Gladiator Research and Security

Microsoft has announced thirteen new patches today, including ten that could allow remote code execution.  MS11-087, MS11-090, and MS11-092 are rated Critical and Gladiator recommends all users install these patches as soon as possible.  Despite the Important rating, Gladiator also recommends you apply patches MS11-089, MS11-091, MS11-093, MS11-094, MS11-095, MS11-096, and MS11-099 to remediate vulnerabilities that could lead to remote code execution.  All other patches can be applied during your normal patch window.  Detailed information regarding the patches can be found in Microsoft’s December Security Bulletin.  Summary information is included below:

• Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417) MS11-087 – This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a malicious document or visits a crafted Web page with embedded TrueType font files. Microsoft has rated this patch as Critical.  Gladiator recommends that this patch be applied immediately to all systems.
• Cumulative Security Update of ActiveX Kill Bits (2618451) MS11-090 – This security update resolves a privately reported vulnerability in Microsoft software. The vulnerability could allow remote code execution if a user views a malicious Web page in Internet Explorer. Administrator level users may be more impacted. This update also includes kill bits for four third-party ActiveX controls. Microsoft has rated this patch as Critical. Gladiator recommends that this patch be applied immediately to all systems.
• Vulnerability in Windows Media Could Allow Remote Code Execution (2648048) MS11-092 – This security update resolves a privately reported vulnerability in Windows Media Player and Windows Media Center. The vulnerability could allow remote code execution if a user opens a malicious Microsoft Digital Video Recording (.dvr-ms) file. Microsoft has rated this patch as Critical. Gladiator recommends that this patch be applied immediately to all systems.
• Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016) MS11-088 – This security update resolves a privately reported vulnerability in Microsoft Office IME (Chinese). An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and then install programs; view, change, or delete data; or create new accounts with full administrative rights. Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Microsoft has rated this patch as Important. Gladiator recommends that this patch be applied during your institution’s normal patch cycle.
• Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602) MS11-089 – This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Microsoft has rated this patch as Important. Gladiator recommends that this patch be applied immediately to all systems.
• Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702) MS11-091 – This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens a specially crafted Publisher file. Microsoft has rated this patch as Important. Gladiator recommends that this patch be applied immediately to all systems.
• Vulnerability in OLE Could Allow Remote Code Execution (2624667) MS11-093 – This security update resolves a privately reported vulnerability in all supported editions of Windows XP and Windows Server 2003. The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Microsoft has rated this patch as Important. Gladiator recommends that this patch be applied immediately to all systems.
• Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142) MS11-094 – This security update resolves two privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited either of the vulnerabilities could take complete control of an affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Microsoft has rated this patch as Important. Gladiator recommends that this patch be applied immediately to all systems.
• Vulnerability in Active Directory Could Allow Remote Code Execution (2640045) MS11-095 – This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow remote code execution if an attacker logs on to an Active Directory domain and runs a specially crafted application. To exploit this vulnerability, an attacker would first need to acquire credentials to log on to an Active Directory domain. Microsoft has rated this patch as Important. Gladiator recommends that this patch be applied immediately to all systems.
• Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241) MS11-096 – This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Microsoft has rated this patch as Important. Gladiator recommends that this patch be applied immediately to all systems.
• Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712) MS11-097 – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process. Microsoft has rated this patch as Important. Gladiator recommends that this patch be applied during your institution’s normal patch cycle.
• Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171) MS11-098 – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability. The vulnerability could not be exploited remotely or by anonymous users. Microsoft has rated this patch as Important. Gladiator recommends that this patch be applied during your institution’s normal patch cycle.
• Cumulative Security Update for Internet Explorer (2618444) MS11-099 – This security update resolves three privately reported vulnerabilities in Internet Explorer. The most severe vulnerability could allow remote code execution if a user opens a legitimate HyperText Markup Language (HTML) file that is located in the same directory as a specially crafted dynamic link library (DLL) file. Microsoft has rated this patch as Important. Gladiator recommends that this patch be applied immediately to all systems.

Reference Links:

• Microsoft Patch Bulletin (http://technet.microsoft.com/en-us/security/bulletin/ms11-dec)
• ISC Patch Summary (http://isc.sans.edu/diary.html?storyid=12193)