BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Microsoft Patch Tuesday – October 2011

Posted October 11, 2011    Chris Silva

Welcome to another exciting episode of Patch Tuesday, where Microsoft has released a total of 8 bulletins concerning 23 CVEs. 2 bulletins are rated as critical, mostly covering issues within Internet Explorer, while the rest are not as riveting.

The bulletins this month cover a few memory issues within IE that could possibly allow an attacker to execute arbitrary code from a remote location (MS11-081), as well as a fairly serious remote code execution vulnerability found within .NET (MS11-078), which according to some could possibly affect other platforms not specified by Microsoft.

Interestingly enough, MS11-077 deals with a Kernel-mode driver issue when parsing font files (CVE 2011-2003). This issue could potentially allow for remote code execution within the context of SYSTEM, yet was only rated as Important, likely due to the difficulty of exploitation. The remainder of the patches deal with various DLL preloading issues which is nothing new and will most likely remain an issue for some time.

Join us tomorrow for another edition of the Vulnerability Expert Forum (VEF). The eEye Research Team (with a special guest appearance by Marc Maiffret) will cover today’s security bulletins and touch on other security trends and topics. Want a sneak preview? Listen now.

Retina Network Security Scanner customers can view the list of audits associated with these bulletins.

Here are this month’s recommendations from the eEye Research Team:

Deploy Immediately

MS11-078 – Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)
Recommendation: Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block XAML browser applications from running in Internet Explorer. Additionally, prevent the Silverlight ActiveX from running in Internet Explorer, and prevent Silverlight from executing within Firefox and/or Chrome.

MS11-081 – Cumulative Security Update for Internet Explorer (2586448)
Recommendation: Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, read emails in plain text, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.

Deploy As Soon As Possible

MS11-075 – Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

MS11-076 – Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, block ports 139 and 445 using a firewall, prevent the WebClient service from running, and prevent DLLs from being loaded from WebDAV and remote shares.

MS11-077 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)
Recommendation: Deploy patches as soon as possible, since no mitigation is available for two of the four CVEs. Until the patch can be installed, mitigate CVE-2011-2002 and CVE-2011-2003 by stopping the WebClient service from running.

MS11-079 – Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution (2544641)
Recommendation: Deploy patches as soon as possible, since no mitigation is available for four of the five CVEs. Until the patches can be installed, the remote code execution vulnerability (CVE-2011-1969) can be mitigated by blacklisting the MicrosoftClient.Jar file in the Java\jre6\lib\security\blacklist file.

MS11-080 – Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)
Recommendation: Since no mitigation is available, deploy patches as soon as possible.

MS11-082 – Vulnerabilities in Host Integration Server Could Allow Denial of Service (2607670)
Recommendation: Deploy patches as soon as possible. Until the patch can be installed, block TCP ports 1477 and 1478 and UDP port 1478 using a firewall.

Leave a Reply

Additional articles

{c4eae211-3ca2-4f8e-b2b9-6df0e970aab1}_g.markhardy

The “insider” threat. Is it real, or is it being blown out of proportion?

Posted March 4, 2015    G. Mark Hardy

A lot depends on whether or not you’ve been compromised. And therein lies the problem. Cyber threats are often ignored until they cause some damage, at which point management looks for people to blame and gives all kinds of attention to fixing the problem – until the next crisis in accounting or warehousing or staffing comes along.

Tags:
, , ,
webinar_chalk

Webinar March 4th: Recreating the Carbanak Breach & Techniques for Mitigating Similar Attacks

Posted March 3, 2015    Lindsay Marsh

Join BeyondTrust Research and Development team for an in-depth live webinar that will explore the attack vectors used in the Carbanak Bank Breach and share successful mitigation techniques needed to prevent this type of attack.

Tags:
, ,
VMware Hardening Guidelines-img3

How to Audit VMware ESX and ESXi Servers Against the VMware Hardening Guidelines with Retina CS

Posted February 27, 2015    BeyondTrust Research Team

Retina CS Enterprise Vulnerability Management has included advanced VMware auditing capabilities for some time, including virtual machine discovery and scanning through a cloud connection, plus the ability to scan ESX and ESXi hosts using SSH. However, in response to recent security concerns associated with SSH, VMware has disabled SSH by default in its more recent…

Tags:
, , , ,