Security in Context: The BeyondTrust Blog

Microsoft Patch Tuesday – April 2011

Posted April 13, 2011    Chris Silva

Well, Microsoft is nothing if not predictable these days. After a nice, light March, they dropped a ton of security bulletins this month – 17 to be exact. That ties their record set just a few months ago (back in December 2010), and gives them a total of 34 so far this year.

Today’s release addressed a lot of zero day vulnerabilities. MS11-018, MS11-019, MS11-022, MS11-023, MS11-024, MS11-025, MS11-026, and MS11-028 all contained publicly disclosed vulnerabilities. Not surprisingly, the recently announced zero day in Internet Explorer 9 did not get patched. Coincidentally, Microsoft also made the Platform Preview of IE10 available for download today.

Just as last month, tomorrow’s Vulnerability Expert Forum (VEF) will be at its new time – 1PM PDT. Sign up to hear what Marc Maiffret and the eEye Research team have to say about today’s security bulletins and other security-related topics. With lots of topics to choose from, it should be an information-packed VEF.

Here are our recommendations for the seventeen security updates. Retina Network Security Scanner customers can view the list of audits associated with these bulletins.

Deploy Immediately

MS11-018 – Cumulative Security Update for Internet Explorer (2497640)

Recommendation: Install the patch immediately, as this patches the Pwn2Own vulnerability that was disclosed. Until this is possible, read emails in plain text, block ActiveX controls and block/disable Active Scripting in both the Internet and Local Intranet zones.

MS11-019 – Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)

Recommendation: Install the patch immediately, as attackers will be seeking to combine the vulnerabilities in this patch with those in MS11-020, which can make for a very malicious worm. Until this is possible, block TCP ports 138, 139, and 445 with a firewall.

MS11-020 – Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)

Recommendation: Install the patch immediately, as attackers will be seeking to combine the vulnerabilities in this patch with those in MS11-019, which can make for a very malicious worm. Until this is possible, block TCP ports 139 and 445 with a firewall.

MS11-028 – Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)

Recommendation: Install the patch immediately since this vulnerability has been publicly disclosed. Until this is possible, prevent use of Microsoft .NET partially trusted applications and prevent the use of XAML applications in Internet Explorer.

Deploy As Soon As Possible

MS11-021 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)

Recommendation: Install the patch as soon as possible since consistent code execution is likely. Until this is possible, block Office Excel 2003 files from untrusted sources and use MOICE when opening files that are not from trusted sources. It should be noted that no realistic mitigation exists for CVE-2011-0105 or CVE-2011-0101, so patching is the only way to protect against these vulnerabilities.

MS11-022 – Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)

Recommendation: Install the patch as soon as possible since consistent code execution is likely. Until this is possible, for PowerPoint 2010 use Office File Validation to prevent editing of documents opened in protected mode. Additionally, block Office PowerPoint 2003 files from untrusted sources and use MOICE when opening files that are not from trusted sources.

MS11-024 – Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)

Recommendation: Install the patch as soon as possible, as the vulnerability has been publicly disclosed and consistent code execution is likely. Until this is possible, disassociate the .cov file extension from the Windows Fax Cover Page Editor on Windows XP and Server 2003. No mitigations are provided for the other operating systems, so patching is the only way to protect those systems against this vulnerability.

MS11-027 – Cumulative Security Update of ActiveX Kill Bits (2508272)

Recommendation: Install the patch as soon as possible since consistent code execution is likely. Until this is possible, disable COM objects in Internet Explorer, and block/disable ActiveX Controls and Active Scripting in both the Internet and Local Intranet zones.

MS11-029 – Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)

Recommendation: Install the patch as soon as possible since consistent code execution is likely. Until this is possible, prevent metafiles from being processed, and prevent gdiplus.dll from being accessed.

MS11-030 – Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)

Recommendation: Install the patch as soon as possible since consistent code execution is likely. Until this is possible, block TCP/UDP port 5355, use group policy to disable the Link-Local Multicast Name Resolution, and disable Network Discovery.
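The network-side workarounds recommended for MS11-019, MS11-020 and MS11-030 (block TCP 139 and 445, block TCP/UDP 5355, turn off LLMNR by policy, disable Network Discovery) can be applied and audited from one script. The following is an added example, not code from the original post or from BeyondTrust/eEye; it assumes Windows Vista/7/2008 with Windows Firewall (the `netsh advfirewall` syntax; XP and 2003 use the older `netsh firewall` commands, which it does not cover), an elevated prompt, and the documented "Turn off multicast name resolution" policy value `EnableMulticast` under the DNSClient policy key. The rule names are our own labels.

```powershell
# Added example (not from the original post): apply or audit the interim network workarounds
# for MS11-019/MS11-020 (block TCP 139 and 445) and MS11-030 (block TCP/UDP 5355, disable
# LLMNR by policy, disable Network Discovery). Assumes Vista/7/2008 and an elevated prompt.
# Run with -Audit to report current state without changing anything.

param([switch]$Audit)

# Inbound block rules; names are our own labels so the rules can be found and removed after patching
$rules = @(
    @{ Name = 'Workaround-MS11-019-020-TCP139'; Protocol = 'TCP'; Port = 139;  Ref = 'MS11-019/020' },
    @{ Name = 'Workaround-MS11-019-020-TCP445'; Protocol = 'TCP'; Port = 445;  Ref = 'MS11-019/020' },
    @{ Name = 'Workaround-MS11-030-TCP5355';    Protocol = 'TCP'; Port = 5355; Ref = 'MS11-030' },
    @{ Name = 'Workaround-MS11-030-UDP5355';    Protocol = 'UDP'; Port = 5355; Ref = 'MS11-030' }
)

foreach ($r in $rules) {
    # netsh prints "No rules match the specified criteria." when the named rule is absent
    $output  = (netsh advfirewall firewall show rule name="$($r.Name)") -join "`n"
    $present = $output -notmatch 'No rules match'
    if ($Audit) {
        "{0,-36} inbound block {1}/{2,-5} {3}" -f $r.Name, $r.Protocol, $r.Port, $(if ($present) { 'present' } else { 'MISSING' })
    } elseif (-not $present) {
        netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=block protocol=$($r.Protocol) localport=$($r.Port) | Out-Null
        "Added $($r.Name) for $($r.Ref)"
    }
}

# MS11-030: the "Turn off multicast name resolution" group policy writes EnableMulticast = 0 here
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$cur = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($Audit) {
    'LLMNR (EnableMulticast policy): ' + $(if ($cur -eq 0) { 'disabled' } else { 'NOT disabled' })
} elseif ($cur -ne 0) {
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    New-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -PropertyType DWord -Force | Out-Null
    'LLMNR disabled by policy for MS11-030'
}

# MS11-030: disable the Network Discovery firewall rule group (cmd /c keeps netsh's own quoting intact)
if ($Audit) {
    'Network Discovery rule group: check with  netsh advfirewall firewall show rule group="Network Discovery"'
} else {
    cmd /c 'netsh advfirewall firewall set rule group="Network Discovery" new enable=No' | Out-Null
    'Network Discovery rule group disabled for MS11-030'
}
```

Run it once with `-Audit` to see which workarounds are already in place, then without the switch to apply the missing ones; after the patches are deployed, the block rules can be removed by name with `netsh advfirewall firewall delete rule name=...`. Blocking 139 and 445 at the host firewall also cuts file and print sharing, so scope the rules to the profiles where that is acceptable.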

Deploy At Earliest Convenience

MS11-023 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)

Recommendation: Administrators should install the patch at their earliest convenience. Until this is possible, DLLs should be blocked from being loaded from WebDAV shares, the WebClient service should be disabled, and TCP ports 139 and 445 should be blocked with a firewall.

MS11-025 – Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)

Recommendation: Administrators should install the patch at their earliest convenience. Until this is possible, DLLs should be blocked from being loaded from WebDAV shares, the WebClient service should be disabled, and TCP ports 139 and 445 should be blocked with a firewall.

MS11-026 – Vulnerability in MHTML Could Allow Information Disclosure (2503658)

Recommendation: Administrators should install the patch at their earliest convenience. Until this is possible, either disable or lock down the MHTML protocol. Additionally, block/disable ActiveX controls and Active Scripting in both the Internet and Local Intranet zones.

MS11-031 – Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)

Recommendation: Administrators should install the patch at their earliest convenience. Until this is possible, ActiveX Controls and Active Scripting within the Internet and Local Intranet security zone settings should be set to disabled.
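The Internet Explorer zone workaround that MS11-018, MS11-026, MS11-027 and MS11-031 share (disable ActiveX controls and Active Scripting in the Internet and Local Intranet zones) maps to two well-known per-zone registry values. The script below is an added example, not code from the original post or from BeyondTrust/eEye; it assumes the documented zone layout under the current user's `Internet Settings\Zones` key (`1` = Local intranet, `3` = Internet; value `1200` = "Run ActiveX controls and plug-ins", `1400` = "Active scripting"; data `3` = Disable, `1` = Prompt, `0` = Enable). It only affects the user it runs as; for a machine-wide setting, deliver the same values through Group Policy instead.

```powershell
# Added example (not from the original post): audit or enforce "Disable" for ActiveX controls
# and Active scripting in the Internet (3) and Local intranet (1) zones of the current user.
# Run with -Audit to report only.

param([switch]$Audit)

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$settings  = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$needsChange = 0
foreach ($z in $zones.Keys) {
    $key = Join-Path $zonesRoot $z
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($s in $settings.Keys) {
        $cur = (Get-ItemProperty -Path $key -Name $s -ErrorAction SilentlyContinue).$s
        # Translate the numeric data into the label IE shows in its Security settings dialog
        $state = if ($null -eq $cur) { 'unset' }
                 elseif ($labels.ContainsKey([int]$cur)) { $labels[[int]$cur] }
                 else { "custom ($cur)" }
        if ($cur -eq 3) {
            "{0,-15} {1,-35} {2}" -f $zones[$z], $settings[$s], $state
            continue
        }
        $needsChange++
        if ($Audit) {
            "{0,-15} {1,-35} {2}  <-- should be Disable" -f $zones[$z], $settings[$s], $state
        } else {
            New-ItemProperty -Path $key -Name $s -Value 3 -PropertyType DWord -Force | Out-Null
            "{0,-15} {1,-35} {2} -> Disable" -f $zones[$z], $settings[$s], $state
        }
    }
}
"$needsChange setting(s) " + $(if ($Audit) { 'need attention' } else { 'changed' })
```

Disabling Active Scripting in the Local Intranet zone breaks many internal web applications, which is why the post frames these settings as a stopgap until the patch is installed; the audit mode lets you confirm the settings reverted once patching is complete.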

MS11-032 – Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)

Recommendation: Administrators should install the patch at their earliest convenience. Until this is possible, disable the preview and details pane in Windows Explorer. Additionally, disable the WebClient service.

MS11-033 – Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)

Recommendation: Administrators should install the patch at their earliest convenience. Until this is possible, use CACLS to prevent access to mswrd8.wpc (and mswrd864.wpc on x64 systems).
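The file- and service-level workarounds above (CACLS on the WordPad converters for MS11-033, removing the .cov association on XP/2003 for MS11-024, and disabling the WebClient service for MS11-023, MS11-025 and MS11-032) are the kind that get forgotten once the patch lands, so it helps to apply them from one script that logs every change together with its rollback command. The following is an added example, not code from the original post or from BeyondTrust/eEye; it assumes an elevated prompt and that the converters live in the usual `Common Files\Microsoft Shared\TextConv` folder under Program Files (and Program Files (x86) on x64), which you should verify on your own build.

```powershell
# Added example (not from the original post): apply the host-level workarounds for MS11-033,
# MS11-024 and the WebClient service (MS11-023/025/032), logging each change with its rollback.
# Assumes an elevated prompt; converter paths are an assumption to verify on your build.

$log = Join-Path $env:TEMP 'ms11-april-workarounds.log'
function Note([string]$msg) { "$(Get-Date -Format s) $msg" | Tee-Object -FilePath $log -Append }

# --- MS11-033: deny Everyone access to the WordPad text converters with CACLS ---
# x64 builds can carry both the 32-bit and 64-bit converter, so check both Program Files roots
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    foreach ($name in 'mswrd8.wpc', 'mswrd864.wpc') {
        $path = Join-Path $root "Common Files\Microsoft Shared\TextConv\$name"
        if (-not (Test-Path $path)) { continue }
        # /E edits the existing ACL in place; /P everyone:N sets Everyone to "no access";
        # "echo y|" answers the CACLS confirmation prompt
        cmd /c "echo y| cacls `"$path`" /E /P everyone:N" | Out-Null
        Note "MS11-033: denied Everyone on $path (rollback: cacls `"$path`" /E /R everyone)"
    }
}

# --- MS11-024: disassociate .cov from the Fax Cover Page Editor (Windows XP / Server 2003 only) ---
$osVersion = (Get-WmiObject Win32_OperatingSystem).Version   # 5.1.x = XP, 5.2.x = Server 2003
if ($osVersion -match '^5\.[12]\.') {
    $covKey = 'Registry::HKEY_CLASSES_ROOT\.cov'
    if (Test-Path $covKey) {
        $backup = Join-Path $env:TEMP 'HKCR-dot-cov.reg'
        reg export 'HKCR\.cov' $backup /y | Out-Null          # keep a copy for rollback
        Remove-Item -Path $covKey -Recurse
        Note "MS11-024: removed HKCR\.cov (rollback: reg import $backup)"
    }
} else {
    Note "MS11-024: skipped .cov workaround on OS $osVersion; no mitigation is provided there, patch instead"
}

# --- MS11-023 / MS11-025 / MS11-032: stop and disable the WebClient (WebDAV redirector) service ---
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    Note "WebClient stopped and disabled (rollback: Set-Service WebClient -StartupType Manual)"
}

"Done. Log written to $log"
```

The log doubles as the checklist for undoing the workarounds after the bulletins are deployed: denying Everyone on the converters breaks opening .doc files in WordPad, and stopping WebClient breaks WebDAV mappings, so neither should outlive the patch window.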

MS11-034 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)

Recommendation: Administrators should install the patch at their earliest convenience. There are no mitigations to these vulnerabilities provided by Microsoft.
