Patch Tuesday Analysis for February 2011

Many of the updates released this month address vulnerabilities in the heart of the OS, affecting key components. A glance at Microsoft's Exploitability Index chart indicates that we can expect consistent exploit code to be likely in the near future. Six of these have already been publicly disclosed.
 
MS11-003 is a cumulative update addressing 4 vulnerabilities in Internet Explorer, two of which are publicly disclosed. Of those, one is being exploited. IIS servers and workstations running the FTP service on Vista or later are primarily at risk from the vulnerability addressed in MS11-004. A restart of domain controllers is required to implement MS11-005; administrators of Server 2003 domain controllers will want to plan for this to minimize disruptions. Microsoft indicates that consistent exploit code is unlikely for this vulnerability. MS11-008 addresses two privately reported vulnerabilities in Visio 2002, 2003 and 2007. MS11-010 and MS11-011 both address vulnerabilities that could allow privilege elevation. These involve basic components of the operating system and so require a restart. In addition, kernel mode drivers can wreak havoc and cause a system to crash. MS11-012 deals with 5 vulnerabilities and also requires a restart. To exploit any of these vulnerabilities a user must be able to log on locally or via Terminal Services. MS11-013 addresses 2 vulnerabilities. One of these is not exploitable if the domain is on Server 2008; this first vulnerability has been publicly disclosed. A Kerberos spoofing vulnerability also exists on Server 2008 R2 that could weaken Kerberos encryption, making it easier to crack. To exploit the vulnerability in MS11-014 a user must be logged on locally.

| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS11-011 (2393802) | Privilege elevation / Windows | Workstations, Terminal Servers | Yes/No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-008 (2451879) | Arbitrary code / Office Visio | Workstations, Terminal Servers | No/No | Yes | Important | Visio 2003, Visio 2002, Visio 2007 | | Patch after testing |
| MS11-009 (2475792) | Information disclosure / JScript and VBScript Scripting Engine | Workstations, Terminal Servers | No/No | No | Important | Server 2008 R2, Windows 7 | | Patch after testing |
| MS11-010 (2476687) | Privilege elevation / Windows | Workstations | No/No | No | Important | XP, Server 2003 | Restart Req'd | Patch after testing |
| MS11-005 (2478953) | Denial of service / Active Directory | Domain Controllers | Yes/No | No | Important | Server 2003 | | Patch after testing |
| MS11-014 (2478960) | Privilege elevation / Windows | Workstations, Terminal Servers | No/No | No | Important | XP, Server 2003 | Restart Req'd | Patch after testing |
| MS11-012 (2479628) | Privilege elevation / Windows kernel mode drivers | Workstations, Terminal Servers | No/No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-003 (2482017) | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | Yes/Yes | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Cumulative Update; Restart Req'd | Patch after testing |
| MS11-006 (2483185) | Arbitrary code / Windows Shell | Workstations, Terminal Servers | Yes/No | Yes | Critical | XP, Vista, Server 2003, Server 2008 | Restart Req'd; proof of concept code published | Patch after testing |
| MS11-007 (2485376) | Arbitrary code / OpenType CFF | Workstations, Terminal Servers | No/No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-004 (2489256) | Arbitrary code / IIS | Workstations, IIS Servers | Yes/No | Yes | Important | Vista, Server 2008, Server 2008 R2, Windows 7 | | Patch after testing |
| MS11-013 (2496930) | Privilege elevation / Kerberos | Workstations, Terminal Servers, Servers | Yes/No | No | Important | XP, Win2003, Windows 7, Win2008 R2 | Restart Req'd | Patch after testing |
