Microsoft Security Bulletin: December 2011 Release



This month we are releasing 13 security bulletins for new vulnerabilities.  Please see the details below and make sure you apply these in your environments where applicable.  I’ve provided more technical details below as well.

What is the purpose of this alert?

This alert is to provide you with an overview of the new security bulletin(s) being released on December 13, 2011. Security bulletins are released monthly to resolve critical problem vulnerabilities.

New Security Bulletins

Microsoft is releasing the following thirteen new security bulletins for newly discovered vulnerabilities:

| Bulletin ID | Bulletin Title | Max Severity Rating | Vulnerability Impact | Restart Requirement | Affected Software |
| --- | --- | --- | --- | --- | --- |
| MS11-087 | Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417) | Critical | Remote Code Execution | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| MS11-088 | Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016) | Important | Elevation of Privilege | May require restart | Microsoft Office 2010 where Microsoft Pinyin IME 2010 is installed, Office Pinyin SimpleFast Style 2010, and Microsoft Office Pinyin New Experience Style 2010. |
| MS11-089 | Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602) | Important | Remote Code Execution | May require restart | Microsoft Office 2007, Office 2010, and Office for Mac 2011. |
| MS11-090 | Cumulative Security Update of ActiveX Kill Bits (2618451) | Critical | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| MS11-091 | Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702) | Important | Remote Code Execution | May require restart | Microsoft Publisher 2003 and Publisher 2007. |
| MS11-092 | Vulnerability in Windows Media Could Allow Remote Code Execution (2648048) | Critical | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Vista, and Windows 7. |
| MS11-093 | Vulnerability in OLE Could Allow Remote Code Execution (2624667) | Important | Remote Code Execution | May require restart | Microsoft Windows XP and Windows Server 2003. |
| MS11-094 | Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142) | Important | Remote Code Execution | May require restart | Microsoft PowerPoint 2007, PowerPoint 2010, Office 2008 for Mac. |
| MS11-095 | Vulnerability in Active Directory Could Allow Remote Code Execution (2640045) | Important | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| MS11-096 | Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241) | Important | Remote Code Execution | May require restart | Microsoft Excel and Office 2004 for Mac. |
| MS11-097 | Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712) | Important | Elevation of Privilege | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| MS11-098 | Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171) | Important | Elevation of Privilege | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. |
| MS11-099 | Cumulative Security Update for Internet Explorer (2618444) | Important | Remote Code Execution | Requires restart | Internet Explorer on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |

Note: The list of affected software in the summary table above is an abstract. To see the full list of affected components please visit the bulletin webpage and review the "Affected Software" section.

Summaries for new bulletin(s) may be found at http://technet.microsoft.com/security/bulletin/MS11-dec.

Microsoft Windows Malicious Software Removal Tool

Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU), and the Download Center. Information on the Microsoft Windows Malicious Software Removal Tool is available at http://support.microsoft.com/?kbid=890830.

More Technical Details

Bulletin Identifier

Microsoft Security Bulletin MS11-087

Bulletin Title

Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)

Executive Summary

This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files.

 

The security update addresses the vulnerability by modifying the way that a Windows kernel-mode driver handles TrueType font files.

 

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2639658.

Severity Ratings and Affected Software

This security update is rated Critical for all supported releases of Microsoft Windows.

Attack Vectors

The vulnerability could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files.

 

Mitigating Factors

An attacker would have to convince users to open a specially crafted document or visit a website, typically by getting them to click a link in an email or IM message.

 

Restart Requirement

This update requires a restart.

Bulletins Replaced by This Update

MS11-077 and MS11-084

Full Details

http://technet.microsoft.com/security/bulletin/MS11-087

Bulletin Identifier

Microsoft Security Bulletin MS11-088

Bulletin Title

Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016)

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft Office IME (Chinese). The vulnerability could allow elevation of privilege if a logged-on user performed specific actions on a system where an affected version of the Microsoft Pinyin (MSPY) Input Method Editor (IME) for Simplified Chinese is installed. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

 

The security update addresses the vulnerability by correcting the manner in which the Microsoft Office IME (Chinese) exposes configuration options not designed to run on the secure desktop.

Severity Ratings and Affected Software

This security update is rated Important for all supported editions of Microsoft Office 2010 where Microsoft Pinyin IME 2010 is installed, Microsoft Office Pinyin SimpleFast Style 2010, and Microsoft Office Pinyin New Experience Style 2010.

Attack Vectors

An attacker who exposes configuration options in Microsoft Office IME (Chinese) can exploit this vulnerability, and perform specific actions utilizing the MSPY IME toolbar to launch Internet Explorer with system-level privileges.

Mitigating Factors

· An attacker must have valid logon credentials to log on locally to exploit this vulnerability. The vulnerability cannot be exploited remotely or by anonymous users.

· Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected.

Restart Requirement

This update may require a restart.

Bulletins Replaced by This Update

None

Full Details

http://technet.microsoft.com/security/bulletin/MS11-088

Bulletin Identifier

Microsoft Security Bulletin MS11-089

Bulletin Title

Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Word file.

 

The security update addresses the vulnerability by correcting the way that Microsoft Word parses specially crafted Word files.

Severity Ratings and Affected Software

This security update is rated Important for all supported editions of Microsoft Office 2007, Microsoft Office 2010, and Microsoft Office for Mac 2011.

Attack Vectors

An attacker could exploit this vulnerability if a user opens a specially crafted Word file.

Mitigating Factors

· An attacker could not force a user to visit a specially crafted site.

· An attacker cannot exploit this vulnerability automatically through email; instead, the user would have to click on an attachment in an email message.

· An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Restart Requirement

This update may require a restart.

Bulletins Replaced by This Update

Office for Mac 2011: MS11-072

Full Details

http://technet.microsoft.com/security/bulletin/MS11-089

Bulletin Identifier

Microsoft Security Bulletin MS11-090

Bulletin Title

Cumulative Security Update of ActiveX Kill Bits (2618451)

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft software. The vulnerability could allow remote code execution if a user views a specially crafted webpage that uses a specific binary behaviour in Internet Explorer.

 

The security update addresses the vulnerability by setting kill bits so that the vulnerable control does not run in Internet Explorer. This update also includes kill bits for four third-party ActiveX controls.

Severity Ratings and Affected Software

This security update is rated Critical for all supported editions of Windows XP and Windows Server 2003.

Attack Vectors

An attacker could exploit this vulnerability if a user views a specially crafted webpage that uses a specific binary behaviour in Internet Explorer.

Mitigating Factors

· An attacker would have to convince users to visit a website, typically by getting them to click a link in an email or IM message.

· Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Restart Requirement

This update may require a restart.

Bulletins Replaced by This Update

MS11-027

Full Details

http://technet.microsoft.com/security/bulletin/MS11-090


Bulletin Identifier

Microsoft Security Bulletin MS11-091

Bulletin Title

Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)

Executive Summary

This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens a specially crafted Publisher file.

 

The security update addresses the vulnerabilities by correcting the way that Microsoft Publisher parses specially crafted Publisher files.

Severity Ratings and Affected Software

This security update is rated Important for supported editions of Microsoft Publisher 2003 and Microsoft Publisher 2007.

Attack Vectors

· An attacker can exploit this vulnerability by creating a specially crafted Publisher file that could be included as an email attachment, or hosted on a specially crafted/compromised website, and then convince the user to open the specially crafted Publisher file.

Mitigating Factors

· An attacker has to convince the user to visit a website or open an attachment.

· Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Restart Requirement

This update may require a restart.

Bulletins Replaced by This Update

MS10-103

Full Details

http://technet.microsoft.com/security/bulletin/MS11-091

Bulletin Identifier

Microsoft Security Bulletin MS11-092

Bulletin Title

Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)

Executive Summary

This security update resolves a privately reported vulnerability in Windows Media Player and Windows Media Center. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file.

 

The security update addresses the vulnerability by modifying the way that Windows Media Player and Windows Media Center open specially crafted .dvr-ms files.

Severity Ratings and Affected Software

This security update is rated Critical for all affected editions of Windows XP (including Windows XP Media Center Edition 2005) and all supported editions of Windows Vista and Windows 7.

Attack Vectors

The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file.

Mitigating Factors

In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so.

Restart Requirement

This update may require a restart.

Bulletins Replaced by This Update

None

Full Details

http://technet.microsoft.com/security/bulletin/MS11-092

Bulletin Identifier

Microsoft Security Bulletin MS11-093

Bulletin Title

Vulnerability in OLE Could Allow Remote Code Execution (2624667)

Executive Summary

This security update resolves a privately reported vulnerability in all supported editions of Windows XP and Windows Server 2003. The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object.

 

The security update addresses the vulnerability by modifying the way that OLE objects are handled in memory.

Severity Ratings and Affected Software

This security update is rated Important for all supported editions of Windows XP and Windows Server 2003.

Attack Vectors

The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object.

Mitigating Factors

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Restart Requirement

This update may require a restart.

Bulletins Replaced by This Update

None

Full Details

http://technet.microsoft.com/security/bulletin/MS11-093

Bulletin Identifier

Microsoft Security Bulletin MS11-094

Bulletin Title

Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)

Executive Summary

This security update resolves two privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited either of the vulnerabilities could take complete control of an affected system.

 

The security update addresses the vulnerabilities by correcting the way that PowerPoint loads external libraries and modifying the way that it validates OfficeArt records when opening PowerPoint files.

Severity Ratings and Affected Software

This security update is rated Important for Microsoft PowerPoint 2007 Service Pack 2, Microsoft PowerPoint 2010, and Microsoft Office 2008 for Mac. The security update is also rated Important for Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 and Microsoft PowerPoint Viewer 2007 Service Pack 2.

Attack Vectors

CVE-2011-3396:

· In a network attack scenario, an attacker could place a legitimate file and a specially crafted DLL file in a network share, a UNC, or WebDAV location and then convince the user to open the file.

· In an email attack scenario, an attacker could exploit the vulnerability by sending a legitimate file attachment to a user, and convincing the user to place the attachment into a directory containing a specially crafted DLL file and to open the legitimate file.

CVE-2011-3413:

· In a web-based attack scenario, an attacker would have to convince users to visit the website and open the specially crafted PowerPoint file.

· In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted PowerPoint file to the user and convincing the user to open the file.

Mitigating Factors

· An attacker cannot force a user to open a malicious file or to place files in a specific directory.

· Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Restart Requirement

This update may require a restart.

Bulletins Replaced by This Update

MS11-022, MS11-036, and MS11-072.

Full Details

http://technet.microsoft.com/security/bulletin/MS11-094

Bulletin Identifier

Microsoft Security Bulletin MS11-095

Bulletin Title

Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)

Executive Summary

This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow remote code execution if an attacker logs on to an Active Directory domain and runs a specially crafted application.

 

The security update addresses the vulnerability by changing the way that Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS) handle objects in memory.

Severity Ratings and Affected Software

This security update is rated Important for Active Directory, ADAM, and AD LDS when installed on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 (except Itanium), Windows 7, and Windows Server 2008 R2 (except Itanium).

Attack Vectors

The vulnerability could allow remote code execution if an attacker logs on to an Active Directory domain and runs a specially crafted application.

Mitigating Factors

To exploit this vulnerability, an attacker would first need to acquire credentials to log on to an Active Directory domain.

Restart Requirement

This update may require a restart.

Bulletins Replaced by This Update

MS11-086

Full Details

http://technet.microsoft.com/security/bulletin/MS11-095

Bulletin Identifier

Microsoft Security Bulletin MS11-096

Bulletin Title

Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. The security update addresses the vulnerability by correcting the way that Microsoft Excel manages objects in memory.

Severity Ratings and Affected Software

This security update is rated Important for all supported editions of Microsoft Excel 2003 and Microsoft Office 2004 for Mac.

Attack Vectors

· In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Excel file to the user and by convincing the user to open the file.

· In a web-based attack scenario, an attacker would have to host a website that contains an Excel file that is used to attempt to exploit this vulnerability.

Mitigating Factors

· An attacker would have no way to force users to visit these websites or to open malicious files.

· An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

· Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-3403.

Restart Requirement

This update may require a restart.

Bulletins Replaced by This Update

MS11-072

Full Details

http://technet.microsoft.com/security/bulletin/MS11-096

Bulletin Identifier

Microsoft Security Bulletin MS11-097

Bulletin Title

Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process.

 

The security update addresses the vulnerability by modifying the way that the Client/Server Run-time Subsystem (CSRSS) evaluates inter-process device event message permissions.

Severity Ratings and Affected Software

This security update is rated Important for all supported releases of Microsoft Windows.

Attack Vectors

The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process.

Mitigating Factors

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Restart Requirement

This update requires a restart.

Bulletins Replaced by This Update

MS11-010

Full Details

http://technet.microsoft.com/security/bulletin/MS11-097

Bulletin Identifier

Microsoft Security Bulletin MS11-098

Bulletin Title

Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability.

 

The security update addresses the vulnerability by helping to ensure that the Windows kernel initializes objects in memory.

Severity Ratings and Affected Software

This security update is rated Important for all supported 32-bit editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Attack Vectors

The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability.

Mitigating Factors

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Restart Requirement

This update requires a restart.

Bulletins Replaced by This Update

MS10-047, MS10-021, and MS11-068.

Full Details

http://technet.microsoft.com/security/bulletin/MS11-098

Bulletin Identifier

Microsoft Security Bulletin MS11-099

Bulletin Title

Cumulative Security Update for Internet Explorer (2618444)

Executive Summary

This security update resolves three privately reported vulnerabilities in Internet Explorer. The most severe vulnerability could allow remote code execution if a user opens a legitimate HyperText Markup Language (HTML) file that is located in the same directory as a specially crafted Dynamic-Link Library (DLL) file.

 

The update addresses the vulnerabilities by modifying the behavior of Internet Explorer XSS Filter, correcting the manner in which Internet Explorer loads external libraries, and correcting the way that Internet Explorer enforces the content settings supplied by the web server.

Severity Ratings and Affected Software

This security update is rated Important for Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows clients and for Internet Explorer 9 for Windows Server 2008 R2. This security update is also rated Moderate for Internet Explorer 6 on all supported editions of Windows XP. This security update is also rated Low for Internet Explorer on Windows servers (except Windows Server 2008 R2).

Attack Vectors

CVE-2011-1992 & CVE-2011-3404:

· Browse and Own: An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Mitigating Factors

· The Server Message Block (SMB) is often disabled on the perimeter firewall. This limits the potential attack vectors for this vulnerability.

· An attacker could not force a user to visit a specially crafted site.

Restart Requirement

This update requires a restart.

Bulletins Replaced by This Update

MS11-081

Full Details

http://technet.microsoft.com/security/bulletin/MS11-099

Jeffa
