March 2011 Microsoft Super Tuesday
Posted by Shane Garrett on March 08, 2011 at 1:11 PM EST.
March was a very light month for Microsoft. Three of the four CVEs addressed in the drop are DLL hijacking vulnerabilities. The other vulnerability is a serious remote code execution bug in a video format.
- MS11-015 : Vulnerabilities in Windows Media Could Allow Remote Code Execution
Two vulnerabilities, one publicly and one privately disclosed, in Windows Media Player/Media Center are covered in this bulletin. The publicly disclosed vulnerability is a DLL hijacking vulnerability in Windows Media Player that can allow an attacker to run arbitrary code when a victim opens certain files associated with Media Player from an attacker controlled remote share. Like all DLL hijacking vulnerabilities, the exposure to this can be minimized by blocking SMB and WebDAV at the network perimeter. The privately disclosed vulnerability is a more serious threat. It is a remote code execution vulnerability in Windows Media Player and Windows Media Center's handling of Microsoft Digital Video Recording (DVR-MS) files. A specially crafted DVR-MS file could be embedded in a web page or sent as an attachment in an email. A victim that visits the malicious web page or opens the attachment could then run attacker supplied code.
- MS11-016 : Vulnerability in Microsoft Office Groove Could Allow Remote Code Execution
- MS11-017 : Vulnerability in Remote Desktop Client Could Allow Remote Code Execution
Both of these bulletins cover privately disclosed DLL hijacking vulnerabilities in the indicated programs. While exploiting these vulnerabilities is trivial, blocking SMB and WebDAV traffic at the network perimeter reduces the chance of external exploitation. Microsoft also provides registry keys to modify the DLL loading behavior to help mitigate these vulnerabilities as well.