Wednesday, 14 December 2011

Microsoft Patch Tuesday Report December 13th

Application Compatibility Update
By: Greg Lambert

Executive Summary
This December Microsoft Patch Tuesday brings a relatively large set of updates: 13 Microsoft Security Updates in total, 3 rated Critical and 10 rated Important. The potential impact of the updates is likely to be moderate.

As part of the Patch Tuesday Security Update analysis performed by the ChangeBASE team, we have seen moderate cause for potential compatibility issues.

Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this December Patch Tuesday release cycle.



Sample Results

Here is a sample of the results for one application and a summary of the Patch Tuesday results for one of our AOK Sample databases:

MS11-091: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution.
MS11-093: Vulnerabilities in OLE Could Allow Remote Code Execution.

And here is a sample AOK Summary report for a sample database where the AOK Patch Impact team has run the latest Microsoft Updates against a small application portfolio:
A RED issue is generally one that pertains to how the code or the program itself works. We flag as RED those issues where a package tries to use objects or functions that have been deprecated from the OS or whose use has been restricted. In these cases there are no changes that a packager (or AOK Workbench) can make to the install routine to fix the problem. The problem needs to be dealt with at the program code level, either by the programmer who wrote it or by providing a more up-to-date driver. However, making these changes is reasonably straightforward once a programmer has the information provided by AOK Workbench. For vendor MSIs an upgrade may be required.
An AMBER issue is one that pertains to the installation routine. A packager can change things in the installation routine, and so can AOK Workbench. Wherever an issue is found that a change to the installation routine can remove, we flag it as AMBER. AOK Workbench fixes almost all of the issues it flags as AMBER. For the few issues that require a decision to be made, a packager can remediate them manually using the issue data provided by AOK Workbench.
Applications flagged as GREEN have no issues identified against them.

Testing Summary

MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
MS11-088
Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege
MS11-089
Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)
MS11-090
Cumulative Security Update of ActiveX Kill Bits (2618451)
MS11-091
Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)
MS11-092
Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)
MS11-093
Vulnerability in OLE Could Allow Remote Code Execution (2624667)
MS11-094
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)
MS11-095
Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)
MS11-096
Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)
MS11-097
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)
MS11-098
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)
MS11-099
Cumulative Security


Security Update Detailed Summary
MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
Description
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits a malicious Web page that embeds TrueType font files.
Payload
Win32k.sys
Impact
Critical - Remote Code Execution


MS11-088
Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege
Description
This security update resolves a privately reported vulnerability in Microsoft Office IME (Chinese). The vulnerability could allow elevation of privilege if a logged-on user performed specific actions on a system where an affected version of the Microsoft Pinyin (MSPY) Input Method Editor (IME) for Simplified Chinese is installed. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected.
Payload
Not Defined
Impact
Important - Elevation of Privilege


MS11-089
Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)
Description
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload
Not Defined
Impact
Important - Remote Code Execution


MS11-090
Cumulative Security Update of ActiveX Kill Bits (2618451)
Description
This security update resolves a privately reported vulnerability in Microsoft software. The vulnerability could allow remote code execution if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.
Payload
Not Defined
Impact
Critical - Remote Code Execution


MS11-091
Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)
Description
This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload
Mspub.exe, Prtf9.dll, Ptxt9.dll, Pubconv.dll
Impact
Important - Remote Code Execution



MS11-092
Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)
Description
This security update resolves a privately reported vulnerability in Windows Media Player and Windows Media Center. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so.
Payload
Encdec.dll
Impact
Critical - Remote Code Execution


MS11-093
Vulnerability in OLE Could Allow Remote Code Execution (2624667)
Description
The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload
Ole32.dll
Impact
Important - Remote Code Execution


MS11-094
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)
Description
This security update resolves privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited either of the vulnerabilities could take complete control of an affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload
Not Defined
Impact
Important - Remote Code Execution


MS11-095
Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)
Description
This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow remote code execution if an attacker logs on to an Active Directory domain and runs a specially crafted application. To exploit this vulnerability, an attacker would first need to acquire credentials to log on to an Active Directory domain.
Payload
Adamdsa.dll
Impact
Important - Remote Code Execution


MS11-096
Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)
Description
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-3403.
Payload
Excel.exe
Impact
Important - Remote Code Execution


MS11-097
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Payload
Csrsrv.dll
Impact
Important - Elevation of Privilege


MS11-098
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Payload
Ntkrnlmp.exe, Ntkrnlpa.exe, Ntkrpamp.exe, Ntoskrnl.exe, Mpsyschk.dll
Impact
Important - Elevation of Privilege


MS11-099
Cumulative Security
Description
This security update resolves three privately reported vulnerabilities in Internet Explorer. The most severe vulnerability could allow remote code execution if a user opens a legitimate HyperText Markup Language (HTML) file that is located in the same directory as a specially crafted dynamic link library (DLL) file.
Payload
Not Defined
Impact
Important - Remote Code Execution


*All results are based on a ChangeBASE Application Compatibility Lab’s test portfolio of over 1,000 applications.
