October 11, 2011 4:37 PM (PT)
The nCircle VERT Alert is brought to you by nCircle VERT, nCircle's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.
Today's VERT Alert addresses 8 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-425 on Wednesday, October 12th.
| Vulnerability | CVE |
|---|---|
| Active Accessibility Insecure Library Loading Vulnerability | CVE-2011-1247 |
| Media Center Insecure Library Loading Vulnerability | CVE-2011-2009 |
| Win32k Null Pointer De-reference Vulnerability | CVE-2011-1985 |
| Win32k TrueType Font Type Translation Vulnerability | CVE-2011-2002 |
| Font Library File Buffer Overrun Vulnerability | CVE-2011-2003 |
| Win32k Use After Free Vulnerability | CVE-2011-2011 |
| .NET Framework Class Inheritance Vulnerability | CVE-2011-1253 |
| ExcelTable Response Splitting XSS Vulnerability | CVE-2011-1895 |
| ExcelTable Reflected XSS Vulnerability | CVE-2011-1896 |
| Default Reflected XSS Vulnerability | CVE-2011-1897 |
| Poisoned Cup of Code Execution Vulnerability | CVE-2011-1969 |
| Null Session Cookie Crash | CVE-2011-2012 |
| Ancillary Function Driver Elevation of Privilege Vulnerability | CVE-2011-2005 |
| Scroll Event Remote Code Execution Vulnerability | CVE-2011-1993 |
| OLEAuto32.dll Remote Code Execution Vulnerability | CVE-2011-1995 |
| Option Element Remote Code Execution Vulnerability | CVE-2011-1996 |
| OnLoad Event Remote Code Execution Vulnerability | CVE-2011-1997 |
| Jscript9.dll Remote Code Execution Vulnerability | CVE-2011-1998 |
| Select Element Remote Code Execution Vulnerability | CVE-2011-1999 |
| Body Element Remote Code Execution Vulnerability | CVE-2011-2000 |
| Virtual Function Table Corruption Remote Code Execution Vulnerability | CVE-2011-2001 |
| Endless Loop DoS in snabase.exe Vulnerability | CVE-2011-2007 |
| Access of Unallocated Memory DoS Vulnerability | CVE-2011-2008 |
The first vulnerability patched this month, MS11-075, is the commonly patched DLL preloading (insecure library loading) attack. This time the vulnerability lies in the Microsoft Active Accessibility component.
MS11-075 is followed by a second DLL preloading vulnerability, MS11-076. This one affects Windows Media Center.
This bulletin resolves four vulnerabilities in Win32k.sys. The most serious of these leads to code execution when handling malicious font files (.fon); the remainder are elevation of privilege vulnerabilities.
The single vulnerability described in MS11-078 affects Silverlight and the .NET Framework. According to a blog post released by Microsoft, it is likely that we'll see exploit code for Silverlight 3 in the next 30 days. Even though Silverlight 3 has been identified as one of the more critical components, there is no patch available for it; users should upgrade to Silverlight 4 and apply the patch. There are multiple attack vectors, including local access to a .NET application and a browser-based scenario. There's also a slightly more interesting attack vector regarding web servers that allow custom ASP.NET application uploads. It's never advisable to allow application uploads, but in certain web hosting environments it is required, so this is definitely an attack vector to be aware of.
This bulletin describes vulnerabilities affecting Microsoft Forefront Unified Access Gateway, probably the least known piece of software in today's release. This bulletin fixes several XSS vulnerabilities and a cookie-related issue. The final issue relates to signed Java applets and is possibly in the running for best-named Microsoft vulnerability of the year, "Poisoned Cup of Code Execution Vulnerability".
The second bulletin related to .sys files today, MS11-080, patches an elevation of privilege vulnerability in the Ancillary Function Driver (AFD.sys).
The second-to-last bulletin this month addresses a number of Internet Explorer vulnerabilities affecting all versions of IE from 6 to 9. This was probably the most expected bulletin this month, even before the Advance Notification was released, so it shouldn't come as a surprise that this bulletin is marked critical and should be applied as soon as possible.
The final bulletin this month lists Microsoft Host Integration Server (HIS) as the only affected component, and discusses two denial of service vulnerabilities in HIS 2004, 2006, 2009, and 2010.
As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.
Ease of Use (published exploits) to Risk Table:
No Known Exploit
All data and commentary is based on information available when the VERT Alert is published. The VERT Alert may be updated on the nCircle website as new information surfaces: http://www.ncircle.com/index.php?s=resources_VERT-Alert.