Microsoft Patch Tuesday – April 2011

Hello and welcome to this month’s blog on the Microsoft patch release. This is by far the largest month: the vendor is releasing 17 bulletins covering a total of 64 vulnerabilities.

Thirteen of the issues are rated ‘Critical’ and they affect Internet Explorer, SMB Server, SMB Client, the OpenType Compact Font Format, and GDI+. One of the bulletins this month addresses a record 30 local privilege-escalation vulnerabilities in the Windows kernel-mode drivers.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the April releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms11-apr.mspx

The following is a breakdown of some of the ‘Critical’ issues being addressed this month:

1. MS11-018 Cumulative Security Update for Internet Explorer (2497640)

CVE-2011-0094 (BID 47190) Microsoft Internet Explorer Layout Handling Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 8.5/10) A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has not been properly initialized, or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2011-0346 (BID 45639) Microsoft Internet Explorer 'ReleaseInterface()' Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.5/10) A previously public (Jan 1, 2011) remote code-execution vulnerability affects Internet Explorer in the 'ReleaseInterface()' function of the 'MSHTML.DLL' library. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2011-1345 (BID 46821) Microsoft Internet Explorer Multiple Unspecified Remote Code Execution Vulnerabilities (MS Rating: Critical / Symantec Rating: 8.5/10) A previously public (Mar 9, 2011) remote code-execution vulnerability affects Internet Explorer. This issue was disclosed as part of the Pwn2Own 2011 contest. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

2. MS11-020 Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)

CVE-2011-0661 (BID 47198) Microsoft Windows SMB Transaction Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10) A remote code-execution vulnerability affects SMB Server when handling specially crafted SMB packets. An attacker can exploit this issue by sending a malicious packet to a remotely accessible server. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the affected application. This may facilitate a complete compromise of the affected computer.

3. MS11-032 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)

CVE-2011-0034 (BID 47179) Microsoft Windows OpenType Font (OTF) Driver Stack Overflow Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10) A remote code-execution vulnerability affects the OpenType Compact Font Format (CFF) driver when handling specially formatted fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a specially crafted OpenType font. A successful exploit will result in the execution of arbitrary attacker-supplied code with kernel-level privileges.

4. MS11-028 Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)

CVE-2010-3958 (BID 47223) Microsoft .NET Framework x86 JIT compiler Stack Corruption Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10) A remote code-execution vulnerability affects the .NET Framework due to how the x86 JIT compiler handles certain function calls. An attacker can exploit this issue either through a malicious web site, or through a site that allows the uploading of .NET applications, to execute arbitrary code as the currently logged-in user or in the context of the affected site.

5. MS11-019 Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)

CVE-2011-0654 (BID 46360) Microsoft Windows 'BROWSER ELECTION' Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Rating: 9.6/10) A previously public (Feb 14, 2011) remote code-execution vulnerability affects the Common Internet File System (CIFS) browser protocol. An attacker can exploit this issue by sending a specially crafted message to an affected computer. A successful exploit will result in the execution of arbitrary attacker-supplied code with SYSTEM-level privileges.

CVE-2011-0660 (BID 47239) Microsoft Windows SMB Client Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.8/10) A remote code-execution vulnerability affects the SMB client when validating certain SMB responses. An attacker can exploit this issue by tricking an unsuspecting victim into connecting to a malicious SMB server. A successful exploit will result in the execution of arbitrary attacker-supplied code with SYSTEM-level privileges.

6. MS11-029 Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)

CVE-2011-0041 (BID 47250) Microsoft GDI+ EMF Image Processing Integer Overflow Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10) A remote code-execution vulnerability affects GDI+ when handling integer calculations. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious Enhanced Metafile (EMF) image file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
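As an added example (not Microsoft's or Symantec's tooling), the following PowerShell snippet checks the local host for the six ‘Critical’ bulletins broken down above, using the KB numbers quoted in each bulletin title:

```powershell
# Added example: audit the local host for the April 2011 bulletins listed in this post.
# The KB numbers are the ones quoted in the bulletin titles above; nothing else is assumed.
$bulletins = @{
    'MS11-018' = 'KB2497640'   # Cumulative Security Update for Internet Explorer
    'MS11-019' = 'KB2511455'   # SMB Client
    'MS11-020' = 'KB2508429'   # SMB Server
    'MS11-028' = 'KB2484015'   # .NET Framework
    'MS11-029' = 'KB2489979'   # GDI+
    'MS11-032' = 'KB2507618'   # OpenType CFF driver
}

# Get-HotFix reads the Win32_QuickFixEngineering inventory of installed updates.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$missing = @()
foreach ($entry in ($bulletins.GetEnumerator() | Sort-Object Name)) {
    if ($installed -contains $entry.Value) {
        '{0} ({1}): installed' -f $entry.Name, $entry.Value
    } else {
        '{0} ({1}): MISSING' -f $entry.Name, $entry.Value
        $missing += $entry.Name
    }
}

if ($missing.Count -gt 0) {
    Write-Warning ('Bulletins not yet applied: ' + ($missing -join ', '))
}
```

Win32_QuickFixEngineering lists only updates delivered as Windows Update packages, so an update installed through an MSI (as some .NET Framework updates are) may be reported as MISSING even when present; confirm any MS11-028 result against Programs and Features before acting on it.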

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.