February 14, 2012 4:10 PM (PT)
The nCircle VERT Alert is brought to you by nCircle VERT, nCircle's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.
Today's VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-445 on Wednesday, February 15th.
| Vulnerability | CVE |
|---|---|
| GDI Access Violation Vulnerability | CVE-2011-5046 |
| Keyboard Layout Use After Free Vulnerability | CVE-2012-0154 |
| AfdPoll Elevation of Privilege Vulnerability | CVE-2012-0148 |
| Ancillary Function Driver Elevation of Privilege Vulnerability | CVE-2012-0149 |
| Copy and Paste Information Disclosure Vulnerability | CVE-2012-0010 |
| HTML Layout Remote Code Execution Vulnerability | CVE-2012-0011 |
| Null Byte Information Disclosure Vulnerability | CVE-2012-0012 |
| VML Remote Code Execution Vulnerability | CVE-2012-0155 |
| XSS in inplview.aspx Vulnerability | CVE-2012-0017 |
| XSS in themeweb.aspx Vulnerability | CVE-2012-0144 |
| XSS in wizardlist.aspx Vulnerability | CVE-2012-0145 |
| Color Control Panel Insecure Library Loading Vulnerability | CVE-2012-5082 |
| Msvcrt.dll Buffer Overflow Vulnerability | CVE-2012-0150 |
| Indeo Codec Insecure Library Loading Vulnerability | CVE-2012-3138 |
| VSD File Format Memory Corruption Vulnerability | CVE-2012-0019 |
| VSD File Format Memory Corruption Vulnerability | CVE-2012-0020 |
| VSD File Format Memory Corruption Vulnerability | CVE-2012-0136 |
| VSD File Format Memory Corruption Vulnerability | CVE-2012-0137 |
| VSD File Format Memory Corruption Vulnerability | CVE-2012-0138 |
| AfdPoll Elevation of Privilege Vulnerability | CVE-2012-0014 |
| .NET Framework Unmanaged Objects Vulnerability | CVE-2012-0015 |
The first bulletin this month resolves two vulnerabilities affecting the Windows Kernel Mode Drivers. One of these vulnerabilities has been discussed publicly and proof of concept code has been released. Both of these vulnerabilities affect all supported Windows operating systems.
The two vulnerabilities patched by MS12-009 could lead to privilege escalation due to vulnerabilities in the Ancillary Function Driver (AFD.sys). While one of these vulnerabilities (CVE-2012-0149) only affects Windows Server 2003, the other vulnerability (CVE-2012-0148) affects all 64-bit operating systems.
This month's Internet Explorer update resolves 4 vulnerabilities. The interesting twist here is that all four vulnerabilities affect Internet Explorer 9, while only one of the four affects IE6.
The fourth bulletin this month fixes three cross-site scripting vulnerabilities affecting SharePoint Server and SharePoint Foundation 2010.
This bulletin is the first of two resolving DLL Preloading issues this month; this one is found in the Color Control Panel.
This bulletin, the most critical after MS12-010, is probably the one that will draw the most attention. Seeing that the C Run-Time is affected is a big deal; luckily, the only known attack vector is via Windows Media Player. While that's still a concern, and enough to rank this vulnerability as Critical, it makes it less scary than it could be. Please note that third-party software could provide additional attack vectors to hit the vulnerable code. Microsoft has released a blog post that contains additional details as well as guidance for third-party application developers.
The second DLL Preloading issue this month affects the Indeo codec, which has been around since 1992 and warranted its own blog post, which is a very interesting read and definitely recommended.
The award for most CVEs in a bulletin this month goes to MS12-015 for five vulnerabilities related to the Visio document format (VSD).
The final bulletin this month affects .NET Framework and Silverlight. One of these two vulnerabilities has been disclosed publicly, and the latest versions of this software (.NET 4 and Silverlight 4) are only affected by the other vulnerability.
VERT will also be releasing updates to detect the new Adobe Shockwave vulnerabilities reported in APSB12-02.
As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.
Ease of Use (published exploits) to Risk Table:
No Known Exploit
All data and commentary is based on information available when the VERT Alert is published. The VERT Alert may be updated on the nCircle website as new information surfaces: http://www.ncircle.com/index.php?s=resources_VERT-Alert.