Executive Summary

Summary
Title Microsoft Updates for Multiple Vulnerabilities
Informations
Name TA11-067A First vendor Publication 2011-03-08
Vendor US-CERT Last vendor Modification 2011-03-08
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

There are multiple vulnerabilities in Microsoft Windows and Microsoft Office. Microsoft has released updates to address these vulnerabilities.

I. Description

The Microsoft Security Bulletin Summary for March 2011 describes multiple vulnerabilities in Microsoft Windows and Microsoft Office.
Microsoft has released updates to address the vulnerabilities.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2011. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA11-067A.html

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11910
 
Oval ID: oval:org.mitre.oval:def:11910
Title: DEPRECATED: Untrusted search path vulnerability in Microsoft Office Groove 2007
Description: Multiple untrusted search path vulnerabilities in Microsoft Groove 2007 SP2 allow local users to gain privileges via a Trojan horse (1) mso.dll or (2) GroovePerfmon.dll file in the current working directory, as demonstrated by a directory that contains a Groove vCard (.vcg) or Groove Tool Archive (.gta) file, aka "Microsoft Groove Insecure Library Loading Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2010-3146
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Microsoft Office Groove 2007
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12281
 
Oval ID: oval:org.mitre.oval:def:12281
Title: DVR-MS Vulnerability
Description: SBE.dll in the Stream Buffer Engine in Windows Media Player and Windows Media Center in Microsoft Windows XP SP2 and SP3, Windows XP Media Center Edition 2005 SP3, Windows Vista SP1 and SP2, Windows 7 Gold and SP1, and Windows Media Center TV Pack for Windows Vista does not properly parse Digital Video Recording (.dvr-ms) files, which allows remote attackers to execute arbitrary code via a crafted file, aka "DVR-MS Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2011-0042
Version: 7
Platform(s): Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 7
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12480
 
Oval ID: oval:org.mitre.oval:def:12480
Title: Remote Desktop Insecure Library Loading Vulnerability
Description: Untrusted search path vulnerability in the client in Microsoft Remote Desktop Connection 5.2, 6.0, 6.1, and 7.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .rdp file, aka "Remote Desktop Insecure Library Loading Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2011-0029
Version: 5
Platform(s): Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 7
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12506
 
Oval ID: oval:org.mitre.oval:def:12506
Title: DirectShow Insecure Library Loading Vulnerability
Description: Untrusted search path vulnerability in DirectShow in Microsoft Windows Vista SP1 and SP2, Windows 7 Gold and SP1, Windows Server 2008 R2 and R2 SP1, and Windows Media Center TV Pack for Windows Vista allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a Digital Video Recording (.dvr-ms), Windows Recorded TV Show (.wtv), or .mpg file, aka "DirectShow Insecure Library Loading Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2011-0032
Version: 7
Platform(s): Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 7
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12632
 
Oval ID: oval:org.mitre.oval:def:12632
Title: Microsoft Groove Insecure Library Loading Vulnerability
Description: Multiple untrusted search path vulnerabilities in Microsoft Groove 2007 SP2 allow local users to gain privileges via a Trojan horse (1) mso.dll or (2) GroovePerfmon.dll file in the current working directory, as demonstrated by a directory that contains a Groove vCard (.vcg) or Groove Tool Archive (.gta) file, aka "Microsoft Groove Insecure Library Loading Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2010-3146
Version: 4
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Product(s): Microsoft Office Groove 2007
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Application 4
Application 1
Os 1
Os 3
Os 1
Os 8
Os 4
Os 3

SAINT Exploits

Description Link
Microsoft Office Groove Insecure Library Loading More info here
Microsoft Windows Media Player DVR-MS File Code Execution More info here
Microsoft Remote Desktop Connection Insecure Library Injection More info here

OpenVAS Exploits

Date Description
2011-03-09 Name : Microsoft Windows Media Remote Code Execution Vulnerabilities (2510030)
File : nvt/secpod_ms11-015.nasl
2011-03-09 Name : Microsoft Groove Remote Code Execution Vulnerability (2494047)
File : nvt/secpod_ms11-016.nasl
2011-03-09 Name : Microsoft Remote Desktop Client Remote Code Execution Vulnerability (2508062)
File : nvt/secpod_ms11-017.nasl
2010-09-29 Name : Microsoft Office Products Insecure Library Loading Vulnerability
File : nvt/secpod_ms_office_prdts_insecure_lib_load_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
71016 Microsoft Windows Media Player / Center .dvr-ms File Handling Arbitrary Code ...

Microsoft Windows Media Player and Center contain a flaw related to the Stream Buffer Engine (SBE.dll) not properly parsing Microsoft Digital Video Recording (.dvr-ms) media files that may allow an attacker to execute arbitrary code. No further details have been provided.
71015 Microsoft Windows DirectShow Path Subversion Arbitrary DLL Injection Code Exe...

Microsoft Windows DirectShow is prone to a flaw in the way it loads dynamic-link libraries (DLL). The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows an attacker to inject custom code that will be run with the privilege of the program or user executing the program. This can be done by tricking a user into opening a .wtv, .drv-ms or .mpg file from the local file system or a USB drive in some cases. This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or extracted archive downloaded from a remote source.
71014 Microsoft Windows Remote Desktop Client Path Subversion Arbitrary DLL Injecti...

Microsoft Windows is prone to a flaw in the way it loads dynamic-link libraries (DLL). The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows an attacker to inject custom code that will be run with the privilege of the program or user executing the program. This can be done by tricking a user into opening a Remote Desktop configuration (.rdp) file from the local file system or a USB drive in some cases. This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or extracted archive downloaded from a remote source.
67484 Microsoft Office Groove Path Subversion Arbitrary DLL Injection Code Execution

Microsoft Groove is prone to a flaw in the way it loads dynamic-link libraries (e.g. GroovePerfmon.dll and mso.dll). The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows an attacker to inject custom code that will be run with the privilege of the program or user executing the program. This can be done by tricking a user into opening a VCG or GTA file from the local file system or a USB drive in some cases. This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or extracted archive downloaded from a remote source.

Information Assurance Vulnerability Management (IAVM)

Date Description
2011-03-10 IAVM : 2011-A-0031 - Multiple Vulnerabilities in Microsoft Windows Media
Severity : Category II - VMSKEY : V0026088
2011-03-10 IAVM : 2011-B-0033 - Microsoft Remote Desktop Connection Client Remote Code Execution Vulnerability
Severity : Category II - VMSKEY : V0026091
2011-03-10 IAVM : 2011-B-0034 - Microsoft Groove Remote Code Execution Vulnerability
Severity : Category II - VMSKEY : V0026092

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft product fputlsat.dll dll-load exploit attempt
RuleID : 21310 - Revision : 7 - Type : OS-WINDOWS
2014-01-10 Microsoft product request for fputlsat.dll over SMB attempt
RuleID : 21309 - Revision : 7 - Type : OS-WINDOWS
2014-01-10 Microsoft Groove GroovePerfmon.dll dll-load exploit attempt
RuleID : 19315 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Groove GroovePerfmon.dll dll-load exploit attempt
RuleID : 19314 - Revision : 12 - Type : OS-WINDOWS
2014-01-10 Microsoft Groove mso.dll dll-load exploit attempt
RuleID : 18500 - Revision : 19 - Type : OS-WINDOWS
2014-01-10 Microsoft Groove mso.dll dll-load exploit attempt
RuleID : 18499 - Revision : 17 - Type : OS-WINDOWS
2014-01-10 Microsoft Media Player dvr-ms file parsing remote code execution attempt
RuleID : 18498 - Revision : 16 - Type : FILE-OTHER
2014-01-10 Microsoft Windows Media Player and shell extension request for ehtrace.dll ov...
RuleID : 18497 - Revision : 17 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows Media Player and shell extension ehtrace.dll dll-load explo...
RuleID : 18496 - Revision : 15 - Type : OS-WINDOWS
2014-01-10 Microsoft product .dll dll-load exploit attempt
RuleID : 18495 - Revision : 21 - Type : OS-WINDOWS
2014-01-10 Microsoft product .dll dll-load exploit attempt
RuleID : 18494 - Revision : 25 - Type : OS-WINDOWS

Nessus® Vulnerability Scanner

Date Description
2011-03-08 Name : The version of Windows Media installed on the remote host has multiple code e...
File : smb_nt_ms11-015.nasl - Type : ACT_GATHER_INFO
2011-03-08 Name : Arbitrary code can be executed on the remote host through Microsoft Office.
File : smb_nt_ms11-016.nasl - Type : ACT_GATHER_INFO
2011-03-08 Name : It is possible to execute arbitrary code on the remote host through the Remot...
File : smb_nt_ms11-017.nasl - Type : ACT_GATHER_INFO