February 2011 Microsoft Super Tuesday
Posted by Shane Garrett on February 08, 2011 at 2:16 PM EST.
February has a fairly hefty drop. It includes fixes for a number of publicly disclosed vulnerabilities that have public exploits. The following is a look at the bulletins that address these issues.
- MS11-003: Cumulative Security Update for Internet Explorer
Two of the four vulnerabilities patched in Internet Explorer were publicly disclosed. CVE-2010-3971 covers a vulnerability in the handling of multiple recursive import statements within a CSS file. This use-after-free bug can lead to remote code execution and has public exploits readily available. IBM customers have had protection available in the previously released CSS_Import_Corruption signature. The other vulnerability listed as publicly disclosed is CVE-2011-0038. This is a DLL hijacking vulnerability in IE 8 when opening .html files. The two privately disclosed vulnerabilities are both critical memory corruption vulnerabilities that can lead to remote code execution.
- MS11-004: IIS FTP Service Heap Buffer Overrun Vulnerability
The IIS FTP service has a publicly disclosed vulnerability in the handling of IAC commands. Due to the limited control an attacker could exert on the data written past the heap buffer, this vulnerability was initially classified as a denial of service. Subsequent research showed that even with limited control an attacker could potentially gain remote code execution. The known public exploits at the time of this writing are denial-of-service exploits against the FTP service. IBM customers have had protection against this available via the previously released FTP_IIS_IAC_Overflow signature.
- MS11-008: Windows Shell Graphics Processing Overflow Vulnerability
This bulletin covers a vulnerability in the rendering of a malformed thumbnail in meta-data embedded within certain file formats, such as Microsoft Word .doc files. The vulnerability can lead to remote code execution, and public exploits for it are readily available. The exploit occurs when Windows Explorer attempts to render the malicious file in preview mode. An attacker could attach a malicious file to an email and wait for the victim to browse to it, or entice the victim to open a share containing a malicious document. IBM customers have had protection against this available via the previously released CompoundFile_Windows_Thumbnail_Overflow signature. X-Force member Jon Larimer recently blogged about his presentations on this class of vulnerabilities in shell extensions.