This month we are releasing 13 security bulletins for new vulnerabilities. Please see the details below and make sure you apply these in your environments where applicable. I’ve provided more technical details below as well.
What is the purpose of this alert?
This alert is to provide you with an overview of the new security bulletin(s) being released on December 13, 2011. Security bulletins are released monthly to resolve critical problem vulnerabilities.
New Security Bulletins
Microsoft is releasing the following thirteen new security bulletins for newly discovered vulnerabilities:
MS11-087: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
· Max Severity Rating: Critical
· Vulnerability Impact: Remote Code Execution
· Restart Requirement: Requires restart
· Affected Software: Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
MS11-088: Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016)
· Max Severity Rating: Important
· Vulnerability Impact: Elevation of Privilege
· Restart Requirement: May require restart
· Affected Software: Microsoft Office 2010 where Microsoft Pinyin IME 2010 is installed, Office Pinyin SimpleFast Style 2010, and Microsoft Office Pinyin New Experience Style 2010.
MS11-089: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)
· Affected Software: Microsoft Office 2007, Office 2010, and Office for Mac 2011.
MS11-090: Cumulative Security Update of ActiveX Kill Bits (2618451)
MS11-091: Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)
· Affected Software: Microsoft Publisher 2003 and Publisher 2007.
MS11-092: Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)
· Affected Software: Microsoft Windows XP, Windows Vista, and Windows 7.
MS11-093: Vulnerability in OLE Could Allow Remote Code Execution (2624667)
· Affected Software: Microsoft Windows XP and Windows Server 2003.
MS11-094: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)
· Affected Software: Microsoft PowerPoint 2007, PowerPoint 2010, Office 2008 for Mac.
MS11-095: Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)
MS11-096: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)
· Affected Software: Microsoft Excel and Office 2004 for Mac.
MS11-097: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)
MS11-098: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)
· Affected Software: Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
MS11-099: Cumulative Security Update for Internet Explorer (2618444)
· Affected Software: Internet Explorer on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Note: The list of affected software in the summary table above is an abstract. To see the full list of affected components please visit the bulletin webpage and review the "Affected Software" section.
Summaries for new bulletin(s) may be found at http://technet.microsoft.com/security/bulletin/MS11-dec.
Microsoft Windows Malicious Software Removal Tool
Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU), and the Download Center. Information on the Microsoft Windows Malicious Software Removal Tool is available at http://support.microsoft.com/?kbid=890830.
More Technical Details
Bulletin Identifier
Microsoft Security Bulletin MS11-087
Executive Summary
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files.
The security update addresses the vulnerability by modifying the way that a Windows kernel-mode driver handles TrueType font files.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 2639658.
Severity Ratings and Affected Software
This security update is rated Critical for all supported releases of Microsoft Windows.
Attack Vectors
The vulnerability could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files.
Mitigating Factors
An attacker would have to convince users to open a specially crafted document or visit a website, typically by getting them to click a link in an email or IM message.
Restart Requirement
This update requires a restart.
Bulletins Replaced by This Update
MS11-077 and MS11-084
Full Details
http://technet.microsoft.com/security/bulletin/MS11-087
Bulletin Identifier
Microsoft Security Bulletin MS11-088
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Office IME (Chinese). The vulnerability could allow elevation of privilege if a logged-on user performed specific actions on a system where an affected version of the Microsoft Pinyin (MSPY) Input Method Editor (IME) for Simplified Chinese is installed. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
The security update addresses the vulnerability by correcting the manner in which the Microsoft Office IME (Chinese) exposes configuration options not designed to run on the secure desktop.
Severity Ratings and Affected Software
This security update is rated Important for all supported editions of Microsoft Office 2010 where Microsoft Pinyin IME 2010 is installed, Microsoft Office Pinyin SimpleFast Style 2010, and Microsoft Office Pinyin New Experience Style 2010.
Attack Vectors
An attacker who exposes configuration options in Microsoft Office IME (Chinese) can exploit this vulnerability, and perform specific actions utilizing the MSPY IME toolbar to launch Internet Explorer with system-level privileges.
Mitigating Factors
· An attacker must have valid logon credentials to log on locally to exploit this vulnerability. The vulnerability cannot be exploited remotely or by anonymous users.
· Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected.
Restart Requirement
This update may require a restart.
Bulletins Replaced by This Update
None
Full Details
http://technet.microsoft.com/security/bulletin/MS11-088
Bulletin Identifier
Microsoft Security Bulletin MS11-089
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Word file.
The security update addresses the vulnerability by correcting the way that Microsoft Word parses specially crafted Word files.
Severity Ratings and Affected Software
This security update is rated Important for all supported editions of Microsoft Office 2007, Microsoft Office 2010, and Microsoft Office for Mac 2011.
Attack Vectors
An attacker could exploit this vulnerability if a user opens a specially crafted Word file.
Mitigating Factors
· An attacker could not force a user to visit a specially crafted site.
· An attacker cannot exploit this vulnerability automatically through email; instead, the user would have to click on an attachment in an email message.
· An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Bulletins Replaced by This Update
Office for Mac 2011: MS11-072
Full Details
http://technet.microsoft.com/security/bulletin/MS11-089
Bulletin Identifier
Microsoft Security Bulletin MS11-090
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft software. The vulnerability could allow remote code execution if a user views a specially crafted webpage that uses a specific binary behaviour in Internet Explorer.
The security update addresses the vulnerability by setting kill bits so that the vulnerable control does not run in Internet Explorer. This update also includes kill bits for four third-party ActiveX controls.
Severity Ratings and Affected Software
This security update is rated Critical for all supported editions of Windows XP and Windows Server 2003.
Attack Vectors
An attacker could exploit this vulnerability if a user views a specially crafted webpage that uses a specific binary behaviour in Internet Explorer.
Mitigating Factors
· An attacker would have to convince users to visit a website, typically by getting them to click a link in an email or IM message.
· Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Bulletins Replaced by This Update
MS11-027
Full Details
http://technet.microsoft.com/security/bulletin/MS11-090
Bulletin Identifier
Microsoft Security Bulletin MS11-091
Executive Summary
This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens a specially crafted Publisher file.
The security update addresses the vulnerabilities by correcting the way that Microsoft Publisher parses specially crafted Publisher files.
Severity Ratings and Affected Software
This security update is rated Important for supported editions of Microsoft Publisher 2003 and Microsoft Publisher 2007.
Attack Vectors
· An attacker can exploit this vulnerability by creating a specially crafted Publisher file that could be included as an email attachment, or hosted on a specially crafted/compromised website, and then convince the user to open the specially crafted Publisher file.
Mitigating Factors
· An attacker has to convince the user to visit a website or open an attachment.
Bulletins Replaced by This Update
MS10-103
Full Details
http://technet.microsoft.com/security/bulletin/MS11-091
Bulletin Identifier
Microsoft Security Bulletin MS11-092
Executive Summary
This security update resolves a privately reported vulnerability in Windows Media Player and Windows Media Center. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file.
The security update addresses the vulnerability by modifying the way that Windows Media Player and Windows Media Center open specially crafted .dvr-ms files.
Severity Ratings and Affected Software
This security update is rated Critical for all affected editions of Windows XP (including Windows XP Media Center Edition 2005) and all supported editions of Windows Vista and Windows 7.
Attack Vectors
The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file.
Mitigating Factors
In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so.
Full Details
http://technet.microsoft.com/security/bulletin/MS11-092
Bulletin Identifier
Microsoft Security Bulletin MS11-093
Executive Summary
This security update resolves a privately reported vulnerability in all supported editions of Windows XP and Windows Server 2003. The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object.
The security update addresses the vulnerability by modifying the way that OLE objects are handled in memory.
Severity Ratings and Affected Software
This security update is rated Important for all supported editions of Windows XP and Windows Server 2003.
Attack Vectors
The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object.
Mitigating Factors
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Full Details
http://technet.microsoft.com/security/bulletin/MS11-093
Bulletin Identifier
Microsoft Security Bulletin MS11-094
Executive Summary
This security update resolves two privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited either of the vulnerabilities could take complete control of an affected system.
The security update addresses the vulnerabilities by correcting the way that PowerPoint loads external libraries and modifying the way that it validates OfficeArt records when opening PowerPoint files.
Severity Ratings and Affected Software
This security update is rated Important for Microsoft PowerPoint 2007 Service Pack 2, Microsoft PowerPoint 2010, and Microsoft Office 2008 for Mac. The security update is also rated Important for Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 and Microsoft PowerPoint Viewer 2007 Service Pack 2.
Attack Vectors
CVE-2011-3396:
· In a network attack scenario, an attacker could place a legitimate file and a specially crafted DLL file in a network share, a UNC, or WebDAV location and then convince the user to open the file.
· In an email attack scenario, an attacker could exploit the vulnerability by sending a legitimate file attachment to a user, and convincing the user to place the attachment into a directory containing a specially crafted DLL file and to open the legitimate file.
CVE-2011-3413:
· In a web-based attack scenario, an attacker would have to convince users to visit the website and open the specially crafted PowerPoint file.
· In an email attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted PowerPoint file to the user and convincing the user to open the file.
Mitigating Factors
· An attacker cannot force a user to open a malicious file or to place files in a specific directory.
Bulletins Replaced by This Update
MS11-022, MS11-036, and MS11-072.
Full Details
http://technet.microsoft.com/security/bulletin/MS11-094
Bulletin Identifier
Microsoft Security Bulletin MS11-095
Executive Summary
This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow remote code execution if an attacker logs on to an Active Directory domain and runs a specially crafted application.
The security update addresses the vulnerability by changing the way that Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS) handle objects in memory.
Severity Ratings and Affected Software
This security update is rated Important for Active Directory, ADAM, and AD LDS when installed on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 (except Itanium), Windows 7, and Windows Server 2008 R2 (except Itanium).
Attack Vectors
The vulnerability could allow remote code execution if an attacker logs on to an Active Directory domain and runs a specially crafted application.
Mitigating Factors
To exploit this vulnerability, an attacker would first need to acquire credentials to log on to an Active Directory domain.
Bulletins Replaced by This Update
MS11-086
Full Details
http://technet.microsoft.com/security/bulletin/MS11-095
Bulletin Identifier
Microsoft Security Bulletin MS11-096
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. The security update addresses the vulnerability by correcting the way that Microsoft Excel manages objects in memory.
Severity Ratings and Affected Software
This security update is rated Important for all supported editions of Microsoft Excel 2003 and Microsoft Office 2004 for Mac.
Attack Vectors
· In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Excel file to the user and by convincing the user to open the file.
· In a web-based attack scenario, an attacker would have to host a website that contains an Excel file that is used to attempt to exploit this vulnerability.
Mitigating Factors
· An attacker would have no way to force users to visit these websites or to open malicious files.
· Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-3403.
Bulletins Replaced by This Update
MS11-072
Full Details
http://technet.microsoft.com/security/bulletin/MS11-096
Bulletin Identifier
Microsoft Security Bulletin MS11-097
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process.
The security update addresses the vulnerability by modifying the way that the Client/Server Run-time Subsystem (CSRSS) evaluates inter-process device event message permissions.
Severity Ratings and Affected Software
This security update is rated Important for all supported releases of Microsoft Windows.
Attack Vectors
The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process.
Mitigating Factors
An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Bulletins Replaced by This Update
MS11-010
Full Details
http://technet.microsoft.com/security/bulletin/MS11-097
Bulletin Identifier
Microsoft Security Bulletin MS11-098
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability.
The security update addresses the vulnerability by helping to ensure that the Windows kernel initializes objects in memory.
Severity Ratings and Affected Software
This security update is rated Important for all supported 32-bit editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Attack Vectors
The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability.
Mitigating Factors
An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Bulletins Replaced by This Update
MS10-047, MS10-021, and MS11-068.
Full Details
http://technet.microsoft.com/security/bulletin/MS11-098
Bulletin Identifier
Microsoft Security Bulletin MS11-099
Executive Summary
This security update resolves three privately reported vulnerabilities in Internet Explorer. The most severe vulnerability could allow remote code execution if a user opens a legitimate HyperText Markup Language (HTML) file that is located in the same directory as a specially crafted Dynamic-Link Library (DLL) file.
The update addresses the vulnerabilities by modifying the behavior of Internet Explorer XSS Filter, correcting the manner in which Internet Explorer loads external libraries, and correcting the way that Internet Explorer enforces the content settings supplied by the web server.
Severity Ratings and Affected Software
This security update is rated Important for Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows clients and for Internet Explorer 9 for Windows Server 2008 R2. This security update is also rated Moderate for Internet Explorer 6 on all supported editions of Windows XP. This security update is also rated Low for Internet Explorer on Windows servers (except Windows Server 2008 R2).
Attack Vectors
CVE-2011-1992 & CVE-2011-3404:
· Browse and Own: An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
Mitigating Factors
· The Server Message Block (SMB) is often disabled on the perimeter firewall. This limits the potential attack vectors for this vulnerability.
Bulletins Replaced by This Update
MS11-081
Full Details
http://technet.microsoft.com/security/bulletin/MS11-099
Jeffa