BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Microsoft Patch Tuesday – December 2011

Posted December 13, 2011    Chris Silva

To wish IT administrators everywhere a happy holiday, Microsoft today released 13 security bulletins. Microsoft had initially planned to release 14 bulletins, but a bulletin related to the BEAST vulnerability was held back for not behaving well with other other software. Assuming it can be whipped into shape, it will most likely make an appearance as MS12-001 in January. On the other hand, Microsoft did end up releasing a patch for the 2639658 Duqu TrueType vulnerability.

So with all that, Microsoft kept us busy this year with a grand total of 99 bulletins (assuming no emergency out of band patches show up in the next few weeks). That is just seven shy of the record set just last year.

Tune in tomorrow for another exciting edition of the Vulnerability Expert Forum (VEF). eEye Research Team will break down today’s bulletins and recap the month in security. They will also be giving away a Kindle Fire or two.

Customers can refer to the list of Retina Network Security Scanner audits associated with these bulletins.

Here are this month’s recommendations from the eEye Research Team:

Deploy Immediately

MS11-087 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
Recommendation: Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, restrict access to the affected binary, t2embed.dll. Note: Restricting access to t2embed.dll will break embedded font functionality within certain applications.

MS11-090 – Cumulative Security Update of ActiveX Kill Bits (2618451)
Recommendation: Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, prevent time behaviors from being used in Windows XP or Server 2003. Additionally, binary behaviors should be blocked from being used in Internet Explorer.

MS11-092 – Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)
Recommendation: Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, restrict access to the affected binary, encdec.dll.

Deploy As Soon As Possible

MS11-088 – Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016)
Recommendation: Deploy patches as soon as possible, since no mitigation is available.

MS11-089 – Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)
Recommendation: Deploy patches as soon as possible, since no reasonable mitigation is available.

MS11-091 – Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)
Recommendation: Deploy patches as soon as possible, since no reasonable mitigation is available.

MS11-093 – Vulnerability in OLE Could Allow Remote Code Execution (2624667)
Recommendation: Deploy patches as soon as possible, since no reasonable mitigation is available.

MS11-094 – Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)
Recommendation: Deploy patches as soon as possible. Until the patch can be applied, block Office 2003 (and prior) binary files that fail validation and/or are from untrusted sources. Use MOICE when opening files that are not from trusted sources. Additionally, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

MS11-095 – Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, likely exploitation vectors can be deterred by blocking TCP port 389 using a perimeter firewall.

MS11-096 – Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)
Recommendation: Deploy patches as soon as possible. Until the patch can be applied, prevent files that fail validation from being opened in Microsoft Office Excel 2003. Also, block Microsoft Excel 2003 files from untrusted sources and use MOICE when opening files that are not from trusted sources.

MS11-097 – Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)
Recommendation: Deploy patches as soon as possible, since no mitigation is available.

MS11-098 – Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)
Recommendation: This bulletin addresses a privately reported local elevation of privilege vulnerability in the Windows Kernel Exception Handler. The patch fixes a memory corruption vulnerability that occurs when accessing improperly initialized objects. An attacker that successfully exploited this vulnerability would gain kernel level access to the target machine.

MS11-099 – Cumulative Security Update for Internet Explorer (2618444)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares. To protect against the information disclosure vulnerabilities, read emails in plain text, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones. While there is an information disclosure vulnerability in the XSS filter in Internet Explorer, it is still recommended that administrators keep it enabled, since exploitation unlikely, due to the difficulty involved in successfully executing an attack.

Leave a Reply

Additional articles

PBPS-screenshot-blog aug2014

Failing the Security Basics: Backoff Point-of-Sale Malware

Posted August 22, 2014    Marc Maiffret

At the beginning of this month, US-CERT issued a security alert relating to a string of breaches that had been targeting Point of Sale (POS) systems. The alert details that attackers were leveraging brute forcing tools to target common remote desktop applications such as Microsoft’s Remote Desktop, Apple Remote Desktop, Splashtop and LogMeIn among others….

Tags:
, , , , , ,

Troubleshooting Windows Privilege Management Rules with Policy Monitor

Posted August 21, 2014    Jason Silva

When defining and testing PowerBroker for Windows rules for production or pilots, customers sometimes tell us, “I don’t think this policy / program is working.” This is usually a case of the policy not properly triggering because of the way the rule was created. A unique feature of PowerBroker for Windows compared to other solutions is a client-side…

Tags:
, , ,
darren-mar-elia

BeyondTrust Webcast: Darren Mar-Elia’s 4 Active Directory Change Scenarios to Track

Posted August 20, 2014    Chris Burd

In our latest webcast, we joined Darren Mar-Elia, CTO at SDM Software, to discuss best practices for Active Directory (AD) change management. Here are some key takeaways from the presentation, followed by a link to a full-length video of the presentation. Mar-Elia kicks things off with a critical insight: that the best AD change management…

Tags:
, , , , , , ,