Assessing the risk of the June security updates
Today we released 16 security bulletins. Nine have a maximum severity rating of Critical and seven have a maximum severity rating of Important. This release addresses several publicly disclosed vulnerabilities. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability rating | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS11-050 (IE) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | IE9 not affected by several of these issues due to attack surface reduction and advances in fuzzing during IE9 development. More detail [here]. |
| MS11-052 (Vector Markup Language) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | IE9 not affected. Outlook preview pane not affected due to scripting requirement. |
| MS11-043 (SMB Client) | Victim makes an outbound connection to a malicious SMB server which responds with a malicious SMB packet, potentially executing code on the client in ring0. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Many enterprise perimeter firewalls and consumer ISPs block outbound SMB ports (139, 445), preventing internet-based attacks. |
| MS11-042 (DFS Client) | Victim makes an outbound connection to a malicious DFS server which responds with a malicious DFS packet, potentially executing code on the client in ring0. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Many enterprise perimeter firewalls and consumer ISPs block outbound SMB ports (139, 445), preventing internet-based attacks. |
| MS11-038 (OLE Automation) | Victim browses to a malicious webpage that uses VBScript to load a WMF file from an SMB or WebDAV path. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | |
| MS11-040 (Forefront TMG firewall client) | Victim running TMG client browses to a malicious webpage that initiates DNS hostname lookup to malicious DNS server. Malicious response is parsed by application that initiated request and could potentially allow code execution in that context. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Clients for ISA Server 2004 and ISA Server 2006 are not affected. Client for TMG, Medium Business Edition is not affected. |
| MS11-039 (.NET/Silverlight) | Victim browses to a malicious webpage that offers an XBAP application. Could also be used by a malicious ASP.NET application to bypass CAS restrictions. | Critical | 1 | Vulnerability itself is exploitable (hence the “1” rating). However, we do not typically see XBAP exploits in the wild. Remains to be seen if attackers will attempt to exploit this. | Latest version of Silverlight not affected. |
| MS11-044 (.NET Framework) | Attack vector is application-dependent and limited to .NET applications relying on a certain kind of check to make security decisions. Read more [here] about potential attack vectors. | Critical | 2 | Likely to be difficult to build a reliable exploit, once a vulnerable application is found. | |
| MS11-041 (OpenType Font driver) | Victim using explorer.exe browses to a folder containing a malicious OTF file. | Critical | 2 | Difficult to build a reliable exploit. | Windows XP and Windows Server 2003 not vulnerable to the shell preview attack vector. |
| MS11-046 (AFD.sys driver) | Attacker already running code on a machine elevates from low-privileged account to SYSTEM. | Important | 1 | Exploits known to exist already. | |
| MS11-045 (Excel) | Victim opens a malicious Excel spreadsheet (XLS). | Important | 1 | Likely to see reliable exploit developed in next 30 days. | Excel 2010 affected by only one of the eight vulnerabilities. |
| MS11-051 (Active Directory Certificate Server) | Victim clicks on a malicious link directing them to Active Directory Certificate Server which initiates attacker actions on the certificate server in the context of the user clicking the link. (XSS) | Important | 1 | Likely to see reliable exploit developed in next 30 days. | |
| MS11-037 (MHTML) | Victim browses to a malicious webpage that attempts to steal cookies belonging to a different website. (Cross-Domain Information Disclosure) | Important | 3 | No chance for direct code execution – Information Disclosure only. However, proof-of-concept code is publicly available. | |
| MS11-048 (SMB Server) | Attacker sends malicious SMB request which causes denial-of-service on victim workstation. | Important | 3 | No chance for direct code execution – Denial of Service only. | |
| MS11-047 (Hyper-V) | Attacker who is local administrator on a guest OS VM can cause a resource exhaustion denial-of-service on host OS. | Important | 3 | No chance for direct code execution – Denial of Service only. | |
| MS11-049 (Visual Studio XML Editor) | Victim opens a malicious .disco file inside Visual Studio, leaking file content on the workstation to remote attacker. | Important | 3 | No chance for direct code execution – Information Disclosure only. | |

Please let us know (switech at microsoft dot com) if you have any questions about these updates.
Jonathan Ness, MSRC Engineering