Microsoft June 2011 Black Tuesday Overview
Overview of the June 2011 Microsoft patches and their status.
# | Description | Affected | Contra Indications - KB | Known Exploits | Microsoft rating | ISC rating(*): clients | ISC rating(*): servers
---|---|---|---|---|---|---|---
MS11-037 | The MHTML (MIME Encapsulated HTML) protocol handler is vulnerable to information disclosure through an XSS-like problem. Replaces MS11-026. | MHTML CVE-2011-1894 | KB 2544893 | Publicly known vulnerability. | Severity: Important; Exploitability: 3 | Important | Low
MS11-038 | WMF processing by OLE allows for arbitrary code execution with the rights of the logged on user. Replaces MS08-008. | OLE - WMF CVE-2011-0658 | KB 2476490 | No known exploits | Severity: Critical; Exploitability: 1 | Critical | Important
MS11-039 | Input validation vulnerabilities in the .NET framework and the Silverlight implementations allow for arbitrary code execution with the rights of the logged on user. | .NET - Silverlight CVE-2011-0664 | KB 2514842 | No known exploits | Severity: Critical; Exploitability: 1 | Critical | Important
MS11-040 | Improper bounds checking in Microsoft Forefront Threat Management Gateway 2010 Client allows for arbitrary code execution in the context of the service. | Forefront TMG CVE-2011-1889 | KB 2520426 | No known exploits | Severity: Critical; Exploitability: 1 | Critical | Important
MS11-041 | An input validation problem in the parsing of OTF (OpenType Font) fonts in 64-bit kernels allows for arbitrary code execution in kernel mode. This is remotely exploitable through file sharing, WebDAV, websites, email and more. Replaces MS11-034. | OTF CVE-2011-1873 | KB 2525694 | No known exploits | Severity: Critical; Exploitability: 2 | Critical | Important
MS11-042 | Input validation problems in the Distributed File System (DFS) implementation allow for arbitrary code execution in the context of the service or denial of service (DoS) conditions. | DFS (Distributed File System) CVE-2011-1868 CVE-2011-1869 | KB 2535512 | No known exploits | Severity: Critical; Exploitability: 1-3 | Critical | Critical
MS11-043 | An input validation problem in the parsing of the responses to SMB requests allows for arbitrary code execution in the context of the service. Replaces MS11-019 and MS10-020. | SMB CVE-2011-1268 | KB 2536276 | No known exploits | Severity: Critical; Exploitability: 1 | Critical | Important
MS11-044 | An input validation problem in the JIT optimization of the .NET framework allows for arbitrary code execution in the context of the logged on user, and for bypassing security measures such as the CAS (Code Access Security) restrictions. Replaces MS11-028 and MS10-060. | .NET CVE-2011-1271 | KB 2538814 | Publicly disclosed vulnerability. | Severity: Critical; Exploitability: 2 | Critical | Critical
MS11-045 | Multiple vulnerabilities in Excel allow for arbitrary code execution in the context of the logged on user. Office for Mac versions are also affected. Replaces MS11-021 and MS11-022. | Excel CVE-2011-1272 CVE-2011-1273 CVE-2011-1274 CVE-2011-1275 CVE-2011-1276 CVE-2011-1277 CVE-2011-1278 CVE-2011-1279 | KB 2537146 | No known exploits | Severity: Important; Exploitability: 1-3 | Critical | Important
MS11-046 | An input validation vulnerability in AFD (Ancillary Function Driver) allows for privilege escalation and arbitrary code execution in kernel mode for logged on users. Replaces MS10-066. | AFD CVE-2011-1249 | KB 2503665 | Publicly disclosed vulnerability, Microsoft claims "limited, targeted attacks attempting to exploit the vulnerability" | Severity: Important; Exploitability: 1 | Critical | Critical
MS11-047 | A Denial of Service (DoS) condition is possible where an authenticated user of a guest system can cause a denial of service on the host system. Replaces MS10-102. | Hyper-V CVE-2011-1872 | KB 2525835 | No known exploits. | Severity: Important; Exploitability: 3 | Low | Important
MS11-048 | A parsing error in the SMB server can be used to cause a Denial of Service (DoS) condition. Replaces MS09-050. | SMB server CVE-2011-1267 | KB 2530548 | No known exploits. | Severity: Important; Exploitability: 3 | Low | Important
MS11-049 | XML editor can leak file content through XML external entities that are nested. XML editor is part of InfoPath, SQL Server, and Visual Studio. Replaces MS10-039 and MS09-062. | XML editor CVE-2011-1280 | KB 2543893 | No known exploits. | Severity: Important; Exploitability: 3 | Important | Important
MS11-050 | Multitude of vulnerabilities in MSIE. Replaces MS11-018. | MSIE CVE-2011-1246 CVE-2011-1250 CVE-2011-1251 CVE-2011-1252 CVE-2011-1254 CVE-2011-1255 CVE-2011-1256 CVE-2011-1258 CVE-2011-1260 CVE-2011-1261 CVE-2011-1262 | KB 2543893 | UPDATE 17/6: Symantec reports exploits against CVE-2011-1255 in the wild. Exploits publicly available claiming to work against CVE-2011-1260. | Severity: Critical; Exploitability: 1-3 | Critical | Important
MS11-051 | Active Directory Certificate Services Web Enrollment allows for a reflected XSS issue. | Active Directory Certificate Services Web Enrollment CVE-2011-1264 | KB 2518295 | No known exploits. | Severity: Important; Exploitability: 1 | N/A | Important
MS11-052 | A VML memory corruption allows arbitrary code execution in MSIE with the rights of the logged on user. IE9 is not affected. | VML - MSIE CVE-2011-1266 | KB 2544521 | No known exploits. | Severity: Critical; Exploitability: 1 | Critical | Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
- We use 4 levels:
  - PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
  - Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
  - Important: Things where more testing and other measures can help.
  - Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
--
Swa Frantzen -- Section 66
Comments
Conrad Longmore
Jun 14th 2011
1 decade ago
Swa
Jun 14th 2011
1 decade ago
daem0n647
Jun 15th 2011
1 decade ago
Swa
Jun 17th 2011
1 decade ago
On the website, a public metasploit exploit is available.
Joe
Jun 17th 2011
1 decade ago
"The ThreatCon is currently at Level 2: Elevated... On June 16, 2011, one of the issues fixed in Microsoft's June update, CVE-2011-1255, described in MS11-050 was found to be exploited in-the-wild. Customers are advised to install all applicable updates as soon as possible..."
MS11-050 - Critical - Cumulative Security Update for Internet Explorer (2530548)
- http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx
.
PC.Tech
Jun 17th 2011
1 decade ago
Alessandro
Jun 17th 2011
1 decade ago
It's a nightmare scenario for e.g. shared webhosting, or where e.g. a webmaster isn't fully trusted by the system administration.
To quote Microsoft: "The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario."
Swa
Jun 18th 2011
1 decade ago