Microsoft Patch Tuesday – April 2011


Hello and welcome to this month’s blog on the Microsoft patch release. This is by far the largest monthly release to date: the vendor is releasing 17 bulletins covering a total of 64 vulnerabilities.

Thirteen of the issues are rated ‘Critical’ and they affect Internet Explorer, SMB Server, SMB Client, the OpenType Compact Font Format (CFF) driver, and GDI+. One of the bulletins this month addresses a record 30 local privilege-escalation vulnerabilities in the Windows kernel-mode drivers.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the April releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms11-apr.mspx

The following is a breakdown of some of the ‘Critical’ issues being addressed this month:

1. MS11-018 Cumulative Security Update for Internet Explorer (2497640)

CVE-2011-0094 (BID 47190) Microsoft Internet Explorer Layout Handling Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 8.5/10) A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has not been properly initialized, or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2011-0346 (BID 45639) Microsoft Internet Explorer 'ReleaseInterface()' Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.5/10) A previously public (Jan 1, 2011) remote code-execution vulnerability affects Internet Explorer in the 'ReleaseInterface()' function of the 'MSHTML.DLL' library. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2011-1345 (BID 46821) Microsoft Internet Explorer Multiple Unspecified Remote Code Execution Vulnerabilities (MS Rating: Critical / Symantec Rating: 8.5/10) A previously public (Mar 9, 2011) remote code-execution vulnerability affects Internet Explorer. This issue was disclosed as part of the Pwn2Own 2011 contest. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

2. MS11-020 Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)

CVE-2011-0661 (BID 47198) Microsoft Windows SMB Transaction Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10) A remote code-execution vulnerability affects SMB Server when handling specially crafted SMB packets. An attacker can exploit this issue by sending a malicious packet to a remotely accessible server. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the affected application. This may facilitate a complete compromise of the affected computer.

3. MS11-032 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)

CVE-2011-0034 (BID 47179) Microsoft Windows OpenType Font (OTF) Driver Stack Overflow Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10) A remote code-execution vulnerability affects the OpenType Compact Font Format (CFF) driver when handling specially formatted fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a specially crafted OpenType font. A successful exploit will result in the execution of arbitrary attacker-supplied code with kernel-level privileges.

4. MS11-028 Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)

CVE-2010-3958 (BID 47223) Microsoft .NET Framework x86 JIT compiler Stack Corruption Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10) A remote code-execution vulnerability affects the .NET Framework due to how the x86 JIT compiler handles certain function calls. An attacker can exploit this issue either through a malicious web site, or through a site that allows the uploading of .NET applications; a successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user, or of the affected site.

5. MS11-019 Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)

CVE-2011-0654 (BID 46360) Microsoft Windows 'BROWSER ELECTION' Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Rating: 9.6/10) A previously public (Feb 14, 2011) remote code-execution vulnerability affects the Common Internet File System (CIFS) browser protocol. An attacker can exploit this issue by sending a specially crafted message to an affected computer. A successful exploit will result in the execution of arbitrary attacker-supplied code with SYSTEM-level privileges.

CVE-2011-0660 (BID 47239) Microsoft Windows SMB Client Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.8/10) A remote code-execution vulnerability affects the SMB client when validating certain SMB responses. An attacker can exploit this issue by tricking an unsuspecting victim into connecting to a malicious SMB server. A successful exploit will result in the execution of arbitrary attacker-supplied code with SYSTEM-level privileges.

6. MS11-029 Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)

CVE-2011-0041 (BID 47250) Microsoft GDI+ EMF Image Processing Integer Overflow Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10) A remote code-execution vulnerability affects GDI+ when handling integer calculations. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious Enhanced Metafile (EMF) image file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

April 2011 MS Patch Tuesday – 17 patches, 64 vulnerabilities

Microsoft released patches today for Windows XP through Windows 7, Office, .Net, Internet Explorer and more. Learn about the key highlights and our advice on what to do.

Microsoft released their security update bundle this morning covering a large swath of products. The most critical fixes for most people affect Windows and Microsoft Office.

Fifteen of the updates address Remote Code Execution (RCE) flaws. If exploited, these bugs could allow an attacker to execute arbitrary code on the victim’s system.

Fortunately, all but one of these flaws only allow the code to run in the context of the currently logged-in user. Assuming your users are not running as Administrators, this limits the attack to running code and accessing files under that user’s account.

One exception is MS11-032, a vulnerability in OpenType fonts, which allows kernel-level remote code execution. This flaw was privately disclosed and has not appeared in the wild to date.

Another long-awaited fix that Microsoft delivered this month is MS11-026. I wrote about this vulnerability back in January. It is better known as the MHTML vulnerability.

The flaw in Internet Explorer 6, 7 and 8 that was used at this year’s Pwn2Own contest was also fixed. The update is known as MS11-018 and Sophos detects known malware attacking this vulnerability as Troj/ExpJS-BV.

Microsoft has rated nine of these patches as Critical, and as with most security updates, we encourage everyone to apply them as soon as they are able. SophosLabs has analyzed these bulletins as well and gives them a rating of Medium.

SophosLabs have published their findings for this month’s patches on our Vulnerability Analysis page.

Time to get patching! For a complete view of the threat landscape and the trends we are seeing in SophosLabs, download our 2011 Threat Report.

TA11-102A: Microsoft Updates for Multiple Vulnerabilities

Original release date: April 12, 2011
Last revised: --
Source: US-CERT

Systems Affected

  • Microsoft Windows
  • Microsoft Office
  • Microsoft Internet Explorer
  • Microsoft Visual Studio

Overview

There are multiple vulnerabilities in Microsoft Windows, Office, Internet Explorer, and Visual Studio. Microsoft has released updates to address these vulnerabilities.


I. Description

The Microsoft Security Bulletin Summary for April 2011 describes multiple vulnerabilities in Microsoft Windows, Office, Internet Explorer, and Visual Studio. Microsoft has released updates to address the vulnerabilities.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.


III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for April 2011. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).
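The PowerShell check below is an added example; it is not part of the US-CERT advisory and not a Microsoft or vendor tool. It asks a Windows host which of the KB packages for this month’s Critical bulletins (the KB numbers in the bulletin titles earlier on this page) are recorded as installed, so an administrator can spot hosts that a WSUS rollout has missed. The KB-to-bulletin mapping is taken from those titles; the function name, the default to the local computer, and the output layout are assumptions.

```powershell
# Added example: audit a host for the KB packages of the April 2011 'Critical'
# bulletins listed on this page. Mapping is taken from the bulletin titles above.
$AprilCritical = @{
    'KB2497640' = 'MS11-018 Internet Explorer cumulative update'
    'KB2508429' = 'MS11-020 SMB Server'
    'KB2507618' = 'MS11-032 OpenType CFF driver'
    'KB2484015' = 'MS11-028 .NET Framework'
    'KB2511455' = 'MS11-019 SMB Client'
    'KB2489979' = 'MS11-029 GDI+'
}

# Hypothetical function name; defaults to the local machine, accepts a remote name.
function Get-AprilCriticalUpdateStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Get-HotFix reads Win32_QuickFixEngineering, the list of updates the OS has recorded.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID

    foreach ($kb in $AprilCritical.Keys) {
        [pscustomobject]@{
            Computer  = $ComputerName
            KB        = $kb
            Bulletin  = $AprilCritical[$kb]
            Installed = ($installed -contains $kb)
        }
    }
}

# Report only the bulletins whose KB is not recorded on this host.
Get-AprilCriticalUpdateStatus |
    Where-Object { -not $_.Installed } |
    Format-Table -AutoSize
```

Two caveats when reading the output: Win32_QuickFixEngineering does not record every update (.NET Framework and some other component updates may be absent even when installed), and a later Internet Explorer cumulative update supersedes KB2497640, so a host patched later may never show that KB. Treat a missing entry as a prompt to confirm against the WSUS or Microsoft Update report rather than as proof that the host is exposed.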


IV. References



Feedback can be directed to US-CERT.


Produced 2011 by US-CERT, a government organization.


Revision History

April 12, 2011: Initial release

Commodore 64 viruses – time for a comeback?

The classic Commodore 64 is making a comeback!

But what about viruses on these much-loved home computers from the 1980s?

I can’t be the only nostalgic nerd to feel a flutter of excitement at the news that a home computer from yesteryear is making a comeback.

The Commodore 64, the classic retro home computer which was initially released in 1982, is reportedly making something of a return as the company is squeezing a Windows PC inside the original shell.

The new computer will ship with Ubuntu, but an emulator capable of playing classic games from the 1980s is also promised.

How neat is that!?

So, to all intents and purposes – it looks just like an old Commodore 64 computer…

Commodore 64 - with a Windows PC inside!

…well, until you have a look around the back, at least. The USB slots and HD TV connections are a bit of a giveaway, in my opinion.

The new Commodore 64 includes USB slots

And memories of the Commodore 64 got me thinking. What about computer viruses?

Although viruses were largely a PC and Mac issue in the latter half of the 1980s, there was also malware written for other types of computers. And the Commodore 64 is no exception.

For instance, the C64/BHP-A virus appeared in 1986. It wasn’t just a virus capable of infecting files on Commodore 64s, it was also fully stealth – effectively exploiting the Commodore 64’s memory structure to “act invisible”.

These were the days before financially-motivated malware, of course, and the BHP virus’s payload was to display a message on the screen surrounded by a colourful border:

Commodore 64 virus, BHP

I’m loath to suggest that anyone deliberately run a virus on their shiny new computer, but it would be fascinating to know if the emulator being used on the revamped Commodore 64 is capable of running C64/BHP-A.

So, can we expect a revival of Commodore 64 viruses? I seriously doubt it. But it is quite fun to remember the early days of computer viruses, when everything seemed so much more innocent.

If you want to read more about this Commodore 64 virus, I can highly recommend a technical article by security researcher Peter Ferrie, published in Virus Bulletin in January 2005.

And if you want to learn more about the “new” Commodore 64, make sure to visit Commodore’s website.