June '11 Patch Tuesday: 16 Bulletins, 34 Vulnerabilities
On the 14th of June 2011, as part of the Patch Tuesday program, Redmond-based software giant Microsoft rolled out a grand total of 16 security bulletins. Out of them all 9 carry the 'critical' rating while the remaining 7 are rated as 'important'.
As a little reminder, the 'critical' rating refers to vulnerabilities whose exploitation could allow the propagation of an Internet worm without user action. The 'important' rating refers to vulnerabilities whose exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.
The abovementioned bulletins are meant to address 34 vulnerabilities that plague the Windows operating system, the Office productivity suite, the Internet Explorer web browser and other Microsoft products.
Here’s a closer look at the 9 bulletins that have been rated “critical”:
MS11-038 – Vulnerability in OLE Automation Could Allow Remote Code Execution
Description: A privately reported vulnerability in Microsoft Windows Object Linking and Embedding (OLE) Automation. The vulnerability could allow remote code execution if a user visits a Web site containing a specially crafted Windows Metafile (WMF) image. An attacker would have to convince users to visit a malicious Web site, typically by getting them to click a link in an e-mail message or Instant Messenger request.
Most likely attack vector: Victim browses to a malicious webpage that uses VBScript to load a WMF file from a SMB or WebDAV path.
Affected software: Microsoft Windows.
MS11-039 - Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution
Description: A privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
Most likely attack vector: Victim browses to a malicious webpage that offers an XBAP application. Could also be used by a malicious ASP.Net application to bypass CAS restrictions.
Affected software: Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight.
MS11-040 – Vulnerability in Threat Management Gateway Firewall Client Could Allow Remote Code Execution
Description: A privately reported vulnerability in the Microsoft Forefront Threat Management Gateway (TMG) 2010 Client, formerly named the Microsoft Forefront Threat Management Gateway Firewall Client. The vulnerability could allow remote code execution if an attacker leveraged a client computer to make specific requests on a system where the TMG firewall client is used.
Most likely attack vector: Victim running TMG client browses to a malicious webpage that initiates DNS hostname lookup to malicious DNS server. Malicious response is parsed by application that initiated request and could potentially allow code execution in that context.
Affected software: Microsoft Forefront Threat Management Gateway.
MS11-041 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
Description: a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a network share (or visits a web site that points to a network share) containing a specially crafted OpenType font (OTF). An attacker would have to convince a user to visit the web site or network share, typically by getting them to click a link in an e-mail message or Instant Messenger message.
Most likely attack vector: Victim using explorer.exe browses to a folder containing a malicious OTF file.
Affected software: Microsoft Windows.
MS11-042 – Vulnerabilities in Distributed File System Could Allow Remote Code Execution
Description: Two privately reported vulnerabilities in the Microsoft Distributed File System (DFS). The more severe of these vulnerabilities could allow remote code execution when an attacker sends a specially crafted DFS response to a client-initiated DFS request. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system.
Most likely attack vector: Victim makes an outbound connection to a malicious DFS server which responds with a malicious DFS packet, potentially executing code on the client in ring0.
Affected software: Microsoft Windows.
MS11-043 – Vulnerability in SMB Client Could Allow Remote Code Execution
Description: A privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit the vulnerability, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.
Most likely attack vector: Victim makes an outbound connection to a malicious SMB server which responds with a malicious SMB packet, potentially executing code on the client in ring0.
Affected software: Microsoft Windows.
MS11-044 – Vulnerability in .NET Framework Could Allow Remote Code Execution
Description: A publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
Most likely attack vector: Attack vector is application-dependent and limited to .NET applications relying on a certain kind of check to make security decisions.
Affected software: Microsoft Windows, Microsoft .NET Framework.
MS11-050 – Cumulative Security Update for Internet Explorer
Description: Eleven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user.
Most likely attack vector: Victim browses to a malicious webpage.
Affected software: Microsoft Windows, Internet Explorer.
MS11-052 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution
Description: A privately reported vulnerability in the Microsoft implementation of Vector Markup Language (VML). The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Internet Explorer 9 is not affected by the vulnerability.
Most likely attack vector: Victim browses to a malicious webpage.
Affected software: Microsoft Windows, Internet Explorer.
Additional information on the security bulletins Microsoft released as part of the June 2011 Patch Tuesday are available here and here.
The Microsoft Security Response Center (MSRC) has provided these visual representations of the June 2011 Patch Tuesday.
As a little reminder, the 'critical' rating refers to vulnerabilities whose exploitation could allow the propagation of an Internet worm without user action. The 'important' rating refers to vulnerabilities whose exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.
The abovementioned bulletins are meant to address 34 vulnerabilities that plague the Windows operating system, the Office productivity suite, the Internet Explorer web browser and other Microsoft products.
Here’s a closer look at the 9 bulletins that have been rated “critical”:
MS11-038 – Vulnerability in OLE Automation Could Allow Remote Code Execution
Description: A privately reported vulnerability in Microsoft Windows Object Linking and Embedding (OLE) Automation. The vulnerability could allow remote code execution if a user visits a Web site containing a specially crafted Windows Metafile (WMF) image. An attacker would have to convince users to visit a malicious Web site, typically by getting them to click a link in an e-mail message or Instant Messenger request.
Most likely attack vector: Victim browses to a malicious webpage that uses VBScript to load a WMF file from a SMB or WebDAV path.
Affected software: Microsoft Windows.
MS11-039 - Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution
Description: A privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
Most likely attack vector: Victim browses to a malicious webpage that offers an XBAP application. Could also be used by a malicious ASP.Net application to bypass CAS restrictions.
Affected software: Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight.
MS11-040 – Vulnerability in Threat Management Gateway Firewall Client Could Allow Remote Code Execution
Description: A privately reported vulnerability in the Microsoft Forefront Threat Management Gateway (TMG) 2010 Client, formerly named the Microsoft Forefront Threat Management Gateway Firewall Client. The vulnerability could allow remote code execution if an attacker leveraged a client computer to make specific requests on a system where the TMG firewall client is used.
Most likely attack vector: Victim running TMG client browses to a malicious webpage that initiates DNS hostname lookup to malicious DNS server. Malicious response is parsed by application that initiated request and could potentially allow code execution in that context.
Affected software: Microsoft Forefront Threat Management Gateway.
MS11-041 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
Description: a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a network share (or visits a web site that points to a network share) containing a specially crafted OpenType font (OTF). An attacker would have to convince a user to visit the web site or network share, typically by getting them to click a link in an e-mail message or Instant Messenger message.
Most likely attack vector: Victim using explorer.exe browses to a folder containing a malicious OTF file.
Affected software: Microsoft Windows.
MS11-042 – Vulnerabilities in Distributed File System Could Allow Remote Code Execution
Description: Two privately reported vulnerabilities in the Microsoft Distributed File System (DFS). The more severe of these vulnerabilities could allow remote code execution when an attacker sends a specially crafted DFS response to a client-initiated DFS request. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system.
Most likely attack vector: Victim makes an outbound connection to a malicious DFS server which responds with a malicious DFS packet, potentially executing code on the client in ring0.
Affected software: Microsoft Windows.
MS11-043 – Vulnerability in SMB Client Could Allow Remote Code Execution
Description: A privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit the vulnerability, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.
Most likely attack vector: Victim makes an outbound connection to a malicious SMB server which responds with a malicious SMB packet, potentially executing code on the client in ring0.
Affected software: Microsoft Windows.
MS11-044 – Vulnerability in .NET Framework Could Allow Remote Code Execution
Description: A publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
Most likely attack vector: Attack vector is application-dependent and limited to .NET applications relying on a certain kind of check to make security decisions.
Affected software: Microsoft Windows, Microsoft .NET Framework.
MS11-050 – Cumulative Security Update for Internet Explorer
Description: Eleven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user.
Most likely attack vector: Victim browses to a malicious webpage.
Affected software: Microsoft Windows, Internet Explorer.
MS11-052 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution
Description: A privately reported vulnerability in the Microsoft implementation of Vector Markup Language (VML). The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Internet Explorer 9 is not affected by the vulnerability.
Most likely attack vector: Victim browses to a malicious webpage.
Affected software: Microsoft Windows, Internet Explorer.
Additional information on the security bulletins Microsoft released as part of the June 2011 Patch Tuesday are available here and here.
The Microsoft Security Response Center (MSRC) has provided these visual representations of the June 2011 Patch Tuesday.
