
Assessing the risk of the June security updates

Today we released 16 security bulletins. Nine have a maximum severity rating of Critical and seven have a maximum severity rating of Important. This release addresses several publicly disclosed vulnerabilities. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability rating | Likely first 30 days impact | Platform mitigations and key notes |
| --- | --- | --- | --- | --- | --- |
| MS11-050 (IE) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | IE9 not affected by several of these issues due to attack surface reduction and advances in fuzzing during IE9 development. More detail [here]. |
| MS11-052 (Vector Markup Language) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | IE9 not affected. Outlook preview pane not affected due to scripting requirement. |
| MS11-043 (SMB Client) | Victim makes an outbound connection to a malicious SMB server which responds with a malicious SMB packet, potentially executing code on the client in ring0. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Many enterprise perimeter firewalls and consumer ISPs block outbound SMB ports (139, 445), preventing internet-based attacks. |
| MS11-042 (DFS Client) | Victim makes an outbound connection to a malicious DFS server which responds with a malicious DFS packet, potentially executing code on the client in ring0. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Many enterprise perimeter firewalls and consumer ISPs block outbound SMB ports (139, 445), preventing internet-based attacks. |
| MS11-038 (OLE Automation) | Victim browses to a malicious webpage that uses VBScript to load a WMF file from an SMB or WebDAV path. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | |
| MS11-040 (Forefront TMG firewall client) | Victim running TMG client browses to a malicious webpage that initiates a DNS hostname lookup to a malicious DNS server. The malicious response is parsed by the application that initiated the request and could potentially allow code execution in that context. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Clients for ISA Server 2004 and ISA Server 2006 are not affected. Client for TMG, Medium Business Edition is not affected. |
| MS11-039 (.NET/Silverlight) | Victim browses to a malicious webpage that offers an XBAP application. Could also be used by a malicious ASP.NET application to bypass CAS restrictions. | Critical | 1 | Vulnerability itself is exploitable (hence the “1” rating). However, we do not typically see XBAP exploits in the wild. Remains to be seen if attackers will attempt to exploit this. | Latest version of Silverlight not affected. |
| MS11-044 (.NET Framework) | Attack vector is application-dependent and limited to .NET applications relying on a certain kind of check to make security decisions. Read more [here] about potential attack vectors. | Critical | 2 | Likely to be difficult to build a reliable exploit, once a vulnerable application is found. | |
| MS11-041 (OpenType Font driver) | Victim using explorer.exe browses to a folder containing a malicious OTF file. | Critical | 2 | Difficult to build a reliable exploit. | Windows XP and Windows Server 2003 not vulnerable to the shell preview attack vector. |
| MS11-046 (AFD.sys driver) | Attacker already running code on a machine elevates from a low-privileged account to SYSTEM. | Important | 1 | Exploits known to exist already. | |
| MS11-045 (Excel) | Victim opens a malicious Excel spreadsheet (XLS). | Important | 1 | Likely to see reliable exploit developed in next 30 days. | Excel 2010 affected by only one of the eight vulnerabilities. |
| MS11-051 (Active Directory Certificate Server) | Victim clicks on a malicious link directing them to Active Directory Certificate Server, which initiates attacker actions on the certificate server in the context of the user clicking the link. (XSS) | Important | 1 | Likely to see reliable exploit developed in next 30 days. | |
| MS11-037 (MHTML) | Victim browses to a malicious webpage that attempts to steal cookies belonging to a different website. (Cross-Domain Information Disclosure) | Important | 3 | No chance for direct code execution – Information Disclosure only. However, proof-of-concept code is publicly available. | |
| MS11-048 (SMB Server) | Attacker sends malicious SMB request which causes denial-of-service on victim workstation. | Important | 3 | No chance for direct code execution – Denial of Service only. | |
| MS11-047 (Hyper-V) | Attacker who is local administrator on a guest OS VM can cause a resource exhaustion denial-of-service on host OS. | Important | 3 | No chance for direct code execution – Denial of Service only. | |
| MS11-049 (Visual Studio XML Editor) | Victim opens a malicious .disco file inside Visual Studio, leaking file content on the workstation to a remote attacker. | Important | 3 | No chance for direct code execution – Information Disclosure only. | |

Please let us know (switech at microsoft dot com) if you have any questions about these updates.

Jonathan Ness, MSRC Engineering

