-2011-1231 |
| MS11-034 | Win32k Null Pointer De-reference Vulnerability xi | CVE-2011-1232 |
| MS11-034 | Win32k Null Pointer De-reference Vulnerability xii | CVE-2011-1233 |
MS11-018
This first bulletin addresses five CVEs, all relating to how Internet Explorer handles objects in memory. The vulnerabilities being resolved can allow an attacker to take control of a user’s system when that user visits a specially crafted website. It affects IE 6, 7 and 8 on most versions of Windows. The severity is listed as Low to Critical depending on the combination of CVE, IE version and Windows version; Windows Server operating systems are generally rated lower because of their Enhanced Security Configuration. IE9 is not affected on any version of Windows. It is worth noting that the CanSecWest Pwn2Own vulnerability affecting IE is patched by this bulletin, and Microsoft Security Research & Defense has published a blog post discussing the issue [1].
MS11-019
This is the first of (at least) two bulletins that contain more than just the externally reported vulnerabilities. Microsoft undertook an initiative to harden SMB, since it has recently been a target for attackers. The Microsoft Security Research & Defense blog has more details on Microsoft’s specific actions [2], but they definitely fixed more than the two CVEs publicly disclosed in this bulletin.
MS11-020
This is the second bulletin to contain additional fixes, also part of Microsoft’s SMB hardening initiative. The single CVE in this bulletin, however, is the reason to apply this patch as soon as possible: an unauthenticated remote code execution vulnerability in SMB that has the potential to be as dangerous as MS08-067 and affects all supported versions of Windows, including Windows 7 SP1.
MS11-021
This bulletin relates to Microsoft Office, specifically Excel, on all versions of Windows as well as Microsoft Office for Mac. It addresses nine CVEs, each of which could give an attacker complete access to a user’s system through a specially crafted Excel document. Because Excel prompts the user and more than a single user action is needed to complete the exploit, the rating is reduced from a possible Critical to Important for all affected versions of the application across all operating systems.
MS11-022
As with MS11-021, this bulletin corrects the threat of code execution from specially crafted Microsoft Office documents, in this case PowerPoint documents. It likewise affects all versions of Microsoft Office across all Windows operating systems as well as Office for Mac, but addresses only three CVEs. All of the updates are rated Important, again because the user is prompted before a potentially harmful document is opened and more than a single user action is required.
MS11-023
MS11-023 deals with Microsoft Office and addresses two vulnerabilities. CVE-2011-0107 concerns the way Microsoft Office loads external libraries: an attacker can gain access to a user’s computer by placing a crafted DLL in the same folder as a legitimate Office file, so that Office picks up the attacker’s library when the document is opened. CVE-2011-0977 addresses the way Microsoft Office handles graphic objects in Office documents. Both vulnerabilities affect only Microsoft Office 2007 and earlier on all Windows operating systems, as well as Microsoft Office 2004 and 2008 for Mac; the Open XML File Format Converter for Mac is also affected. The Aggregate Severity Rating for all situations is Important.
MS11-024
This bulletin deals with one CVE and affects the built-in Windows Fax Cover Page Editor in all versions of Windows starting with XP and Server 2003. Without the update, an attacker can take advantage of the way the Windows Fax Cover Page Editor improperly parses specially crafted fax cover pages. The Aggregate Severity Rating for all situations is Important. One thing to note is that, by default, no application is registered to handle *.cov files, so a crafted cover page does not open simply by being double-clicked.
MS11-025
This bulletin fixes a type of vulnerability that we’ve become all too familiar with: a DLL preloading vulnerability. In this case the vulnerability exists in the ATL MFC Trace Tool, which means all Visual Studio products are affected.
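The DLL preloading pattern behind both MS11-023 and MS11-025 has two preconditions on the victim host: the current working directory is still part of the DLL search order, and a document the user will open sits next to a DLL the opening application may pick up. The following script, an added example that is not part of the VERT Alert or of Microsoft’s bulletins, audits both. It reads the CWDIllegalInDllSearch value that Microsoft documents in KB2264107 as the system-wide mitigation, then lists DLLs that share a folder with Office documents under a path you choose. The scan root, the document extension list and the output fields are assumptions; the script needs PowerShell 2.0 or later and read access to the scanned location.

```powershell
# Added example (not code from the VERT Alert or from Microsoft): audit a host for
# the two preconditions of the DLL preloading attacks fixed by MS11-023 and MS11-025.
# Assumes PowerShell 2.0 or later. ScanRoot is an assumption: point it at a share
# or download folder that users open documents from.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads"
)

# 1. Is the current working directory still in the DLL search order?
# KB2264107 documents CWDIllegalInDllSearch (REG_DWORD) as the system-wide switch:
#   0xFFFFFFFF  remove the CWD from the DLL search order entirely
#   2           block DLL loads when the CWD is a remote folder (UNC or WebDAV)
#   1           block DLL loads when the CWD is a WebDAV folder
#   0 / absent  default order: the CWD is searched before PATH, so a DLL beside a
#               document on a share can satisfy the application's LoadLibrary call
$smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$cwdFlag = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).CWDIllegalInDllSearch

if ($cwdFlag -eq $null -or $cwdFlag -eq 0) {
    Write-Warning 'CWDIllegalInDllSearch is not set: the current directory is searched for DLLs before PATH'
} elseif ($cwdFlag -eq -1) {   # a REG_DWORD of 0xFFFFFFFF reads back as the Int32 -1
    Write-Output 'CWDIllegalInDllSearch = 0xFFFFFFFF: current directory removed from the DLL search order'
} elseif ($cwdFlag -eq 2) {
    Write-Output 'CWDIllegalInDllSearch = 2: DLL loads from a remote current directory are blocked'
} elseif ($cwdFlag -eq 1) {
    Write-Output 'CWDIllegalInDllSearch = 1: DLL loads from a WebDAV current directory are blocked'
} else {
    Write-Warning "CWDIllegalInDllSearch = $cwdFlag is not a value documented in KB2264107"
}

# 2. Where do a document a user will open and a DLL the opening application might
#    load sit in the same folder? (The extension list is an assumption.)
$docExt = @('.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.rtf')

Get-ChildItem -Path $ScanRoot -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.dll' } |
    ForEach-Object {
        $dll  = $_
        $docs = @(Get-ChildItem -Path $dll.DirectoryName -ErrorAction SilentlyContinue |
                  Where-Object { -not $_.PSIsContainer -and ($docExt -contains $_.Extension.ToLower()) })
        if ($docs.Count -gt 0) {
            # An unsigned DLL beside a document is the typical planted-library case; a validly
            # signed one still deserves a look at who signed it and why it is there.
            $sig    = Get-AuthenticodeSignature -FilePath $dll.FullName
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                Folder    = $dll.DirectoryName
                Dll       = $dll.Name
                Signature = $sig.Status
                Signer    = $signer
                Documents = ($docs | ForEach-Object { $_.Name }) -join ', '
            }
        }
    }
```

Run it against a departmental share (`.\Audit-DllPreload.ps1 -ScanRoot '\\fileserver\docs' | Format-Table -AutoSize`) rather than a system directory: a DLL next to a document is only interesting where documents get opened. Setting CWDIllegalInDllSearch to 0xFFFFFFFF is the broad fix, but it can break applications that legitimately load DLLs from the working directory, so the value 2 (remote folders only) is the usual compromise while the MS11-023 and MS11-025 patches roll out.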
MS11-026
This bulletin contains the long-awaited patch for CVE-2011-0096, for which a security advisory was first released on January 28th, 2011 [3]. The actual vulnerability here is a cross-site scripting (XSS) issue caused by the way in which MHTML interprets MIME-formatted requests. Methods of attacking this vulnerability have been publicly released.
MS11-027
MS11-027 corrects three vulnerabilities, each affecting a different ActiveX control. The affected components, Microsoft Internet Explorer 8 Developer Tools, Microsoft WMITools and Microsoft Windows Messenger, each give an attacker the opportunity to use a specially crafted webpage to gain access to a user’s system. Additionally, kill bits are set for several third-party controls when this update is applied.
MS11-028
This bulletin addresses a critical vulnerability that affects .NET Framework versions 2.0, 3.5 and 4 on all Windows operating systems. Attackers can make use of it in two different ways: by crafting a webpage and having a user view it in a browser capable of running XAML Browser Applications (XBAPs), or by uploading a crafted ASP.NET page to a server running IIS and having the server process it. Either path can allow an attacker to gain control of the system. Individual updates were made available for each combination of operating system and .NET version.
MS11-029
This bulletin addresses a critical vulnerability across most versions of Windows. The issue can allow remote code execution when a user opens a specially crafted EMF image file or views a webpage containing one.
MS11-030
MS11-030 addresses a DNS-related issue in most versions of Windows. An attacker could take advantage of this vulnerability by using a crafted application to send specially crafted LLMNR broadcast queries to the target. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the NetworkService account. It is rated Important on all XP and Server 2003 systems and Critical on all Vista, Windows 7 and Server 2008 systems.
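Until the MS11-030 patch is deployed, the exposure is whatever answers LLMNR on UDP 5355. The following script, an added example that is not from the VERT Alert or from Microsoft, reports whether LLMNR is disabled through the “Turn off multicast name resolution” policy (the EnableMulticast value under the DNS Client policy key), lists any process bound to the LLMNR port, and with -Fix applies the two interim workarounds: setting that policy value and blocking inbound UDP 5355 at the host firewall. It assumes an elevated PowerShell 2.0 or later session on Vista, Server 2008 or Windows 7 (netsh advfirewall is not available on XP or Server 2003); the firewall rule name is an assumption.

```powershell
# Added example (not code from the VERT Alert or from Microsoft): report a host's
# LLMNR exposure for MS11-030 and, with -Fix, apply interim workarounds.
# Assumes an elevated PowerShell 2.0+ session on Vista / Server 2008 / Windows 7.
param(
    [switch]$Fix
)

# The Group Policy setting "Turn off multicast name resolution" (Computer Configuration >
# Administrative Templates > Network > DNS Client) lands here as EnableMulticast = 0.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$mc = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).EnableMulticast

if ($mc -eq 0) {
    Write-Output 'LLMNR is disabled by policy (EnableMulticast = 0)'
} else {
    Write-Warning 'LLMNR is enabled: the DNS Client service answers multicast name queries on UDP 5355'
}

# Whatever is bound to UDP 5355 is the surface the bulletin describes; the DNS Client
# service (running as NetworkService) is the expected listener on an unpatched host.
$listeners = netstat -ano -p UDP | Select-String ':5355\s'
if ($listeners) {
    Write-Output 'UDP 5355 listeners (local address, foreign address, PID):'
    $listeners | ForEach-Object { Write-Output $_.Line }
}

$ruleName = 'Block LLMNR inbound (MS11-030 workaround)'   # assumption: any name will do
if ($Fix) {
    # Workaround 1: set the same value Group Policy would, so the service stops listening.
    if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
    Set-ItemProperty -Path $polKey -Name EnableMulticast -Value 0 -Type DWord
    # Workaround 2: drop inbound LLMNR at the host firewall regardless of service state.
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=UDP localport=5355 | Out-Null
    Write-Output 'Applied EnableMulticast = 0 and an inbound block on UDP 5355; restart the DNS Client service or reboot for the policy value to take effect'
} else {
    $rule = netsh advfirewall firewall show rule name="$ruleName" 2>$null
    if ($rule -match 'Rule Name') {
        Write-Output "Firewall rule '$ruleName' is present"
    } else {
        Write-Output "No firewall rule named '$ruleName'; run with -Fix to add it"
    }
}
```

On a domain-joined machine the registry value written by -Fix is owned by Group Policy and will be overwritten at the next refresh, so push the “Turn off multicast name resolution” setting through a GPO instead and keep the firewall rule as the local backstop. Both workarounds are temporary: LLMNR is what lets hosts resolve each other’s names on a network without a DNS server, and the bulletin itself is the real fix.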
MS11-031
The CVE in MS11-031 is a vulnerability affecting VBScript and JScript. The most interesting aspect of this advisory is that while VBScript 5.8 and JScript 5.8 are affected, they are not affected when installed with Internet Explorer 9.
MS11-032
This bulletin addresses a vulnerability in the OpenType Font (OTF) driver. This is becoming a commonly patched driver: it was last patched in February, and before that in December.
MS11-033
MS11-033 describes a vulnerability in Microsoft WordPad that occurs when opening specially crafted Word documents and could allow code execution.
MS11-034
The final bulletin on this record-breaking Patch Tuesday is a record setter itself: 30 of the 64 CVEs patched this month are included in this single bulletin. In addition, all 30 vulnerabilities were discovered by a single individual, Tarjei Mandt of Norman. They are all local elevation of privilege vulnerabilities affecting all versions of Windows, including Windows 7 Service Pack 1. Microsoft SR&D has released a blog post outlining the classes of vulnerabilities patched by this update [4].
| Exploit Difficulty | Bulletins |
|---|---|
| Automated Exploit | MS11-025, MS11-019 |
| Easy | MS11-024 |
| Moderate | MS11-023 |
| Difficult | |
| Extremely Difficult | MS11-018 |
| No Known Exploit | MS11-021, MS11-030, MS11-020 |

Exposure categories used by the matrix: Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged
As always VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
All data and commentary are based on information available when the VERT Alert is published. The VERT Alert may be updated on the nCircle website as new information surfaces: http://www.ncircle.com/index.php?s=resources_VERT-Alert.
[1] http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-018-addresses-the-ie8-pwn2own-vulnerability.aspx
[2] http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-019-and-ms11-020-april-smb-updates.aspx
[3] http://www.microsoft.com/technet/security/advisory/2501696.mspx
[4] http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx