Today we released 16 security bulletins. Nine have a maximum severity rating of Critical and seven have a maximum severity rating of Important. This release addresses several publicly disclosed vulnerabilities. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploit-ability rating | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS11-050(IE) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | IE9 not affected by several of these issues due to attack surface reduction and advances in fuzzing during IE9 development. More detail [here]. |
| MS11-052(Vector Markup Language) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | IE9 not affected. Outlook preview pane not affected due to scripting requirement. |
| MS11-043(SMB Client) | Victim makes an outbound connection to a malicious SMB server which responds with a malicious SMB packet, potentially executing code on the client in ring0. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Many enterprise perimeter firewalls and consumer ISP’s block outbound SMB ports (139, 445), preventing internet-based attacks. |
| MS11-042(DFS Client) | Victim makes an outbound connection to a malicious DFS server which responds with a malicious DFS packet, potentially executing code on the client in ring0. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Many enterprise perimeter firewalls and consumer ISP’s block outbound SMB ports (139, 445), preventing internet-based attacks. |
| MS11-038(OLE Automation) | Victim browses to a malicious webpage that uses VBScript to load a WMF file from a SMB or WebDAV path. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | |
| MS11-040(Forefront TMG firewall client) | Victim running TMG client browses to a malicious webpage that initiates DNS hostname lookup to malicious DNS server. Malicious response is parsed by application that initiated request and could potentially allow code execution in that context. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Clients for ISA Server 2004 and ISA Server 2006 are not affected. Client for TMG, Medium Business Edition is not affected. |
| MS11-039(.NET/Silverlight) | Victim browses to a malicious webpage that offers an XBAP application. Could also be used by a malicious ASP.Net application to bypass CAS restrictions. | Critical | 1 | Vulnerability itself is exploitable (hence the “1” rating). However, we do not typically see XBAP exploits in the wild. Remains to be seen if attackers will attempt to exploit this. | Latest version of Silverlight not affected. |
| MS11-044(.NET Framework) | Attack vector is application-dependent and limited to .NET applications relying on a certain kind of check to make security decisions. Read more [here] about potential attack vectors. | Critical | 2 | Likely to be difficult to build a reliable exploit, once a vulnerable application is found. | |
| MS11-041(Opentype Font driver) | Victim using explorer.exe browses to a folder containing a malicious OTF file. | Critical | 2 | Difficult to build a reliable exploit. | Windows XP and Windows Server 2003 not vulnerable to the shell preview attack vector. |
| MS11-046(AFD.sys driver) | Attacker running code on a machine already elevates from low-privileged account to SYSTEM. | Important | 1 | Exploits known to exist already. | |
| MS11-045(Excel) | Victim opens a malicious Excel spreadsheet (XLS). | Important | 1 | Likely to see reliable exploit developed in next 30 days. | Excel 2010 affected by only one of the eight vulnerabilities. |
| MS11-051(Active Directory Certificate Server) | Victim clicks on a malicious link directing them to Active Directory Certificate Server which initiates attacker actions on the certificate server in the context of the user clicking the link. (XSS) | Important | 1 | Likely to see reliable exploit developed in next 30 days. | |
| MS11-037(MHTML) | Victim browses to a malicious webpage that attempts to steal cookies belonging to a different website. (Cross-Domain Information Disclosure) | Important | 3 | No chance for direct code execution – Information Disclosure only. However, proof-of-concept code is publicly available. | |
| MS11-048(SMB Server) | Attacker sends malicious SMB request which causes denial-of-service on victim workstation. | Important | 3 | No chance for direct code execution – Denial of Service only. | |
| MS11-047(Hyper-V) | Attacker who is local administrator on a guest OS VM can cause a resource exhaustion denial-of-service on host OS. | Important | 3 | No chance for direct code execution – Denial of Service only. | |
| MS11-049(Visual Studio XML Editor) | Victim opens a malicious .disco files inside Visual Studio, leaking file content on the workstation to remote attacker. | Important | 3 | No chance for direct code execution – Information Disclosure only. |
Please let us know (switech at microsoft dot com) if you have any questions about these updates.
Jonathan Ness, MSRC Engineering