Security Response

Microsoft Patch Tuesday - November 2011

Created: 08 Nov 2011 22:48:11 GMT • Updated: 23 Jan 2014 18:18:27 GMT • Translations available: 日本語
By Robert Keith

Hello, welcome to this month’s blog on the Microsoft patch release. This is a small month—the vendor is releasing four bulletins covering a total of four vulnerabilities.

Only one of this month's issues is rated ‘Critical’, and it affects the Windows TCP/IP stack. It can potentially be exploited to completely compromise an affected computer. The remaining issues affect Active Directory, Windows Mail, and Windows kernel-mode drivers.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the November releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms11-nov

The following is a breakdown of the issues being addressed this month:

  1. MS11-083 Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

    CVE-2011-2013 (BID 50517) Microsoft Windows TCP/IP Stack Reference Counter Integer Overflow Vulnerability (MS Rating: Critical; Symantec Urgency Rating: 8.2/10)

    A remote code execution vulnerability affects the Windows TCP/IP stack when handling a continuous flow of UDP packets. An attacker can exploit this issue by sending a series of malformed packets to an affected computer. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the kernel. This may facilitate a complete system compromise.

    Affects: Windows Vista SP2, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 for Itanium-based Systems SP2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, Windows Server 2008 R2 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems SP1, Windows Server 2008 R2 for Itanium-based Systems, and Windows Server 2008 R2 for Itanium-based Systems SP1

  2. MS11-085 Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)

    CVE-2011-2016 (BID 50507) Windows Mail and Windows Meeting Space DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important; Symantec Urgency Rating: 8.5/10)

    A remote code-execution vulnerability affects Windows Mail and Windows Meeting Space due to how they load DLL files. An attacker can exploit this issue by enticing an unsuspecting victim into opening a file associated with the applications from a remote SMB or WebDAV share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

    Affects: Windows Vista SP2, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 for Itanium-based Systems SP2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, Windows Server 2008 R2 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems SP1, Windows Server 2008 R2 for Itanium-based Systems, and Windows Server 2008 R2 for Itanium-based Systems SP1

  3. MS11-086 Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)

    CVE-2011-2014 (BID 50518) Microsoft Active Directory LDAPS Authentication Bypass Vulnerability (MS Rating: Important; Symantec Urgency Rating: 6.8/10)

    An authentication-bypass vulnerability affects Active Directory when it is configured to use LDAP over SSL, because it fails to properly verify whether a certificate has been revoked. An attacker can exploit this issue to gain access to an affected system by using a revoked certificate.

    Affects: Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 R2 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems SP1, Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Vista SP2, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems SP2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, Windows Server 2008 R2 for x64-based Systems, and Windows Server 2008 R2 for x64-based Systems SP1

  4. MS11-084 Microsoft Windows Kernel TrueType Font Parsing (CVE-2011-2004) Denial of Service Vulnerability (2617657)

    CVE-2011-2004 (BID 50510) TrueType Font Parsing Vulnerability (MS Rating: Moderate; Symantec Urgency Rating: 5.3/10)

    A denial-of-service vulnerability affects the Windows kernel when handling TrueType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into connecting to a remote share that is hosting a malicious font. A successful exploit will cause the affected computer to stop responding, effectively denying service.

    Affects: Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, Windows Server 2008 R2 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems SP1, Windows Server 2008 R2 for Itanium-based Systems, and Windows Server 2008 R2 for Itanium-based Systems SP1
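The MS11-086 description above turns on a single check: a server that authenticates a client by its certificate must confirm the certificate has not been revoked. As an added example that is not part of the original post, the following PowerShell function uses the .NET X509Chain class to validate a certificate while requiring a revocation check for the entire chain, and it reports an unknown or unreachable revocation status as a failure rather than a pass. The certificate path in the usage line is a placeholder.

```powershell
# Added example (not from the original post): validate a certificate with a
# mandatory revocation check, the verification MS11-086 describes AD LDAPS as
# failing to perform. The certificate path passed in is a placeholder.
function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory)] [string] $Path,                          # .cer file (DER or Base64) to test
        [ValidateSet('Online','Offline')] [string] $RevocationMode = 'Online'  # Online fetches CRL/OCSP; Offline uses the local cache only
    )
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$ns.X509Certificate2" $Path
    $chain = New-Object "$ns.X509Chain"

    # Require a revocation check for every certificate in the chain, not just the leaf.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::$RevocationMode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Do not ignore any error class (the default policy already does not, but be explicit).
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $chainValid = $chain.Build($cert)

    # Fold every reported status flag into one integer bitmask so individual flags can be tested.
    $flags = 0
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor [int]$s.Status }
    $revoked = [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $unknown = [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown
    $offline = [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation

    $isRevoked         = [bool]($flags -band $revoked)
    $revocationUnknown = [bool]($flags -band ($unknown -bor $offline))

    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        ChainValid        = $chainValid
        Revoked           = $isRevoked
        RevocationUnknown = $revocationUnknown
        # Fail closed: accept only when the chain built AND revocation was positively checked.
        Accept            = ($chainValid -and -not $isRevoked -and -not $revocationUnknown)
        Status            = (($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; ')
    }
}

# Usage (placeholder path):
# Test-CertificateRevocation -Path 'C:\placeholder\client.cer' | Format-List
```

Running this with -RevocationMode Offline on a host with no cached CRL makes RevocationUnknown true and Accept false; a server that treated that condition as success is in the same position as the one MS11-086 describes, since a revoked certificate it could not check would be accepted. The function only inspects a certificate file you supply and changes no Active Directory or Schannel setting.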

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
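The first best practice above is to install vendor patches as soon as they are available, and each bulletin in the breakdown carries its KB article number. As an added example, not from the original post, the following PowerShell function uses Get-HotFix to report which of the four November 2011 updates are present on one or more machines. It assumes that the installed hotfix ID is the KB number given in each bulletin title (for example, that MS11-083 installs as KB2588516); the computer names in the usage lines are placeholders.

```powershell
# Added example (not from the original post): patch-presence report for the
# four November 2011 bulletins. Assumption: each update registers under the KB
# number shown in the bulletin title.
$November2011Bulletins = @(
    [pscustomobject]@{ Bulletin='MS11-083'; KB='KB2588516'; Rating='Critical';  Issue='TCP/IP remote code execution (CVE-2011-2013)' }
    [pscustomobject]@{ Bulletin='MS11-085'; KB='KB2620704'; Rating='Important'; Issue='Windows Mail / Meeting Space DLL loading (CVE-2011-2016)' }
    [pscustomobject]@{ Bulletin='MS11-086'; KB='KB2630837'; Rating='Important'; Issue='Active Directory LDAPS revoked-certificate bypass (CVE-2011-2014)' }
    [pscustomobject]@{ Bulletin='MS11-084'; KB='KB2617657'; Rating='Moderate';  Issue='Kernel TrueType font denial of service (CVE-2011-2004)' }
)

function Get-November2011PatchStatus {
    param([string[]] $ComputerName = $env:COMPUTERNAME)   # defaults to the local machine
    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering on the target host.
            $installed = (Get-HotFix -ComputerName $computer -ErrorAction Stop).HotFixID
        } catch {
            Write-Warning "Could not query $computer : $($_.Exception.Message)"
            continue
        }
        foreach ($b in $November2011Bulletins) {
            [pscustomobject]@{
                Computer  = $computer
                Bulletin  = $b.Bulletin
                KB        = $b.KB
                Rating    = $b.Rating
                Installed = ($installed -contains $b.KB)
                Issue     = $b.Issue
            }
        }
    }
}

# Usage (placeholder host names):
# Get-November2011PatchStatus | Format-Table -AutoSize
# Get-November2011PatchStatus -ComputerName 'dc01','file01' | Where-Object { -not $_.Installed }
```

Read a missing KB together with the "Affects" list for that bulletin: an update that does not apply to a host (because the operating system or the affected component is not present) will never appear in Get-HotFix, so the Installed column is a prompt to confirm applicability, not by itself proof of an unpatched machine. Remote queries need WMI access to the target and an account permitted to read it.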