
It's Microsoft Patch Tuesday: June 2011

Justin James gathers the information you need to make the right decision on applying Microsoft's June 2011 patches in your organization.

The out-of-band and non-security stories were great this month. Unfortunately, we are getting pounded with a stunning sixteen patches, which cover a large number of problems. To make it worse, a number of patches have known issues and surprises when installing them; I've highlighted these patches for you, so look before you leap on them.

This blog post is also available in PDF format as a TechRepublic Download. Falling behind on your patch deployments? Catch up with previously published Microsoft Patch Tuesday blog posts.

Security Patches

MS11-037/KB2544893 - Important (XP, Vista, W7)/Low (2003, 2008, 2008 R2): The way Windows handles the MHTML protocol can result in "information disclosure" (it looks like it would be similar in effect to a cross-site scripting attack). You will want to patch this on your usual schedule.

MS11-038/KB2476490 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): Image files in the WMF format can be used to perform remote code execution attacks, thanks to a vulnerability in the OLE Automation subsystem; this patch fixes it. Since it is easy to get a Web browser to display an image file, you should apply this patch immediately.

MS11-039/KB2514842 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): A security hole in the handling of Silverlight is allowing Silverlight and XAML Browser Applications (XBAPs) to be used to perform remote code execution attacks. Isn't the whole point of Silverlight to make these things harder? Install this patch as soon as you can. Also, there are a lot of known issues with the patch; check out the KB article before installing it.

MS11-040/KB2520426 - Critical (Threat Management Gateway 2010 Client): The TMG client has a flaw that allows remote code execution attacks to be performed. If you use the TMG client, you should install this patch.

MS11-041/KB2525694 - Critical (Vista, W7, 2008, 2008 R2)/Important (XP, 2003): Problems with the OpenType font handler can allow remote code execution and escalation of privilege attacks. This patch closes those holes. Since an attacker can point a Web page to a network share to get a font file, you will want to close the hole with this patch as soon as you can.

MS11-042/KB2535512 - Critical (XP, 2003)/Important (Vista, W7, 2008, 2008 R2): A flaw in the way Windows handles DFS processing can allow DoS and remote code execution attacks to be performed. Of course, you should be blocking DFS at the firewall, but this is still a concerning issue that you will want to patch immediately.

MS11-043/KB2536276 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): SMB packets can be used to exploit a vulnerability and perform remote code execution attacks. Like the DFS patch, you should be blocking this at the firewall, but you will still want to install this patch quickly.

MS11-044/KB2538814 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): A flaw in the .NET Framework and the XBAP handling system can allow applications to run code that they are not allowed to run. This is a critical issue and should be treated as an emergency patch scenario. The patch has some known issues that you should review first, though.

MS11-045/KB2537146 - Important (Office XP, Office 2003, Office 2007, Office 2010, Office 2004 for Mac, Office 2008 for Mac, Office 2011 for Mac, Open XML File Format Converter for Mac, Excel Viewer, Office Compatibility Pack): This patch resolves a whopping eight vulnerabilities when opening Excel files, which can give the attacker the same rights as the logged-on user. Microsoft says this is an "important" patch, but Excel files are so widespread that I recommend that you not hesitate to install the patch.

MS11-046/KB2503665 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): A problem with the Ancillary Function Driver (used to hook Winsock to the kernel) can be exploited to perform escalation of privilege attacks. This is a good example of Microsoft rating a patch as "important" when it really should be "critical." Install the patch quickly.

MS11-047/KB2525835 - Important (2008, 2008 R2): In the "odd bug of the month" category, a logged-on user in a Hyper-V guest VM can send a malformed packet to the Hyper-V host in order to perform a denial of service attack. If you use Hyper-V, you should install this patch during your normal patch time.

MS11-048/KB2536275 - Important (Vista, W7, 2008, 2008 R2): A problem with SMB packet processing can lead to DoS attacks. Your firewall should block these out, but you will still want to install the patch when you have the chance.

MS11-049/KB2543893 - Important (InfoPath 2007, InfoPath 2010, SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, Visual Studio 2005, Visual Studio 2008, Visual Studio 2010): An XML editor control used in a number of Microsoft data handling products can be exploited to perform information disclosure attacks. Install this patch as needed for systems using the affected software, but check the KB article first for known issues.

MS11-050/KB2530548 - Critical (IE 6, IE 7, IE 8, IE 9): This is a big cumulative update for IE 6 - IE 9 that resolves eleven vulnerabilities. Install it ASAP.

MS11-051/KB2518295 - Important (2003, 2008, 2008 R2): The Active Directory Certificate Services Web Enrollment is vulnerable to cross-site scripting attacks, which this patch fixes. This shouldn't be available outside your network, and the patch only needs to be applied to your servers that support this functionality. Beware, the patch has some known "gotchas."

MS11-052/KB2544521 - Critical (IE 6, IE 7, IE 8, IE 9): Vector Markup Language (VML) can be exploited in IE to perform remote code execution attacks. I didn't even know that VML was still around. You will want to patch as soon as you can.

Other Updates

There are no non-security patches released with this Patch Tuesday.

"The Usual Suspects": Updates to the Malicious Software Removal Tool (12.9 - 13.3MB) and the Junk Email Filter (2.1MB).

Changed, but not significantly: None.

Updates since the last Patch Tuesday

There were no security updates released out-of-band.

Minor items added or updated since the last Patch Tuesday:

KB2541014 - Fixes issues with hibernation in 2008 R2 and W7 after installing SP1.

KB947821 - System Readiness Tool for Vista, W7, 2008, and 2008 R2.

Changed, but not significantly:

About

Justin James is the Lead Architect for Conigent.

40 comments
tanny_man

Applied all June updates (bar Windows Malicious Removal Tool) to our 1000+ Citrix Farm made up of XP SP3 VMs. They have powered off (which they shouldn't) after installation of the updates and we have had to reset them to enable them to work again. Any suggestions what could be causing this?

Ntoure

Since the June update which has an Outlook update, I have noticed it has slowed down when updating or just clicking on different folders. I thought the patches were meant to improve it in some way?

donallsop

The process of opening an Excel file on a network share slowed to a crawl. Looked at Wireshark, the SMB packets were 4 or 8 bytes! After I uninstalled this patch, all was well again. Anyone else have this? XP workstations, Office 2003, Server 2003.

fiosdave

Lately, my system is giving me more of these messages. I believe it is due to system overload. I have about 100 processes running. If I pare this down, I do get fewer error messages. When I get the time, I will use msconfig to slim down the system and see which processes cause the most trouble.

AnsuGisalas

All of a sudden my computer rebooted, informing me of updates installing. That took less than a normal reboot, actually. After that... all done. But then, I just have Home Premium.

Michael.Slifer

I have been stuck on an update for over 6 hours two nights in a row. Tonight it is update 12 of 17. Vista Home Premium, HP 64 bit processor. Good thing I still have a WinXP laptop to at least run a browser.

BlueCollarCritic

Why is it no one is asking why the hack exploits that these patches often address seem to lead to remote control or remote access to the system? If a software application like a word processor did not already have built into it some way to communicate with or send data to something outside the system then what is the chance that a bug in the software that is exploited by a hacker would result in the hacker being able to remotely access/control your system? It seems to me the answer to addressing a good bit of software bug issues is to STOP putting remote control/access capabilities into the darn applications and that way if a hacker finds a way to exploit a bug it won't in turn give the hacker a way to remotely access or control the system.

rpost

I haven't identified which patch did it but after rebooting my Windows 7 box, a calendar gadget (the default calendar shipped with Win7) stopped displaying the calendar, just an orange square where the day should be. I'm reasonably certain it is not SP1, since I have identical machines at home and office, the office PC displays the calendar just fine, home not so. Any ideas? And, btw, even on relatively fast Win7 boxes, be prepared to take a siesta while it's doing its thing.

promytius1

Microsoft OS - any version - is VAPORWARE. If you think you're safe, you're in the wrong business. Unemployment may be up but programmers are flocking to international sites to continue to exploit the buggiest, deeply unsafe, wide-open OS ever invented, in any incarnation. There's great job opportunities exploiting the data of others, and you support that exploding industry by using OSs that leak like a sponge on the counter.

ess

Anyone having the Not Responding issue with Win7 lately..!!??

l.kobiernicki

If you use the built-in M$ Windows Update or M$ Update services, you're using a M$-capped, i.e. a truncated, connection (it used to run at a miserly 4kb/sec), rather like dropping down to the old modem-speed connectivity. Why not install and use Autopatcher? It queries the M$ download sites for your OS directly, and then downloads whatever it can find there, usually finding a more varied selection than the M$ updating services are able to display. You can then apply those patches you wish to authorize. A bit like the Administrator-managed SUS/WSUS, but better, with fewer overheads, because directly end user-controlled. It's also a good deal faster and customizable, storing downloaded patches on a logical drive or even a 2nd physical drive, i.e. wherever you choose, as long as you allow sufficient drive space, say 5 GB, so they can be updated and redone if needed (whereas M$ updating defaults to its own choice of directory and doesn't allow user-defined destination selection). Applied patches are shown in BLUE. Ones not yet applied to the system are shown in BLACK.

pbw

On an older XP-SP3 machine, the 19 updates took almost 5 hours to complete. Especially the various .NET Framework updates took a very long time to recompile all sorts of stuff. If I had known that it would take so long, I would have run the updates overnight.

pgit

I better get hopping...

Rhydz

Just a heads up in case anyone else has similar issue to this: After installing KB2536276 on Windows 7 (Professional & Ultimate, SP1) machines, our Apple OS X Server (v10.2.8) could not be accessed. It could be seen on the network, shares could be seen, but not accessed. Said insufficient privileges. After un-installing KB2536276, server worked fine. Windows Vista and XP machines on the network were not affected, even after installing the same update - only machines running Windows 7 were affected. It could be an incorrect setting our end, but it's a heads up none the less, in case anyone else is in the same situation.

Mark W. Kaelin

Are the patches described by Justin giving you trouble this month? Share your experience with your peers, maybe the TechRepublic Community can help?

eric_170

Same thing here. It has locked up Excel 2003 on at least four XP PCs where I work. Excel was fine after I removed it. I'm just going to hide the update for now.

rpost

I've run into this issue when MS updates are greater than a handful, slower machine and/or slow Internet connection. My solution, cancel the install and go back, uncheck half or so and proceed in chunks. In the end, it appears to run much quicker.

Who Am I Really

Because Windows is Internet Exploder. It has been since the Win 95 IE integration, although with IE7 they made a small distinction between Windows Exploder and IE, but not much. On Vista you can't use Windows Exploder as a browser to surf the web, and if you install IE7 or IE8 on XP you can no longer use Windows Exploder as a browser to surf the web: entering a web address in the address bar of Windows Exploder on XP with IE7 or IE8 installed, it will start the default browser and transfer the contents of the address bar to the browser. Since the IE integration in Win 95, Windows became IE and IE became Windows. Favorites is a function of IE but is also accessible from Windows Exploder. Quick Launch is an extension / feature of IE, not Windows; here's the path on XP: C:\Documents and Settings\User Name\Application Data\Microsoft\Internet Explorer\Quick Launch. Do this on XP running IE6: in Internet Options select the Advanced tab, scroll down to the Multimedia section, untick the box for "Show Pictures". Guess what: the icons on the Desktop and Quick Launch items etc. all disappear, including the desktop wallpaper. What does "show pictures" in IE have to do with the desktop? Windows is IE. There is no, none, zero, 0, etc. such capability in Win 3.10 WFWG to be remote controlled. How many "security updates" were there for Win 3.10? None, zero. There was a calculator bugfix update to fix the 3.89 - 3.88 = 0 bug; there was a File Manager Y2K update to fix dates after 2000 being displayed wrong (2000 displayed as 19:0, 2001 displayed as 19:1, 2002 displayed as 19:2, ... 2010 displayed as 19;0), but no "Security Updates".

Thack

(stifles a yawn....)

pgit

It hasn't taken that long for some of the XP units to update, the slowest was about an hour total. Just wondering if you really need .NET. I see a few XP boxes without it...

ScarF

KB2536276 will block any unencrypted authentication. We found this out the hard way, after this security upgrade blocked all the shares provided by Samba on our Linux servers. In our case, we just had to edit SMB.CONF and add "encrypt passwords = Yes", and reload the configuration using "smb reload". I am sure that in the OS X case it should be something similar.

scott

I just installed June's Microsoft updates for XP. One failed to install so, after rebooting, I went back and installed that one. Now my PC is stuck, can't open any applications. So, I restored back to yesterday's restore point and that fixed all but my most used program shortcut. When I click on the shortcut I get the notorious send an error report window. I re-installed the shortcut but still have the problem. Open for any leads.

alopez

Anyone having issues after patching with opening messages in Outlook? "Custom actions could not be performed..." message is appearing for users who are double-clicking messages. You OK out of it and the message then opens... Weird - any ideas??? Checked kb/2020427 but is this corruption caused by June Patches?

jclleung

Ever since the mid-May update to the Windows Defender, my computer would, ever so often, send a "no signal" to my screen, and then turn itself off and reboot, but could not open Windows properly without a "restore" to remove the new patch. The Windows Update kept updating itself every day with the Defender update, and the computer kept turning itself off and rebooting unsuccessfully. There is no way to turn off the Windows Update anymore, as it just ignores the "Do not install update" command anymore. What am I to do??

Justin James

"Remote code execution" has nothing to do with Internet Explorer. "Remote code execution" attacks are a result of poor programming by C/C++ developers. Here's what happens:

1. Application is parsing data, and expects, say, 16 bytes at the most.
2. Hacker sends bad data, that is, say, 39,017 bytes.
3. Application does not stop reading at 16 bytes, but reads until the data ends.
4. The 16 byte variable is filled with "good" data, but the memory addresses subsequent to it are now filled with the extra 39,001 bytes that they sent.

If the original 16 byte variable was located at a known memory address (for example, it was being parsed by a part of the Windows networking system that always gets loaded at the same memory address due to the order of Windows bootup), then the excess bytes are also placed at known memory addresses. Which means that the person writing the bad data can overwrite executable code (such as drivers, networking components, and more) with their own code. It's like if someone took a bacteria cell, cut out a part of its DNA and swapped it with another cell's DNA and let it keep going. For the record, Macs, Linux, and more are vulnerable to these kinds of attacks as well. Macs are actually MORE vulnerable than Windows, because since Vista, Windows has done address randomization which makes it much harder to perform these attacks, while Macs are just now getting that and it is only partial. Linux and similar systems have a good number of built-in protections, and their applications tend to be stronger because of the way they are written and tested (lot of factors involved). But no, this whole "explanation" about Windows and Internet Explorer and allowing "remote connectivity" has no relationship to what a "remote code execution attack" is. J.Ja

pbw

Several applications need it, e.g. Visual Studio 2010 (Express).

Rhydz

Brilliant, thanks for the info, I'll look into it this week. After reading about KB2536276, I thought I'd have to end up tweaking some 'incorrect' settings, as opposed to blocking the update outright. I'll reply back here if I find the OSX solution to this. Strange how it's only Win7 that's affected though..

Justin James

Glad to help! Yes, the overwrite goes immediately into the contiguous area. So all you then need to know is what actually is in that next bit of space. :) Thanks to OS boot order and well known file sizes, it isn't hard to make a map of where the OS puts what critical files. So you can poke around the memory, look at the contents of the memory for these critical files (stuff like the networking sub-system, or file storage system, or whatever), dump it out as machine instructions, examine it, and see what it does. Then, you figure out where the good stuff happens, like checking permissions. Your goal is to overwrite those areas with machine code of your own, like code that does NOT check permissions. :) Again, from Vista on, the OS randomizes the memory, so a lot of these basic attacks no longer work because there are no more known address spaces. That's also one reason why Vista seems less reliable than XP: you actually use 100% of your RAM, and randomly at that, so bad RAM in the upper addresses will be hit at random, sometimes for system stuff, when in the past it may never get touched or only by unimportant items. So a buffer overwrite does less damage, or just results in instability or data corruption more often. Again, OS X is just now moving to this, and their implementation doesn't do it for all RAM, and Linux, BSD, etc. have had it for a while too. From what I can tell, once you've come across an exploit that allows the initial overwrite, taking advantage of it is pretty trivial and routine. J.Ja

pgit

So a process writes its 16 bytes properly in the example, and continues "normally," i.e. the system does not crash, but the extra code is written to an inappropriate location and overwrites something else's data. I got that part. So does this address space begin immediately above the space where the 16 bits resides? Or is it possible to get the original process to write to some other non-contiguous location? I ask because who knows what's in that adjacent, higher space? Does the attacker know exactly what other process they are targeting? Or doesn't that matter? I would think it does, the injected code would have to be close enough to what it replaced or you'd notice a loss of function, true? Maybe sometimes? Once again J.Ja you've blown the smoke out of the room and I'm beginning to see some of this stuff. Thanks for diving into these topics.

DJBBB

Well, yes but. Say you have a binary 100 kB long and it uses 10 kB for various buffers, then the executable code should be in first 90 kB and the buffers in the subsequent 10 kB. That way a buffer overflow in an application could not override the application code. You might not overwrite "Your" program, but you might flatten something else, then *Phut!* crash... (or worse!) In C/C++, one of the common problems is with string copying. There are two ways to do it, one just goes till it sees a null (0x00) and stops. http://www.cplusplus.com/reference/clibrary/cstring/strcpy/ But sadly, note the comment that the destination should have enough room for the entire string and terminating Null. Thereby hangs the tale.. The other, you can tell it how many bytes at most to transfer, it can still quit at the first null, but otherwise it'll only do the most you say that it can. http://www.cplusplus.com/reference/clibrary/cstring/strncpy/ But, it can leave off the terminating Null, under some circumstances. However, it will not transfer "blind"... The goal of most malware is to invoke something like this, fill up the buffer and then some, overwriting the return stack with any luck, so when the function eventually returns, it can return back into the "data" it just received. Such code often is very simple, just calling some other OS function to then download the main payload from elsewhere and run it. DEP can sometimes prevent it from running, but you still get a crash of some sort. There are many many many other ways to compromise a computer, with similar techniques. See:- http://www.h-online.com/security/features/CSI-Internet-HQ-1050609.html for some good background reading... Cheers. DJBBB.
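An added example in C, not code from the thread or from any commenter, showing the defensive side of what Justin James (the parser that "expects 16 bytes at most") and DJBBB (strcpy versus strncpy and the missing terminating NUL) describe above: a parser that validates an attacker-controlled length against both the bytes present and the destination buffer before copying, a bounded copy that always terminates, and a check that demonstrates the strncpy no-terminator pitfall. The record format (2-byte big-endian length prefix followed by the field bytes), the function names and the sample messages are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The "expects 16 bytes at most" buffer from the discussion above. */
#define FIELD_MAX 16

enum parse_status { PARSE_OK = 0, PARSE_SHORT_MSG = 1, PARSE_TOO_LONG = 2 };

/* Constructed record format for this example: a 2-byte big-endian length
 * followed by that many bytes of field data. The declared length is checked
 * against both the bytes actually present and the destination buffer before
 * a single byte is copied, so a hostile length cannot drive the copy past
 * out[] the way the thread's 39,017-byte message would. */
enum parse_status parse_field(const uint8_t *msg, size_t msg_len,
                              char out[FIELD_MAX + 1], size_t *out_len)
{
    if (msg_len < 2)
        return PARSE_SHORT_MSG;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared > msg_len - 2)
        return PARSE_SHORT_MSG;   /* header promises more bytes than exist */
    if (declared > FIELD_MAX)
        return PARSE_TOO_LONG;    /* would run past the 16-byte buffer */
    memcpy(out, msg + 2, declared);
    out[declared] = '\0';
    *out_len = declared;
    return PARSE_OK;
}

/* Bounded copy that always NUL-terminates dst. Returns 1 if src was
 * truncated to fit, 0 otherwise, so the caller can decide whether
 * truncation is acceptable instead of silently losing the terminator. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return 1;
    size_t n = strlen(src);
    int truncated = n >= dst_size;
    size_t to_copy = truncated ? dst_size - 1 : n;
    memcpy(dst, src, to_copy);
    dst[to_copy] = '\0';
    return truncated;
}

/* Demonstrates the strncpy pitfall mentioned above: when src has dst_size
 * or more characters, strncpy fills the buffer and writes no terminating
 * NUL. Returns 1 if a NUL ended up within the first dst_size bytes, 0 if
 * not, and -1 if dst_size exceeds the scratch buffer. */
int strncpy_leaves_terminator(const char *src, size_t dst_size)
{
    char buf[64];
    if (dst_size > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);   /* sentinel so leftover bytes are not NUL */
    strncpy(buf, src, dst_size);
    return memchr(buf, '\0', dst_size) != NULL;
}

int main(void)
{
    char out[FIELD_MAX + 1];
    size_t n = 0;

    /* Constructed: a 5-byte field, correctly declared. */
    const uint8_t good[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    printf("good   -> %d (%s)\n", parse_field(good, sizeof good, out, &n), out);

    /* Constructed: header claims 39,017 bytes (0x9869) but only two follow. */
    const uint8_t lying[] = { 0x98, 0x69, 'a', 'b' };
    printf("lying  -> %d\n", parse_field(lying, sizeof lying, out, &n));

    char small[8];
    printf("copy   -> truncated=%d \"%s\"\n",
           bounded_copy(small, sizeof small, "0123456789"), small);
    printf("strncpy terminated: %d\n", strncpy_leaves_terminator("abcdefgh", 8));
    return 0;
}
```

The same length check belongs wherever a length field arrives from outside the process, whether the data is a network packet or a file being parsed.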

rpr.nospam

I'd say that the existence of buffer overflow also show that C/C++ compilers are poorly written. When compiling C/C++ code the compiler should put all static memory buffers at the end of application's virtual memory. Say you have a binary 100 kB long and it uses 10 kB for various buffers, then the executable code should be in first 90 kB and the buffers in the subsequent 10 kB. That way a buffer overflow in an application could not override the application code. Another issue is the memory management done by the kernel. A good kernel should not allow that one application overrides another one. As the kernel loads executables (and DLLs) into memory it knows about the memory ranges occupied by the executables and it should not allow that they override each other. There is also memory space dynamically allocated (and freed) during execution of an application. A good kernel should take care that an application cannot write outside of the currently allocated memory space.

AnsuGisalas

Last time I checked, coding language used is not publicly available for most programs. Maybe a chain of blogs could help. "X popular Apple programs written in leprous languages" etc. etc.

Justin James

Yup, that's exactly what these remote code execution attacks are. There's a LOT of automated testing to be done that helps find it. A company called Coverity has a tool to do this; periodically they release a report of open source software that has these bugs (it needs access to the source code), and you'd be shocked at how riddled with these exact same issues even the supposed "secure" open source apps are. What do people need to do? Primarily, get off of C/C++, and get onto languages like Java, C#, Ruby, etc. where the developer can't make these mistakes because they aren't managing memory, and then just focus on getting the compilers/interpreters/runtime VMs for them straight. Look at the number of security patches for .NET or Java... three or four a year, tops, and always for a very specific bug (and often something where it is wrapping the underlying functionality of the system which is the REAL broken item). These are environments which are pretty secure to work in. Compare that to the number of bugs found in, say, parsing Excel documents every year... there are at LEAST 4+ security problems a year just parsing Excel, another 4+ parsing Word, etc. and almost always in the "legacy" formats (pre-XML). Those formats have been around for a decade if not longer, and so has the code for parsing it, yet it is STILL broken... and those bugs affect Macs too. We see the *exact* same issue with Flash and Acrobat as well. The lesson learned is that parsing binary formats in applications written in C/C++ is insanely hazardous. It's not a "Microsoft" problem, it's an "everybody" problem. Apple has it too with QuickTime. J.Ja

AnsuGisalas

Just out of curiosity, what's the overhead of capping those holes? I mean, how much is it that the developers have failed to do?

pbw

It's simple; if you have any application that were built with .NET, then you need the runtime environment (.NET Framework). I don't know if any Win7 components need it. I think that Win7 comes with .NET Framework 4 preinstalled (not sure; I'll get my first Win7 machine next week).

pgit

There's a solid measure of the local economy, I deal with more XP than probably all other systems (including Linux) combined. Maybe I should say "indictment" of the economy. The only 2008 system I've laid hands on is with a license the local community college has that gives students 30 days to play with it before self-destructing. (you can install it again, but every 30 days.. )

Justin James

So much of the system uses .NET now. You can't even use a Windows 2008 "Core" install without it (since PowerShell uses it). And many applications require it too. Basically, the only system out there that can go without it is an old XP (or earlier) system with few modern applications installed (remember, .NET came out in 2001 or 2002). J.Ja

pgit

Yeah, it's really only a few boxes I see that don't need .NET. One thing I am uncertain of is whether it's possible to do without it in a win7 environment. I haven't tried it, of course the first thing that pops up when you do try is a warning that literally everything might break, and the sky could fall. You can normally go past such warnings safely, just haven't had the time to try.
