By: Greg Lambert
Executive Summary
With this December Microsoft Patch Tuesday update, we see a relatively large set of updates: 13 Microsoft Security Updates in total, 3 rated Critical and 10 rated Important. The potential impact of these updates is likely to be moderate.
As part of the Patch Tuesday Security Update analysis performed by the ChangeBASE team, we have found moderate cause for concern about potential compatibility issues.
Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement all of the patches and updates released in this December Patch Tuesday cycle.
Sample Results
Here is a sample of the results for one application and a summary of the Patch Tuesday results for one of our AOK Sample databases:
MS11-091: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution.
MS11-093: Vulnerabilities in OLE Could Allow Remote Code Execution.
And here is a sample AOK Summary report for a sample database where the AOK Patch Impact team has run the latest Microsoft Updates against a small application portfolio:
A RED issue is generally one that pertains to how the code or actual program works. We flag as RED issues where a package tries to use objects or functions that have been deprecated from the OS or whose use has been restricted. There are no changes that a packager (or AOK Workbench) can make to the install routine to fix such a problem; it needs to be dealt with at the program code level by the programmer who wrote it, or by providing a more up-to-date driver. However, once a programmer has the information provided by AOK Workbench, making these changes is reasonably straightforward. For vendor MSIs an upgrade may be required.
An AMBER issue is one that pertains to the installation routine. A packager can change things in the installation routine, and so can AOK Workbench. Wherever an issue is found and a change can be made to the installation routine to remove it, we flag it as AMBER. AOK Workbench fixes almost all of the issues it flags as AMBER; for the few that require a decision to be made, a packager can manually remediate them using the issue data provided by AOK Workbench.
Applications flagged as GREEN have no issues identified against them.
Testing Summary
| Bulletin | Title |
| --- | --- |
| MS11-087 | Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417) |
| MS11-088 | Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege |
| MS11-089 | Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602) |
| MS11-090 | Cumulative Security Update of ActiveX Kill Bits (2618451) |
| MS11-091 | Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702) |
| MS11-092 | Vulnerability in Windows Media Could Allow Remote Code Execution (2648048) |
| MS11-093 | Vulnerability in OLE Could Allow Remote Code Execution (2624667) |
| MS11-094 | Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142) |
| MS11-095 | Vulnerability in Active Directory Could Allow Remote Code Execution (2640045) |
| MS11-096 | Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241) |
| MS11-097 | Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712) |
| MS11-098 | Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171) |
| MS11-099 | Cumulative Security |
MS11-087 | Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417) |
Description | This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits a malicious Web page that embeds TrueType font files. |
Payload | Win32k.sys |
Impact | Critical - Remote Code Execution |
MS11-088 | Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege |
Description | This security update resolves a privately reported vulnerability in Microsoft Office IME (Chinese). The vulnerability could allow elevation of privilege if a logged-on user performed specific actions on a system where an affected version of the Microsoft Pinyin (MSPY) Input Method Editor (IME) for Simplified Chinese is installed. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected. |
Payload | Not Defined |
Impact | Important - Elevation of Privilege |
MS11-089 | Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602) |
Description | This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Payload | Not Defined |
Impact | Important - Remote Code Execution |
MS11-090 | Cumulative Security Update of ActiveX Kill Bits (2618451) |
Description | This security update resolves a privately reported vulnerability in Microsoft software. The vulnerability could allow remote code execution if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls. |
Payload | Not Defined |
Impact | Critical - Remote Code Execution |
MS11-091 | Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702) |
Description | This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Payload | Mspub.exe, Prtf9.dll, Ptxt9.dll, Pubconv.dll |
Impact | Important - Remote Code Execution |
MS11-092 | Vulnerability in Windows Media Could Allow Remote Code Execution (2648048) |
Description | This security update resolves a privately reported vulnerability in Windows Media Player and Windows Media Center. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so. |
Payload | Encdec.dll |
Impact | Critical - Remote Code Execution |
MS11-093 | Vulnerability in OLE Could Allow Remote Code Execution (2624667) |
Description | The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Payload | Ole32.dll |
Impact | Important - Remote Code Execution |
MS11-094 | Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142) |
Description | This security update resolves privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited either of the vulnerabilities could take complete control of an affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Payload | Not Defined |
Impact | Important - Remote Code Execution |
MS11-095 | Vulnerability in Active Directory Could Allow Remote Code Execution (2640045) |
Description | This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow remote code execution if an attacker logs on to an Active Directory domain and runs a specially crafted application. To exploit this vulnerability, an attacker would first need to acquire credentials to log on to an Active Directory domain. |
Payload | Adamdsa.dll |
Impact | Important - Remote Code Execution |
MS11-096 | Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241) |
Description | This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-3403. |
Payload | Excel.exe |
Impact | Important - Remote Code Execution |
MS11-097 | Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712) |
Description | This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. |
Payload | Csrsrv.dll |
Impact | Important - Elevation of Privilege |
MS11-098 | Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171) |
Description | This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. |
Payload | Ntkrnlmp.exe, Ntkrnlpa.exe, Ntkrpamp.exe, Ntoskrnl.exe, Mpsyschk.dll |
Impact | Important - Elevation of Privilege |
MS11-099 | Cumulative Security |
Description | This security update resolves three privately reported vulnerabilities in Internet Explorer. The most severe vulnerability could allow remote code execution if a user opens a legitimate HyperText Markup Language (HTML) file that is located in the same directory as a specially crafted dynamic link library (DLL) file. |
Payload | Not Defined |
Impact | Important - Remote Code Execution |
*All results are based on a ChangeBASE Application Compatibility Lab’s test portfolio of over 1,000 applications.
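As an added example that is not part of the original post or of ChangeBASE's tooling, the PowerShell below checks a Windows host for the KB numbers given in the bulletin titles above, reports whether the reboot the executive summary says most systems will need is still outstanding, and, for MS11-090, tests whether a given ActiveX CLSID has its kill bit set. The KB-to-bulletin mapping is taken from the page (MS11-088 carries no KB number here and is omitted); the CLSID is a placeholder, because the post does not name the four third-party controls; the registry paths and the Windows Update Agent COM API are standard Windows locations, not something the post describes.

```powershell
# Added example (not from the original post or ChangeBASE): verify the December 2011
# bulletins are installed, whether a reboot is pending, and whether a CLSID is kill-bitted.

# KB article numbers as listed in the bulletin titles on this page.
# MS11-088 has no KB number on the page, so it is not checked here.
$DecemberKBs = @{
    'MS11-087' = 'KB2639417'
    'MS11-089' = 'KB2590602'
    'MS11-090' = 'KB2618451'
    'MS11-091' = 'KB2607702'
    'MS11-092' = 'KB2648048'
    'MS11-093' = 'KB2624667'
    'MS11-094' = 'KB2639142'
    'MS11-095' = 'KB2640045'
    'MS11-096' = 'KB2640241'
    'MS11-097' = 'KB2620712'
    'MS11-098' = 'KB2633171'
}

function Get-InstalledKBs {
    # Read the Windows Update Agent history through its COM API so that Office
    # patches (installed as .msp files, which Get-HotFix does not list) are covered.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $kbs = @{}
    if ($count -gt 0) {
        foreach ($entry in $searcher.QueryHistory(0, $count)) {
            # ResultCode 2 = orcSucceeded; the KB number sits in the update title.
            if ($entry.ResultCode -eq 2 -and $entry.Title -match '\(KB(\d+)\)') {
                $kbs['KB' + $matches[1]] = $true
            }
        }
    }
    # Merge in Win32_QuickFixEngineering for updates applied outside WUA (e.g. wusa.exe).
    Get-HotFix | ForEach-Object { $kbs[$_.HotFixID] = $true }
    return $kbs
}

function Get-MissingBulletins {
    param([hashtable]$Bulletins = $DecemberKBs)
    $installed = Get-InstalledKBs
    foreach ($b in ($Bulletins.GetEnumerator() | Sort-Object Key)) {
        if (-not $installed.ContainsKey($b.Value)) {
            New-Object PSObject -Property @{ Bulletin = $b.Key; KB = $b.Value }
        }
    }
}

function Test-PendingReboot {
    # Markers the servicing stack and Windows Update leave behind while a reboot is outstanding.
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $pfr = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations
    return ($wu -or $cbs -or ($null -ne $pfr))
}

function Test-KillBit {
    # MS11-090 ships kill bits. A kill bit is bit 0x400 of the 'Compatibility Flags'
    # value under the ActiveX Compatibility key for the control's CLSID.
    # The default CLSID is a placeholder: substitute the CLSIDs from the bulletin's KB article.
    param([string]$Clsid = '{00000000-0000-0000-0000-000000000000}')
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (($flags -band 0x400) -eq 0x400)
}

# Usage
$missing = @(Get-MissingBulletins)
if ($missing.Count -eq 0) { 'All December 2011 bulletins with a KB number are present.' }
else { $missing | Format-Table -AutoSize }
"Reboot pending: $(Test-PendingReboot)"
```

Get-HotFix on its own reports only Windows component updates, so the Office bulletins (MS11-089, MS11-091, MS11-094, MS11-096) would appear missing if it were the sole source; reading the Windows Update history covers them when they were installed through Windows Update or WSUS. On 64-bit Windows, 32-bit Internet Explorer reads its kill bits from the Wow6432Node copy of the ActiveX Compatibility key, so check both locations there.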