Patch Tuesday, Feb 2012: What I did this Valentine's Day

Heart_ms12-010

I have to admit, poring over Microsoft Security Bulletins on Valentine's Day, it tends to make you stop and think about where you're at in life. I mean this is pretty awesome, sure beats last year when I had to watch a chick flick and buy expensive flowers.

So we have 5 Important patches and 4 of the Critical variety. That makes 9 total. That's because 5+4 = 9. Feel the learn.

Let's start with the two "top priority" bulletins for February. These are like the piece of solid chocolate in the middle of the box, if you will. Except that they are more like vitamins, so you don't get sick. Or maybe inoculations. So they are like 2 hypodermic needles in the middle of a chocolate box. I think this analogy is starting to break a little.

MS12-010 / KB2647516

Cumulative Security Update for Internet Explorer

Critical

Four CVE's here, the most significant appears to be CVE-2011-011. Strangely IE6 is the least affected, only information disclosure for you IE6 fans. But let's face it, a User-Agent string with IE6 is itself an information disclosure finding; i.e. 9-6 = 3. I'm just giving these away today.

CVE-2012-0010, Copy and Paste Information Disclosure Vulnerability

I read this one several times. I read it to the other SpiderLabs researchers (out loud), and even to Nick's voice-mail when he wouldn't pick up the phone. Here's what I've come up with so far:

1. An attacker tricks you into copying something into the clipboard

2. An attacker tricks you into pasting it onto their site

I'm sure I'm missing something, it's probably a subtle control that is supposed to prevent this type of thing - information crossing domain boundaries have a lot to do with it. But if I were you, I'd spend a lot more time thinking about the next one.

CVE-2012-0011, HTML Layout Remote Code Execution Vulnerability

When IE tries to access an object that has been deleted - it's "use after free" kind of issue. Kind of like what always seems to happen to the VHS tape of a couple's wedding on those sitcoms. If you record a football game over it, and sitcom wife tries to show her mom the wedding, it will take the remaining 20 minutes for you to fix it before the credits roll. BTW who records football games anyway?

This one is actually a bit tricky to detect, because it's a very specific issue somewhere in the guts of IE, and there hasn't been a known public release of an exploit yet. Without a patch, the only workaround involves disabling Active Scripting and ActiveX, at which point we're reminded that a lot of sites use these technologies. Agreed, if you use the Wayback Machine a lot, you should really stop and think about ActiveX. But the other one, Active Scripting, includes Javascript, and that might break the Internet a bit. Probably best just to patch this one.

Or, upgrade to IE6 (?)

CVE-2012-0012, Null Byte Information Disclosure Vulnerability

Process memory can be exposed in this one, so we might be looking at aut0-complete values like credentials - hard to say, it depends on what they can access and how much without seeing a public exploit. This one affects IE9 only.

CVE-2012-0155, VML Remote Code Execution Vulnerability

Vector Markup Language was the future we were promised. I was supposed to be walking through the Internet by now while my flying car auto-navigated me to the oxygen bar. Instead we got VML and its standardized cousin VRML, taking up space in our browser's closet of misfit toys. For those of you who have never seen VML, make an airplane out of solid-color construction paper, take a picture of it with a black background, now reduce the resolution to 320x240. You still have a bit of a graphical advantage but it's not that far off.

Anyway, there's a vulnerability in IE9's VML implementation, and it can result in code execution. One thing to consider is just how rare this technology is – blocking it altogether is certainly an option. Some quick Googling uncovered the following common VML tags:

<HTML xmlns:v="urn:schemas-microsoft-com:vml">

<v:rect style="width:150pt;height:50pt" fillcolor="yellow"></v:rect>

You might miss out on some 1998 tech demos, but you're probably better off for that anyway. Just watch Lawnmower Man or something.

MS12-013 / KB2654428

Vulnerability in C Run-Time Library Could Allow Remote Code Execution

Critical

CVE-2012-0150, Msvcrt.dll Buffer Overflow Vulnerability

This bulletin focuses on media files, which suggests that the flaw occurs when dealing with large heaps of data. It affects Server 2008, Windows 7, and Windows Vista, but not XP and Server 2003. Seems like there's a Tortoise and the Hare joke in there somewhere.

msvcrt.dll is pretty foundational. The patch fixes the instance located in the Windows system directory, but unfortunately this file gets repackaged a lot. What that means is that software developers who want to make sure that their app works on a target machine will tend to include a specific build of this file with their program. So this issue potentially affects every application written in Visual C up to this point.

The good news is that there isn't a public exploit for this yet, and there could be many considerations that could limit its exploit-ability. Anyone who has written proof-of-concept (or, um, not proof-of-concept) exploits will tell you, buffer overflows do not always equal code execution. That being said, with a file as common as this one and as widespread, you can bet a lot of people will try.

The remaining vulnerabilities, while not considered "top threats" are also significant; two of them are also labeled "critical"

MS12-008 / KB2660465

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

Critical

CVE-2011-5046, GDI Access Violation Vulnerability

The Graphics Device Interface (GDI) is the Windows software component that is responsible for displaying images on the monitor and also sending content to the printer. An exploit here can take many forms, as the bulletin points out – it could be a website, an email, even something in the preview panel.

It's almost like that thing in Snow Crash, where you were toast if you even looked at it. I bet it's a picture of a guy wearing two different types of plaid. I bet you it is.

The vulnerability affects XP, all the way up to Windows 7 and is usable in both remote and local contexts. Unlike many of this Patch Tuesday's vulnerabilities, this one was previously disclosed. Late last year, this was published:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5046

Along with a tweet about BSoD's happening when a particular iFrame height was used:

https://twitter.com/#%21/w3bd3vil/status/148454992989261824

It's good to see that Microsoft dug into this a bit, but what they found looks to be larger in scope than originally thought. Might see a bit more malware attention on this one in the future.

CVE-2012-0154, Keyboard Layout Use After Free Vulnerability

Another driver attack, this one is limited in scope to local attackers that already have an account. It deals with the driver that manages keyboard layouts and gives full system access to someone that successfully exploits it. It also affects XP and newer.

MS12-012 / KB2643719

Vulnerability in Color Control Panel Could Allow Remote Code Execution

Important

CVE-2010-5082, Color Control Panel Insecure Library Loading Vulnerability

One of those "DLL Injection" attacks, this one affects the Color Control Panel in Server 2008 only.

I think the fact that we're seeing a patch for this might be a good sign. Look at the date on the CVE and also think about the attack vector. It came out in 2010 and to use it, you have to convince someone to open an .icc or .icm file on a share with a DLL file next to it that mimics one used by Server 2008. Here's the original post:

http://shinnai.altervista.org/exploits/SH-006-20100914.html

It's completely valid from a vulnerability standpoint, but it just seems like the kind of thing that they'd fix "when they got around to it". Which is now, but at least it's happening. Is their queue starting to slim down? Or was this some kind of "easy one" that they threw at the intern?

This is the best thing to happen to the Bakersfield Color Control Panel Users Group in a long, long time.

MS12-009 / KB2645640

Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege

Important

Finally a killer app for 64-bit platforms: if you're going to get your AFD knocked over, you better be on x64. You 32-bit slowpokes with your tiny address space are just going to have to sit this one out.

CVE-2012-0148, AfdPoll Elevation of Privilege Vulnerability

CVE-2012-0149, Ancillary Function Driver Elevation of Privilege Vulnerability

We're learning about all kinds of Windows internals today. The Ancillary Function Driver is closely tied to the TCP/IP stack and facilitates socket communication to applications via Winsock. You would think this would be a remote vulnerability, being TCP/IP and all, but since the vuln deals with calls directly to the afd.sys file it's actually a local privilege escalation.

Both of these CVE's look very similar, though the second only affects 64-bit versions of Windows 2003. The first one affects 64-bit Windows versions from XP to 7, including Server 2003 and 2008.

MS12-011 / KB2663841

Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege

Important

CVE-2012-0017, XSS in inplview.aspx Vulnerability

CVE-2012-0144, XSS in themeweb.aspx Vulnerability

CVE-2012-0145, XSS in wizardlist.aspx Vulnerability

Found in Sharepoint 2010 including SP1, these XSS vulnerabilities could be coupled with social engineering attacks to gain administrative access. Note that the affected parameter is not disclosed in the bulletin, so don't expect a lot of help with that "New Fonzie Theme installed!" email you're preparing for your IT guy.

MS12-016 / KB2651026

Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution

Important

CVE-2012-0014, Microsoft .NET Framework and the Silverlight Framework Remote Code Execution

Silverlight is a cross-platform web-plugin that allows flexibility of defining an application's visual elements with the use of the Extensible Application Markup Language (XAML). The plugin can be used to view dynamic websites built specifically for Silverlight or viewing the most popular movies on Netflix website (such as "Hackers").

Those who need a daily dose of Silverlight should beware of CVE-2012-0014 based on the potential of an attacker luring users to a malicious application that uses these vulnerabilities to perform remote code execution. Possible attack vectors include an attacker providing a URL link to a malicious Silverlight application from a email, website or document.

CVE-2012-0015 - Microsoft .NET Framework Remote Code Execution

Unlike Silverlight applications, XBAP are Windows only applications and requires the .NET Framework to be installed. CVE-2012-0015 specifically targets XBAP applications and allows remote code execution. Similarly to CVE-2012-0014, an attacker may use social engineering techniques to trick users to launch a malicious application.

Both CVE-2012-0014 and CVE-2012-0015 are serious vulnerabilities based on the fact that attackers can execute malicious code to install programs, modify data or even create new accounts with full user rights. Users can reduce the outcome of exploitation by using non-administrative windows accounts.

MS12-015 / KB2663510

Vulnerabilities in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution

Important

CVE-2012-0019, VSD File Format Memory Corruption Vulnerability

CVE-2012-0020, VSD File Format Memory Corruption Vulnerability

CVE-2012-0136, VSD File Format Memory Corruption Vulnerability

CVE-2012-0137, VSD File Format Memory Corruption Vulnerability

CVE-2012-0138, VSD File Format Memory Corruption Vulnerability

There are five CVE's issued for MS12-015. Visio is a software solution for use of diagraming a network topology or simply to display information graphically. Specifically, all of these vulnerabilities have been found in the Visio Viewer, which is a free to use for the purpose of opening "VSD" files, but doesn't allow modifying. However, licensed versions of Visio, such as Visio 2010 Service Pack 1 are not affected by these vulnerabilities.

The concern for MS12-015 is based on an attacker can use these vulnerabilities for remote code execution. An attacker could possibly craft a Visio "VSD" file and then distribute the file (NEW ORG CHART.vsd) for malicious purposes. This can allow the attacker to gain access to the machine or the ability to modify data on the system.

MS12-014 / CVE-2010-3138

The Indeo Codec remote code execution vulnerability was originally released at the end of August 2010, but until now there hasn't been a fix for it. Microsoft Windows uses the Indeo filter (iac25_32.ax) for the loading of .DLL files in products, such as the Windows Media player. However, due to a flaw in the Indeo filter, an attacker can place a crafted DLL in the folder of the media file for remote code execution. Another "DLL Injection" situation here.

Windows XP is the only operating system affected by this vulnerability. However, this is a serious threat for users running this operating system since an attacker can gain complete control over a operating system. Attackers can potentially entice users to download and open a media file containing the malicious DLL. Furthermore, users on the same network could potentially become infected if the media file was opened if access via a Samba shared drive.

Special thanks to Robert Foggia, Ryan Barnett, Mike Ryan, and John Miller for their help making this the best Valentine's Patch Tuesday ever.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.