Today we released 17 security bulletins. Nine have a maximum severity rating of Critical and eight have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
|Bulletin||Most likely attack vector||Max Bulletin Severity||Max Exploit-ability Index||Likely first 30 days impact||Platform mitigations and key notes|
|Victim browses to a malicious webpage.||Critical||1||We are aware of targeted attacks leveraging both CVE-2011-0094 and CVE-2011-1345.||IE8 and IE9 not vulnerable to CVE-2011-0094. IE9 not vulnerable to CVE-2011-1345.|
|Victim makes an outbound connection to a malicious SMB server which responds with a malicious SMB packet, potentially executing code on the client in ring0.||Critical||1||Likely to see reliable exploits developed within next 30 days for CVE-2011-0660.||Windows 7 SP1 vulnerable to CVE-2011-0660 for denial of service only.|
|Attacker sends malicious network traffic to a victim running the Server service, potentially executing code in ring0.||Critical||1||Likely to see reliable exploits developed within next 30 days.||Many home routers and enterprise perimeter firewalls block SMB ports (139, 445).|
|Victim browses to a malicious webpage.||Critical||1||Likely to see reliable exploits developed for one or more of these ActiveX controls.||CVE-2011-1243 affects only Windows XP users who have never used Windows Messenger.|
|Victim browses to a malicious webpage that offers an XBAP application. Could also be used by a malicious ASP.Net application to bypass CAS restrictions.||Critical||1||Vulnerability itself is exploitable (hence the “1” rating). However, we do not typically see XBAP exploits in the wild. Remains to be seen if attackers will attempt to exploit this.||Silverlight not affected.|
(Opentype Font driver)
|Victim using explorer.exe browses to a folder containing a malicious OTF file. Could also be used as a local elevation of privilege for an attacker already able to run code on a machine.||Critical||1*||Likely to see reliable exploits developed within next 30 days.||Windows XP and Windows Server 2003 not vulnerable to the shell preview attack vector.|
|Victim opens malicious Word document or opens a malicious EMF file.||Critical||1||Likely to see reliable exploit developed in next 30 days.||Office 2003 and later versions of Office are not affected. Windows 7 also not affected.|
(VBScript / JScript)
|Victim browses to a malicious webpage.||Critical||2||Difficult to build a reliable exploit. Less likely to see this issue exploited for code execution in next 30 days.||32-bit platforms unlikely to be exploited for code execution unless running with /3GB boot option.|
(DNS link-local name resolution)
|Attacker sends a malicious link local multicast name resolution (LLMNR) request to victims on the same local link, potentially executing code as NetworkService on nearby systems.||Critical||2||Difficult to build a reliable exploit. Less likely to see this issue exploited for code execution in first 30 days.||Does not affect systems using the (default) Public network profile.|
|Victim browses to a malicious website that steals browser cookies for other trusted website.||Important||n/a||We are aware of public exploits that attempt to leverage CVE-2011-0096.||No direct code execution. This is an information disclosure threat.|
|Victim opens a malicious Excel spreadsheet (XLS).||Important||1||Likely to see reliable exploit developed in next 30 days.|
|Victim opens a malicious PowerPoint presentation (PPT).||Important||1||Likely to see reliable exploit developed in next 30 days.|
|Victim opens a malicious Excel spreadsheet (XLS).||Important||1||CVE-2011-0107 (DLL Preloading vulnerability) has been disclosed publicly.
The other CVE addressed in this bulletin (CVE-2011-0977) would be more difficult to exploit for code execution.
|Office 2010 not affected.|
|Victim opens malicious RTF, WRI, or DOC file with Wordpad.||Important||2||Difficult to build a reliable exploit. Less likely to see this issue exploited for code execution in first 30 days.||Windows Vista and later versions of Windows are not affected.|
|Attacker running code on a machine already elevates from low-privileged account to SYSTEM.||Important||1||Likely to see an exploit released granting a local attacker SYSTEM level access.||30 of this month’s 64 vulnerabilities being addressed in this bulletin. More information about the high vulnerability count in this month’s SRD blog post.|
|Victim browses to a malicious WebDAV share and launches an application by double-clicking a content file hosted on the attacker-controlled WebDAV share.||Important||1||Exploiting DLL preloading cases is straightforward. Therefore, exploit code is likely to appear.|
(Fax cover sheet)
|Victim opens a malicious fax cover sheet (COV, CPE).||Important||3||Less likely to see real-world effective exploits for this filetype due to mitigating factors.||No version of Windows will open a .cov file by default via a registered file extension (double-clicking the file). The affected component is not installed by default or is not registered.|
In addition to the bulletins, two interesting advisories are being released today. Security advisory 2501584 describes a great protection mechanism available for Office 2003 and Office 2007 customers to download and install. The Office team’s blog post about the tool is available at http://blogs.technet.com/b/office_sustained_engineering/archive/2011/04/11/office-file-validation-general-availability-announcement.aspx.
The second advisory, KB 2506014, hardens Windows against kernel-mode rootkits. This specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family. It is an update available on WU and WSUS, pushed out automatically to customers who have opt-in to Automatic Updates.
If you have any questions about these updates, please email us at switech [at] microsoft [dot] com. You can also tune into the MSRC webcast tomorrow where I’ll be answering questions on-the-air. The MSRC blog post has all the information for that.
Update April 13: Corrected the MS11-028 bulletin severity and affected products. Also moved this bulletin up higher in priority due to this correction.
*Update April 15: Corrected the MS11-032 bulletin exploitability due to a rating error. Also moved MS11-032 higher in priority order.
– Jonathan Ness, MSRC Engineering