Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Microsoft June 2011 Black Tuesday Overview SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Microsoft June 2011 Black Tuesday Overview

Overview of the June 2011 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating ISC rating(*)
clients servers
MS11-037 The MHTML (Mime encapsulated HTML) protocol handler is vulnerable to information disclosure through an XSS like problem.
Replaces MS11-026.
MHTML

CVE-2011-1894		 KB 2544893 Publicly known vulnerability. Severity:Important
Exploitability:3		 Important Low
MS11-038 WMF processing by OLE allows for arbitrary code execution with the rights of the logged on user.
Replaces MS08-008.
OLE - WMF

CVE-2011-0658		 KB 2476490 No known exploits Severity:Critical
Exploitability:1		 Critical Important
MS11-039 Input validation vulnerabilities in the .NET framework and the Silverlight implementations allow for arbitrary code execution with the rights of the logged on user.
.NET - silverlight

CVE-2011-0664		 KB 2514842 No known exploits Severity:Critical
Exploitability:1		 Critical Important
MS11-040 Improper bounds checking in Microsoft Forefront Threat Management Gateway 2010 Client allows for arbitrary code execution in the context of the service.
Forefront TMG

CVE-2011-1889		 KB 2520426 No known exploits Severity:Critical
Exploitability:1		 Critical Important
MS11-041 An input validation problem in the parsing of OTF (OpenType Font) fonts in in 64bit kernels allows for arbitrary code execution in kernel mode. This is remotely exploitable though file sharing, webdav, websites, email and more.
Replaces MS11-034.
OTF

CVE-2011-1873		 KB 2525694 No known exploits Severity:Critical
Exploitability:2		 Critical Important
MS11-042 Input validation problems in the Distributed File System (DFS) implementation allow for arbitrary code execution in the context of the service or denial of service (DoS) conditions.
DFS (Distributed File System)

CVE-2011-1868
CVE-2011-1869		 KB 2535512 No known exploits Severity:Critical
Exploitability:1-3		 Critical Critical
MS11-043 An input validation problem in the parsing of the responses to SMB requests allows for arbitrary code execution in the context of the service.
Replaces MS11-019 and MS11-020.
SMB

CVE-2011-1268		 KB 2536276 No known exploits Severity:Critical
Exploitability:1		 Critical Important
MS11-044 An input validation problem in the JIT optimization of the .NET framework allows for arbitrary code execution in the context of the logged on user, and bypass security measures such as the CAS (Code Access Security) restrictions.
Replaces MS11-028 and MS10-060.
.NET

CVE-2011-1271		 KB 2538814 Publicly disclosed vulnerability. Severity:Critical
Exploitability:2		 Critical Critical
MS11-045 Multiple vulnerabilities in Excel allow for arbitrary code execution in the context of the logged on user.
Office for Mac versions are also affected.
Replaces MS11-021 and MS11-022.
Excel

CVE-2011-1272
CVE-2011-1273
CVE-2011-1274
CVE-2011-1275
CVE-2011-1276
CVE-2011-1277
CVE-2011-1278
CVE-2011-1279		 KB 2537146 No known exploits Severity:Important
Exploitability:1-3		 Critical Important
MS11-046 An input validation vulnerability in AFD (Ancillary Function Driver) allows for privilege escalation and arbitrary code execution in kernel mode for logged on users.
Replaces MS10-066.
AFD

CVE-2011-1249		 KB 2503665 Publicly disclosed vulnerability, Microsoft claims "limited, targeted attacks attempting to exploit the vulnerability" Severity:Important
Exploitability:1		 Critical Critical
MS11-047 A Denial of Service (DoS) condition is possible where an authenticated user of a guest system can cause a denial of service on the host system.
Replaces MS10-102.
Hyper-V

CVE-2011-1872		 KB 2525835 No known exploits. Severity:Important
Exploitability:3		 Low Important
MS11-048 A parsing error in the SMB server can be used to cause a Denial of Service (DoS) condition.
Replaces MS09-050.
SMB server

CVE-2011-1267		 KB 2525835 No known exploits. Severity:Important
Exploitability:3		 Low Important
MS11-049 XML editor can leak file content though XML external entities that are nested. XML editor is part of Infopath, SQL server, and Visual Studio.
Replaces MS10-039 and MS09-062.
XML editor

CVE-2011-1280		 KB 2543893 No known exploits. Severity:Important
Exploitability:3		 Important Important
MS11-050 Multitude of vulnerabilities in MSIE.
Replaces MS11-018.
MSIE

CVE-2011-1246
CVE-2011-1250
CVE-2011-1251
CVE-2011-1252
CVE-2011-1254
CVE-2011-1255
CVE-2011-1256
CVE-2011-1258
CVE-2011-1260
CVE-2011-1261
CVE-2011-1262		 KB 2543893 No known exploits. Severity:Critical
Exploitability:1-3		 Critical Important
MS11-051 Active Directory Certificate Services Web Enrollment allows for a reflected XSS issue.
Active Directory Certificate Services Web Enrollment

CVE-2011-1264		 KB 2518295 No known exploits. Severity:Important
Exploitability:1		 N/A Important
MS11-052 A VML memory corruption allows arbitrary code execution in MSIE with the rights of the logged on user. IE9 is not affected.
VML - MSIE

CVE-2011-1266		 KB 2544521 No known exploits. Severity:Critical
Exploitability:1		 Critical Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

--
Swa Frantzen -- Section 66

 Swa

760 Posts
Jun 14th 2011
Subscribe Jun 14th 2011
9 years ago
MS11-043 (SMB client) replaces MS10-020 and MS11-019, not MS11-020 (SMB server). By my reading, MS11-020 is still current as is still extremely critical.
 Conrad

15 Posts
Quote Jun 14th 2011
9 years ago
@Conrad: MS10-020 indeed, fixed.
 Swa

760 Posts
Quote Jun 14th 2011
9 years ago
Misprint in KB number: Microsoft Security Bulletin MS11-048 Vulnerability in SMB Server Could Allow Denial of Service (2536275)
 daem0n647

6 Posts
Quote Jun 15th 2011
9 years ago
@daem0n647: KB 2536275 indeed, fixed.
 Swa

760 Posts
Quote Jun 17th 2011
9 years ago
For MS11-050 there existed a 0-day prior to the patch, see here: http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html
On the website, a public metasploit exploit is available.
 Swa
9 Posts
Quote Jun 17th 2011
9 years ago
- http://www.symantec.com/security_response/threatconlearn.jsp
"The ThreatCon is currently at Level 2: Elevated... On June 16, 2011, one of the issues fixed in Microsoft's June update, CVE-2011-1255, described in MS11-050 was found to be exploited in-the-wild. Customers are advised to install all applicable updates as soon as possible..."

MS11-050 - Critical - Cumulative Security Update for Internet Explorer (2530548)
- http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx
.
 Jack

160 Posts
Quote Jun 17th 2011
9 years ago
Re: MS11-044 - why have you rated the server-side as critical? It seems that a user needs to browse to a specially crafted web page as a client to be compromised; the MS KB and other sources don't not seem present this as remote server exploit.
 Jack
3 Posts
Quote Jun 17th 2011
9 years ago
@Alessandro:

It's a nightmare scenario for e.g. shared webhosting, or where e.g. a webmaster isn't fully trusted by the system administration.

To quote Microsoft: "The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario."
 Swa

760 Posts
Quote Jun 18th 2011
9 years ago

Sign Up for Free or Log In to start participating in the conversation!