Microsoft Security Bulletin: December 2011 Release
This month we are releasing 13 security bulletins for new vulnerabilities. Please see the details below and make sure you apply these in your environments where applicable. I’ve provided more technical details below as well.
What is the purpose of this alert?
This alert is to provide you with an overview of the new security bulletin(s) being released on December 13, 2011. Security bulletins are released monthly to resolve critical problem vulnerabilities.
New Security Bulletins
Microsoft is releasing the following thirteen new security bulletins for newly discovered vulnerabilities:
|
|
|
|
|
|
|
|
|
|
| |||
|
|
|
|
| ||
|
|
|
|
| ||
|
|
|
| |||
|
|
|
|
| ||
|
|
|
| |||
|
|
|
|
| ||
|
|
|
|
| ||
|
|
|
| |||
|
|
|
|
| ||
|
|
|
| |||
|
|
|
| |||
|
|
|
| |||
|
| |||||
Summaries for new bulletin(s) may be found at https://technet.microsoft.com/security/bulletin/MS11-dec.
Microsoft Windows Malicious Software Removal Tool
Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU), and the Download Center. Information on the Microsoft Windows Malicious Software Removal Tool is available at https://support.microsoft.com/?kbid=890830.
More Technical Details
|
|
| |
|
|
| |
|
|
| |
|
|
| |
|
|
|
|
|
|
|
|
|
|
| |
|
|
| |
|
| ||
Bulletin Identifier |
Microsoft Security Bulletin MS11-088 |
|---|---|
Bulletin Title |
Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016) |
Executive Summary |
This security update resolves a privately reported vulnerability in Microsoft Office IME (Chinese). The vulnerability could allow elevation of privilege if a logged-on user performed specific actions on a system where an affected version of the Microsoft Pinyin (MSPY) Input Method Editor (IME) for Simplified Chinese is installed. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
The security update addresses the vulnerability by correcting the manner in which the Microsoft Office IME (Chinese) exposes configuration options not designed to run on the secure desktop. |
Severity Ratings and Affected Software |
This security update is rated Important for all supported editions of Microsoft Office 2010 where Microsoft Pinyin IME 2010 is installed, Microsoft Office Pinyin SimpleFast Style 2010, and Microsoft Office Pinyin New Experience Style 2010. |
Attack Vectors |
An attacker who exposes configuration options in Microsoft Office IME (Chinese) can exploit this vulnerability, and perform specific actions utilizing the MSPY IME toolbar to launch Internet Explorer with system-level privileges. |
Mitigating Factors |
· An attacker must have valid logon credentials to log on locally to exploit this vulnerability. The vulnerability cannot be exploited remotely or by anonymous users. · Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected. |
Restart Requirement |
This update may require a restart. |
Bulletins Replaced by This Update |
None |
Full Details |
Bulletin Identifier |
Microsoft Security Bulletin MS11-089 |
|---|---|
Bulletin Title |
Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602) |
Executive Summary |
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Word file.
The security update addresses the vulnerability by correcting the way that Microsoft Word parses specially crafted Word files. |
Severity Ratings and Affected Software |
This security update is rated Important for all supported editions of Microsoft Office 2007, Microsoft Office 2010, and Microsoft Office for Mac 2011. |
Attack Vectors |
An attacker could exploit this vulnerability if a user opens a specially crafted Word file. |
Mitigating Factors |
· An attacker could not force a user to visit a specially crafted site. · An attacker cannot exploit this vulnerability automatically through email; instead, the user would have to click on an attachment in an email message. · An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Restart Requirement |
This update may require a restart. |
Bulletins Replaced by This Update |
Office for Mac 2011: MS11-072 |
Full Details |
Bulletin Identifier |
Microsoft Security Bulletin MS11-090 |
|---|---|
Bulletin Title |
Cumulative Security Update of ActiveX Kill Bits (2618451) |
Executive Summary |
This security update resolves a privately reported vulnerability in Microsoft software. The vulnerability could allow remote code execution if a user views a specially crafted webpage that uses a specific binary behaviour in Internet Explorer.
The security update addresses the vulnerability by setting kill bits so that the vulnerable control does not run in Internet Explorer. This update also includes kill bits for four third-party ActiveX controls. |
Severity Ratings and Affected Software |
This security update is rated Critical for all supported editions of Windows XP and Windows Server 2003. |
Attack Vectors |
An attacker could exploit this vulnerability if a user views a specially crafted webpage that uses a specific binary behaviour in Internet Explorer. |
Mitigating Factors |
· An attacker would have to convince users to visit a website, typically by getting them to click a link in an email or IM message. · Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Restart Requirement |
This update may require a restart. |
Bulletins Replaced by This Update |
MS11-027 |
Full Details |
Bulletin Identifier |
Microsoft Security Bulletin MS11-091 |
|---|---|
Bulletin Title |
Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702) |
Executive Summary |
This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens a specially crafted Publisher file.
The security update addresses the vulnerabilities by correcting the way that Microsoft Publisher parses specially crafted Publisher files. |
Severity Ratings and Affected Software |
This security update is rated Important for supported editions of Microsoft Publisher 2003 and Microsoft Publisher 2007. |
Attack Vectors |
· An attacker can exploit this vulnerability by creating a specially crafted Publisher file that could be included as an email attachment, or hosted on a specially crafted/compromised website, and then convince the user to open the specially crafted Publisher file. |
Mitigating Factors |
· An attacker has to convince the user to visit a website or open an attachment. · Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Restart Requirement |
This update may require a restart. |
Bulletins Replaced by This Update |
MS10-103 |
Full Details |
Bulletin Identifier |
Microsoft Security Bulletin MS11-092 |
|---|---|
Bulletin Title |
Vulnerability in Windows Media Could Allow Remote Code Execution (2648048) |
Executive Summary |
This security update resolves a privately reported vulnerability in Windows Media Player and Windows Media Center. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file.
The security update addresses the vulnerability by modifying the way that Windows Media Player and Windows Media Center open specially crafted .dvr-ms files. |
Severity Ratings and Affected Software |
This security update is rated Critical for all affected editions of Windows XP (including Windows XP Media Center Edition 2005) and all supported editions of Windows Vista and Windows 7. |
Attack Vectors |
The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. |
Mitigating Factors |
In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so. |
Restart Requirement |
This update may require a restart. |
Bulletins Replaced by This Update |
None |
Full Details |
Bulletin Identifier |
Microsoft Security Bulletin MS11-093 |
|---|---|
Bulletin Title |
Vulnerability in OLE Could Allow Remote Code Execution (2624667) |
Executive Summary |
This security update resolves a privately reported vulnerability in all supported editions of Windows XP and Windows Server 2003. The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object.
The security update addresses the vulnerability by modifying the way that OLE objects are handled in memory. |
Severity Ratings and Affected Software |
This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. |
Attack Vectors |
The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object. |
Mitigating Factors |
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Restart Requirement |
This update may require a restart. |
Bulletins Replaced by This Update |
None |
Full Details |
Bulletin Identifier |
Microsoft Security Bulletin MS11-094 |
|---|---|
Bulletin Title |
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142) |
Executive Summary |
This security update resolves two privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited either of the vulnerabilities could take complete control of an affected system.
The security update addresses the vulnerabilities by correcting the way that PowerPoint loads external libraries and modifying the way that it validates OfficeArt records when opening PowerPoint files. |
Severity Ratings and Affected Software |
This security update is rated Important for Microsoft PowerPoint 2007 Service Pack 2, Microsoft PowerPoint 2010, and Microsoft Office 2008 for Mac. The security update is also rated Important for Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 and Microsoft PowerPoint Viewer 2007 Service Pack 2. |
Attack Vectors |
CVE-2011-3396: · In a network attack scenario, an attacker could place a legitimate file and a specially crafted DLL file in a network share, a UNC, or WebDAV location and then convince the user to open the file. · In an email attack scenario, an attacker could exploit the vulnerability by sending a legitimate file attachment to a user, and convincing the user to place the attachment into a directory containing a specially crafted DLL file and to open the legitimate file. CVE-2011-3413: · In a web-based attack scenario, an attacker would have to convince users to visit the website and open the specially crafted PowerPoint file. · In an email attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted PowerPoint file to the user and convincing the user to open the file. |
Mitigating Factors |
· An attacker cannot force a user to open a malicious file or to place files in a specific directory. · Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Restart Requirement |
This update may require a restart. |
Bulletins Replaced by This Update |
MS11-022, MS11-036, and MS11-072. |
Full Details |
Bulletin Identifier |
Microsoft Security Bulletin MS11-095 |
|---|---|
Bulletin Title |
Vulnerability in Active Directory Could Allow Remote Code Execution (2640045) |
Executive Summary |
This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow remote code execution if an attacker logs on to an Active Directory domain and runs a specially crafted application.
The security update addresses the vulnerability by changing the way that Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS) handle objects in memory. |
Severity Ratings and Affected Software |
This security update is rated Important for Active Directory, ADAM, and AD LDS when installed on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 (except Itanium), Windows 7, and Windows Server 2008 R2 (except Itanium). |
Attack Vectors |
The vulnerability could allow remote code execution if an attacker logs on to an Active Directory domain and runs a specially crafted application. |
Mitigating Factors |
To exploit this vulnerability, an attacker would first need to acquire credentials to log on to an Active Directory domain. |
Restart Requirement |
This update may require a restart. |
Bulletins Replaced by This Update |
MS11-086 |
Full Details |
Bulletin Identifier |
Microsoft Security Bulletin MS11-096 |
|---|---|
Bulletin Title |
Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241) |
Executive Summary |
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. The security update addresses the vulnerability by correcting the way that Microsoft Excel manages objects in memory. |
Severity Ratings and Affected Software |
This security update is rated Important for all supported editions of Microsoft Excel 2003 and Microsoft Office 2004 for Mac. |
Attack Vectors |
· In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Excel file to the user and by convincing the user to open the file. · In a web-based attack scenario, an attacker would have to host a website that contains an Excel file that is used to attempt to exploit this vulnerability. |
Mitigating Factors |
· An attacker would have no way to force users to visit these websites or to open malicious files. · An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. · Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-3403. |
Restart Requirement |
This update may require a restart. |
Bulletins Replaced by This Update |
MS11-072 |
Full Details |
Bulletin Identifier |
Microsoft Security Bulletin MS11-097 |
|---|---|
Bulletin Title |
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712) |
Executive Summary |
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process.
The security update addresses the vulnerability by modifying the way that the Client/Server Run-time Subsystem (CSRSS) evaluates inter-process device event message permissions. |
Severity Ratings and Affected Software |
This security update is rated Important for all supported releases Microsoft Windows. |
Attack Vectors |
The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process. |
Mitigating Factors |
An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. |
Restart Requirement |
This update requires a restart. |
Bulletins Replaced by This Update |
MS11-010 |
Full Details |
Bulletin Identifier |
Microsoft Security Bulletin MS11-098 |
|---|---|
Bulletin Title |
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171) |
Executive Summary |
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability.
The security update addresses the vulnerability by helping to ensure that the Windows kernel initializes objects in memory. |
Severity Ratings and Affected Software |
This security update is rated Important for all supported 32-bit editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. |
Attack Vectors |
The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability. |
Mitigating Factors |
An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. |
Restart Requirement |
This update requires a restart. |
Bulletins Replaced by This Update |
MS10-047, MS10-021, and MS11-068. |
Full Details |
Bulletin Identifier |
Microsoft Security Bulletin MS11-099 |
|---|---|
Bulletin Title |
Cumulative Security Update for Internet Explorer (2618444) |
Executive Summary |
This security update resolves three privately reported vulnerabilities in Internet Explorer. The most severe vulnerability could allow remote code execution if a user opens a legitimate HyperText Markup Language (HTML) file that is located in the same directory as a specially crafted Dynamic-Link Library (DLL) file.
The update addresses the vulnerabilities by modifying the behavior of Internet Explorer XSS Filter, correcting the manner in which Internet Explorer loads external libraries, and correcting the way that Internet Explorer enforces the content settings supplied by the web server. |
Severity Ratings and Affected Software |
This security update is rated Important for Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows clients and for Internet Explorer 9 for Windows Server 2008 R2. This security update is also rated Moderate for Internet Explorer 6 on all supported editions of Windows XP. This security update is also rated Low for Internet Explorer on Windows servers (except Windows Server 2008 R2). |
Attack Vectors |
CVE 2011-1992 & CVE 2011-3404: · Browse and Own: An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. |
Mitigating Factors |
· The Server Message Block (SMB) is often disabled on the perimeter firewall. This limits the potential attack vectors for this vulnerability. · An attacker could not force a user to visit a specially crafted site. |
Restart Requirement |
This update requires a restart. |
Bulletins Replaced by This Update |
MS11-081 |
Full Details |
Jeffa
Technorati Tags: Security Bulletins,Updates,Patching