
Microsoft Security Bulletin Coverage (Jun 12, 2012)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of June, 2012. A list of the issues reported, along with SonicWALL coverage information, follows:

MS12-036 Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)

  • CVE-2012-0173 Remote Desktop Protocol Vulnerability
    There is no feasible method of detection at gateway level.

MS12-037 Cumulative Security Update for Internet Explorer (2699988)

  • CVE-2012-1523 Center Element Remote Code Execution Vulnerability
    IPS: 7959 – Microsoft IE Center Element Exploit
  • CVE-2012-1858 HTML Sanitization Vulnerability
    IPS: 7960 – Cross-Site Scripting (XSS) Attempt 32
  • CVE-2012-1872 EUC-JP Character Encoding Vulnerability
    There is no feasible method of detection.
  • CVE-2012-1873 Null Byte Information Disclosure Vulnerability
    IPS: 7961 – Microsoft IE Null Byte Information Disclosure Exploit
  • CVE-2012-1874 Developer Toolbar Remote Code Execution Vulnerability
    IPS: 7962 – Microsoft IE Developer Toolbar Memory Corruption
  • CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability
    IPS: 7963 – Microsoft IE Same ID Property Exploit
  • CVE-2012-1876 Col Element Remote Code Execution Vulnerability
    IPS: 7454 – HTTP Client Shellcode Exploit 35a
  • CVE-2012-1877 Title Element Change Remote Code Execution Vulnerability
    GAV: 20231 – Malformed-File html.MP.5
  • CVE-2012-1878 OnBeforeDeactivate Event Remote Code Execution Vulnerability
    GAV: 20228 – Malformed-File html.MP.4
  • CVE-2012-1879 insertAdjacentText Remote Code Execution Vulnerability
    IPS: 4665 – HTTP Client Shellcode Exploit 13a
  • CVE-2012-1880 insertRow Remote Code Execution Vulnerability
    GAV: 20227 – Malformed-File html.MP.3
  • CVE-2012-1881 OnRowsInserted Event Remote Code Execution Vulnerability
    GAV: 20225 – Malformed-File html.MP.2
  • CVE-2012-1882 Scrolling Events Information Disclosure Vulnerability
    There is no feasible method of detection.

MS12-038 Vulnerability in .NET Framework Could Allow Remote Code Execution (2706726)

  • CVE-2012-1855 .NET Framework Memory Access Vulnerability
    IPS: 7964 – Malformed ZIP File 12

MS12-039 Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)

  • CVE-2011-3402 TrueType Font Parsing Vulnerability
    GAV: 19421 – Malformed.ttf.MP.1
  • CVE-2012-0159 TrueType Font Parsing Vulnerability
    GAV: 18601 – Malformed-File ttf.MP.2
  • CVE-2012-1849 Lync Insecure Library Loading Vulnerability
    IPS: 1023 – Binary Planting Attempt 1
    IPS: 5726 – Binary Planting Attempt 2
    IPS: 6847 – Binary Planting Attempt 3
  • CVE-2012-1858 HTML Sanitization Vulnerability
    IPS: 7960 – Cross-Site Scripting (XSS) Attempt 32

MS12-040 Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100)

  • CVE-2012-1857 Dynamics AX Enterprise Portal XSS Vulnerability
    IPS: 1369 – Cross-Site Scripting (XSS) Attempt 1

MS12-041 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)

  • CVE-2012-1864 String Atom Class Name Handling Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1865 String Atom Class Name Handling Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1866 Clipboard Format Atom Name Handling Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1867 Font Resource Refcount Integer Overflow Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1868 Win32k.sys Race Condition Vulnerability
    This is a local elevation of privilege vulnerability.

MS12-042 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)

  • CVE-2012-0217 User Mode Scheduler Memory Corruption Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1515 BIOS ROM Corruption Vulnerability
    This is a local elevation of privilege vulnerability.

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2719615)

  • CVE-2012-1889 MSXML Uninitialized Memory Corruption Vulnerability
    IPS: 7967 – ACTIVEX Suspicious ActiveX Method 7
    IPS: 7968 – ACTIVEX Suspicious ActiveX Method 8
    IPS: 7969 – ACTIVEX Suspicious ActiveX Method 9
    IPS: 7970 – ACTIVEX Suspicious ActiveX Method 10
    IPS: 7971 – ACTIVEX Suspicious ActiveX Method 11

Microsoft Security Bulletin Coverage (May 8, 2012)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of May, 2012. A list of the issues reported, along with SonicWALL coverage information, follows:

MS12-029 Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352)

  • CVE-2012-0183 RTF Mismatch Vulnerability
    GAV: 18584 – Malformed-File rtf.MP.2

MS12-030 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2663830)

  • CVE-2012-0141 Excel File Format Memory Corruption Vulnerability
    GAV: 18668 – Malformed-File xls.MP.9
  • CVE-2012-0142 Excel File Format Memory Corruption in OBJECTLINK Record Vulnerability
    GAV: 18672 – Malformed-File xls.MP.10
  • CVE-2012-0143 Excel Memory Corruption Using Various Modified Bytes Vulnerability
    GAV: 18675 – Malformed-File xls.MP.11
  • CVE-2012-0184 Excel SXLI Record Memory Corruption Vulnerability
    GAV: 18676 – Malformed-File xls.MP.12
  • CVE-2012-0185 Excel MergeCells Record Heap Overflow Vulnerability
    GAV: 18677 – Malformed-File xls.MP.13
  • CVE-2012-1847 Excel Series Record Parsing Type Mismatch Could Result in Remote Code Execution Vulnerability
    GAV: 18678 – Malformed-File xls.MP.14
    GAV: 18679 – Malformed-File xls.MP.15

MS12-031 Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2597981)

  • CVE-2012-0018 VSD File Format Memory Corruption Vulnerability
    GAV: 18603 – Malformed-File vsd.MP.1

MS12-032 Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338)

  • CVE-2012-0174 Windows Firewall Bypass Vulnerability
    There is no feasible method of detection at gateway level.
  • CVE-2012-0179 TCP/IP Double Free Vulnerability
    This is a local vulnerability.

MS12-033 Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege (2690533)

  • CVE-2012-0178 Plug and Play (PnP) Configuration Manager Vulnerability
    This is a local vulnerability.

MS12-034 Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)

  • CVE-2011-3402 TrueType Font Parsing Vulnerability
    GAV: 18600 – Malformed-File ttf.MP.1
  • CVE-2011-0159 TrueType Font Parsing Vulnerability
    GAV: 18601 – Malformed-File ttf.MP.2
  • CVE-2012-0162 .NET Framework Buffer Allocation Vulnerability
    GAV: 18521 – Malformed-File exe.MP.3
  • CVE-2012-0164 .NET Framework Index Comparison Vulnerability
    There is no feasible method of detection.
  • CVE-2012-0165 GDI+ Record Type Vulnerability
    GAV: 18516 – Malformed-File emf.MP.3
    GAV: 18680 – Malformed-File xls.MP.16
  • CVE-2012-0167 GDI+ Heap Overflow Vulnerability
    GAV: 18510 – Malformed-File emf.MP.1
    GAV: 18514 – Malformed-File emf.MP.2
  • CVE-2012-0176 Silverlight Double-Free Vulnerability
    There is no feasible method of detection.
  • CVE-2012-0180 Windows and Messages Vulnerability
    This is a local vulnerability.
  • CVE-2012-0181 Keyboard Layout File Vulnerability
    This is a local vulnerability.
  • CVE-2012-1848 Scrollbar Calculation Vulnerability
    This is a local vulnerability.

MS12-035 Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)

  • CVE-2012-0160 .NET Framework Serialization Vulnerability
    This is a local vulnerability.
  • CVE-2012-0161 .NET Framework Serialization Vulnerability
    GAV: 18522 – Malformed-File exe.MP.4

Microsoft Security Bulletin Coverage (Dec 13, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of December, 2011. A list of the issues reported, along with SonicWALL coverage information, follows:

MS11-087 Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)

  • CVE-2011-3402 TrueType Font Parsing Vulnerability
    GAV: Malformed.ttf.MP.1

MS11-088 Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016)

  • CVE-2011-2010 Pinyin IME Elevation Vulnerability
    This is a local vulnerability.

MS11-089 Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)

  • CVE-2011-1983 Word Use After Free Vulnerability
    GAV: Malformed.doc.MP.4

MS11-090 Cumulative Security Update of ActiveX Kill Bits (2618451)

  • CVE-2011-3397 Microsoft Time Remote Code Execution Vulnerability
    IPS: 7224 – MS IE Time Element Remote Code Execution 1
    IPS: 7225 – MS IE Time Element Remote Code Execution 2

MS11-091 Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)

  • CVE-2011-1508 Publisher Function Pointer Overwrite Vulnerability
    No details available.
  • CVE-2011-3410 Publisher Out-of-bounds Array Index Vulnerability
    IPS: 7226 – Malformed Publisher Document 3b
  • CVE-2011-3411 Publisher Invalid Pointer Vulnerability
    IPS: 7227 – Malformed Publisher Document 4b
  • CVE-2011-3412 Publisher Memory Corruption Vulnerability
    IPS: 7228 – Malformed Publisher Document 5b

MS11-092 Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)

  • CVE-2011-3401 Windows Media Player DVR-MS Memory Corruption Vulnerability
    GAV: MsApp.Exp.MP.2

MS11-093 Vulnerability in OLE Could Allow Remote Code Execution (2624667)

  • CVE-2011-3400 OLE Property Vulnerability
    IPS: 7230 – Malformed Visio Document 4b

MS11-094 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)

  • CVE-2011-3396 PowerPoint Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt 1
    IPS: 1023 – Possible Binary Planting Attempt 2
    IPS: 6847 – Possible Binary Planting Attempt 3
  • CVE-2011-3413 OfficeArt Shape RCE Vulnerability
    GAV: Malformed.ppt.MP.2

MS11-095 Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)

  • CVE-2011-3396 PowerPoint Insecure Library Loading Vulnerability
    It is not possible to distinguish attack from normal traffic.

MS11-096 Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)

  • CVE-2011-3403 Record Memory Corruption Vulnerability
    GAV: Malformed.xls.MP.11

MS11-097 Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)

  • CVE-2011-3408 CSRSS Local Privilege Elevation Vulnerability
    This is a local vulnerability.

MS11-098 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)

  • CVE-2011-2018 Windows Kernel Exception Handler Vulnerability
    This is a local vulnerability.

MS11-099 Cumulative Security Update for Internet Explorer (2618444)

  • CVE-2011-1992 XSS Filter Information Disclosure Vulnerability
    This is a cross domain vulnerability. It is not possible to distinguish attack from normal traffic.
  • CVE-2011-2019 Internet Explorer Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt 1
    IPS: 1023 – Possible Binary Planting Attempt 2
    IPS: 6847 – Possible Binary Planting Attempt 3
  • CVE-2011-3404 Content-Disposition Information Disclosure Vulnerability
    It is not possible to distinguish attack from normal traffic.

Microsoft Windows TrueType Parsing Engine Code Execution (Nov 3, 2011)

TrueType is an outline font standard originally developed by Apple Computer in the late 1980s as a competitor to Adobe’s Type 1 fonts used in PostScript. TrueType has become the most common font format on both Mac OS and Microsoft Windows. On Microsoft Windows, the operating system parses TTF data with a kernel-mode component, the Win32k TrueType font parsing engine.

A remote code execution vulnerability has been found in Microsoft Windows. Specifically, the vulnerability lies in the Win32k TrueType font parsing engine. By exploiting this vulnerability, an attacker could run arbitrary code in kernel mode on the target system. This vulnerability is related to the Duqu malware.

The SonicWALL UTM team has researched this vulnerability and released the following GAV signature:

  • 56984 TTF.Exp.MP.1

The vendor, Microsoft, refers to this vulnerability as 2639658; it has been assigned the identifier CVE-2011-3402.