Internet Security Systems - AlertCon(TM)

March 2011 Microsoft Super Tuesday

Posted by Shane Garrett on March 08, 2011 at 1:11 PM EST.

March was a very light month for Microsoft.  Three of the four CVEs addressed in the drop are DLL hijacking vulnerabilities.  The other vulnerability is a serious remote code execution bug in a video format.

  • MS11-015 : Vulnerabilities in Windows Media Could Allow Remote Code Execution

    Two vulnerabilities, one publicly and one privately disclosed, in Windows Media Player/Media Center are covered in this bulletin.  The publicly disclosed vulnerability is a DLL hijacking vulnerability in Windows Media Player that can allow an attacker to run arbitrary code when a victim opens certain files associated with Media Player from an attacker controlled remote share.  Like all DLL hijacking vulnerabilities, the exposure to this can be minimized by blocking SMB and WebDAV at the network perimeter.  The privately disclosed vulnerability is a more serious threat.  It is a remote code execution vulnerability in Windows Media Player and Windows Media Center's handling of Microsoft Digital Video Recording (DVR-MS) files.  A specially crafted DVR-MS file could be embedded in a web page or sent as an attachment in an email.  A victim that visits the malicious web page or opens the attachment could then run attacker supplied code.

  • MS11-016 : Vulnerability in Microsoft Office Groove Could Allow Remote Code Execution
  • MS11-017 : Vulnerability in Remote Desktop Client Could Allow Remote Code Execution

    Both of these bulletins cover privately disclosed DLL hijacking vulnerabilities in the indicated programs.  While exploiting these vulnerabilities is trivial, blocking SMB and WebDAV traffic at the network perimeter reduces the chance of external exploitation.  Microsoft also provides registry keys to modify the DLL loading behavior to help mitigate these vulnerabilities as well.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.