Today we released 17 security bulletins. Nine have a maximum severity rating of Critical and eight have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability Index | Likely first 30 days impact | Platform mitigations and key notes |
---|---|---|---|---|---|
MS11-018(IE) | Victim browses to a malicious webpage. | Critical | 1 | We are aware of targeted attacks leveraging both CVE-2011-0094 and CVE-2011-1345. | IE8 and IE9 not vulnerable to CVE-2011-0094. IE9 not vulnerable to CVE-2011-1345. |
MS11-019(SMB Client) | Victim makes an outbound connection to a malicious SMB server which responds with a malicious SMB packet, potentially executing code on the client in ring0. | Critical | 1 | Likely to see reliable exploits developed within next 30 days for CVE-2011-0660. | Windows 7 SP1 vulnerable to CVE-2011-0660 for denial of service only. |
MS11-020(SMB Server) | Attacker sends malicious network traffic to a victim running the Server service, potentially executing code in ring0. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | Many home routers and enterprise perimeter firewalls block SMB ports (139, 445). |
MS11-027(IE killbits) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed for one or more of these ActiveX controls. | CVE-2011-1243 affects only Windows XP users who have never used Windows Messenger. |
MS11-028(.NET) | Victim browses to a malicious webpage that offers an XBAP application. Could also be used by a malicious ASP.Net application to bypass CAS restrictions. | Critical | 1 | Vulnerability itself is exploitable (hence the “1” rating). However, we do not typically see XBAP exploits in the wild. Remains to be seen if attackers will attempt to exploit this. | Silverlight not affected. |
MS11-032(OpenType Font driver) | Victim using explorer.exe browses to a folder containing a malicious OTF file. Could also be used as a local elevation of privilege by an attacker already able to run code on a machine. | Critical | 1* | Likely to see reliable exploits developed within next 30 days. | Windows XP and Windows Server 2003 not vulnerable to the shell preview attack vector. |
MS11-029(GDIplus.dll) | Victim opens malicious Word document or opens a malicious EMF file. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Office 2003 and later versions of Office are not affected. Windows 7 also not affected. |
MS11-031(VBScript / JScript) | Victim browses to a malicious webpage. | Critical | 2 | Difficult to build a reliable exploit. Less likely to see this issue exploited for code execution in next 30 days. | 32-bit platforms unlikely to be exploited for code execution unless running with /3GB boot option. |
MS11-030(DNS link-local name resolution) | Attacker sends a malicious Link-Local Multicast Name Resolution (LLMNR) request to victims on the same local link, potentially executing code as NetworkService on nearby systems. | Critical | 2 | Difficult to build a reliable exploit. Less likely to see this issue exploited for code execution in first 30 days. | Does not affect systems using the (default) Public network profile. |
MS11-026(MHTML) | Victim browses to a malicious website that steals browser cookies for other trusted websites. | Important | n/a | We are aware of public exploits that attempt to leverage CVE-2011-0096. | No direct code execution. This is an information disclosure threat. |
MS11-021(Excel) | Victim opens a malicious Excel spreadsheet (XLS). | Important | 1 | Likely to see reliable exploit developed in next 30 days. | |
MS11-022(PowerPoint) | Victim opens a malicious PowerPoint presentation (PPT). | Important | 1 | Likely to see reliable exploit developed in next 30 days. | |
MS11-023(Excel) | Victim opens a malicious Excel spreadsheet (XLS). | Important | 1 | CVE-2011-0107 (DLL Preloading vulnerability) has been disclosed publicly. The other CVE addressed in this bulletin (CVE-2011-0977) would be more difficult to exploit for code execution. | Office 2010 not affected. |
MS11-033(Wordpad converter) | Victim opens malicious RTF, WRI, or DOC file with Wordpad. | Important | 2 | Difficult to build a reliable exploit. Less likely to see this issue exploited for code execution in first 30 days. | Windows Vista and later versions of Windows are not affected. |
MS11-034(win32k.sys) | Attacker already running code on a machine elevates from a low-privileged account to SYSTEM. | Important | 1 | Likely to see an exploit released granting a local attacker SYSTEM level access. | 30 of this month’s 64 vulnerabilities are addressed in this bulletin. More information about the high vulnerability count is in this month’s SRD blog post. |
MS11-025(DLL Preloading) | Victim browses to a malicious WebDAV share and launches an application by double-clicking a content file hosted on the attacker-controlled WebDAV share. | Important | 1 | Exploiting DLL preloading cases is straightforward. Therefore, exploit code is likely to appear. | |
MS11-024 (Fax cover sheet) | Victim opens a malicious fax cover sheet (COV, CPE). | Important | 3 | Less likely to see real-world effective exploits for this filetype due to mitigating factors. | No version of Windows will open a .cov file by default via a registered file extension (double-clicking the file). The affected component is not installed by default or is not registered. |
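As an added example (not part of the original post or of any Microsoft tooling), the PowerShell audit below checks whether the platform mitigations cited in the table actually hold on a given host. It assumes an elevated session on Windows Vista or later with an English locale, since the `netsh` output is parsed as text.

```powershell
# Added example, not from the original post: host-side checks for the
# mitigating factors listed in the table. Run elevated; English locale assumed.
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding($Bulletin, $Check, $Result) {
    $findings.Add([pscustomobject]@{ Bulletin = $Bulletin; Check = $Check; Result = $Result })
}

# MS11-031: on 32-bit hosts code execution is unlikely unless /3GB is set.
# Vista and later express /3GB as the 'increaseuserva' BCD element.
$bcd = & bcdedit /enum '{current}' 2>$null
$threeGb = [bool]($bcd | Select-String -Pattern 'increaseuserva' -Quiet)
Add-Finding 'MS11-031' '/3GB (increaseuserva) boot option set' $threeGb

# MS11-020: the note relies on SMB ports being blocked upstream; confirm
# the host firewall is on and whether 139/445 are listening locally.
$fw = & netsh advfirewall show currentprofile
$fwOn = [bool]($fw | Select-String -Pattern '^State\s+ON' -Quiet)
$smbListen = [bool](& netstat -an | Select-String -Pattern ':(139|445)\s+.*LISTENING' -Quiet)
Add-Finding 'MS11-020' 'Host firewall enabled for current profile' $fwOn
Add-Finding 'MS11-020' 'SMB (139/445) listening on this host' $smbListen

# MS11-030: the Public profile is unaffected; also report whether LLMNR has
# been disabled by policy (EnableMulticast = 0 under the DNSClient key).
$m = $fw | Select-String -Pattern '^(\w+) Profile Settings' | Select-Object -First 1
$profile = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
Add-Finding 'MS11-030' 'Active firewall profile' $profile
Add-Finding 'MS11-030' 'LLMNR disabled by policy (EnableMulticast=0)' ($llmnr -eq 0)

# MS11-024: no Windows version registers .cov/.cpe by default; a registered
# file type means the mitigating factor in the table no longer applies.
foreach ($ext in '.cov', '.cpe') {
    $registered = Test-Path "Registry::HKEY_CLASSES_ROOT\$ext"
    Add-Finding 'MS11-024' "$ext has a registered file type" $registered
}

# MS11-025: the WebDAV vector needs the WebClient (WebDAV redirector) service.
$webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
$status = if ($webclient) { [string]$webclient.Status } else { 'not present' }
Add-Finding 'MS11-025' 'WebClient service status' $status

# Advisory KB2506014: kernel hardening against the Alureon/TDL4 hiding technique.
$kb = Get-HotFix -Id KB2506014 -ErrorAction SilentlyContinue
Add-Finding 'KB2506014' 'Kernel hardening update installed' ([bool]$kb)

$findings | Format-Table -AutoSize
```

A True result for the /3GB, SMB-listening, or registered-file-type checks means the corresponding mitigating factor from the table does not apply to that host and the bulletin should move up in deployment priority there.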
In addition to the bulletins, two interesting advisories are being released today. Security advisory 2501584 describes a great protection mechanism available for Office 2003 and Office 2007 customers to download and install. The Office team’s blog post about the tool is available at http://blogs.technet.com/b/office_sustained_engineering/archive/2011/04/11/office-file-validation-general-availability-announcement.aspx.
The second advisory, KB 2506014, hardens Windows against kernel-mode rootkits. It specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family. The update is available on WU and WSUS and is pushed out automatically to customers who have opted in to Automatic Updates.
If you have any questions about these updates, please email us at switech [at] microsoft [dot] com. You can also tune into the MSRC webcast tomorrow, where I’ll be answering questions on the air. The MSRC blog post has all the information for that.
Update April 13: Corrected the MS11-028 bulletin severity and affected products. Also moved this bulletin up higher in priority due to this correction.
Update April 15: Corrected the MS11-032 bulletin exploitability due to a rating error. Also moved MS11-032 higher in priority order.
- Jonathan Ness, MSRC Engineering