X-Labs
February 9, 2011

MS Tuesday - February 2011

Tamas Rudnai

System administrators and security experts focus on Patch Tuesday every month (also known as Microsoft Black Tuesday or MS Tuesday). This time Microsoft patched many important vulnerabilities, but have they fixed all currently known zero days? Let's find out.

This time, on February 8th, Microsoft released 12 security bulletins fixing various vulnerabilities, including three critical ones. Possibly the most important is the 0-day found recently in the Graphics Rendering Engine (GRE) and another 0-day that affects the Cascading Style Sheet (CSS) handler in Internet Explorer. The software giant also fixed a critical vulnerability in their OpenType Compact Font Format (CFF) driver.  

A further 9 important bulletins were also included in this update; it is therefore highly recommended that users update all servers and workstations to avoid becoming a victim of online crime.

Some of the vulnerabilities included in this Patch Tuesday can be remotely exploited, while others require the attacker to have local access to the computer. Because the cyber criminal does not need to physically meet the victim for a remote exploit, a user is more vulnerable to this type of attack. Websense ThreatSeeker Network detects thousands of compromised Web sites every day, each leading to a malicious site which then exploits unpatched vulnerabilities and gains full access to the unaware user's computer. Websense Security Gateway and Websense Hosted Services protect customers against this type of attack; however, it is very good practice to keep servers and workstations up to date.

The bulletins and vulnerabilities in detail:   

Three critical vulnerabilities have been patched:

  • MS11-003: Cumulative update which fixes four vulnerabilities in Internet Explorer. These vulnerabilities could allow an attacker to run any code on a computer without the user's consent while the user is browsing a malicious or compromised Web site. The four vulnerabilities include:
    • CVE-2010-3971 - CSS Memory Corruption Vulnerability (0-day)
    • CVE-2011-0035 - Uninitialized Memory Corruption Vulnerability
    • CVE-2011-0036 - Uninitialized Memory Corruption Vulnerability
    • CVE-2011-0038 - Internet Explorer Insecure Library Loading Vulnerability
  • MS11-006: Fixes a fully disclosed critical vulnerability in the Graphics Rendering Engine (GRE) in many Windows versions, including Windows XP, Server, and Vista. The vulnerability could allow an attacker to execute arbitrary code on a computer while the user is viewing a specially crafted thumbnail image. See this blog for further details. The following vulnerability has been patched:
    • CVE-2010-3970 - Windows Shell Graphics Processing Overrun Vulnerability (0-day)
  • MS11-007: Security update for a non-disclosed vulnerability in the Compact Font Format (CFF) driver, which affects Windows versions including Windows XP, Server, and Windows 7. The vulnerability could allow an attacker to execute arbitrary code on a computer while the user is viewing content which includes a specially crafted OpenType font. The following vulnerability has been patched:

Nine non-critical, but important security patches:

  • MS11-004: This bulletin patches a vulnerability in the Microsoft Internet Information Services (IIS) FTP Service, which could allow an attacker to execute code on the FTP server using a malicious FTP command. Since the FTP Service is not installed by default on IIS, this update was categorized as "Important" only. The following vulnerability has been patched:
    • CVE-2010-3972 - IIS FTP Service Heap Buffer Overrun Vulnerability (0-day)
  • MS11-005: This is a security update for the vulnerability found in Active Directory. The vulnerability could allow a cyber criminal to attack an Active Directory server, causing Denial of Service. However, the attacker needs to join their domain first and must have administrator privileges on that domain. Because of this, this vulnerability is not critical.
  • MS11-008: This bulletin resolves two non-disclosed vulnerabilities in Microsoft Visio. The vulnerabilities could allow an attacker to execute arbitrary code on the computer while the user is viewing a specially crafted Visio file. The following vulnerabilities have been patched:
  • MS11-009: This one fixes a non-disclosed vulnerability in the JScript and VBScript Scripting Engines. The vulnerability could allow an attacker to gather information from the user's computer while the user is visiting a malicious Web site. A typical trick to get a user to visit one of these Web sites is sending a spam or phishing e-mail with the link. The following vulnerability has been patched:
    • CVE-2011-0031 - Scripting Engines Information Disclosure Vulnerability
  • MS11-010: Another non-disclosed vulnerability which affects the Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Windows XP and Windows Server 2003. This vulnerability could allow a criminal an Elevation of Privilege type of attack on a local computer by retrieving sensitive logon information from the user while they are logging on and off. Doing this, an attacker could gain privileges from other users including the administrator. The following vulnerability has been patched:
    • CVE-2011-0030 - CSRSS Elevation of Privilege Vulnerability
  • MS11-011: This is a cumulative update correcting two different vulnerabilities. Both of them could allow a criminal an Elevation of Privilege type of attack on a local computer by running a specially crafted application. The following vulnerabilities have been patched:
    • CVE-2010-4398 - Driver Improper Interaction with Windows Kernel Vulnerability
    • CVE-2011-0045 - Windows Kernel Integer Truncation Vulnerability
  • MS11-012: This cumulative update fixes another Elevation of Privilege type of vulnerability, where the attacker could gain privileges from other users including the administrator. For this, the attacker needs to be able to log on to the computer and run a specially crafted application. The following vulnerabilities have been patched:
    • CVE-2011-0086 - Win32k Improper User Input Validation Vulnerability
    • CVE-2011-0087 - Win32k Insufficient User Input Validation Vulnerability
    • CVE-2011-0088 - Win32k Window Class Pointer Confusion Vulnerability
    • CVE-2011-0089 - Win32k Window Class Improper Pointer Validation Vulnerability
    • CVE-2011-0090 - Win32k Memory Corruption Vulnerability
  • MS11-013: This bulletin patches Windows Kerberos. The vulnerability could allow a cyber criminal to attack and forge service tickets in a Kerberos server, gaining privileges from other users including the administrator. However, the attacker needs to join their domain first and must have administrator privileges on that domain. Because of this, this vulnerability is not critical. The following vulnerabilities have been patched:
  • MS11-014: This non-disclosed vulnerability is yet another Elevation of Privilege type that affects the Local Security Authority Subsystem Service (LSASS) in Windows XP and Windows Server 2003. The vulnerability could allow an attack on a local computer by running a specially crafted application on it. For this, the attacker first needs valid credentials to be able to log on to the computer and run applications. The following vulnerability has been patched:

As we have seen a couple of times in previous MS Tuesday bulletins, once again we have a very important security patch set. It contains many critical and high severity fixes, resolving many vulnerabilities actively used in ongoing attacks. WebsenseLabs therefore highly recommends applying the patches as soon as you can to improve immunity against these kinds of strikes.
