Microsoft Patch Tuesday, December 2011
This Patch Tuesday, there are 3 new Critical and 10 new Important Bulletins. With this many high-urgency bulletins, it's tough to get a handle on which ones to tackle first. Of course, "all of them" is the standard answer, but these bulletins contain fixes across Windows, Office, and Internet Explorer, so for the WordPerfect and NCSA Mosaic zealots among you, it's gloating time again. You obscurity junkies, you.
File-based Vulnerabilities
These bulletins detail vulnerabilities that will generally be exploited via a specially crafted file. This a broad classification, since these files could be hosted on a web site and downloaded by an unsuspecting victim. The differentiator here is that the user would have to "open" the file, rather than just browsing to the page, so some level of social engineering needs to happen here.
MS11-087 / KB2639417
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
Critical
CVE-2011-3402, TrueType Font Parsing Vulnerability
One of two Top Priority Bulletins for December, this one offers a patch that deals with the Duqu Trojan's favorite method of entry. Actually, the TrueType vulnerability described could be delivered via a document or web page, so it's the most "flexible" of the described vulnerabilities. It was previously disclosed by Microsoft, therefore most vendors, Trustwave included, have already deployed detection logic for this issue.
MS11-092 / KB2648048
Vulnerability in Windows Media Could Allow Remote Code Execution
Critical
CVE-2011-3401, Windows Media Player DVR-MS Memory Corruption
The other Top Bulletin, this one deals with Microsoft Digital Video Recording (.dvr-ms) files. There's a parsing flaw regarding these files that can lead to RCE. An easy counter-measure here is to disallow this extension altogether at the email gateway. I mean, who emails .dvr-ms files? (except people wanting to show you footage from their family vacation, which should be blocked out-of-hand anyway. it's win-win.)
MS11-089 / KB2590602
Vulnerabilities in Microsoft Office could allow for Remote Code Execution
Important
CVE-2011-1983, Word Access Violation Vulnerability
This one deals with malicious Word documents; a successful attack grants full privileges of the user running Word. This Word vulnerability actually works cross-platform, affecting Office 2007/ 2010 for Windows and Office 2011 for Mac. So the next time the Apple fanboy starts up again over lunch, just say "CVE-2011-1983" and you should be able to eat in peace.
MS11-091 / KB2607702
Vulnerabilities in Microsoft Publisher could allow Remote Code Execution
Important
CVE-2011-3410, Publisher out of bounds array index vulnerability
CVE-2011-3411, Publisher Invalid Pointer Vulnerability
CVE-2011-3412, Publisher Memory Corruption Vulnerability
Affects Office 2003 and 2007 versions of Microsoft Publisher only, 2010 is safe. Similar to the Word vulnerability, success here grants an attacker access equivalent to the user opening the infected file.
MS11-094 / KB2639142
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution
Important
CVE-2011-3413, Office Art Shape RCE Vulnerability
Another cross-platform vulnerability, this one affects PowerPoint 2007 / 2010 for Windows and PowerPoint 2008 for Mac. PowerPoint 2007 and 2008 are affected by the Office Art issue, which could be triggered via a malicious file.
CVE-2011-3396, PowerPoint Insecure Library Loading Vulnerability
The latter CVE describes the potential for something also known as "DLL Hijacking", and affects PowerPoint 2007 and 2010. DLL Hijacking is a method that takes advantage of the order in which Windows loads Dynamic Link Library (DLL) files in order to execute malicious code. This requires a malicious copy of a needed DLL to exist in the same directory (Current Working Directory) as the document being opened. The most common attack vector for this attack is a file share, but these need to be "mountable" shares such as Windows File Sharing (SMB) drives or WebDAV locations. The latter, being HTTP, is a bit more concerning since it's difficult to block at the firewall, unlike SMB.
MS11-093 / KB2624667
Vulnerability in Microsoft Windows OLE32 Could Allow Remote Code Execution
Important
CVE-2011-3400, KB2624667, OLE Property Vulnerability
Affecting Windows XP and Windows Server 2003, this vulnerability gives an attacker equivalent access to the victim user through a flaw in Windows' Object Linking and Embedding (OLE) system. OLE is found in many Microsoft Office applications and facilitates embedding and linking functions to external documents and objects. In other words, it's that thing that puts Excel spreadsheets inside a Word doc.
MS11-096 / KB2640241
Vulnerability in Microsoft Excel Could Allow Remote Code Execution
Important
CVE-2011-3403, Record Memory Corruption
Windows and Mac again! This time it's Excel 2003 for Windows and Office 2004 for Mac. Similar to other vulnerabilities, it offers RCE within the user's security context via a malicious file.
Web-based Vulnerabilities
These vulnerabilities target the web browser itself, rather than relying on the user to open a file.
MS11-087 / KB2639417
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
Critical
CVE-2011-3402, TrueType Font Parsing Vulnerability
This makes an appearance here as well due to the fact that a web browser could also call the affected library, T2EMBED.DLL, in order to render content. Malicious web sites are called out in the advisory as potentially problematic, in addition to malicious files.
MS11-090 / KB2618451
Cumulative Security Update for ActiveX Kill Bits
Critical
CVE-2011-3397, Microsoft Time Remote Code Execution Vulnerability
I like the name "Kill Bits", because they do exactly what it sounds like. They kill things. Like ActiveX controls that aren't supported anymore.
Basically, this one updates IE6 (yes, 6) so that it no longer allows the problematic ("#default#time") ActiveX control to be loaded. It's been deprecated for awhile in favor of ("#default#time2"), and after finding an exploitable issue with the 1.0 version, it was getting to be that time. Bit-killing time.
Also included are Kill Bits for a number of other ActiveX controls, old unsupported things from Dell, HP, and Yahoo! which were found to have vulnerabilities.
The following ModSecurity rule, thanks to Ryan Barnett, will help detect pages trying to use the now-defunct ActiveX control:
SecRule RESPONSE_BODY "@pm #default#time" "chain,phase:4,t:none,log,block,msg:'Potential IE6 Time Behavior Attack',tag:'CVE-2011-3397'"
SecRule RESPONSE_BODY "@rx \b#default#time\b"
MS11-099 / KB2618444
Cumulative Security Update for Internet Explorer
Important
CVE-2011-1992, XSS Filter Information Disclosure Vulnerability
The XSS Filter vulnerability is an interesting one – it is similar to "Blind SQL Injection" in that it allows a site to query a client in a trial-by-error fashion for the content of other sites that have been visited. Visiting a malicious website is required to exploit this vulnerability, but this often-ignored caveat from the bulletin reminds us that it's not as tough to pull off as it sounds:
"In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability."
We generally think about forums, especially when dealing with issues like XSS, but advertisements? Score one for no script and friends.
CVE-2011-2019, Internet Explorer Insecure Library Loading Vulnerability
The Insecure Library Loading Vulnerability is similar to the PowerPoint issue described above, only this time it's an html / DLL combo on a network drive that would drive the exploit. It's interesting that this even affects IE9, showing just how foundationally this DLL loading issue affects Windows applications.
Local / Domain Vulnerabilities
These provide elevated privileges to the affected host or domain environment, but require some level of authorization, usually via valid credentials.
MS11-095 / KB2640045
Vulnerability in Active Directory Could Allow Remote Code Execution
Important
CVE-2011-3406, Active Directory Buffer Overflow Vulnerability
This bulletin describes an issue where a user with valid Domain credentials could gain administrative privileges to the Domain itself. The vulnerability affects Servers 2003 and 2008, and also XP when running Active Directory Application Mode (ADAM), and Vista/7 when running Active Directory Lightweight Directory Services (AD LDS). That being said, the vulnerability relies on an existing record that matches a certain criteria. Still worthy of its "important" status however.
MS11-097 / KB2620712
Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege
Important
CVE-2011-3408, CSRSS Local Privilege Elevation Vulnerability
The Client/Server Run-time Subsystem (CSRSS) is an essential subsystem, and it has a flaw that allows privilege escalation. Valid credentials are required, but since CSRSS runs with system privileges, compromise of this component results in the same level of access. This flaw affects the gamut: Windows XP/2003/2008/7.
M11-098 / KB2633171
Vulnerability in Windows Kernel Could Allow Elevation of Privilege
Important
CVE-2011-2018, Windows Kernel Exception Handler Vulnerability
Another Elevation of Privilege vulnerability, this one deals with the Windows kernel itself and how it accesses improperly initialized objects. A local user with the ability to execute code could take advantage of this vulnerability in order to obtain system-level access.
MS11-088 / KB2652016
Disclosure Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege
Important
CVE-2011-2010, Pinyin IME Elevation Vulnerability
Microsoft Pinyin (MSPY) Input Method Editor (IME) is a tool that can be used to input characters that are not natively supported by various keyboards. The Chinese IME found in Microsoft Office 2010 exposes configuration options, which could allow an attacker to arbitrarily run code in kernel mode. Even in situations where this software is not commonly in use, an exploit is still possible if this IME can be loaded manually.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.