July 12, 2011 4:45 PM (PT)
The nCircle VERT Alert is brought to you by nCircle VERT, nCircle's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.
Today's VERT Alert addresses 4 new Microsoft Security Bulletins. VERT is actively working on coverage for this bulletin in order to meet our 24-hour SLA and expects to ship ASPL-411 on Wednesday, July 13th.
| Bluetooth Stack Vulnerability | CVE-2011-1265 | |
| Win32k Use After Free Vulnerability | CVE-2011-1874 | |
| Win32k Use After Free Vulnerability | CVE-2011-1875 | |
| Win32k Use After Free Vulnerability | CVE-2011-1876 | |
| Win32k Use After Free Vulnerability | CVE-2011-1877 | |
| Win32k Use After Free Vulnerability | CVE-2011-1878 | |
| Win32k Use After Free Vulnerability | CVE-2011-1879 | |
| Win32k Null Pointer De-reference Vulnerability | CVE-2011-1880 | |
| Win32k Null Pointer De-reference Vulnerability | CVE-2011-1881 | |
| Win32k Use After Free Vulnerability | CVE-2011-1882 | |
| Win32k Use After Free Vulnerability | CVE-2011-1883 | |
| Win32k Use After Free Vulnerability | CVE-2011-1884 | |
| Win32k Null Pointer De-reference Vulnerability | CVE-2011-1885 | |
| Win32k Incorrect Parameter Allows Information Disclosure Vulnerability | CVE-2011-1886 | |
| Win32k Null Pointer De-reference Vulnerability | CVE-2011-1887 | |
| Win32k Null Pointer De-reference Vulnerability | CVE-2011-1888 | |
| Microsoft Visio Insecure Library Loading Vulnerability | CVE-2010-3148 | |
| CSRSS Local EOP AllocConsole Vulnerability | CVE-2011-1281 | |
| CSRSS Local EOP SrvSetConsoleLocalEUDC Vulnerability | CVE-2011-1282 | |
| CSRSS Local EOP SrvSetConsoleNumberOfCommand Vulnerability | CVE-2011-1283 | |
| CSRSS Local EOP SrvWriteConsoleOutput Vulnerability | CVE-2011-1284 | |
| CSRSS Local EOP SrvWriteConsoleOutputString Vulnerability | CVE-2011-1270 |
MS11-053
The first vulnerability patched this month is interesting because it affects the Windows Bluetooth 2.1 stack. Vista and Windows 7 users are affected, however Vista Service Pack 1 users are only affected if they've installed the 'Windows Vista Feature Pack for Wireless'. Microsoft has released an excellent blog post documenting the issue and the reasons why it isn't as critical as a proximity based code execution vulnerability could be. See http://blogs.technet.com/b/srd/archive/2011/07/12/ms11-053-vulnerability-in-the-bluetooth-stack-could-allow-remote-code-execution.aspx.MS11-054
The 15 CVEs patched in MS11-054 are representative of a new patching trend from Microsoft. The bulletin replaces two other bulletins, both of which were also released this year, one of which replaces another bulletin from this year. The first bulletin of this year affecting this software fixed a bulletin from December 2010, meaning that in 8 rounds of Patch Tuesday we've seen 5 patches for Win32k. As always, these are local elevation of privilege vulnerabilities.
MS11-055
There's not much to say this, it's another DLL Preloading attack vector that's being resolved. This one is in Microsoft Visio.
MS11-056
There are 5 privilege escalation issues affecting the Windows Client/Server Run-time Subsystem in this bulletin. We saw similar issues patched in February. It's safe to assume that privilege escalation vulnerabilities are becoming more popular, as the quantity found continues to rise.
As always VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
Ease of Use (published exploits) to Risk Table:
Automated Exploit |
|||||||
Easy |
|||||||
Moderate |
|||||||
Difficult |
|||||||
Extremely Difficult |
|||||||
No Known Exploit |
|||||||
Exposure |
Local Availability |
Local Access |
Remote Availability |
Remote Access |
Local Privileged |
Remote Privileged |
All data and commentary is based on information available when the VERT Alert is published. The VERT Alert may be updated on the nCircle website as new information surfaces: http://www.ncircle.com/index.php?s=resources_VERT-Alert.