April 2011 Microsoft Black Tuesday Summary - SANS Internet Storm Center

Here are the April 2011 Black Tuesday patches. Enjoy!

Overview of the April 2011 Microsoft Patches and their status.

#	Affected	Contra Indications	Known Exploits	Microsoft rating	ISC rating(*)
#	Affected	Contra Indications	Known Exploits	Microsoft rating	clients	servers
MS11-018	Cumulative Security Update for Internet Explorer ( Replaces MS11-003 )
MS11-018	Internet Explorer 6-8 CVE-2011-0094 CVE-2011-0346 CVE-2011-1244 CVE-2011-1245 CVE-2011-1345	KB 2497640	No Known Exploits.	Severity:Critical Exploitability: 1,1,?,3,1	Critical	Critical
MS11-019	Vulnerabilities in SMB Client Could Allow Remote Code Execution ( Replaces MS10-020 )
MS11-019	Windows CVE-2011-0654 CVE-2011-0660	KB 2511455	No Known Exploits.	Severity:Critical Exploitability: 2,1	Critical	Critical
MS11-020	Vulnerability in SMB Server Could Allow Remote Code Execution ( Replaces MS10-012 MS10-054 )
MS11-020	Windows CVE-2011-0661	KB 2508429	No Known Exploits.	Severity:Critical Exploitability: 1	Critical	Critical
MS11-021	Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution ( Replaces MS10-080 MS10-087 )
MS11-021	Office XP SP3-2010, Office 2004-2011 for Mac, Open XML File Format Converter, Excel Viewer SP2, Office Compatibility Pack for 2007 file formats CVE-2011-0097 CVE-2011-0098 CVE-2011-0101 CVE-2011-0103 CVE-2011-0104 CVE-2011-0105 CVE-2011-0978 CVE-2011-0979 CVE-2011-0980	KB 2489279	No Known Exploits.	Severity:Important Exploitability: 1,1,1,2,2,2,1,1,1	Important	Important
MS11-022	Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution ( Replaces MS09-017 MS10-036 MS10-087 MS10-088 )
MS11-022	PowerPoint CVE-2011-0655 CVE-2011-0656 CVE-2011-0976	KB 2489283	No Known Exploits.	Severity:Important Exploitability: 2,2,1	Important	Important
MS11-023	Vulnerabilities in Microsoft Office Could Allow Remote Code Execution ( Replaces MS10-087 )
MS11-023	Office XP - 2007, Office 2004 - 2008 for Mac, Open XML File Format Converter CVE-2011-0107 CVE-2011-0977	KB 2489293	POC Available.	Severity:Important Exploitability: 1,2	Important	Important
MS11-024	Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution
MS11-024	Fax Services, Fax Server Role CVE-2010-3974	KB 2527308	POC Available.	Severity:Important Exploitability: 3	Critical	Important
MS11-025	Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution
MS11-025	Visual Studio .NET 2003 - 2010, Visual C++ 2005 - 2010 Redistributable Package CVE-2010-3190	KB 2500212	No Known Exploits.	Severity:Important Exploitability: 1	Important	Important
MS11-026	Vulnerability in MHTML Could Allow Information Disclosure
MS11-026	MHTML CVE-2011-0096	KB 2503658	ACTIVELY EXPLOITED.	Severity:Important Exploitability: 3	PATCH NOW!	Important
MS11-027	Cumulative Security Update of ActiveX Kill Bits ( Replaces MS10-034 )
MS11-027	Windows XP- 7, Server 2003-2008 CVE-2010-0811 CVE-2010-3973 CVE-2011-1243	KB 2508272	POC Available.	Severity:Critical Exploitability: ?,?,?	Critical	Critical
MS11-028	Vulnerability in .NET Framework Could Allow Remote Code Execution ( Replaces MS09-061 MS10-060 MS10-077 )
MS11-028	.NET framework (all supported version) CVE-2010-3958	KB 2484015	No Known Exploits.	Severity:Critical Exploitability: 1	Critical	Critical
MS11-029	Vulnerability in GDI+ Could Allow Remote Code Execution ( Replaces MS09-062 MS10-087 )
MS11-029	Windows XP-Vista, Windows Server 2003-2008, Office XP CVE-2011-0041	KB 2489979	No Known Exploits.	Severity:Critical Exploitability: 1	Critical	Critical
MS11-030	Vulnerability in DNS Resolution Could Allow Remote Code Execution ( Replaces MS08-020 MS08-037 MS08-066 )
MS11-030	Windows XP - 7, Windows Server 2008 CVE-2011-0657	KB 2509553	No Known Exploits.	Severity:Critical Exploitability: 2	Critical	Critical
MS11-031	Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution ( Replaces MS09-045 MS10-022 MS11-009 )
MS11-031	OpenType Compact Font Format (CFF) driver CVE-2011-0663	KB 2514666	No Known Exploits.	Severity:Critical Exploitability: 2	Critical	Important
MS11-032	Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution ( Replaces MS11-007 )
MS11-032	OpenType Compact Font Format (CFF) driver CVE-2011-0034	KB 2507618	No Known Exploits.	Severity:Critical Exploitability: 3	Critical	Important
MS11-033	Vulnerability in WordPad Text Converters Could Allow Remote Code Execution ( Replaces MS10-067 )
MS11-033	Microsoft Wordpad CVE-2011-0028	KB 2485663	No Known Exploits.	Severity:Important Exploitability: 1	Important	Important
MS11-034	Elevation of Privilege Vulnerabilities in Windows Kernel-Mode Drivers (Replaces MS10-012 )
MS11-034	Kernel Mode Drivers CVE-2011-0662 CVE-2011-0665 CVE-2011-0666 CVE-2011-0667 CVE-2011-0670 CVE-2011-0671 CVE-2011-0672 CVE-2011-0673 CVE-2011-0674 CVE-2011-0675 CVE-2011-0676 CVE-2011-0677 CVE-2011-1225 CVE-2011-1226 CVE-2011-1227 CVE-2011-1228 CVE-2011-1229 CVE-2011-1230 CVE-2011-1231 CVE-2011-1232 CVE-2011-1233 CVE-2011-1234 CVE-2011-1235 CVE-2011-1236 CVE-2011-1237 CVE-2011-1238 CVE-2011-1239 CVE-2011-1240 CVE-2011-1241 CVE-2011-1242	KB 2506223	No Known Exploits.	Severity:Important Exploitability: 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,1,1,1,3,1,1,1,1	Important	Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

SANS SEC401 coming to central OH in May, see http://www.sans.org/mentor/details.php?nid=24678

Jim

400 Posts
ISC Handler

How come for example MS11-019 is listed as no known exploits but checking the security focus link via CVE-2011-0654, there are two PoC available (i.e. www.securityfocus.com/bid/46360/exploit)?

Anonymous
Posts

Please refer people to the "Frequently Asked Questions (FAQ) Related to This Security Update" section of MS11-025.

<i><b>I am a third-party application developer and I use Visual C++. How do I update my application?</b>
For developers of applications who statically link the MFC libraries, applying this update is the only action. If you dynamically link MFC within your application, you will need to apply the update and recompile your program.</i>

I suspect that, unless MS is using a different terminology, they mixed up "static" and "dynamic", but the point that developers need to recompile after applying the update is an important one and should be spread to a wider audience.

Josh

4 Posts Posts

Watcher60, that was probably an oversight on my part. The Microsoft bulletin didn't suggest the existence of PoC and, frankly, with the huge number of CVEs, I didn't look at all the CVE entries (some of which are often not yet public when we get the bulletins). I'll update the diary entry.

Jim

400 Posts Posts
ISC Handler

Update broke my Calendar sidebar app. Before, a white numeral on orange background for today's date. Now, only orange background.

Win 7 64-bit SP1

Anonymous
Posts

Might be worth mentioning http://www.microsoft.com/technet/security/advisory/2506014.mspx

Fix to Windows Operating System Loader for unsigned OS component loading - e.g. root kits.

Anonymous
Posts

This round of patches have left both ISA 2006 servers unavailable by RDP access after reboot.

Tony

1 Posts Posts

@Tony what OS? If 2003 make sure an old dns issue isn't biting you - http://support.microsoft.com/kb/956188

Susan

34 Posts Posts

@Pevensey
You may wanna try http://support.microsoft.com/kb/2515657/en-us

Anonymous
Posts

A heads-up for anyone forced by budget constraints to work with slightly(!) out of date software follows: Update KB2467175 (MS11-025: security update for Visual C++ 2005 SP1 Redistributable Package: April 12, 2011) prevented the Information Store service of Exchange 2000 Server (yes, I know...) on Windows 2000 Server (yes, I KNOW...) from starting with Event ID 26 and message "Application popup: store.exe - Entry Point Not Found : The procedure entry point FindActCtxSectionStringW could not be located in the dynamic link library KERNEL32.dll." This caused a further event ID 7024 "The Microsoft Exchange Information Store service terminated with service-specific error 0." to be logged by the Service Control Manager

Uninstalling the update did not fix the problem, even after a reboot. I had to manually restore from backup the dll files replaced by the update and then reboot. Those files are listed in the MS KB here: http://support.microsoft.com/kb/2467175

The update also caused the AVG 8.5 user interface to fail to start with a similar "FindActCtxSectionStringW could not be located" message.

NB: the problem with the Exchange Store did not come to light straight away but only when the service was stopped for the offline part of the nightly backup. Here's hoping you don't waste 2 hours reinstalling & re-patching Exchange like I did... on the plus side the store itself was intact & started fine once the dll files were restored.

Hope this helps someone!

Anonymous
Posts

While one of my colleagues was speaking to Microsoft yesterday they indicated some initial feedback on MS11-028 indicated there may be some concerns with this patch. No specific details but tread carefully and as always, test thoroughly before deploying.

Anonymous
Posts

Is anyone else having a problem with their ISA servers after applying patches, like Tony who posted on Wednesday. I applied on one ISA with no trouble but approaching the others with caution.

Anonymous
Posts

Was also unable to RDP after applying updates and rebooting certain servers. Rebooted each problem server a second time and RDP started working fine. Very odd, but easily resolved in my case.

Anonymous
Posts

@Tony & John Sheats I've run into this problem a few times, it is mainly do to with not being connected as console when doing the reboot. Ms have this to say on the matter:

blogs.technet.com/b/askperf/archive/2008/03/18/…

@Louisa I've patched a bunch of ISA 2006 and TMG 2010 without any problems

Chris

105 Posts Posts
ISC Handler

MS011-022 for PowerPoint has known issues with PowerPoint 2003 - see http://support.microsoft.com/kb/2464588

"Presentations that contain layouts with a background images may cause an error when opened in PowerPoint 2003. A dialog will notify you that some contents (text, images or objects) have corrupted; the specific content lost will be what is specified in the layout, not the actual slide content itself. Items that were removed will display a blank box or a box containing “cleansed”."

They offer a workaround, but if you have been using a template with background images for "all" your PPT files then you will have to manually recover all these files...

It is tempting to wait for Microsoft to post "more information" and hopefully an updated update.

dotBATman

65 Posts Posts

- http://blogs.technet.com/b/srd/archive/2011/04/12/assessing-the-risk-of-the-april-security-updates.aspx
12 Apr 2011 - "... The second advisory, KB 2506014*, hardens Windows against kernel-mode rootkits. This specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family..."
[MS11-034 - "30 of this month’s 64 vulnerabilities being addressed in this bulletin..."]
Update April 13: Corrected the MS11-028 bulletin severity and affected products. Also moved this bulletin up higher in priority due to this correction.
*Update April 15: Corrected the MS11-032 bulletin exploitability due to a rating error. Also moved MS11-032 higher in priority order.
* http://www.microsoft.com/technet/security/advisory/2506014.mspx
___

- http://blog.trendmicro.com/stalking-tdl4-all-access-pass-to-the-hard-drive/
April 15, 2011 - "... patch specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family. More information can be found in the security bulletin for MS11-034*..."
* http://www.microsoft.com/technet/security/bulletin/ms11-034.mspx
.

Jack

160 Posts Posts

MS11-028 (KB2449742)
Causes problems on Server 2008 SP2 with Exchange 2010 SP1. After installing, OWA was crashing, free/busy time didn't work and offline address book distribution didn't work.

This also causes event viewer to crash, powershell and exchange management console to crash.

Removal of this update on the CAS server seems to fix the problem. It doesn't appear to affect servers with the mailbox role.

Some people think that this could be only an issue if using Symantec antivirus. We're using SEP 11 RU6a MP3 and have the issue.

http://support.microsoft.com/kb/2449742
http://blogs.technet.com/b/exchange/archive/2011/04/15/exchange-2010-management-tools-do-not-start-after-the-installation-of-net-hotfix-kb-2449742.aspx

Anonymous
Posts