Microsoft June 2011 Black Tuesday Overview

Overview of the June 2011 Microsoft patches and their status.

#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating	ISC rating(*)
#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating	clients	servers
MS11-037	The MHTML (Mime encapsulated HTML) protocol handler is vulnerable to information disclosure through an XSS like problem. Replaces MS11-026.
MS11-037	MHTML CVE-2011-1894	KB 2544893	Publicly known vulnerability.	Severity:Important Exploitability:3	Important	Low
MS11-038	WMF processing by OLE allows for arbitrary code execution with the rights of the logged on user. Replaces MS08-008.
MS11-038	OLE - WMF CVE-2011-0658	KB 2476490	No known exploits	Severity:Critical Exploitability:1	Critical	Important
MS11-039	Input validation vulnerabilities in the .NET framework and the Silverlight implementations allow for arbitrary code execution with the rights of the logged on user.
MS11-039	.NET - silverlight CVE-2011-0664	KB 2514842	No known exploits	Severity:Critical Exploitability:1	Critical	Important
MS11-040	Improper bounds checking in Microsoft Forefront Threat Management Gateway 2010 Client allows for arbitrary code execution in the context of the service.
MS11-040	Forefront TMG CVE-2011-1889	KB 2520426	No known exploits	Severity:Critical Exploitability:1	Critical	Important
MS11-041	An input validation problem in the parsing of OTF (OpenType Font) fonts in in 64bit kernels allows for arbitrary code execution in kernel mode. This is remotely exploitable though file sharing, webdav, websites, email and more. Replaces MS11-034.
MS11-041	OTF CVE-2011-1873	KB 2525694	No known exploits	Severity:Critical Exploitability:2	Critical	Important
MS11-042	Input validation problems in the Distributed File System (DFS) implementation allow for arbitrary code execution in the context of the service or denial of service (DoS) conditions.
MS11-042	DFS (Distributed File System) CVE-2011-1868 CVE-2011-1869	KB 2535512	No known exploits	Severity:Critical Exploitability:1-3	Critical	Critical
MS11-043	An input validation problem in the parsing of the responses to SMB requests allows for arbitrary code execution in the context of the service. Replaces MS11-019 and MS11-020.
MS11-043	SMB CVE-2011-1268	KB 2536276	No known exploits	Severity:Critical Exploitability:1	Critical	Important
MS11-044	An input validation problem in the JIT optimization of the .NET framework allows for arbitrary code execution in the context of the logged on user, and bypass security measures such as the CAS (Code Access Security) restrictions. Replaces MS11-028 and MS10-060.
MS11-044	.NET CVE-2011-1271	KB 2538814	Publicly disclosed vulnerability.	Severity:Critical Exploitability:2	Critical	Critical
MS11-045	Multiple vulnerabilities in Excel allow for arbitrary code execution in the context of the logged on user. Office for Mac versions are also affected. Replaces MS11-021 and MS11-022.
MS11-045	Excel CVE-2011-1272 CVE-2011-1273 CVE-2011-1274 CVE-2011-1275 CVE-2011-1276 CVE-2011-1277 CVE-2011-1278 CVE-2011-1279	KB 2537146	No known exploits	Severity:Important Exploitability:1-3	Critical	Important
MS11-046	An input validation vulnerability in AFD (Ancillary Function Driver) allows for privilege escalation and arbitrary code execution in kernel mode for logged on users. Replaces MS10-066.
MS11-046	AFD CVE-2011-1249	KB 2503665	Publicly disclosed vulnerability, Microsoft claims "limited, targeted attacks attempting to exploit the vulnerability"	Severity:Important Exploitability:1	Critical	Critical
MS11-047	A Denial of Service (DoS) condition is possible where an authenticated user of a guest system can cause a denial of service on the host system. Replaces MS10-102.
MS11-047	Hyper-V CVE-2011-1872	KB 2525835	No known exploits.	Severity:Important Exploitability:3	Low	Important
MS11-048	A parsing error in the SMB server can be used to cause a Denial of Service (DoS) condition. Replaces MS09-050.
MS11-048	SMB server CVE-2011-1267	KB 2525835	No known exploits.	Severity:Important Exploitability:3	Low	Important
MS11-049	XML editor can leak file content though XML external entities that are nested. XML editor is part of Infopath, SQL server, and Visual Studio. Replaces MS10-039 and MS09-062.
MS11-049	XML editor CVE-2011-1280	KB 2543893	No known exploits.	Severity:Important Exploitability:3	Important	Important
MS11-050	Multitude of vulnerabilities in MSIE. Replaces MS11-018.
MS11-050	MSIE CVE-2011-1246 CVE-2011-1250 CVE-2011-1251 CVE-2011-1252 CVE-2011-1254 CVE-2011-1255 CVE-2011-1256 CVE-2011-1258 CVE-2011-1260 CVE-2011-1261 CVE-2011-1262	KB 2543893	No known exploits.	Severity:Critical Exploitability:1-3	Critical	Important
MS11-051	Active Directory Certificate Services Web Enrollment allows for a reflected XSS issue.
MS11-051	Active Directory Certificate Services Web Enrollment CVE-2011-1264	KB 2518295	No known exploits.	Severity:Important Exploitability:1	N/A	Important
MS11-052	A VML memory corruption allows arbitrary code execution in MSIE with the rights of the logged on user. IE9 is not affected.
MS11-052	VML - MSIE CVE-2011-1266	KB 2544521	No known exploits.	Severity:Critical Exploitability:1	Critical	Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

--
Swa Frantzen -- Section 66

Swa

760 Posts

Jun 14th 2011

MS11-043 (SMB client) replaces MS10-020 and MS11-019, not MS11-020 (SMB server). By my reading, MS11-020 is still current as is still extremely critical.

Conrad

15 Posts

@Conrad: MS10-020 indeed, fixed.

Swa

760 Posts

Misprint in KB number: Microsoft Security Bulletin MS11-048 Vulnerability in SMB Server Could Allow Denial of Service (2536275)

daem0n647

6 Posts

@daem0n647: KB 2536275 indeed, fixed.

Swa

760 Posts

For MS11-050 there existed a 0-day prior to the patch, see here: http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html
On the website, a public metasploit exploit is available.

Swa
9 Posts

- http://www.symantec.com/security_response/threatconlearn.jsp
"The ThreatCon is currently at Level 2: Elevated... On June 16, 2011, one of the issues fixed in Microsoft's June update, CVE-2011-1255, described in MS11-050 was found to be exploited in-the-wild. Customers are advised to install all applicable updates as soon as possible..."

MS11-050 - Critical - Cumulative Security Update for Internet Explorer (2530548)
- http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx
.

Jack

160 Posts

Re: MS11-044 - why have you rated the server-side as critical? It seems that a user needs to browse to a specially crafted web page as a client to be compromised; the MS KB and other sources don't not seem present this as remote server exploit.

Jack
3 Posts

@Alessandro:

It's a nightmare scenario for e.g. shared webhosting, or where e.g. a webmaster isn't fully trusted by the system administration.

To quote Microsoft: "The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario."

Swa

760 Posts