Microsoft Patch Tuesday – October 2011

Hello and welcome to this month’s blog on the Microsoft patch release. This is an average month — the vendor is releasing 8 bulletins covering a total of 23 vulnerabilities.

Nine of the issues are rated ‘Critical’ and they affect Internet Explorer, .NET, and Silverlight. The remaining issues are rated ‘Important’ and affect Windows, the kernel, Forefront Unified Access Gateway, and Host Integration Server. Of note this month: all Internet Explorer issues being patched are rated ‘Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the October releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms11-oct

The following is a breakdown of some of the issues being addressed this month:

  1. MS11-081 Cumulative Security Update for Internet Explorer (2586448)

    CVE-2011-1993 (BID 49947) Microsoft Internet Explorer Uninitialized Object CVE-2011-1993 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has been deleted, or not properly initialized. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 6, 7, 8, and 9

    CVE-2011-1995 (BID 49960) Microsoft Internet Explorer 'OLEAuto32.dll' CVE-2011-1995 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has been deleted, or not properly initialized. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 6, 7, 8, and 9

    CVE-2011-1996 (BID 49961) Microsoft Internet Explorer Option Element CVE-2011-1996 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has been deleted, or not properly initialized. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 6, 7, and 8

    CVE-2011-1997 (BID 49962) Microsoft Internet Explorer OnLoad Event CVE-2011-1997 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has been deleted, or not properly initialized. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 6

    CVE-2011-1998 (BID 49963) Microsoft Internet Explorer 'Jscript9.dll' CVE-2011-1998 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has been deleted, or not properly initialized. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 9

    CVE-2011-1999 (BID 49964) Microsoft Internet Explorer Select Element CVE-2011-1999 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer when it attempts to access a dereferenced memory address. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 8

    CVE-2011-2000 (BID 49965) Microsoft Internet Explorer Body Element CVE-2011-2000 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has been deleted, or not properly initialized. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 6, 7, 8, and 9

    CVE-2011-2001 (BID 49966) Microsoft Internet Explorer Virtual Function Table CVE-2011-2001 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer when it accesses a virtual function table that has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 6, 7, 8, and 9

  2. MS11-078 Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)

    CVE-2011-1253 (BID 49999) Microsoft Silverlight & .NET Framework Inheritance Restriction Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency 7.5/10)

    A remote code-execution vulnerability affects .NET and Silverlight due to how they handle class inheritance. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious webpage. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

    Affects: Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5.1, 4, and Microsoft Silverlight 4

  3. MS11-077 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)

    CVE-2011-1985 (BID 49968) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1985) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency 6.6/10)

    A local privilege-escalation vulnerability occurs because the kernel fails to properly validate user-supplied data passed between user mode and kernel mode. An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer.

    CVE-2011-2002 (BID 49973) Microsoft Windows Kernel 'Win32k.sys' TrueType Font File Remote Denial of Service Vulnerability (MS Rating: Moderate / Symantec Urgency 6.7/10)

    A denial-of-service vulnerability affects the Windows kernel when handling a specially crafted TrueType font file. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malformed font file. Successful exploits will cause the affected computer to stop responding.

    CVE-2011-2003 (BID 49975) Microsoft Windows Kernel '.fon' Font File Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency 7.8/10)

    A remote code-execution vulnerability affects the Windows kernel when handling a specially crafted ‘.fon’ font file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malformed font file from a remote WebDAV or SMB share or as an email attachment. A successful exploit will result in the execution of arbitrary attacker-supplied code with kernel-level privileges. This may facilitate a complete system compromise.

    CVE-2011-2011 (BID 49981) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-2011) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency 6.6/10)

    A local privilege-escalation vulnerability occurs because of the way the kernel handles kernel-mode driver objects. An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer.

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.