Microsoft Patch Tuesday – May 2011

Hello and welcome to this month’s blog on the Microsoft patch release. This is very light month —the vendor is releasing two bulletins covering a total of three vulnerabilities.

One of the issues is rated ‘Critical’ and it affects Windows Internet Name Service (WINS). A remote attacker may be able to exploit this issue to completely compromise a vulnerable computer. The remaining issues are rated ‘Important’ and affect PowerPoint. As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the May releases can be found here.

The following is a breakdown of the issues being addressed this month:

1. MS11-035 Vulnerability in WINS Could Allow Remote Code Execution (2524426)

CVE-2011-1248 (BID 47730) Microsoft Windows Internet Name Service (WINS) Failed Response Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.5/10)

A remote code execution vulnerability affects Windows Internet Name Service (WINS) because it fails to sufficiently validate data structures in WINS network packets. An attacker can exploit this issue by sending a specially crafted packet to a vulnerable computer. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the affected service. This may facilitate a complete compromise of the affected computer.

Affects: Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 R2 for x64-based Systems, and Windows Server 2008 R2 for x64-based Systems SP1

2. MS11-036 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2545814)

CVE-2011-1269 (BID 47700) Microsoft PowerPoint (CVE-2011-1269) Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects PowerPoint because it does not properly handle memory during certain function calls. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious PowerPoint file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft PowerPoint 2002 SP3, Microsoft PowerPoint 2003 SP3, Microsoft PowerPoint 2007 SP2, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2

CVE-2011-1270 (BID 47699) Microsoft PowerPoint (CVE-2011-1270) Remote Buffer Overflow Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects PowerPoint due to a memory-handling error. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious PowerPoint file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft PowerPoint 2002 SP3 and Microsoft PowerPoint 2003 SP3

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.