[Security Update] November 2011 Microsoft Super Tuesday
Microsoft had a very light month for their regularly scheduled monthly update. Four CVEs were addressed in four separate bulletins. Here's our take on this month's critical and important bulletins.
MS11-083 : Vulnerability in TCP/IP Could Allow Remote Code Execution
This bulletin covers a critical severity in tcpip.sys for recent versions of Windows (Vista and later). A large number of specially crafted UDP packets can overflow a counter causing an inadvertent freeing of a memory structure. The resulting memory corruption can lead to a denial of service via bugcheck or potentially even kernel mode code execution. Blocking of unused UDP ports at the perimeter and/or in the Windows firewall can help to mitigate the problem. Although the potential exists for a worm, the large amount of traffic required to exploit this vulnerability wouldn't make it an attractive vehicle.
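As an added example (not from the bulletin or from Microsoft), the detection side of the mitigation above: a small Python routine that reads Windows Firewall pfirewall.log lines and flags sources sending an unusual burst of UDP packets to ports the host does not serve. The log lines are constructed, and the 60-second window and 100-packet threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Header line of the Windows Firewall log; records use the same column order.
FIELDS = "#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path"

def parse_line(line):
    """Return (timestamp, protocol, src_ip, dst_port); None for headers or junk."""
    f = line.split()
    if not f or f[0].startswith("#") or len(f) < 8:
        return None
    try:
        return datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"), f[3], f[4], int(f[7])
    except ValueError:
        return None

def udp_flood_sources(lines, served_ports, window_seconds=60, threshold=100):
    """Sources sending more than `threshold` UDP packets to ports outside
    `served_ports` within any `window_seconds` window -> peak count.
    ALLOW records reached the stack; DROP records are bursts the firewall stopped."""
    per_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        ts, proto, src, dport = rec
        if proto == "UDP" and dport not in served_ports:
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged

def build_sample():
    """Constructed log: 150 UDP packets from 10.0.0.5 to closed port 5000 within
    30 s, plus five DNS queries from 10.0.0.7 that must not be flagged."""
    base = datetime(2011, 11, 8, 10, 0, 0)
    lines = [FIELDS]
    for i in range(150):
        t = base + timedelta(seconds=i // 5)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} DROP UDP 10.0.0.5 192.168.1.10 {40000 + i} 5000 60 - - - - - - - RECEIVE")
    for i in range(5):
        t = base + timedelta(seconds=i * 10)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} ALLOW UDP 10.0.0.7 192.168.1.10 {50000 + i} 53 70 - - - - - - - RECEIVE")
    return lines
```

Point it at a real pfirewall.log (`udp_flood_sources(open(path), served_ports={53, 137, 138})`) with the ports the host actually listens on, and the result is the set of sources worth blocking at the perimeter.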
MS11-085 : Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution
This bulletin covers a dll hijacking vulnerability in a component of Windows Mail. An attacker who entices a victim to open associated files such as a .eml or .wcinv on a remote share can supply an attacker-controlled dll which will be loaded and executed. You've seen these vulnerabilities before; you know what to do. Block SMB and WebDAV at the network perimeter, adjust DLL loading behavior, etc.
MS11-086 : Vulnerability in Active Directory Could Allow Elevation of Privilege
SSL and certificate issues are definitely in vogue. The vulnerability addressed in this update is in Active Directory using LDAP over SSL. AD doesn't correctly check the certificate revocation list and can allow an attacker to authenticate with a revoked certificate for a valid domain user.