Overview of the June 2011 Microsoft patches and their status.
| # | Description | Affected | Contra Indications - KB | Known Exploits | Microsoft rating | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|---|
| MS11-037 | The MHTML (MIME Encapsulated HTML) protocol handler is vulnerable to information disclosure through an XSS-like problem. Replaces MS11-026. | MHTML: CVE-2011-1894 | KB 2544893 | Publicly known vulnerability. | Severity: Important, Exploitability: 3 | Important | Low |
| MS11-038 | WMF processing by OLE allows for arbitrary code execution with the rights of the logged on user. Replaces MS08-008. | OLE - WMF: CVE-2011-0658 | KB 2476490 | No known exploits | Severity: Critical, Exploitability: 1 | Critical | Important |
| MS11-039 | Input validation vulnerabilities in the .NET framework and the Silverlight implementations allow for arbitrary code execution with the rights of the logged on user. | .NET - Silverlight: CVE-2011-0664 | KB 2514842 | No known exploits | Severity: Critical, Exploitability: 1 | Critical | Important |
| MS11-040 | Improper bounds checking in Microsoft Forefront Threat Management Gateway 2010 Client allows for arbitrary code execution in the context of the service. | Forefront TMG: CVE-2011-1889 | KB 2520426 | No known exploits | Severity: Critical, Exploitability: 1 | Critical | Important |
| MS11-041 | An input validation problem in the parsing of OTF (OpenType Font) fonts in 64-bit kernels allows for arbitrary code execution in kernel mode. This is remotely exploitable through file sharing, WebDAV, websites, email and more. Replaces MS11-034. | OTF: CVE-2011-1873 | KB 2525694 | No known exploits | Severity: Critical, Exploitability: 2 | Critical | Important |
| MS11-042 | Input validation problems in the Distributed File System (DFS) implementation allow for arbitrary code execution in the context of the service or denial of service (DoS) conditions. | DFS (Distributed File System): CVE-2011-1868, CVE-2011-1869 | KB 2535512 | No known exploits | Severity: Critical, Exploitability: 1-3 | Critical | Critical |
| MS11-043 | An input validation problem in the parsing of the responses to SMB requests allows for arbitrary code execution in the context of the service. Replaces MS11-019 and MS10-020. | SMB: CVE-2011-1268 | KB 2536276 | No known exploits | Severity: Critical, Exploitability: 1 | Critical | Important |
| MS11-044 | An input validation problem in the JIT optimization of the .NET framework allows for arbitrary code execution in the context of the logged on user, and for bypassing security measures such as the CAS (Code Access Security) restrictions. Replaces MS11-028 and MS10-060. | .NET: CVE-2011-1271 | KB 2538814 | Publicly disclosed vulnerability. | Severity: Critical, Exploitability: 2 | Critical | Critical |
| MS11-045 | Multiple vulnerabilities in Excel allow for arbitrary code execution in the context of the logged on user. Office for Mac versions are also affected. Replaces MS11-021 and MS11-022. | Excel: CVE-2011-1272, CVE-2011-1273, CVE-2011-1274, CVE-2011-1275, CVE-2011-1276, CVE-2011-1277, CVE-2011-1278, CVE-2011-1279 | KB 2537146 | No known exploits | Severity: Important, Exploitability: 1-3 | Critical | Important |
| MS11-046 | An input validation vulnerability in AFD (Ancillary Function Driver) allows for privilege escalation and arbitrary code execution in kernel mode for logged on users. Replaces MS10-066. | AFD: CVE-2011-1249 | KB 2503665 | Publicly disclosed vulnerability; Microsoft claims limited, targeted attacks attempting to exploit the vulnerability. | Severity: Important, Exploitability: 1 | Critical | Critical |
| MS11-047 | A Denial of Service (DoS) condition is possible where an authenticated user of a guest system can cause a denial of service on the host system. Replaces MS10-102. | Hyper-V: CVE-2011-1872 | KB 2525835 | No known exploits. | Severity: Important, Exploitability: 3 | Low | Important |
| MS11-048 | A parsing error in the SMB server can be used to cause a Denial of Service (DoS) condition. Replaces MS09-050. | SMB server: CVE-2011-1267 | KB 2525835 | No known exploits. | Severity: Important, Exploitability: 3 | Low | Important |
| MS11-049 | The XML editor can leak file content through nested XML external entities. The XML editor is part of InfoPath, SQL Server, and Visual Studio. Replaces MS10-039 and MS09-062. | XML editor: CVE-2011-1280 | KB 2543893 | No known exploits. | Severity: Important, Exploitability: 3 | Important | Important |
| MS11-050 | Multitude of vulnerabilities in MSIE. Replaces MS11-018. | MSIE: CVE-2011-1246, CVE-2011-1250, CVE-2011-1251, CVE-2011-1252, CVE-2011-1254, CVE-2011-1255, CVE-2011-1256, CVE-2011-1258, CVE-2011-1260, CVE-2011-1261, CVE-2011-1262 | KB 2543893 | No known exploits. | Severity: Critical, Exploitability: 1-3 | Critical | Important |
| MS11-051 | Active Directory Certificate Services Web Enrollment allows for a reflected XSS issue. | Active Directory Certificate Services Web Enrollment: CVE-2011-1264 | KB 2518295 | No known exploits. | Severity: Important, Exploitability: 1 | N/A | Important |
| MS11-052 | A VML memory corruption allows arbitrary code execution in MSIE with the rights of the logged on user. IE9 is not affected. | VML - MSIE: CVE-2011-1266 | KB 2544521 | No known exploits. | Severity: Critical, Exploitability: 1 | Critical | Important |
We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
We use 4 levels:
PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. The measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word, etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
--
Swa Frantzen -- Section 66
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.