From Erik’s IT-Security notes

EZSecurity Bulletin for April of 2011

INTRO

April is here and finally Sweden is loose from the winter’s grasp. But Microsoft still has us in its clutches. This month comes with a hefty 17 bulletins. According to ISC SANS, MS11-018 and MS11-026 are being actively exploited as we speak. There’s no need for panic though, as we’ve deemed that patching can wait until the next patching window.

Myself, I’ve just gotten my amateur radio certification and will soon be known to the world as SA0BTZ. We ham radio folks have all those weird call signs because that’s how it works. This news bulletin will continue to come out every month, but I’m thinking of ditching the newsletter format. I’ve not decided to do so yet, though. While it’s certainly fun to write the short essays and comment on the weather every month, I frequently find myself short of time. I’m not sure how to proceed, but I guess most of you read it only for the attached document. And there’s no problem with that. The whole idea with this email is to send you the official advice from us. As you see, not everything in life is about security. Only most of it!

MICROSOFT SECURITY BULLETIN SUMMARY FOR APRIL OF 2011

As per usual, Microsoft releases its security bulletins on the second Tuesday of every month. This month brings 17 bulletins. Recommendation: patching should be done as soon as possible, which means the next patch window.

Critical
MS11-018 - Cumulative Security Update for Internet Explorer (2497640)
MS11-019 - Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)
MS11-020 - Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
MS11-027 - Cumulative Security Update of ActiveX Kill Bits (2508272)
MS11-028 - Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)
MS11-029 - Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)
MS11-030 - Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
MS11-031 - Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)
MS11-032 - Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)
Important
MS11-021 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)
MS11-022 - Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
MS11-023 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)
MS11-024 - Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)
MS11-025 - Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)
MS11-026 - Vulnerability in MHTML Could Allow Information Disclosure (2503658)
MS11-033 - Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)
MS11-034 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)

WHAT’S WHAT IN A BULLETIN?

If you read security bulletins, you’ll probably come across a number of terms that everyone just accepts. But how many of them do you really know? I’ve compiled the explanations from some of my other texts to give you a brief rundown of what you must understand when you read a Microsoft Security Bulletin. One bulletin may describe a fix for many vulnerabilities.

Maximum Security Impact

This category tells you the worst thing an attacker may be able to do to a vulnerable system.

“Denial of service”

An attack that causes a system to fail, stop responding or slow down to a crawl is known as a “denial of service attack”. The most common way to perform this type of attack is to overwhelm the system with a large number of repeated requests. A vulnerability that allows an attacker to take a whole system or service down by sending a few malformed requests is said to have “Denial of service” as its “Maximum Security Impact”.

“Elevation of privilege”

This category contains vulnerabilities which can be used to give an attacker more privileges and permissions on a system. The most common case is an attacker who starts out anonymous (not authenticated) and then uses an exploit to make himself an administrator. This is sometimes known as “rooting” a system, after the Unix super user known as “root”. This category of attack can sometimes also be used to impersonate another user.

“Remote Code Execution”

A vulnerability that allows users to run a program or script on a system when they’re not logged in to it on the console is known as a “Remote Code Execution” vulnerability.

“Information Disclosure”

Some vulnerabilities allow you to retrieve information that you normally shouldn’t be able to get. An example could be when you can read the contents of an ASP script or read files that require permissions you do not have.

Microsoft Exploitability Index

As all of you know, Microsoft rate their vulnerabilities on a scale ranging from low to critical. They call this the "Maximum Severity Rating". But it's far less common knowledge that they also have an "Exploitability Index" rating on every bulletin.

An example: "MS09-036 Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957) CVE-2009-1536 3 - Functioning exploit code unlikely

A denial-of-service tool is likely. However, functioning exploit code for remote code execution is unlikely." The Exploitability index for this vulnerability is 3, which is the lowest rating.

• A rating of 3 means the exploit code is unlikely to work. It may cause an effect, but it will probably not work well enough to allow for something like remote code execution.

Example: if the exploit only works 1 time out of 100 when you attack a system, it is not considered a stable exploit.

• A rating of 2 means that the exploit code works, but will not succeed often enough to be considered stable.

• A rating of 1 means that the exploit code will work repeatedly.
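As an added example (not part of the original newsletter), here is a small Python script that turns the bulletin summary above into structured records, reads each bulletin’s Maximum Security Impact off its title using the categories explained in this section, and orders the list for patching with the two bulletins ISC SANS reported as actively exploited at the top. The summary lines, the set of actively exploited bulletins and the “patch the exploited ones first” rule come from this page; the line format regex, the keyword-to-impact mapping and the numeric severity ranking are my own assumptions, as is the “Unknown” label for cumulative updates whose titles name no impact.

```python
import re
from dataclasses import dataclass

# Constructed input: the April 2011 summary as printed in this newsletter.
BULLETIN_SUMMARY = """\
Critical
MS11-018 - Cumulative Security Update for Internet Explorer (2497640)
MS11-019 - Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)
MS11-020 - Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
MS11-027 - Cumulative Security Update of ActiveX Kill Bits (2508272)
MS11-028 - Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)
MS11-029 - Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)
MS11-030 - Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
MS11-031 - Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)
MS11-032 - Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)
Important
MS11-021 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)
MS11-022 - Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
MS11-023 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)
MS11-024 - Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)
MS11-025 - Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)
MS11-026 - Vulnerability in MHTML Could Allow Information Disclosure (2503658)
MS11-033 - Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)
MS11-034 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)
"""

# Bulletins ISC SANS reported as actively exploited when this issue went out (from the newsletter).
ACTIVELY_EXPLOITED = {"MS11-018", "MS11-026"}

# Assumed ranking of Microsoft's four severity levels, lower number = patch earlier.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Assumed mapping from the wording of a bulletin title to its Maximum Security Impact.
IMPACT_KEYWORDS = [
    ("remote code execution", "Remote Code Execution"),
    ("elevation of privilege", "Elevation of Privilege"),
    ("information disclosure", "Information Disclosure"),
    ("denial of service", "Denial of Service"),
]

# Assumed line format: "MS11-018 - <title> (<KB number>)"; the lazy title group
# lets titles contain their own parentheses, e.g. "(CFF)" or "(MFC)".
LINE_RE = re.compile(r"^(MS\d{2}-\d{3}) - (.+?) \((\d+)\)$")


@dataclass
class Bulletin:
    id: str
    severity: str
    title: str
    kb: str
    impact: str
    actively_exploited: bool


def classify_impact(title):
    """Return the Maximum Security Impact named in the title, or 'Unknown'."""
    lowered = title.lower()
    for needle, label in IMPACT_KEYWORDS:
        if needle in lowered:
            return label
    return "Unknown"  # cumulative updates name no single impact in their title


def parse_summary(text):
    """Parse the summary into Bulletin records, tracking the current severity heading."""
    severity = None
    bulletins = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SEVERITY_RANK:       # a heading such as "Critical" or "Important"
            severity = line
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised bulletin line: {line!r}")
        if severity is None:
            raise ValueError("bulletin line appears before any severity heading")
        bulletin_id, title, kb = match.groups()
        bulletins.append(Bulletin(bulletin_id, severity, title, kb,
                                  classify_impact(title),
                                  bulletin_id in ACTIVELY_EXPLOITED))
    return bulletins


def prioritise(bulletins):
    """Order for patching: actively exploited first, then by severity, then by id."""
    return sorted(bulletins,
                  key=lambda b: (not b.actively_exploited, SEVERITY_RANK[b.severity], b.id))


if __name__ == "__main__":
    for b in prioritise(parse_summary(BULLETIN_SUMMARY)):
        flag = "EXPLOITED" if b.actively_exploited else "         "
        print(f"{flag} {b.severity:<9} {b.id} KB{b.kb} {b.impact}: {b.title}")
```

Running it prints MS11-018 and MS11-026 first, then the remaining Critical bulletins, then the Important ones. The impact column is only as good as the title wording, so a cumulative update (MS11-018, MS11-027) comes out as “Unknown” and still has to be read in full; the point of the script is to make the triage order explicit, not to replace reading the bulletin.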

Here’s the official guide to software updates from Microsoft:
http://support.microsoft.com/kb/824684/en-us

LINKS

The official bulletins from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms11-apr.mspx

ISC SANS’s monthly Microsoft analysis is always a good read:
http://isc.sans.edu/diary/April+2011+Microsoft+Black+Tuesday+Summary/10693

All back-issues of this newsletter can be found here:
https://secure.ericade.net/security/index.php/SECBulletins

And on the EZSecurity blog at Tieto DF:
http://df.tieto.com/Blogs/EZSecurity/

My private blog:
http://erik.zalitis.se/

Bruce Schneier’s excellent newsletter:
http://www.schneier.com/crypto-gram.html

A collection of useful security links:
https://secure.ericade.net/security/index.php/Security_links

A good site to check for known vulnerabilities for your favorite programs:
http://secunia.com/

What's the general state of the Internet?:
http://isc.sans.org/

OWASP Sweden's email list archive:
https://lists.owasp.org/pipermail/owasp-sweden/

Recommended for you developers out there:
http://www.owasp.org/index.php/Main_Page

My own, random knowledge base:
https://secure.ericade.net/security/index.php/portal:Kb

Regards
Erik Zalitis
System Specialist
CISSP
Certified Ethical Hacker
MCITP:EA
MCSE:Security 2003
MCSE:Messaging 2003
Citrix Certified Administrator for PS4.
VMware Certified Professional on VI3
ITIL Foundations
Mobile: + 46 (0)70 673 07 54