Hello and welcome to this month’s blog on Microsoft’s patch releases. This is an average month—the vendor is releasing four bulletins covering a total of 22 vulnerabilities. Only one of the issues is rated ‘Critical’ and it affects the Microsoft Bluetooth Stack. An attacker in physical proximity to a vulnerable computer can exploit this issue for a complete compromise. The remaining issues, all rated “Important,” include a patch for a previously public issue in Microsoft Visio, and multiple local issues in the Client/Server Runtime Subsystem (CSRSS) and Windows kernel-mode drivers. As always, customers are advised to follow these security best practices: - Install vendor patches as soon as they are available. - Run all software with the least privileges required while still maintaining functionality. - Avoid handling files from unknown or questionable sources. - Never visit sites of unknown or questionable integrity. - Block external access at the network perimeter to all key systems unless specific access is required. Microsoft’s summary of the July releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms11-jul.mspx The following is a breakdown of the issues being addressed this month: 1. MS11-053 Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (2566220) CVE-2011-1265 (BID 48617) Microsoft Windows Bluetooth Stack 'bthport.sys' Driver Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10) A remote code-execution vulnerability affects the Windows Bluetooth stack due to how it accesses memory that has not been properly initialized or has been deleted. An attacker in physical proximity to an affected computer could exploit this issue to execute arbitrary code with SYSYTEM-level privileges. This could facilitate a complete compromise of the affected computer. 2. MS11-054 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917) CVE-2011-1874 (BID 48587) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1874) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to improper object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1875 (BID 48589) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1875) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to improper object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1876 (BID 48590) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1876) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to improper object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1877 (BID 48591) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1877) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to improper object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1878 (BID 48592) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1878) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to improper object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1879 (BID 48593) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1879) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to improper object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1880 (BID 48597) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1880) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to a NULL-pointer dereference during object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1881 (BID 48599) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1881) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to a NULL-pointer dereference during object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1882 (BID 48594) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1882) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to improper object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1883 (BID 48595) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1883) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to improper object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1884 (BID 48596) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1884) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to improper object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1885 (BID 48600) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1885) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to a NULL-pointer dereference during object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1886 (BID 48607) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1886) Local Information Disclosure Vulnerability (MS Rating: Important / Symantec Rating: 4.4/10) A local information-disclosure vulnerability affects the Windows kernel-mode drivers due to a failure to properly validate function parameters. A local attacker can exploit this issue to retrieve arbitrary kernel memory. Information obtained may aid in further attacks. CVE-2011-1887 (BID 48601) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1887) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to a NULL-pointer dereference during object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. CVE-2011-1888 (BID 48603) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1888) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Windows kernel-mode drivers due to a NULL-pointer dereference during object management. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer. 3. MS11-056 Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938) CVE-2011-1281 (BID 48588) Microsoft Windows CSRSS 'AllocConsole()' Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Client/Server Runtime Subsystem (CSRSS) due to a memory-corruption issue when handling multiple console objects associated with a process. A local attacker can exploit this issue to elevate their privileges to SYSTEM level. This will facilitate a complete compromise of the affected computer. CVE-2011-1282 (BID 48598) Microsoft Windows CSRSS 'SrvSetConsoleLocalEUDC()' Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Client/Server Runtime Subsystem (CSRSS) due to a NULL-pointer issue that can cause memory-corruption. A local attacker can exploit this issue to elevate their privileges to SYSTEM level. This will facilitate a complete compromise of the affected computer. CVE-2011-1283 (BID 48604) Microsoft Windows CSRSS 'SrvSetConsoleNumberOfCommands()' Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Client/Server Runtime Subsystem (CSRSS) due to user-supplied input being used as an index for an array. A local attacker can exploit this issue to elevate their privileges to SYSTEM level. This will facilitate a complete compromise of the affected computer. CVE-2011-1284 (BID 48606) Microsoft Windows CSRSS 'SrvWriteConsoleOutput()' Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Client/Server Runtime Subsystem (CSRSS) due to an integer-overflow. A local attacker can exploit this issue to elevate their privileges to SYSTEM level. This will facilitate a complete compromise of the affected computer. CVE-2011-1870 (BID 48605) Microsoft Windows CSRSS 'SrvWriteConsoleOutputString()' Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 6.6/10) A local privilege-escalation vulnerability affects the Client/Server Runtime Subsystem (CSRSS) due to an integer-overflow. A local attacker can exploit this issue to elevate their privileges to SYSTEM level. This will facilitate a complete compromise of the affected computer. 4. MS11-055 Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847) CVE-2010-3148 (BID 42681) Microsoft Visio 2003 'mfc71enu.dll' DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10) A previously public (Aug 25, 2010) remote code-execution vulnerability affects Visio due to how it loads Dynamic Link Library (DLL) files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a Visio file from a remotely accessible WebDAV or SMB share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected application. ========================= More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.