Microsoft Patch Tuesday, December 2011

This Patch Tuesday, there are 3 new Critical and 10 new Important Bulletins. With this many high-urgency bulletins, it's tough to get a handle on which ones to tackle first. Of course, "all of them" is the standard answer, but these bulletins contain fixes across Windows, Office, and Internet Explorer, so for the WordPerfect and NCSA Mosaic zealots among you, it's gloating time again. You obscurity junkies, you.

File-based Vulnerabilities

These bulletins detail vulnerabilities that will generally be exploited via a specially crafted file. This is a broad classification, since these files could be hosted on a web site and downloaded by an unsuspecting victim. The differentiator here is that the user would have to "open" the file, rather than just browse to the page, so some level of social engineering needs to happen here.

MS11-087 / KB2639417

Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

Critical

CVE-2011-3402, TrueType Font Parsing Vulnerability

One of two Top Priority Bulletins for December, this one offers a patch that deals with the Duqu Trojan's favorite method of entry. Actually, the TrueType vulnerability described could be delivered via a document or web page, so it's the most "flexible" of the described vulnerabilities. It was previously disclosed by Microsoft, therefore most vendors, Trustwave included, have already deployed detection logic for this issue.

MS11-092 / KB2648048

Vulnerability in Windows Media Could Allow Remote Code Execution

Critical

CVE-2011-3401, Windows Media Player DVR-MS Memory Corruption

The other Top Bulletin, this one deals with Microsoft Digital Video Recording (.dvr-ms) files. There's a parsing flaw regarding these files that can lead to RCE. An easy counter-measure here is to disallow this extension altogether at the email gateway. I mean, who emails .dvr-ms files? (Except people wanting to show you footage from their family vacation, which should be blocked out-of-hand anyway. It's win-win.)

MS11-089 / KB2590602

Vulnerabilities in Microsoft Office could allow for Remote Code Execution

Important

CVE-2011-1983, Word Access Violation Vulnerability

This one deals with malicious Word documents; a successful attack grants full privileges of the user running Word. This Word vulnerability actually works cross-platform, affecting Office 2007 / 2010 for Windows and Office 2011 for Mac. So the next time the Apple fanboy starts up again over lunch, just say "CVE-2011-1983" and you should be able to eat in peace.

MS11-091 / KB2607702

Vulnerabilities in Microsoft Publisher could allow Remote Code Execution

Important

CVE-2011-3410, Publisher out of bounds array index vulnerability

CVE-2011-3411, Publisher Invalid Pointer Vulnerability

CVE-2011-3412, Publisher Memory Corruption Vulnerability

Affects the Office 2003 and 2007 versions of Microsoft Publisher only; 2010 is safe. Similar to the Word vulnerability, success here grants an attacker access equivalent to that of the user opening the infected file.

MS11-094 / KB2639142

Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution

Important

CVE-2011-3413, OfficeArt Shape RCE Vulnerability

Another cross-platform vulnerability, this one affects PowerPoint 2007 / 2010 for Windows and PowerPoint 2008 for Mac. PowerPoint 2007 and 2008 are affected by the OfficeArt issue, which could be triggered via a malicious file.

CVE-2011-3396, PowerPoint Insecure Library Loading Vulnerability

The latter CVE describes the potential for what is also known as "DLL Hijacking", and affects PowerPoint 2007 and 2010. DLL Hijacking is a method that takes advantage of the order in which Windows searches for Dynamic Link Library (DLL) files in order to execute malicious code. It requires a malicious copy of a needed DLL to exist in the same directory (the Current Working Directory) as the document being opened. The most common vector for this attack is a file share, but these need to be "mountable" shares such as Windows File Sharing (SMB) drives or WebDAV locations. The latter, being HTTP, is a bit more concerning since it's difficult to block at the firewall, unlike SMB.

MS11-093 / KB2624667

Vulnerability in Microsoft Windows OLE32 Could Allow Remote Code Execution

Important

CVE-2011-3400, KB2624667, OLE Property Vulnerability

Affecting Windows XP and Windows Server 2003, this vulnerability gives an attacker equivalent access to the victim user through a flaw in Windows' Object Linking and Embedding (OLE) system. OLE is found in many Microsoft Office applications and facilitates embedding and linking functions to external documents and objects. In other words, it's that thing that puts Excel spreadsheets inside a Word doc.

MS11-096 / KB2640241

Vulnerability in Microsoft Excel Could Allow Remote Code Execution

Important

CVE-2011-3403, Record Memory Corruption

Windows and Mac again! This time it's Excel 2003 for Windows and Office 2004 for Mac. Similar to other vulnerabilities, it offers RCE within the user's security context via a malicious file.

Web-based Vulnerabilities

These vulnerabilities target the web browser itself, rather than relying on the user to open a file.

MS11-087 / KB2639417

Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

Critical

CVE-2011-3402, TrueType Font Parsing Vulnerability

This makes an appearance here as well because a web browser could also call the affected library, T2EMBED.DLL, in order to render content. Malicious web sites are called out in the advisory as potentially problematic, in addition to malicious files.
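Since the same font parser is reached from documents and from web pages, a gateway that can spot structurally broken fonts before they reach the OS font engine buys a little defence in depth. The following is an added example, not Trustwave's code and not a signature for CVE-2011-3402: it walks a TrueType / OpenType table directory and reports records whose offsets or lengths fall outside the file, a common symptom of malformed or fuzzed fonts. Both sample fonts are constructed byte strings built in the block itself; `build_font`, `check_font` and `MAX_TABLES` are this example's own names.

```python
"""Structural sanity check of a TrueType / OpenType table directory.

Added example, not Trustwave's code and not a signature for CVE-2011-3402.
It shows the kind of structural pre-filter a mail or web gateway can apply to
fonts (embedded in documents or served to browsers) before they reach the OS
font engine. The two fonts below are constructed byte strings, not real fonts.
"""
import struct
from typing import Dict, List, Optional, Tuple

# sfnt header: version(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2),
# followed by numTables 16-byte records: tag(4) checksum(4) offset(4) length(4).
SFNT_HEADER = struct.Struct(">IHHHH")
TABLE_RECORD = struct.Struct(">4sIII")
KNOWN_VERSIONS = {0x00010000, 0x74727565, 0x4F54544F}  # 1.0, b"true", b"OTTO"
MAX_TABLES = 64  # generous assumption; real fonts carry far fewer tables


def check_font(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the directory is sane."""
    findings: List[str] = []
    if len(data) < SFNT_HEADER.size:
        return ["file shorter than the 12-byte sfnt header"]
    version, num_tables, _, _, _ = SFNT_HEADER.unpack_from(data, 0)
    if version not in KNOWN_VERSIONS:
        findings.append(f"unknown sfnt version 0x{version:08x}")
    if num_tables == 0 or num_tables > MAX_TABLES:
        findings.append(f"implausible numTables={num_tables}")
        return findings
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > len(data):
        findings.append("table directory runs past end of file")
        return findings
    seen = set()
    for i in range(num_tables):
        tag, _, offset, length = TABLE_RECORD.unpack_from(
            data, SFNT_HEADER.size + i * TABLE_RECORD.size)
        if not all(0x20 <= b <= 0x7E for b in tag):
            findings.append(f"table {i}: non-printable tag {tag!r}")
        if tag in seen:
            findings.append(f"table {i}: duplicate tag {tag!r}")
        seen.add(tag)
        # Python ints do not wrap, so offset + length cannot overflow the way a
        # 32-bit addition in a native parser can.
        if offset < dir_end or offset + length > len(data):
            findings.append(
                f"table {i} ({tag.decode('latin-1')}): offset={offset} "
                f"length={length} lies outside the {len(data)}-byte file")
    return findings


def build_font(tables: List[Tuple[bytes, bytes]],
               bogus_length: Optional[Dict[bytes, int]] = None) -> bytes:
    """Assemble a minimal sfnt from (tag, payload) pairs. Constructed test data only;
    bogus_length lets a record claim a length other than its real payload size."""
    n = len(tables)
    header = SFNT_HEADER.pack(0x00010000, n, 0, 0, 0)
    offset = SFNT_HEADER.size + n * TABLE_RECORD.size
    records, body = b"", b""
    for tag, payload in tables:
        claimed = (bogus_length or {}).get(tag, len(payload))
        records += TABLE_RECORD.pack(tag, 0, offset, claimed)
        body += payload
        offset += len(payload)
    return header + records + body


# Constructed samples: a well-formed directory and one whose 'glyf' record
# claims a length far beyond the end of the file.
GOOD_FONT = build_font([(b"head", b"\x00" * 54), (b"cmap", b"\x00" * 16)])
BAD_FONT = build_font([(b"head", b"\x00" * 54), (b"glyf", b"\x00" * 8)],
                      bogus_length={b"glyf": 0xFFFFFFF0})

if __name__ == "__main__":
    for name, font in (("good", GOOD_FONT), ("bad", BAD_FONT), ("truncated", GOOD_FONT[:30])):
        print(name, check_font(font) or "ok")
```

The check only looks at the directory, not at the contents of individual tables, so it is a cheap first gate rather than a replacement for keeping T2EMBED.DLL patched.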

MS11-090 / KB2618451

Cumulative Security Update for ActiveX Kill Bits

Critical

CVE-2011-3397, Microsoft Time Remote Code Execution Vulnerability

I like the name "Kill Bits", because they do exactly what it sounds like. They kill things. Like ActiveX controls that aren't supported anymore.

Basically, this one updates IE6 (yes, 6) so that it no longer allows the problematic ("#default#time") ActiveX control to be loaded. It's been deprecated for a while in favor of ("#default#time2"), and after finding an exploitable issue with the 1.0 version, it was getting to be that time. Bit-killing time.

Also included are Kill Bits for a number of other ActiveX controls: old, unsupported things from Dell, HP, and Yahoo! which were found to have vulnerabilities.

The following ModSecurity rule, thanks to Ryan Barnett, will help detect pages trying to use the now-defunct ActiveX control:

# Detects pages that still invoke the 1.0 "#default#time" behavior (the
# kill-bitted control) while leaving the supported "#default#time2" alone.
# RESPONSE_BODY is only populated when SecResponseBodyAccess is On and the
# response's MIME type is listed in SecResponseBodyMimeType.
SecRule RESPONSE_BODY "@pm #default#time" "chain,phase:4,t:none,log,block,msg:'Potential IE6 Time Behavior Attack',tag:'CVE-2011-3397'"
# Chained rule: the trailing \b excludes "#default#time2". There is deliberately
# no leading \b, since "(" and "#" are both non-word characters and a boundary
# between them never matches, which would have missed url(#default#time).
SecRule RESPONSE_BODY "@rx #default#time\b"
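To see what the chained rule actually decides on real markup, here is its two-stage logic re-expressed in Python and run over a few constructed response bodies. This is an added example, not part of the original post and not ModSecurity code: a plain substring test stands in for `@pm`, a compiled regex for `@rx`, and the HTML snippets are made up for the demonstration. It also shows why a `\b` placed before the `#` would miss the common `url(#default#time)` form, since `(` and `#` are both non-word characters.

```python
"""The ModSecurity rule above, re-expressed in Python and run over sample pages.

Added example (not from the original post or from ModSecurity): it mirrors the
chained rule's two stages, a cheap literal pre-filter standing in for @pm and a
regex standing in for @rx, so the behaviour can be checked on constructed
response bodies. The HTML snippets below are made up for this demonstration.
"""
import re
from typing import Dict, List

PHRASE = "#default#time"
# Trailing \b stops "#default#time2" (the supported control) from matching.
# No leading \b: '(' and '#' are both non-word characters, so a \b between
# them never matches and "url(#default#time)" would be missed.
LEGACY_TIME = re.compile(r"#default#time\b")


def uses_legacy_time_behavior(body: str) -> bool:
    """True if the response body references the deprecated 1.0 time behavior."""
    if PHRASE not in body:          # @pm stage: most responses stop here
        return False
    return LEGACY_TIME.search(body) is not None   # @rx stage


def scan_responses(responses: Dict[str, str]) -> Dict[str, bool]:
    """Run the check over a mapping of name -> response body."""
    return {name: uses_legacy_time_behavior(body) for name, body in responses.items()}


# Constructed response bodies (not captured traffic).
SAMPLE_RESPONSES = {
    "legacy_style": '<div style="behavior:url(#default#time)">clip</div>',
    "legacy_import": '<?import namespace="t" implementation="#default#time">',
    "current_time2": '<div style="behavior:url(#default#time2)">clip</div>',
    "unrelated": "<p>Lunch time! Meet at the default spot.</p>",
}

# A variant with a leading \b, kept only to show why that boundary is a problem.
WITH_LEADING_BOUNDARY = re.compile(r"\b#default#time\b")


def missed_by_leading_boundary(responses: Dict[str, str]) -> List[str]:
    """Names of pages the two-stage check flags but a leading-\\b regex would miss."""
    return sorted(name for name, body in responses.items()
                  if uses_legacy_time_behavior(body)
                  and WITH_LEADING_BOUNDARY.search(body) is None)


if __name__ == "__main__":
    for name, hit in scan_responses(SAMPLE_RESPONSES).items():
        print(f"{name:15} {'BLOCK' if hit else 'pass'}")
    print("missed by leading \\b:", missed_by_leading_boundary(SAMPLE_RESPONSES))
```

Running it blocks the two legacy pages, passes the `time2` page and the unrelated text, and reports both legacy pages as misses for the leading-boundary variant.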

MS11-099 / KB2618444

Cumulative Security Update for Internet Explorer

Important

CVE-2011-1992, XSS Filter Information Disclosure Vulnerability

The XSS Filter vulnerability is an interesting one – it is similar to "Blind SQL Injection" in that it allows a site to query a client in a trial-and-error fashion for the content of other sites that have been visited. Visiting a malicious website is required to exploit this vulnerability, but this often-ignored caveat from the bulletin reminds us that it's not as tough to pull off as it sounds:

"In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability."

We generally think about forums, especially when dealing with issues like XSS, but advertisements? Score one for noscript and friends.

CVE-2011-2019, Internet Explorer Insecure Library Loading Vulnerability

The Insecure Library Loading Vulnerability is similar to the PowerPoint issue described above, only this time it's an HTML / DLL combo on a network drive that would drive the exploit. It's interesting that this even affects IE9, showing just how foundationally this DLL loading issue affects Windows applications.
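Both the PowerPoint (MS11-094) and Internet Explorer (MS11-099) library-loading issues share one precondition: a DLL sitting in the same directory as the file the user opens. That precondition is something an administrator can sweep a share for. The following is an added example, not from the original post: it walks a directory tree, reports every DLL that shares a directory with a document or HTML file, and hashes it for triage against a known-good inventory. The share layout is constructed in a temporary directory and the file names (`msgfx.dll`, `helper.dll`, and so on) are made up; `OPENABLE_SUFFIXES` is this example's own assumption about which file types users double-click.

```python
"""Sweep a file share for DLLs sitting beside documents or HTML files.

Added example (not from the original post): the insecure-library-loading issues
in MS11-094 and MS11-099 both depend on a DLL lying in the same directory as
the file a user opens, so an administrator can look for exactly that on the
shares users browse. The share layout below is constructed in a temporary
directory purely for demonstration; the file names are made up.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# File types a user double-clicks from a share; a DLL beside any of these is
# worth a look. This list is an assumption for the example, not exhaustive.
OPENABLE_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                     ".pub", ".htm", ".html"}


def sha256_of(path: str) -> str:
    """Hash the file so a hit can be checked against known-good inventories."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_planted_dlls(root: str) -> List[Dict[str, object]]:
    """Return one finding per DLL that shares a directory with an openable file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dlls = [f for f in filenames if f.lower().endswith(".dll")]
        if not dlls:
            continue
        documents = sorted(f for f in filenames
                           if Path(f).suffix.lower() in OPENABLE_SUFFIXES)
        if not documents:
            continue  # a DLL next to its own .exe is normal; no document here
        for dll in sorted(dlls):
            full = os.path.join(dirpath, dll)
            findings.append({
                "directory": os.path.relpath(dirpath, root),
                "dll": dll,
                "size": os.path.getsize(full),
                "sha256": sha256_of(full),
                "documents": documents,
            })
    return findings


def build_sample_share() -> str:
    """Create a constructed share layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "marketing/q4_deck.pptx": b"constructed placeholder, not a real deck",
        "marketing/msgfx.dll": b"MZ placeholder, not a real DLL",   # hit: DLL beside a deck
        "intranet/index.html": b"<html>constructed</html>",
        "intranet/helper.dll": b"MZ placeholder, not a real DLL",   # hit: DLL beside HTML
        "tools/legit_app.exe": b"MZ placeholder",
        "tools/legit_app.dll": b"MZ placeholder",                   # clean: no documents here
        "finance/budget.xlsx": b"constructed placeholder",          # clean: no DLL here
    }
    for rel, content in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return root


if __name__ == "__main__":
    for hit in find_planted_dlls(build_sample_share()):
        print(f"{hit['directory']}/{hit['dll']} ({hit['size']} bytes, "
              f"sha256 {hit['sha256'][:16]}...) beside {', '.join(hit['documents'])}")
```

A DLL beside an application's own executable is normal and is skipped; the two hits the sample produces are the DLLs sitting beside a presentation and beside an HTML file, which is exactly the layout the two bulletins describe. On a real share, run it against the mounted path and compare the hashes with your software inventory before deciding anything was planted.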

Local / Domain Vulnerabilities

These provide elevated privileges to the affected host or domain environment, but require some level of authorization, usually via valid credentials.

MS11-095 / KB2640045

Vulnerability in Active Directory Could Allow Remote Code Execution

Important

CVE-2011-3406, Active Directory Buffer Overflow Vulnerability

This bulletin describes an issue where a user with valid Domain credentials could gain administrative privileges to the Domain itself. The vulnerability affects Server 2003 and 2008, and also XP when running Active Directory Application Mode (ADAM), and Vista/7 when running Active Directory Lightweight Directory Services (AD LDS). That being said, the vulnerability relies on an existing record that matches certain criteria. Still worthy of its "important" status, however.

MS11-097 / KB2620712

Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege

Important

CVE-2011-3408, CSRSS Local Privilege Elevation Vulnerability

The Client/Server Run-time Subsystem (CSRSS) is an essential subsystem, and it has a flaw that allows privilege escalation. Valid credentials are required, but since CSRSS runs with system privileges, compromise of this component results in the same level of access. This flaw affects the gamut: Windows XP/2003/2008/7.

MS11-098 / KB2633171

Vulnerability in Windows Kernel Could Allow Elevation of Privilege

Important

CVE-2011-2018, Windows Kernel Exception Handler Vulnerability

Another Elevation of Privilege vulnerability, this one deals with the Windows kernel itself and how it accesses improperly initialized objects. A local user with the ability to execute code could take advantage of this vulnerability in order to obtain system-level access.

MS11-088 / KB2652016

Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege

Important

CVE-2011-2010, Pinyin IME Elevation Vulnerability

Microsoft Pinyin (MSPY) Input Method Editor (IME) is a tool that can be used to input characters that are not natively supported by various keyboards. The Chinese IME found in Microsoft Office 2010 exposes configuration options, which could allow an attacker to arbitrarily run code in kernel mode. Even in situations where this software is not commonly in use, an exploit is still possible if this IME can be loaded manually.
