Microsoft Patch Tuesday – February 2011

Hello and welcome to this month’s blog on the Microsoft patch release. This is a fairly busy month: the vendor is releasing 12 bulletins covering a total of 22 vulnerabilities. Five of the issues are rated ‘Critical’ and they affect Internet Explorer, OpenType Fonts, and Windows Shell Graphics processing. The remaining issues are rated ‘Important’ and ‘Moderate’ and affect the Windows kernel, Visio, Active Directory, Internet Explorer, Internet Information Services, and Windows.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the February releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms11-feb.mspx

The following is a breakdown of some of the notable issues being addressed this month:

1. MS11-003 Cumulative Security Update for Internet Explorer (2482017)

CVE-2010-3971 (BID 45246) Microsoft Internet Explorer CSS Parsing Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 8.5/10)

A previously public (Dec 8, 2010) remote code-execution vulnerability affects Internet Explorer when parsing Cascading Style Sheet (CSS) expressions. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2011-0035 (BID 46157) Microsoft Internet Explorer CVE-2011-0035 Uninitialized Memory Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has not been properly initialized, or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2011-0036 (BID 46158) Microsoft Internet Explorer CVE-2011-0036 Uninitialized Memory Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has not been properly initialized, or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2011-0038 (BID 46159) Microsoft Internet Explorer DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Moderate / Symantec Rating: 8.5/10)

A remote code-execution vulnerability affects Internet Explorer due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening an HTML file from a remote WebDAV or SMB share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

2. MS11-006 Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)

CVE-2010-3970 (BID 45662) Microsoft Windows 'CreateSizedDIBSECTION()' Thumbnail View Stack Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Rating: 8.5/10)

A previously public (Jan 4, 2011) remote code-execution vulnerability affects the Windows Shell graphics processor. The problem occurs in the 'CreateSizedDIBSECTION()' function of the 'shimgvw.dll' file when handling malformed thumbnails. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious thumbnail image. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

3. MS11-007 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)

CVE-2011-0033 (BID 46106) Microsoft Windows OpenType Compact Font Format Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)

A remote code-execution vulnerability affects the OpenType Compact Font Format (CFF) driver. An attacker can exploit this issue by hosting a specially malformed OpenType font on a remote share and tricking an unsuspecting victim into navigating to it. When the font is processed, attacker-supplied code will execute in the context of the currently logged-in user.

4. MS11-004 Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256)

CVE-2010-3972 (BID 45542) IIS Microsoft IIS FTP Service Remote Buffer Overflow Vulnerability (MS Rating: Important / Symantec Rating: 8.9/10)

A previously public (Dec 21, 2010) buffer-overflow vulnerability affects the Internet Information Services (IIS) FTP service. The problem occurs in the 'TELNET_STREAM_CONTEXT::OnSendData()' function of the 'ftpsvc.dll' library when processing certain FTP commands. A remote attacker can exploit this issue to execute arbitrary code in the context of the affected application.

5. MS11-008 Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2451879)

CVE-2011-0092 (BID 46137) Microsoft Visio Object Memory Corruption (CVE-2011-0092) Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Visio. An attacker can exploit this issue by tricking an unsuspecting victim into opening a specially crafted Visio file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2011-0093 (BID 46138) Microsoft Visio Data Type Memory Corruption (CVE-2011-0093) Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Visio when parsing certain structures. An attacker can exploit this issue by tricking an unsuspecting victim into opening a specially crafted Visio file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
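For patch triage, the entry header lines above can be parsed and ranked, which also surfaces the issues where the vendor rating and the Symantec score diverge. This is an added example, not part of the original post; the function names and the 8.0 cut-off are assumptions made for illustration, and the input is the header lines copied from this page.

```python
import re

# Header lines copied from the entries on this page (one per CVE).
ENTRIES = """\
CVE-2010-3971 (BID 45246) Microsoft Internet Explorer CSS Parsing Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 8.5/10)
CVE-2011-0035 (BID 46157) Microsoft Internet Explorer CVE-2011-0035 Uninitialized Memory Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
CVE-2011-0036 (BID 46158) Microsoft Internet Explorer CVE-2011-0036 Uninitialized Memory Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
CVE-2011-0038 (BID 46159) Microsoft Internet Explorer DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Moderate / Symantec Rating: 8.5/10)
CVE-2010-3970 (BID 45662) Microsoft Windows 'CreateSizedDIBSECTION()' Thumbnail View Stack Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Rating: 8.5/10)
CVE-2011-0033 (BID 46106) Microsoft Windows OpenType Compact Font Format Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)
CVE-2010-3972 (BID 45542) IIS Microsoft IIS FTP Service Remote Buffer Overflow Vulnerability (MS Rating: Important / Symantec Rating: 8.9/10)
CVE-2011-0092 (BID 46137) Microsoft Visio Object Memory Corruption (CVE-2011-0092) Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)
CVE-2011-0093 (BID 46138) Microsoft Visio Data Type Memory Corruption (CVE-2011-0093) Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)
"""

# The title may itself contain parentheses, so it is matched lazily and the
# rating block is anchored to the end of the line.
HEADER = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+\(BID (?P<bid>\d+)\)\s+(?P<title>.+?)\s+"
    r"\(MS Rating: (?P<ms>\w+) / Symantec Rating: (?P<sym>\d+(?:\.\d+)?)/10\)$"
)
MS_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


def parse(text):
    """Return one dict per header line; lines in any other shape are skipped."""
    rows = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rows.append({"cve": m["cve"], "bid": int(m["bid"]), "title": m["title"],
                         "ms": m["ms"], "sym": float(m["sym"])})
    return rows


def patch_order(rows):
    """Highest Symantec score first; vendor rating, then CVE id, break ties."""
    return sorted(rows, key=lambda r: (-r["sym"], -MS_RANK[r["ms"]], r["cve"]))


def underrated(rows, threshold=8.0):
    """CVEs the vendor rates below Critical but Symantec scores >= threshold.

    The threshold is an assumption of this example, not a value from the page.
    """
    return [r["cve"] for r in rows if r["ms"] != "Critical" and r["sym"] >= threshold]


if __name__ == "__main__":
    rows = parse(ENTRIES)
    for r in patch_order(rows):
        print(f'{r["sym"]:>4}  {r["ms"]:<9}  {r["cve"]}  (BID {r["bid"]})')
    print("Rated below Critical but scored >= 8.0:", underrated(rows))
```
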

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.