Microsoft Security Bulletin Summary for April 2011
Number: AV11-026
Date: 29 April 2011
Update
The purpose of this update is to bring attention to a Microsoft PowerPoint 2003 hotfix package that addresses an issue in Microsoft Security Update 2464588 described in MS11-022.
This hotfix applies only to systems with Microsoft Office 2003 Service Pack 3 installed. Microsoft is aware that an error may occur when opening PowerPoint 2003 presentations that contain layouts with background images. An error message will state that some content (text, images, or objects) has been corrupted. The affected content can be determined by viewing the layout (not the slide content). Items that were removed will display a blank box or a box that displays "cleansed".
CCIRC recommends that administrators test and deploy the vendor-released updates to affected applications accordingly. This hotfix replaces Microsoft Security Update 2464588.
References:
http://support.microsoft.com/kb/2543241/en-us
http://www.microsoft.com/technet/security/bulletin/ms11-022.mspx
http://www.microsoft.com/downloads/en/details.aspx?familyid=2ce8349f-79b1-41ef-a1c0-cbe40ccf9f20&displaylang=en
Please see the original CCIRC advisory below for more information.
Purpose
The purpose of this advisory is to bring attention to the monthly Microsoft Security Bulletin Summary, which addresses 17 vulnerabilities (9 Critical and 8 Important) in various Microsoft products.
Assessment
Microsoft has released the following security bulletins:
MS11-018: Cumulative Security Update for Internet Explorer (2497640)
Details: This security update resolves five vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploits any of these vulnerabilities could gain the same user rights as the local user. The update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, content during certain processes, and script during certain processes.
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 1
Note: This vulnerability is being exploited in limited, targeted attacks
Affected Software: Microsoft Windows and Internet Explorer versions 6, 7 and 8
CVE References: CVE-2011-0094, CVE-2011-0346, CVE-2011-1244, CVE-2011-1245, CVE-2011-1345
http://www.microsoft.com/technet/security/bulletin/ms11-018.mspx
MS11-019: Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)
Details: This security update resolves two vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sends a specially crafted SMB response to a client-initiated SMB request. The security update addresses the vulnerabilities by correcting the manner in which the CIFS Browser handles specially crafted Browser messages and by correcting the manner in which the SMB client validates specially crafted SMB responses.
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 1
Note: This vulnerability has been disclosed publicly
Affected Software: Microsoft Windows
CVE References: CVE-2011-0654, CVE-2011-0660
http://www.microsoft.com/technet/security/bulletin/ms11-019.mspx
MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
Details: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker creates a specially crafted SMB packet and sends the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities. The security update addresses the vulnerability by correcting the way that SMB validates fields in malformed SMB requests.
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 1
Affected Software: Microsoft Windows
CVE Reference: CVE-2011-0661
http://www.microsoft.com/technet/security/bulletin/ms11-020.mspx
MS11-021: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)
Details: This security update resolves nine vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploits any of these vulnerabilities could gain the same user rights as the logged-on user. The update addresses the vulnerabilities by correcting the way that Microsoft Excel manages data structures, validates record information, initializes variables used in memory operations and allocates buffer space when parsing a specially crafted file.
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 1
Affected Software: Microsoft Office
CVE Reference: CVE-2011-0097, CVE-2011-0098, CVE-2011-0101, CVE-2011-0103, CVE-2011-0104, CVE-2011-0105, CVE-2011-0978, CVE-2011-0979, CVE-2011-0980
http://www.microsoft.com/technet/security/bulletin/ms11-021.mspx
MS11-022: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)
Details: This security update resolves three vulnerabilities in Microsoft PowerPoint. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploits any of these vulnerabilities could gain the same user rights as the local user. The update addresses the vulnerabilities by modifying the way that PowerPoint validates records when opening PowerPoint files.
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 1
Affected Software: Microsoft Office and Microsoft Server Software
CVE References: CVE-2011-0655, CVE-2011-0656, CVE-2011-0976
http://www.microsoft.com/technet/security/bulletin/ms11-022.mspx
MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)
Details: This security update resolves two vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file or if a user opens a legitimate Office file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploits either of these vulnerabilities could gain the same user rights as the logged-on user. The security update addresses the vulnerability by correcting the way that Microsoft Office handles graphic objects in specially crafted Office files and by correcting the manner in which Microsoft Office loads external libraries.
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 1
Note: This vulnerability has been disclosed publicly
Affected Software: Microsoft Office
CVE Reference: CVE-2011-0107, CVE-2011-0977
http://www.microsoft.com/technet/security/bulletin/ms11-023.mspx
MS11-024: Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)
Details: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted fax cover page file (.cov) using the Windows Fax Cover Page Editor. An attacker who successfully exploits this vulnerability could gain the same user rights as the logged-on user. The security update addresses the vulnerability by correcting the manner in which the Windows Fax Page Editor parses fax cover page files.
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 3
Note: This vulnerability has been disclosed publicly
Affected Software: Microsoft Windows
CVE Reference: CVE-2010-3974
http://www.microsoft.com/technet/security/bulletin/ms11-024.mspx
MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)
Details: This security update resolves a vulnerability in certain applications built using the Microsoft Foundation Class (MFC) Library. The vulnerability could allow remote code execution if a user opens a legitimate file associated with such an affected application, and the file is located in the same network folder as a specially crafted library file. The security update addresses the vulnerability by correcting the manner in which applications built using MFC load external libraries.
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 1
Note: This vulnerability has been disclosed publicly
Affected Software: Microsoft Developer Tools and Software
CVE Reference: CVE-2010-3190
http://www.microsoft.com/technet/security/bulletin/ms11-025.mspx
MS11-026: Vulnerability in MHTML Could Allow Information Disclosure (2503658)
Details: This security update resolves a vulnerability in the MHTML protocol handler in Microsoft Windows. The vulnerability could allow information disclosure if a user visits a specially crafted website. In a web-based attack scenario, a website could contain a specially crafted link that is used to exploit this vulnerability. The security update addresses the vulnerability by correcting the way that the MHTML parser handles requests.
Maximum Severity Rating: Important
Vulnerability Impact: Information Disclosure
Exploitability Index Assessment: 3
Note: This vulnerability has been disclosed publicly. This is an information disclosure vulnerability.
Affected Software: Microsoft Windows
CVE Reference: CVE-2011-0096
http://www.microsoft.com/technet/security/bulletin/ms11-026.mspx
MS11-027: Cumulative Security Update of ActiveX Kill Bits (2508272)
Details: This security update resolves three vulnerabilities in Microsoft software. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage that instantiates a specific ActiveX control with Internet Explorer. This update also includes kill bits for three third-party ActiveX controls.
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 1
Affected Software: Microsoft Windows
CVE References: CVE-2010-0811, CVE-2011-CVE-2010-3973, CVE-2011-1243
http://www.microsoft.com/technet/security/bulletin/ms11-027.mspx
MS11-028: Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)
Details: This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). The vulnerability could also allow remote code execution on a server system running IIS, if that server allows the processing of ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page. This could be the case in a web-hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. The security update addresses the vulnerability by correcting the manner in which the .NET Framework handles certain types of function calls.
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 1
Note: This vulnerability has been disclosed publicly
Affected Software: Microsoft Windows
CVE Reference: CVE-2010-3958
http://www.microsoft.com/technet/security/bulletin/ms11-028.mspx
MS11-029: Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)
Details: This security update resolves a vulnerability in Microsoft Windows GDI+. The vulnerability could allow remote code execution if a user views a specially crafted image file using affected software or browses to a website that contains specially crafted content. The security update addresses the vulnerability by modifying the way that GDI+ handles integer calculations when processing EMF files.
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 1
Affected Software: Microsoft Windows and Microsoft Office
CVE Reference: CVE-2011-0041
http://www.microsoft.com/technet/security/bulletin/ms11-029.mspx
MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
Details: This security update resolves a vulnerability in Windows DNS resolution. The vulnerability could allow remote code execution if an attacker gains access to the network and then creats a custom program to send specially crafted LLMNR broadcast queries to the target systems. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the LLMNR ports should be blocked from the Internet. The security update addresses the vulnerability by correcting the manner in which the DNS client processes specifically crafted DNS queries.
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 2
Affected Software: Microsoft Windows
CVE Reference: CVE-2011-0657
http://www.microsoft.com/technet/security/bulletin/ms11-030.mspx
MS11-031: Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)
Details: This security update resolves a vulnerability in the JScript and VBScript scripting engines. The vulnerability could allow remote code execution if a user visits a specially crafted website. The security update addresses the vulnerability by correcting the manner in which the JScript and VBScript scripting engines process scripts in webpages.
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 2
Affected Software: Microsoft Windows
CVE Reference: CVE-2011-0663
http://www.microsoft.com/technet/security/bulletin/ms11-031.mspx
MS11-032: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)
Details: This security update resolves a vulnerability in the OpenType Compact Font Format (CFF) driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font. The security update addresses the vulnerability by correcting the manner in which the OpenType Font (OTF) driver parses a specially crafted OpenType font.
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 1
Affected Software: Microsoft Windows
CVE Reference: CVE-2011-0034
http://www.microsoft.com/technet/security/bulletin/ms11-032.mspx
MS11-033: Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)
Details: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted file using WordPad. An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. The security update addresses the vulnerability by changing the way that the WordPad Text Converters handle specially crafted files.
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Exploitability Index Assessment: 3
Affected Software: Microsoft Windows
CVE Reference: CVE-2011-0028
http://www.microsoft.com/technet/security/bulletin/ms11-033.mspx
MS11-034: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)
Details: This security update resolves 30 vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on locally and runs a specially crafted application. The security update addresses the vulnerabilities by correcting the way that kernel-mode drivers manage kernel-mode driver objects and keep track of pointers to kernel-mode driver objects.
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Exploitability Index Assessment: 1
Affected Software: Microsoft Windows
http://www.microsoft.com/technet/security/bulletin/ms11-034.mspx
Suggested action
CCIRC recommends that administrators test and deploy these updates accordingly at the earliest opportunity.
Reference:
http://www.microsoft.com/technet/security/bulletin/MS11-apr.mspx
Supporting Reference:
http://blogs.technet.com/b/srd/archive/2011/04/12/assessing-the-risk-of-the-april-security-updates.aspx
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca