Assessing the risk of the February security updates

Today we released twelve security bulletins. Three have a maximum severity rating of Critical and nine have a maximum severity rating of Important. This release addresses three publicly disclosed vulnerabilities. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability | Likely first 30 days impact | Platform mitigations and key notes |
| --- | --- | --- | --- | --- | --- |
| MS11-003 (IE) | Victim browses to a malicious webpage. | Critical | 1 | Public exploits exist for CVE-2010-3971, as first described in advisory 2488013. | Please see MMPC blog post for attack telemetry. |
| advisory 2490606 (shimgvw.dll) | Victim browses to a malicious SMB or WebDAV share that contains a file with a malicious thumbnail image. | Critical | 1 | Public exploits exist for CVE-2010-3970, as first described in advisory 2490606. We have not been alerted to any real-world active attacks. | The thumbnail preview attack vector exists only if explorer.exe is in thumbnail or preview mode. By default, explorer.exe uses details mode which cannot be used as an attack vector. |
| MS11-007 (OpenType Font driver) | Victim using explorer.exe browses to a folder containing a malicious OTF file. | Critical | 2 | Any exploits released in next 30 days likely to be inconsistent and not reliable for code execution. | Windows XP and Windows Server 2003 not vulnerable to the shell preview attack vector. |
| MS11-004 (IIS FTPSVC) | Attackers send malicious exploit against IIS 7 servers that have enabled the FTP service. | Important | 2 | Vulnerability details for CVE-2010-3972 are public. However, it will be difficult to build a reliable exploit for code execution. We have heard rumors of an exploit technique that will be discussed publicly in April by Chris Valasek and Ryan Smith. | The FTP service included with Windows Server 2003 and Windows Server 2008 are not vulnerable by default. This blog post explains in more detail how versions of Windows other than Windows 7 and Windows Server 2008 R2 could be impacted. |
| MS11-011 (Kernel) | Attacker running code on a machine already elevates from low-privileged account to SYSTEM. | Important | 1 | Proof-of-concept code is publicly available. | |
| MS11-012 (win32k.sys) | Attacker running code on a machine already elevates from low-privileged account to SYSTEM. | Important | 1 | Likely to see an exploit released granting a local attacker SYSTEM level access. | |
| MS11-014 (LSASS) | Attacker running code on a machine already elevates from low-privileged account to SYSTEM. | Important | 1 | Likely to see an exploit released granting a local attacker SYSTEM level access. | |
| MS11-008 (Visio) | Victim opens a malicious .VSD file | Important | 1 | Likely to see an exploit released. | |
| MS11-010 (CSRSS) | Attacker able to logon interactively to a machine runs code and then logs off. Later, when an administrator logs onto the machine, attacker code runs in the administrator’s security context. | Important | 1 | Likely to see an exploit released granting a local attacker access to the security context of the next user who logs into the system. | |
| MS11-013 (Kerberos) | Two vulnerabilities: 1 - Attacker already running code locally in the context of a service account (IIS, SQL, etc) elevates privileges on the network. 2 - Man-in-the-middle attacker able to sniff and modify traffic on the wire causes encryption downgrade to DES, cracks the encryption, and impersonates the user who sent the traffic. | Important | 1 | Likely to see an exploit released allowing an attacker to increase their foothold on a compromised network. | 1 - Services running in the context of a low-privileged account cannot be used as initial vector of an exploit where this vulnerability is used. Domain controllers running Windows Server 2008 or later are not affected. 2 - Attacker must be able to sniff and modify traffic on the wire. |
| MS11-005 (Active Directory) | An attacker running code as an administrator of a domain-joined computer could disrupt critical functions of the domain (such as the Kerberos service) by updating properties of the attacker-controlled system in its Active Directory record. | Important | 3 | No exploit possible for code execution. This vulnerability has potential for denial-of-service only. | Attacker must first compromise a domain account having administrative access to a workstation in the domain. |
| MS11-009 (JScript / VBscript) | Victim browses to a malicious webpage allowing attacker to read a few bytes of memory within the victim’s Internet Explorer process. | Important | 3 | No exploit possible for code execution. This vulnerability has potential for information disclosure only. | |

In addition to the twelve security updates, we are also releasing an advisory related to the Autorun functionality. This advisory describes a package live today on Windows Update that disables the Autorun functionality for removable, “non-shiny” media. You can read more about it in this blog post.

Acknowledgement

Thanks to Andrew Roths, Mark Wodrich, and the rest of the MSRC Engineering team for help with this post and the whole team for their work on this month’s security updates.

Jonathan Ness, MSRC Engineering

