Wednesday, 13 April 2011

April Patch Tuesday 2011: Massive Update, Moderate Impact


With this Microsoft Patch Tuesday update, we see a large number of updates, 17 in total, in comparison to the recent small list of updates released by Microsoft for the months of January, February and March. Of these, 9 are rated Critical and 8 are rated Important. Although this is a large update from Microsoft, the potential impact of the updates is likely to be small due to the small number of applications dependent on the changes. Of the all of the Microsoft Security Updates released on this April Patch Tuesday, the ChangeBASE team recommends that the patches MS11-025 (Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution) and MS11-029 (Vulnerability in GDI+ Could Allow Remote Code Execution) are given the highest testing focus for this batch of releases.

As part of the Patch Tuesday Security Update analysis performed by the ChangeBASE team, we have seen only a moderate cause for potential compatibility issues.
Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this April Patch Tuesday release cycle.

Here is an example of the results generated from AOK for the patch MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)



Testing Summary
  • MS11-018 : Cumulative Security Update for Internet Explorer (2497640)
  • MS11-019 : Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)
  • MS11-020 : Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
  • MS11-021 : Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)
  • MS11-022 : Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)
  • MS11-023 : Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)
  • MS11-024 : Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)
  • MS11-025 : Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)
  • MS11-026 : Vulnerability in MHTML Could Allow Information Disclosure (2503658)
  • MS11-027 : Cumulative Security Update of ActiveX Kill Bits (2508272)
  • MS11-028 : Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)
  • MS11-029 : Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)
  • MS11-030 : Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
  • MS11-031 : Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)
  • MS11-032 : Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)
  • MS11-033 : Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)
  • MS11-034 : Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)


Patch NameTotal
Issues
Matches
Affected
RebootRatingRAG
Microsoft Security Bulletin MS11-018<1%<1%YESGreen
Microsoft Security Bulletin MS11-019<1%<1%YESGreen
Microsoft Security Bulletin MS11-020<1%<1%YESGreen
Microsoft Security Bulletin MS11-021~1%~1%YESGreen
Microsoft Security Bulletin MS11-022~1%~1%YESGreen
Microsoft Security Bulletin MS11-023~1%~1%YESGreen
Microsoft Security Bulletin MS11-024<1%<1%YESGreen
Microsoft Security Bulletin MS11-02534%3%YESAmber
Microsoft Security Bulletin MS11-026<1%<1%YESGreen
Microsoft Security Bulletin MS11-027<1%<1%YESGreen
Microsoft Security Bulletin MS11-028<1%<1%YESGreen
Microsoft Security Bulletin MS11-02944%4%YESAmber
Microsoft Security Bulletin MS11-030<1%<1%YESGreen
Microsoft Security Bulletin MS11-031~1%~1%YESGreen
Microsoft Security Bulletin MS11-032<1%<1%YESGreen
Microsoft Security Bulletin MS11-033<1%<1%YESGreen
Microsoft Security Bulletin MS11-034<1%<1%YESGreen

Legend:
No IssueNo Issues Detected
FixablePotentially fixable application Impact
SeriousSerious Compatibility Issue

Security Update Detailed Summary
MS11-018Cumulative Security Update for Internet Explorer (2497640)
DescriptionThis security update resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients; and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers. Internet Explorer 9 is not affected by the vulnerabilities.
PayloadBrowseui.dll, Html.iec, Ieencode.dll, Iepeers.dll, Mshtml.dll, Mshtmled.dll, Mstime.dll, Shdocvw.dll, Tdc.ocx, Urlmon.dll, Wininet.dll
ImpactCritical - Remote Code Execution

MS11-019Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)
DescriptionThis security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.
PayloadMrxsmb.sys
ImpactCritical - Remote Code Execution

MS11-020Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
DescriptionThis security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.
PayloadSrv.sys, Xpsp4res.dll
ImpactCritical - Remote Code Execution

MS11-021Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)
DescriptionThis security update resolves nine privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadExcel.exe
ImpactImportant - Remote Code Execution

MS11-022Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)
DescriptionThis security update resolves three privately reported vulnerabilities in Microsoft PowerPoint. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadVbscript.dll
ImpactImportant - Remote Code Execution

MS11-023Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)
DescriptionThis security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file or if a user opens a legitimate Office file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited either of these vulnerabilities could gain the same user rights as the logged on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadIetag.dll, Ietag.dll_1033, Mso.dll
ImpactImportant - Remote Code Execution

MS11-024Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)
DescriptionThis security update resolves one publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opened a specially crafted fax cover page file (.cov) using the Windows Fax Cover Page Editor. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadFxscover.exe
ImpactImportant - Remote Code Execution

MS11-025Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)
DescriptionThis security update resolves a publicly disclosed vulnerability in certain applications built using the Microsoft Foundation Class (MFC) Library. The vulnerability could allow remote code execution if a user opens a legitimate file associated with such an affected application, and the file is located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by the affected application.
Payloadappcore.cpp, array_s.cpp, Atl.lib, atl71.dll, atl71.pdb, atlbase.h, atlbuild.h, atlcom.h, atlcomcli.h, ATLComTime.inl, atldload.lib, atlevent.h, atlhost.h, atlmincrt.lib, atlmincrt.pdb, atls.lib, atls.pdb, atlsd.lib, atlsd.pdb, atltime.h, atltime.inl, atlwin.h, bardock.cpp, dbcore.cpp, dlgcore.cpp, dllinit.cpp, docmgr.cpp, eafxis.lib, eafxis.pdb, eafxisd.lib, eafxisd.pdb, filelist.cpp, filest.cpp, isapi.cpp, mfc.bsc, mfc71d.dll, MFC71.dll, mfc71.lib, mfc71.pdb, mfc71.prf, MFC71CHS.DLL, MFC71CHT.DLL, mfc71d.lib, MFC71D.MAP, MFC71d.pdb, MFC71DEU.DLL, MFC71ENU.DLL, MFC71ESP.DLL, MFC71FRA.DLL, MFC71ITA.DLL, MFC71JPN.DLL, MFC71KOR.DLL, MFC71u.dll, mfc71u.lib, MFC71U.MAP, mfc71u.pdb, mfc71u.prf, mfc71ud.dll, mfc71ud.lib, MFC71UD.MAP, mfc71ud.pdb, mfcdload.lib, mfcs71.lib, mfcs71.pdb, mfcs71d.lib, mfcs71d.pdb, mfcs71u.lib, mfcs71u.pdb, mfcs71ud.lib, mfcs71ud.pdb, nafxcw.lib, nafxcw.pdb, nafxcwd.lib, nafxcwd.pdb, nafxis.lib, nafxis.pdb, nafxisd.lib, nafxisd.pdb, objcore.cpp, occcont.cpp, occdlg.cpp, oleasmon.cpp, oledlgs1.cpp, oledobj2.cpp, olefact.cpp, olepset.cpp, olestrm.cpp, oleui2.cpp, statreg.h, uafxcw.lib, uafxcw.pdb, uafxcwd.lib, uafxcwd.pdb, VC_User_ATL71_RTL_X86_---.msm, VC_User_MFC71_Loc_RTL_X86_---.msm, VC_User_MFC71_RTL_X86_---.msm, winctrl3.cpp, winfrm.cpp, winocc.cpp
ImpactImportant - Remote Code Execution

MS11-026Vulnerability in MHTML Could Allow Information Disclosure (2503658)
DescriptionThis security update resolves a publicly disclosed vulnerability in the MHTML protocol handler in Microsoft Windows. The vulnerability could allow information disclosure if a user visited a specially crafted Web site. In a Web-based attack scenario, a Web site could contain a specially crafted link that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open the specially crafted link.
PayloadInetcomm.dll
ImpactImportant - Information Disclosure

MS11-027Cumulative Security Update of ActiveX Kill Bits (2508272)
DescriptionThis security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft software. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for three third-party ActiveX controls.
Payload
ImpactCritical - Remote Code Execution

MS11-028Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)
DescriptionThis security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
Payload
ImpactCritical - Remote Code Execution

MS11-029Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)
DescriptionThis security update resolves a privately reported vulnerability in Microsoft Windows GDI+. The vulnerability could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadGdiplus.dll, Gdiplus.man
ImpactCritical - Remote Code Execution

MS11-030Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
DescriptionThis security update resolves a privately reported vulnerability in Windows DNS resolution. The vulnerability could allow remote code execution if an attacker gained access to the network and then created a custom program to send specially crafted LLMNR broadcast queries to the target systems. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the LLMNR ports should be blocked from the Internet.
PayloadAfd.sys, Dnsapi.dll, Dnsrslvr.dll, Mswsock.dll, System.adm, Tcpip.sys, Tcpip6.sys
ImpactCritical - Remote Code Execution

MS11-031Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)
DescriptionThis security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines. The vulnerability could allow remote code execution if a user visited a specially crafted Web site. An attacker would have no way to force users to visit the Web site. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
PayloadJscript.dll, Vbscript.dll
ImpactCritical - Remote Code Execution

MS11-032Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)
DescriptionThis security update resolves a privately reported vulnerability in the OpenType Compact Font Format (CFF) driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font. In all cases, an attacker would have no way to force users to view the specially crafted content. Instead, an attacker would have to convince users to visit a Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
PayloadAtmfd.dll
ImpactCritical - Remote Code Execution

MS11-033Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)
DescriptionThis security update resolves a privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability.
PayloadMswrd8.wpc
ImpactImportant - Remote Code Execution

MS11-034Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)
DescriptionThis security update resolves thirty privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
PayloadWin32k.sys
ImpactImportant - Elevation of Privilege


*All results are based on an AOK Application Compatibility Lab’s test portfolio of over 1,000 applications

No comments: