Hello and welcome to this month’s blog on the Microsoft patch release. This is a quiet month —the vendor is releasing three bulletins covering a total of four vulnerabilities. Only one of the issues is rated ‘Critical’ and it affects Media Player and Media Center. The remaining issues, affecting DirectShow, Groove, and Remote Desktop Client, are rated ‘Important’, and are all due to how the applications load Dynamic Linked Library (DLL) files. As always, customers are advised to follow these security best practices:
- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.
Microsoft’s summary of the March releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms11-mar.mspx
The following is a breakdown of the issues being addressed this month:
1. MS11-015 Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
CVE-2011-0032 (BID 46682) Microsoft DirectShow DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)
A remote code-execution vulnerability affects DirectShow due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.wtv’, ‘.drv-ms’, or ‘.mpg’ file from a remote network share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
Affects: Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, Windows Server 2008 R2 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems SP1, and Windows Media Center TV Pack for Windows Vista 32-bit and 64-bit editions
CVE-2011-0042 (BID 46680) Microsoft Windows Media Player/Windows Media Center '.dvr-ms' File Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Media Player and Media Center due to how they handle ‘DVR-MS’ files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
Affects: Windows XP Media Center Edition 2005 SP3, Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, and Windows Media Center TV Pack for Windows Vista 32-bit and 64-bit editions
2. MS11-016 Microsoft Groove 2007 'mso.dll' DLL Loading Arbitrary Code Execution Vulnerability (2494047)
CVE-2010-3146 (BID 42695) Microsoft Groove Insecure Library Loading Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)
A previously public (Aug. 25, 2010) remote code-execution vulnerability affects Groove due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.vcg’ or ‘.gta’ file from a remote network share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
Affects: Office Groove 2007 SP2
3. MS11-017 Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)
CVE-2011-0029 (BID 46678) Microsoft Remote Desktop Connection Client DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)
A remote code-execution vulnerability affects Remote Desktop Client due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.rdp’ file from a remote network share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
Affects: Remote Desktop Connection 5.2, 6.0, 6.1, and 7.0
More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.