
6/30/2011

[Warning] A malicious file masquerading as the Melon player is spreading.

1. Introduction

Malicious files that exploit a Flash Player vulnerability to download and execute additional malware have recently become widespread.
Once a PC is infected, the malware can carry out a range of malicious actions without the user noticing.
Users should therefore pay particular attention to this campaign in order to avoid infection.



2. Spreading path and symptoms of infection

A malicious file masquerading as the player of a well-known Korean music service (Melon) is downloaded and installed on the user's PC by a malicious SWF file that exploits a Flash Player vulnerability (CVE-2011-2110).

The infection chain starts with a script inserted into a compromised site that points to a URL like the one below. That script checks the Internet Explorer and Adobe Flash Player versions and then loads the exploit page that matches them.

* Malicious script that spreads the fake Melon player

- http://(omit)/share/a1.html

* HTML and SWF files that contain the malicious script

The following figure shows the internal code of a1.html: the routine that checks the IE and Flash Player versions and loads the matching exploit HTML/SWF.


The following URLs are the additional malicious script files that a1.html loads.

* Download URLs of the additional malicious script files

- http://(~~)/share/a1.html
- http://(~~)/share/a2.html (MS10-018 vulnerability)
- http://(~~)/share/a3.html (CVE-2011-2110 vulnerability)

a2.html and a3.html contain code that exploits the MS10-018 and CVE-2011-2110 vulnerabilities respectively.


* MS10-018 vulnerability (a2.html)



function sclick()
{
  // Strings are assembled piecewise ("B"+"O"+"D"+"Y" -> "BODY") to evade signature matching.
  var zmaqwekjsax = document.createElement("B"+"O"+"D"+"Y");
  // Attach the #default#userData behavior to the new BODY element: the MS10-018
  // (CVE-2010-0806, iepeers.dll) trigger.
  zmaqwekjsax.addBehavior("#"+"d"+"e"+"f"+"a"+"u"+"l"+"t"+"#"+"u"+"s"+"e"+"r"+"Da"+"t"+"a");
  document.appendChild(zmaqwekjsax);
  try
  {
    // Repeatedly store the window object as an attribute of the behavior element;
    // the freed-memory reuse that leads to code execution happens here.
    for (i=0;i<10;i++)
    {
      zmaqwekjsax.setAttribute('s',window);
    }
  }
  catch(e)
  {}
  window.status+='';
}

* CVE-2011-2110 vulnerability (a3.html)



<!-- The SWF receives its configuration through the info= query parameter appended to the movie URL. -->
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="550" height="400" id="test" align="middle">
<param name="movie" value="basic.swf?info=02E6B(~~)B51D3527B7AF28B7394" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="play" value="true" />
<param name="loop" value="true" />
<param name="wmode" value="window" />
<param name="scale" value="showall" />
<param name="menu" value="true" />
<param name="devicefont" value="false" />
<param name="salign" value="" />
<param name="allowScriptAccess" value="sameDomain" />
<!--[if !IE]>-->
<object type="application/x-shockwave-flash" data="basic.swf?info=02E6B(~~)B7394" width="550" height="400">
<param name="movie" value="basic.swf?info=02E6B(~~)B51D3527B7AF28B7394" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="play" value="true" />
<param name="loop" value="true" />
<param name="wmode" value="window" />
<param name="scale" value="showall" />
<param name="menu" value="true" />
<param name="devicefont" value="false" />
<param name="salign" value="" />
<param name="allowScriptAccess" value="sameDomain" />
</object>
<!--<![endif]-->
</object>
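The landing-page chain described above (a version probe in a1.html, the MS10-018 trigger in a2.html, a Flash embed with its payload in the query string in a3.html) is easy to sweep for once the string concatenation is folded back together. The following Python script is an added example written for this page, not code from the original post or from INCA Internet. The sample pages inside it are constructed: SAMPLE_A2 and SAMPLE_A3 follow the fragments quoted above, while SAMPLE_A1 is an assumed reconstruction of a version-gating page based only on the description of a1.html, and the info= value is a made-up placeholder.

```python
import re

# Constructed samples. SAMPLE_A2 / SAMPLE_A3 follow the fragments quoted above;
# SAMPLE_A1 is an assumed reconstruction of the version-gating page, not the real a1.html.
SAMPLE_A1 = '''<script>
var fl = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
var ver = fl.GetVariable("$version");
if (navigator.userAgent.indexOf("MSIE 6") > 0) { document.write('<iframe src="a2.html" width=0 height=0></iframe>'); }
else { document.write('<iframe src="a3.html" width=0 height=0></iframe>'); }
</script>'''

SAMPLE_A2 = '''<script>
function sclick()
{
var zmaqwekjsax = document.createElement("B"+"O"+"D"+"Y");
zmaqwekjsax.addBehavior("#"+"d"+"e"+"f"+"a"+"u"+"l"+"t"+"#"+"u"+"s"+"e"+"r"+"Da"+"t"+"a");
document.appendChild(zmaqwekjsax);
try { for (i=0;i<10;i++) { zmaqwekjsax.setAttribute('s',window); } } catch(e) {}
window.status+='';
}
</script>'''

SAMPLE_A3 = '''<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="550" height="400" id="test">
<param name="movie" value="basic.swf?info=0123456789ABCDEF0123456789ABCDEF" />
</object>'''

SAMPLE_BENIGN = '''<html><body><script>document.title = "Melon";</script><p>Welcome</p></body></html>'''

_DQ = re.compile(r'"([^"\n]*)"\s*\+\s*"([^"\n]*)"')
_SQ = re.compile(r"'([^'\n]*)'\s*\+\s*'([^'\n]*)'")

def fold_string_concat(src: str) -> str:
    """Turn "B"+"O"+"D"+"Y" back into "BODY" so signatures can match the real string."""
    prev = None
    while prev != src:
        prev = src
        src = _DQ.sub(r'"\g<1>\g<2>"', src)
        src = _SQ.sub(r"'\g<1>\g<2>'", src)
    return src

# Indicators in the order they are reported. Names are this example's own labels.
RULES = [
    ("flash-version-probe", re.compile(r'ShockwaveFlash\.ShockwaveFlash|GetVariable\(\s*"\$version"', re.I)),
    ("hidden-iframe-chain", re.compile(r'<iframe[^>]*\bsrc=["\'][^"\']+\.html?["\'][^>]*(?:width|height)=["\']?0', re.I)),
    ("ms10-018-userdata-trigger", re.compile(r'addBehavior\(\s*["\']#default#userData["\']', re.I)),
    ("setattribute-spray-loop", re.compile(r'for\s*\([^)]*\)\s*\{?\s*\w+\.setAttribute\(', re.I)),
    ("flash-activex-embed", re.compile(r'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000', re.I)),
    ("swf-with-hex-payload-param", re.compile(r'\.swf\?\w+=[0-9a-f]{16,}', re.I)),
]

def scan_page(src: str) -> list:
    """Return the names of every indicator that fires on the de-concatenated page."""
    folded = fold_string_concat(src)
    return [name for name, rx in RULES if rx.search(folded)]

def is_exploit_landing(src: str) -> bool:
    """Treat a page as an exploit landing page only when an actual trigger is present,
    not merely a version probe or a plain Flash embed (both occur on legitimate sites)."""
    hits = set(scan_page(src))
    return bool(hits & {"ms10-018-userdata-trigger", "swf-with-hex-payload-param"})

if __name__ == "__main__":
    for label, page in (("a1", SAMPLE_A1), ("a2", SAMPLE_A2), ("a3", SAMPLE_A3), ("benign", SAMPLE_BENIGN)):
        print("%-6s exploit=%-5s %s" % (label, is_exploit_landing(page), ", ".join(scan_page(page)) or "-"))
```

Folding the concatenation first matters: the MS10-018 signature `#default#userData` never appears literally in a2.html, so a scanner that does not normalise the source misses it.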


The following figure shows the internal code of the SWF file, which contains the malicious code launched by the script. It also shows the shellcode (LoadLibrary call, download of the malicious file disguised as the Melon player) and its decoded form.



* Adobe Flash Player latest security update
http://www.adobe.com/go/getflash

* Malicious file masquerading as Melon Player 3.0

Finally, the malicious script and SWF file download a file named "fatt.txt". At first glance it looks like a text file, but after a decoding step it becomes a .EXE file that carries out the infection.

The following image compares the properties of the masquerading malicious file with those of the legitimate Melon Player 3.0 installer.
 

The legitimate Melon player installer is named "MelonSetup"; it is an integrated installer and therefore carries no version information.

When the decoded "fatt.txt" runs, it drops a copy of itself and registers that copy in a Run key:
  
* Generated file
- C:\WINDOWS\winntp\cr.exe (239,108 bytes)

* Registered registry value
- Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Name : HKLM
- Data : "C:\WINDOWS\winntp\cr.exe"
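Two host-side checks follow from the description above: whether a downloaded "text" file is really an executable, and whether a Run value points at a dropped copy such as C:\WINDOWS\winntp\cr.exe. The Python below is an added example for this page, not code from the post or from INCA Internet. The page does not describe how fatt.txt is decoded, so the example assumes a single-byte XOR encoding (a common choice in such droppers) and reports nothing if that assumption does not hold; the PE blob, the XOR key and the Run entries it works on are constructed.

```python
import struct

WINDOWS_DIR = r"c:\windows"
# Children of the Windows directory where an autostart binary is expected (assumption /
# allow-list for this example). Anything else directly under it, such as \winntp\, is suspect.
EXPECTED_WINDIR_CHILDREN = {"system32", "syswow64", "system", "explorer.exe"}
HIVE_LIKE_NAMES = {"HKLM", "HKCU", "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"}

def looks_like_pe(blob: bytes):
    """Return (machine, number_of_sections) if blob has a valid MZ -> e_lfanew -> PE chain, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", blob, e_lfanew + 4)
    return machine, nsections

def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)

def recover_hidden_pe(blob: bytes):
    """Try the blob as-is, then every single-byte XOR key (assumed encoding).
    Returns (key, decoded_bytes) on success, or None if no key yields a PE header."""
    for key in range(256):
        candidate = blob if key == 0 else xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None

def image_path(command: str) -> str:
    """Pull the executable path out of a Run value: a quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]

def suspicious_run_entries(entries):
    """entries: iterable of (value_name, command) read from the Run key.
    Returns [(value_name, path, [reasons])] for entries matching the pattern reported above."""
    flagged = []
    for name, command in entries:
        path = image_path(command)
        reasons = []
        if name.upper() in HIVE_LIKE_NAMES:
            reasons.append("value name mimics a registry hive")
        low = path.lower()
        if low.startswith(WINDOWS_DIR + "\\"):
            first = low[len(WINDOWS_DIR) + 1:].split("\\")[0]
            if first not in EXPECTED_WINDIR_CHILDREN:
                reasons.append("binary in a non-standard folder under the Windows directory")
        if reasons:
            flagged.append((name, path, reasons))
    return flagged

# ---- constructed test data (not the real fatt.txt) --------------------------
XOR_KEY = 0x5A

def build_fake_pe() -> bytes:
    """A minimal DOS header + PE signature + IMAGE_FILE_HEADER: headers only, no code."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x010F)      # i386, 3 sections
    return dos + b"PE\0\0" + file_header + b"\x00" * 0xE0

FAKE_FATT_TXT = xor_bytes(build_fake_pe(), XOR_KEY)   # what the "text" download looks like on disk

SAMPLE_RUN_ENTRIES = [
    ("HKLM", r'"C:\WINDOWS\winntp\cr.exe"'),                                      # the IOC above
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),                            # benign
    ("Adobe Reader Speed Launcher", r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
]

if __name__ == "__main__":
    found = recover_hidden_pe(FAKE_FATT_TXT)
    if found:
        key, pe = found
        machine, sections = looks_like_pe(pe)
        print("hidden PE recovered with XOR key 0x%02X: machine=0x%X sections=%d" % (key, machine, sections))
    for name, path, reasons in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print("suspicious Run value %r -> %s: %s" % (name, path, "; ".join(reasons)))
```

The PE check insists on the full MZ/e_lfanew/PE chain rather than just the two leading bytes, so a random XOR key that happens to produce "MZ" does not count as a hit.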

Once this file is running it can send collected information, download additional malicious files, or act as a backdoor while it keeps a session open to the attacker, as shown in the following figure.
  

3. How to prevent

As described above, this type of malware, spread in order to steal online game accounts, keeps appearing in new variants. Because it is distributed through popular social commerce sites, the number of infected users can grow considerably and large financial losses can follow.

In particular, it is hard for an ordinary user to tell whether a PC is infected, because this malware installs itself silently. To stay safe from malware spread this way, we recommend the following security management tips for general users.
  
Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security vendor, keep its engine updated, and keep real-time protection enabled.
3. Do not open or download attachments from suspicious e-mail.
4. Be careful with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal with its nProtect products for the malicious files described above and operates a response system against a wide range of security threats.

Diagnosis names

- Script-JS/W32.Agent.AAD
- Script-JS/W32.Agent.CGF
- Script-JS/W32.Agent.CHI
- Trojan-Exploit/W32.SWFlash.3436
- Trojan-Exploit/W32.SWFlash.3437.B
- Trojan/W32.Buzus.239108
 

6/20/2011

[Warning] Variants of malware that replace Windows system files are increasing

1. Introduction

Users should currently pay particular attention to widespread malware that steals online game account information.
Once a PC is infected, account information is leaked and Internet Explorer may terminate abnormally.
Moreover, because new variants are released continuously, anti-virus detection alone has its limits.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

2. Spreading path and symptoms of infection

This malware is spread mainly at weekends through domestic file-sharing sites. Ordinary users visit file-sharing sites far more often at weekends than on weekdays, so the scope of infection grows accordingly.

The malware author and distributor exploit a vulnerability in the domestic file-sharing site to insert a malicious URL that downloads and executes additional malware.

After that, a user is infected simply by visiting the tampered website, and online game account information is easily stolen.

The image below shows the decrypted malicious script that the malicious URL inserts into the file-sharing site.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

* Decrypted malicious Script



━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

As with the tampered domestic social commerce site mentioned earlier, another feature is that it tries to download and execute additional malware using IE and Flash vulnerabilities.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

* Malicious code in the malicious Flash file (after character conversion)


Part of the malicious Flash file's code is also used to set up the download of further malicious components.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

After this procedure an original Windows system file is replaced, and online game accounts can be stolen through the malicious functions it adds.
   

* Generated files
- (User temporary folder)\nsp9.tmp\SelfDel.dll
- (User temporary folder)\ws2help.dll
- (Program folder)\%NXU32YHysu3YDU3IDd46TGh%\6549302827346110393.exe
- (Windows system folder)\(yyyymmddhhmmss).dll (e.g. 2011619162132.dll)
- (Windows system folder)\ws2help.dll
- (Windows system folder)\ws3help.dll (the normal file)

* The user temporary folder is normally C:\Documents and Settings\(user account)\Local Settings\Temp.

* The Windows system folder is normally C:\WINDOWS\SYSTEM on Windows 95/98/ME, C:\WINNT\SYSTEM32 on Windows NT/2000, and C:\WINDOWS\SYSTEM32 on Windows XP.
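The file list above is a usable set of indicators on its own: a ws2help.dll sitting next to a ws3help.dll in the system folder, a DLL whose name is a bare timestamp, a digits-only executable in a randomly named program folder, and the installer leftovers in the temp folder. The Python below is an added example for this page, not code from the post or from INCA Internet; it runs those checks over a constructed directory listing so it works offline, and the folder locations at the top are assumptions for a Windows XP layout.

```python
import re
from datetime import datetime

# Assumed locations (Windows XP layout); adjust for the host being examined.
SYSTEM_DIR = r"c:\windows\system32"
TEMP_DIR = r"c:\documents and settings\user\local settings\temp"
PROGRAM_FILES = r"c:\program files"

TIMESTAMP_DLL = re.compile(r"^\d{13,14}\.dll$")   # 13 digits: unpadded like 2011619162132; 14: padded
DIGITS_EXE = re.compile(r"^\d{10,}\.exe$")
NSIS_TEMP_DIR = re.compile(r"^ns[a-z0-9]+\.tmp$")  # NSIS installer scratch folder (nsXXXX.tmp)

def _dirname(path):
    return path.rsplit("\\", 1)[0] if "\\" in path else ""

def _basename(path):
    return path.rsplit("\\", 1)[-1]

def plausible_timestamp(dll_name):
    """True if a digits-only DLL name parses as yyyymmddhhmmss (zero-padded or not)."""
    try:
        datetime.strptime(dll_name[:-4], "%Y%m%d%H%M%S")
        return True
    except ValueError:
        return False

def triage_listing(paths):
    """paths: iterable of full file paths. Returns a sorted list of (indicator, path) tuples
    for the ws2help.dll replacement pattern described above. Case-insensitive."""
    low = [p.lower() for p in paths]
    names_in_sys = {_basename(p) for p in low if _dirname(p) == SYSTEM_DIR}
    findings = []
    for p in low:
        d, n = _dirname(p), _basename(p)
        if d == SYSTEM_DIR:
            # A lone ws2help.dll is legitimate; ws2help.dll *plus* ws3help.dll is the swap.
            if n == "ws2help.dll" and "ws3help.dll" in names_in_sys:
                findings.append(("ws2help.dll coexisting with ws3help.dll in the system folder", p))
            elif TIMESTAMP_DLL.match(n) and plausible_timestamp(n):
                findings.append(("timestamp-named DLL in system folder", p))
        elif n == "ws2help.dll":
            findings.append(("ws2help.dll outside the system folder", p))
        elif n == "selfdel.dll" and NSIS_TEMP_DIR.match(_basename(d)) and _dirname(d) == TEMP_DIR:
            findings.append(("NSIS self-delete stub in temp folder", p))
        elif DIGITS_EXE.match(n) and d.startswith(PROGRAM_FILES + "\\"):
            findings.append(("digits-only executable in a program folder", p))
    return sorted(findings)

# Constructed listing mirroring the "Generated files" list above, plus some benign files.
SAMPLE_LISTING = [
    TEMP_DIR + r"\nsp9.tmp\SelfDel.dll",
    TEMP_DIR + r"\ws2help.dll",
    PROGRAM_FILES + r"\%NXU32YHysu3YDU3IDd46TGh%\6549302827346110393.exe",
    SYSTEM_DIR + r"\2011619162132.dll",
    SYSTEM_DIR + r"\ws2help.dll",
    SYSTEM_DIR + r"\ws3help.dll",
    SYSTEM_DIR + r"\kernel32.dll",
    SYSTEM_DIR + r"\ctfmon.exe",
]

# A clean XP system folder also contains ws2help.dll; without ws3help.dll it must not fire.
CLEAN_LISTING = [
    SYSTEM_DIR + r"\ws2help.dll",
    SYSTEM_DIR + r"\kernel32.dll",
    TEMP_DIR + r"\nsa1.tmp\modern-wizard.bmp",
]

if __name__ == "__main__":
    for indicator, path in triage_listing(SAMPLE_LISTING):
        print("%-62s %s" % (indicator, path))
```

The timestamp check accepts the unpadded form the page shows (2011619162132 for 2011-06-19 16:21:32) as well as a zero-padded one, because strptime tolerates single-digit month and day fields.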

Account information for the following online games can be leaked by this malware.
 
* Online games whose account information is targeted
- dnf.exe (Dungeon & Fighter)
- MapleStory.exe (MapleStory)
- FF2Client.exe (FIFA Online 2)
- lin.bin (Lineage)
- DarkBlood.exe (Dark Blood)
- heroes.exe (Mabinogi Heroes)
- LOB.exe (Legend of Blood)
- x2.exe (Elsword)

* OTP module monitored
- PCOTP.exe

The malware also contains a function that terminates specific anti-virus software.
 

3. How to prevent

This malware is spread mainly at weekends through file-sharing sites, so the problem is expected to recur frequently; and many users visit file-sharing sites and play online games on weekdays as well. To stay safe from malware spread this way, we recommend the following security management tips for general users.
 
Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security vendor, keep its engine updated, and keep real-time protection enabled.
3. Do not open or download attachments from suspicious e-mail.
4. Be careful with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal for the malicious files described above and operates a response system against a wide range of security threats.

Diagnosis names

- Script-JS/W32.Agent.CFH
- Script-JS/W32.Agent.CFE
- Trojan-Exploit/W32.SWFlash.3467.JT
- Script-JS/W32.Agent.CFG
- Trojan/W32.Agent.85104.B
- Script-JS/W32.Agent.ZV
- Trojan/W32.Agent.44096.IJ
- Trojan/W32.Agent.33588742.B
- Trojan/W32.Agent.33600522
 


6/17/2011

[Warning] Malicious Android file disguised as a Flash Player detected



1. Introduction

A malicious Android application masquerading as a Flash Player-related application has been found, and users are urged to take precautions.
The app imitates Flash Player, including a similar icon, runs in the background without showing any screen, and carries out a range of malicious actions.
On an infected device, smartphone information and SMS messages can be leaked.
Users should therefore be careful when downloading and installing applications.
 


2. Spreading path and symptoms of infection

This malicious application is spread through black markets and third-party markets; it can also be downloaded and installed through a malicious URL or an e-mail attachment.

* Features visible when the malicious application is installed

The application shows the following permission request screen during installation.


The following image shows part of the permission declaration.
See "Permission explanation" for details.



* Permission explanation

- android.permission.INTERNET -> use the internet
- android.permission.SEND_SMS -> send SMS
- android.permission.RECEIVE_SMS -> receive SMS
- android.permission.WRITE_SMS -> write SMS
- android.permission.READ_SMS -> read SMS
- android.permission.READ_PHONE_STATE -> read phone information (e.g. IMEI)
- android.permission.WRITE_EXTERNAL_STORAGE -> save data to the SD card
- android.permission.MODIFY_AUDIO_SETTINGS -> change audio settings

There are other malicious applications with the same behaviour that do not masquerade as Flash Player, as in the following image.


These malicious applications also use the disguised icon shown below, and they show no screen when run.




After installation the malicious application runs as a service and starts its malicious actions after a certain delay.

* Names under which the malicious application is spread
- FlashCom
- FlashP29
- Flashpom
- MMS29

* Detailed analysis of symptoms
 

The following figure shows how smartphone information such as the IMEI is collected and used.



The collected IMEI may be used to create a cloned phone, the most common use in this family. The application also collects the list of installed applications with the following code.


The code above obtains the application list. It collects information on every installed application, writes it to the SD card, and sends it to an external site after a certain delay.

Analysis also showed that the application tries to leak SMS messages and caller numbers to an external site.


The following figure is a capture of the packet that leaks the installed application list.


* Captured packet leaking the installed application list


- The complete application list of the infected smartphone can be leaked.

* Captured packet leaking phone information such as the IMEI and Android platform version
 

- The red box contains the leaked phone information; the blue box contains the IMEI.


In addition, the malicious application checks its own product name and version and tries to update itself if it is not the latest version.


3. How to prevent

Malicious applications are now spread in many variant forms, using techniques such as packaging tricks and masquerading as legitimate programs, and their number has increased significantly compared with previous years. As with most malicious applications, it is very hard for an ordinary user to notice an infection or its symptoms, so we recommend the following smartphone security management tips for general users.

Smartphone security management tips

1. Use anti-virus software from a trusted security vendor, keep its engine updated, and keep real-time protection enabled.
2. Download only applications that have been verified by many users.
3. Check downloaded applications with mobile anti-virus software before using them.
4. Do not visit suspicious or unknown sites from the smartphone.
5. Avoid opening MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not root or jailbreak the device.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal with nProtect Mobile for Android for the malicious application described above and operates a response system against a wide range of security threats.

* Diagnosis names added to the nProtect Mobile for Android product family

- Trojan-Spy/Android.CrWind.A
- Trojan-Spy/Android.CrWind.B
- Trojan-Spy/Android.CrWind.C
- Trojan-Spy/Android.CrWind.D

6/16/2011

[Material] Malicious Android file disguised as a Hello Kitty wallpaper application

1. Introduction


Found in March 2011, this malicious file is a repackaged version of an existing wallpaper application with malicious functions added.
It is a variant of the malware family previously reported as "ADRD" and, like most wallpaper applications, stays on the smartphone without an icon.
As a result the user cannot tell what the malicious application is doing on the device.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

2. Spreading path and symptoms of infection

* Comparison with the original application

Repackaged malicious applications of this kind are spread through black markets and third-party markets, and show a permission request screen during installation.


The following figure shows the permission declaration.


* Permission explanation

- android.permission.WRITE_APN_SETTINGS -> change APN settings
- android.permission.RECEIVE_BOOT_COMPLETED -> start a background task after reboot
- android.permission.ACCESS_NETWORK_STATE -> read the network state
- android.permission.READ_PHONE_STATE -> read smartphone information
- android.permission.WRITE_EXTERNAL_STORAGE -> write data to the SD card
- android.permission.INTERNET -> use the internet
- android.permission.MODIFY_PHONE_STATE -> modify phone state

This malicious application requires Android 2.1 or higher. It has no launcher icon after installation. The original application, by contrast, does not request these permissions, as the following image shows.
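Both Android posts on this page rely on the same manifest-level signals: a dangerous permission set (SMS control, phone identity plus internet, APN rewriting), a service or boot receiver, and the absence of a launcher activity. The Python below is an added example written for this page, not code from the posts or from INCA Internet. It parses a decoded AndroidManifest.xml as text (the form apktool or aapt produces) and runs those checks over constructed manifests modelled on the permission lists quoted for the fake Flash Player app and for this wallpaper variant; the package names, component names, the "Flash" label heuristic and the com.adobe. prefix it expects are all assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS", "android.permission.WRITE_SMS"}

# Constructed manifests modelled on the permission lists quoted on this page; not the real APKs.
FAKE_FLASH_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.flashp29.app">
  <uses-sdk android:minSdkVersion="7" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.WRITE_SMS" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
  <application android:label="Flash Player" android:icon="@drawable/icon">
    <service android:name=".MainService" />
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED" /></intent-filter>
    </receiver>
  </application>
</manifest>"""

WALLPAPER_VARIANT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.kitty.wallpaper">
  <uses-sdk android:minSdkVersion="7" />
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS" />
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.MODIFY_PHONE_STATE" />
  <application android:label="Hello Kitty Wallpaper">
    <service android:name=".BaseService" />
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED" /></intent-filter>
    </receiver>
  </application>
</manifest>"""

ORIGINAL_WALLPAPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.kitty.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER" />
  <application android:label="Hello Kitty Wallpaper">
    <activity android:name=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN" />
      <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter></activity>
  </application>
</manifest>"""

def parse_manifest(text):
    """Extract the fields the checks need from a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    return {
        "package": root.get("package") or "",
        "perms": {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")},
        "label": (app.get(ANDROID_NS + "label") if app is not None else "") or "",
        "has_launcher": any(c.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
                            for c in root.iter("category")),
        "has_service": root.find(".//service") is not None,
        "actions": {a.get(ANDROID_NS + "name") for a in root.iter("action")},
        "min_sdk": int(sdk.get(ANDROID_NS + "minSdkVersion", "1")) if sdk is not None else 1,
    }

def assess(text):
    """Return a list of finding strings; an empty list means none of the signals fired."""
    m = parse_manifest(text)
    p = m["perms"]
    findings = []
    if p & SMS_PERMS:
        findings.append("sms-control: " + ",".join(sorted(x.rsplit(".", 1)[1] for x in p & SMS_PERMS)))
    if "android.permission.READ_PHONE_STATE" in p and "android.permission.INTERNET" in p:
        findings.append("device-identity-exfil-path (READ_PHONE_STATE + INTERNET)")
    if "android.permission.WRITE_APN_SETTINGS" in p:
        findings.append("apn-rewrite-capable")
    boot = "android.intent.action.BOOT_COMPLETED" in m["actions"]
    # A wallpaper app legitimately has no launcher icon; the signal is "no icon AND something
    # that runs anyway" (a service or a boot receiver).
    if not m["has_launcher"] and (m["has_service"] or boot):
        findings.append("background-component-without-launcher" + (" (autostarts on boot)" if boot else ""))
    if "flash" in m["label"].lower() and not m["package"].startswith("com.adobe."):   # heuristic
        findings.append("flash-player-impersonation: label %r in package %s" % (m["label"], m["package"]))
    return findings

if __name__ == "__main__":
    for name, text in (("fake flash", FAKE_FLASH_MANIFEST), ("wallpaper variant", WALLPAPER_VARIANT_MANIFEST),
                       ("original wallpaper", ORIGINAL_WALLPAPER_MANIFEST)):
        print(name, "->", assess(text) or "no findings")
```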


However, if you open the "Applications" menu, the wallpaper application's icon can be found there. The original and tampered applications use the same icon.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

The following file trees show the differences between the original and the tampered application.


* Detailed analysis of symptoms

After download and installation, this malicious application steals the IMEI and IMSI with the following code.
 

It has also been confirmed that the collected information is sent periodically to a specific external site using AlarmManager.
 

Analysis of further behaviour, such as C&C server access, is still in progress; we will update this information once it is complete.

This malicious application differs from the earlier ADRD malware in how it downloads additional files: the external site URL and a specific variable are decrypted with the DES algorithm before the download is attempted.

The following figure shows the DES encryption code.
 

In addition, the application contains APN settings for CMWAP and UNIWAP and code that checks for them, so it is presumed to target Chinese users.

The following image shows the CMWAP/UNIWAP settings and part of the code that checks them.
 

These malicious functions run in the background and are set to start automatically on reboot.

The following images are identical for the malicious and the original application.
 

3. How to prevent

Recently spread malicious applications try to infect smartphones with techniques such as repackaging, double packaging, and attempted rooting. Many of them, like the one above, leave no icon, so an ordinary user has great difficulty working out what is happening on the device.

To use a smartphone safely despite these threats, we recommend the following smartphone security management tips for general users.
 
Smartphone security management tips

1. Use anti-virus software from a trusted security vendor, keep its engine updated, and keep real-time protection enabled.
2. Download only applications that have been verified by many users.
3. Check downloaded applications with mobile anti-virus software before using them.
4. Do not visit suspicious or unknown sites from the smartphone.
5. Avoid opening MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not root or jailbreak the device.


INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal with nProtect Mobile for Android for the malicious application described above and operates a response system against a wide range of security threats.

[Status of nProtect Mobile for Android diagnosis]

Trojan-Spy/Android.ADRD.D
 

6/15/2011

Microsoft Security Bulletin Summary for June 2011

1. Introduction

Microsoft (MS) has released its regular security updates for June 2011.
General users are strongly advised to apply the Windows security updates to stay safe from malware; this month's bulletins cover Internet Explorer, OLE Automation, Windows kernel-mode drivers, the Distributed File System, the SMB client and other components.

Microsoft Security Bulletin Summary for June 2011

 http://www.microsoft.com/technet/security/bulletin/ms11-jun.mspx

2. Updates details

[Important]
[MS11-037] Vulnerability in MHTML Could Allow Information Disclosure

Vulnerability: MHTML Mime-Formatted Request Vulnerability (CVE-2011-1894)


This security update resolves a publicly disclosed vulnerability in the MHTML protocol handler in Microsoft Windows. The vulnerability could allow information disclosure if a user opens a specially crafted URL from an attacker's web site. An attacker would have to convince the user to visit the web site, typically by getting them to follow a link in an e-mail message or Instant Messenger message.

◈ Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP1, SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based Systems and SP1
- Windows Server 2008 R2 for Itanium-based Systems and SP1

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-037.mspx



[Critical]
[MS11-038] Vulnerability in OLE Automation Could Allow Remote Code Execution


Vulnerability: OLE Automation Underflow Vulnerability (CVE-2011-0658)

This security update resolves a privately reported vulnerability in Microsoft Windows Object Linking and Embedding (OLE) Automation. The vulnerability could allow remote code execution if a user visits a Web site containing a specially crafted Windows Metafile (WMF) image. In all cases, however, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to convince users to visit a malicious Web site, typically by getting them to click a link in an e-mail message or Instant Messenger request.

◈ Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP1, SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based Systems and SP1
- Windows Server 2008 R2 for Itanium-based Systems and SP1

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-038.mspx



[Critical]
[MS11-039] Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution


Vulnerability: .NET Framework Array Offset Vulnerability (CVE-2011-0664)

This security update resolves a privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

◈ Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP1, SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based Systems and SP1
- Windows Server 2008 R2 for Itanium-based Systems and SP1

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-039.mspx



[Critical]
[MS11-040] Vulnerability in Threat Management Gateway Firewall Client Could Allow Remote Code Execution

Vulnerability: TMG Firewall Client Memory Corruption Vulnerability (CVE-2011-1889)


This security update resolves a privately reported vulnerability in the Microsoft Forefront Threat Management Gateway (TMG) 2010 Client, formerly named the Microsoft Forefront Threat Management Gateway Firewall Client. The vulnerability could allow remote code execution if an attacker leveraged a client computer to make specific requests on a system where the TMG firewall client is used.

◈ Affected Software

- Microsoft Forefront Threat Management Gateway 2010 Client

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-040.mspx



[Critical]
[MS11-041] Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution


Vulnerability: Win32k OTF Validation Vulnerability (CVE-2011-1873)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a network share (or visits a web site that points to a network share) containing a specially crafted OpenType font (OTF). In all cases, however, an attacker would have no way to force a user to visit such a web site or network share. Instead, an attacker would have to convince a user to visit the web site or network share, typically by getting them to click a link in an e-mail message or Instant Messenger message.

◈ Affected Software

- Windows XP Professional x64 Edition SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista x64 Edition SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based Systems and SP1
- Windows Server 2008 R2 for Itanium-based Systems and SP1

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-041.mspx



[Critical]
[MS11-042] Vulnerabilities in Distributed File System Could Allow Remote Code Execution

Vulnerability: DFS Memory Corruption Vulnerability (CVE-2011-1868)
DFS Referral Response Vulnerability (CVE-2011-1869)


This security update resolves two privately reported vulnerabilities in the Microsoft Distributed File System (DFS). The more severe of these vulnerabilities could allow remote code execution when an attacker sends a specially crafted DFS response to a client-initiated DFS request. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

◈ Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP1, SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based Systems and SP1
- Windows Server 2008 R2 for Itanium-based Systems and SP1

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-042.mspx



[Critical]
[MS11-043] Vulnerability in SMB Client Could Allow Remote Code Execution

Vulnerability: SMB Response Parsing Vulnerability (CVE-2011-1268)
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit the vulnerability, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.

◈ Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP1, SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based Systems and SP1
- Windows Server 2008 R2 for Itanium-based Systems and SP1

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-043.mspx



[Critical]
[MS11-044] Vulnerability in .NET Framework Could Allow Remote Code Execution

Vulnerability: .NET Framework JIT Optimization Vulnerability (CVE-2011-1271)

This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

◈ Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP1, SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32-bit and Windows Server 2008 for 32-bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium-based SP2
- Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium-based SP2

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-044.mspx



[Important]
[MS11-045] Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

Vulnerability: Excel Insufficient Record Validation Vulnerability (CVE-2011-1272)
Excel Improper Record Parsing Vulnerability (CVE-2011-1273)
Excel Out of Bounds Array Access Vulnerability (CVE-2011-1274)
Excel Memory Heap Overwrite Vulnerability (CVE-2011-1275)
Excel Buffer Overrun Vulnerability (CVE-2011-1276)
Excel WriteAV vulnerability (CVE-2011-1278)
Excel Out of Bounds WriteAV vulnerability (CVE-2011-1279)


This security update resolves eight privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-1272, CVE-2011-1273, and CVE-2011-1279. See the section "Frequently Asked Questions (FAQ) Related to This Security Update" for more information about how the Office File Validation feature can be configured to block the attack vectors. Microsoft Excel 2010 is only affected by CVE-2011-1273 described in this bulletin. The automated Microsoft Fix it solution, "Disable Edit in Protected View for Excel 2010," available in Microsoft Knowledge Base Article 2501584, blocks the attack vectors for exploiting CVE-2011-1273.

◈ Affected Software

- Microsoft Office XP SP3
- Microsoft Office 2003 SP3
- Microsoft Office 2007 SP2
- Microsoft Office 2010 ( 32-bit editions )
- Microsoft Office 2010 ( 64-bit editions )
- Microsoft InfoPath 2007 SP2
- Microsoft InfoPath 2010 ( 32-bit editions )
- Microsoft InfoPath 2010 ( 64-bit editions )
- Microsoft Excel Viewer
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-045.mspx



[Important]
[MS11-046] Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege

Vulnerability: Ancillary Function Driver Elevation of Privilege Vulnerability (CVE-2011-1249)


This security update resolves a publicly disclosed vulnerability in the Microsoft Windows Ancillary Function Driver (AFD). The vulnerability could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.

◈ Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP1, SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32-bit and Windows Server 2008 for 32-bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium-based SP2
- Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium-based SP2

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-046.mspx



[Important]
[MS11-047] Vulnerability in Hyper-V Could Allow Denial of Service

Vulnerability: VMBus Persistent DoS Vulnerability (CVE-2011-1872)

This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a specially crafted packet is sent to the VMBus by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to send specially crafted content from a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

◈ Affected Software

- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-047.mspx



[Important]
[MS11-048] Vulnerability in SMB Server Could Allow Denial of Service

Vulnerability: SMB Request Parsing Vulnerability (CVE-2011-1267)


This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit this vulnerability.

◈ Affected Software

- Windows Vista SP1, SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32-bit and Windows Server 2008 for 32-bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium-based SP2
- Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium-based SP2

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-048.mspx



[Important]
[MS11-049] Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure

Vulnerability: XML External Entities Resolution Vulnerability (CVE-2011-1280)


This security update resolves a privately reported vulnerability in Microsoft XML Editor. The vulnerability could allow information disclosure if a user opened a specially crafted Web Service Discovery (.disco) file with one of the affected software listed in this bulletin. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.

◈ Affected Software

- SQL Server 2005 SP3
- SQL Server 2005 x64 Edition SP3
- SQL Server 2005 for Itanium-based SP3
- SQL Server 2005 SP4
- SQL Server 2005 x64 Edition SP4
- SQL Server 2005 for Itanium-based SP4
- SQL Server 2005 Express Edition SP3
- SQL Server 2005 Express Edition SP4
- SQL Server 2005 Express Edition with Advanced SP3
- SQL Server 2005 Express Edition with Advanced SP4
- SQL Server Management Studio Express (SSMSE) 2005
- SQL Server Management Studio Express (SSMSE) 2005 x64 Edition
- SQL Server 2005 for 32-bit SP1
- SQL Server 2005 for x64-based SP1
- SQL Server 2008 for Itanium-based SP1
- SQL Server 2008 for 32-bit SP2
- SQL Server 2005 for x64-based SP2
- SQL Server 2008 for Itanium-based SP2
- SQL Server 2008 R2 for 32-bit
- SQL Server 2008 R2 for x64-based
- SQL Server 2008 R2 for Itanium-based

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-049.mspx



[Critical]
[MS11-050] Cumulative Security Update for Internet Explorer

Vulnerability: MIME Sniffing Information Disclosure Vulnerability (CVE-2011-1246)
DOM Manipulation Memory Corruption Vulnerability (CVE-2011-1251)
toStaticHTML Information Disclosure Vulnerability (CVE-2011-1252)
Drag and Drop Memory Corruption Vulnerability (CVE-2011-1254)
Time Element Memory Corruption Vulnerability (CVE-2011-1255)
DOM Modification Memory Corruption Vulnerability (CVE-2011-1256)
Drag and Drop Information Disclosure Vulnerability (CVE-2011-1258)
Layout Memory Corruption Vulnerability (CVE-2011-1260)
Selection Object Memory Corruption Vulnerability (CVE-2011-1261)
HTTP Redirect Memory Corruption Vulnerability (CVE-2011-1262)


This security update resolves eleven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

◈ Affected Software

- Internet Explorer 6 with Windows XP Service Pack 3
- Internet Explorer 6 with Windows XP Professional x64 Edition SP2
- Internet Explorer 6 with Windows Server 2003 SP2
- Internet Explorer 6 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 6 with Windows Server 2003 with SP2 for Itanium-based Systems
- Internet Explorer 7 with Windows XP SP3
- Internet Explorer 7 with Windows XP Professional x64 Edition SP2
- Internet Explorer 7 with Windows Server 2003 SP2
- Internet Explorer 7 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 7 with Windows Server 2003 with SP2 for Itanium-based Systems
- Internet Explorer 7 with Windows Vista SP1
- Internet Explorer 7 with Windows Vista SP2
- Internet Explorer 7 with Windows Vista x64 Edition SP1
- Internet Explorer 7 with Windows Vista x64 Edition SP2
- Internet Explorer 7 with Windows Server 2008 for 32-bit Systems
- Internet Explorer 7 with Windows Server 2008 for 32-bit Systems SP2
- Internet Explorer 7 with Windows Server 2008 for x64-based Systems
- Internet Explorer 7 with Windows Server 2008 for x64-based Systems SP2
- Internet Explorer 7 with Windows Server 2008 for Itanium-based Systems
- Internet Explorer 7 with Windows Server 2008 for Itanium-based Systems SP2
- Internet Explorer 8 with Windows XP SP3
- Internet Explorer 8 with Windows XP Professional x64 Edition SP2
- Internet Explorer 8 with Windows Server 2003 SP2
- Internet Explorer 8 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 8 with Windows Vista SP1
- Internet Explorer 8 with Windows Vista SP2
- Internet Explorer 8 with Windows Vista x64 Edition SP1
- Internet Explorer 8 with Windows Vista x64 Edition SP2
- Internet Explorer 8 with Windows Server 2008 for 32-bit Systems
- Internet Explorer 8 with Windows Server 2008 for 32-bit Systems SP2
- Internet Explorer 8 with Windows 7 for 32-bit Systems
- Internet Explorer 8 with Windows 7 for x64-based Systems
- Internet Explorer 8 with Windows 2008 R2 for x64-based Systems
- Internet Explorer 8 with Windows 2008 R2 for Itanium-based Systems
- Internet Explorer 9 with Windows Vista SP2
- Internet Explorer 9 with Windows Vista x64 Edition SP2
- Internet Explorer 9 with Windows Server 2008 for 32-bit SP2
- Internet Explorer 9 with Windows Server 2008 for 64-bit SP2
- Internet Explorer 9 with Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Internet Explorer 9 with Windows 7 for x64-based and Windows 7 for x64-based SP1
- Internet Explorer 9 with Windows Server 2008 R2 for 64-bit and Windows Server 2008 R2 for 64-bit SP1

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-050.mspx



[Important]
[MS11-051] Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege

Vulnerability: Active Directory Certificate Services Vulnerability (CVE-2011-1264)


This security update resolves a privately reported vulnerability in Active Directory Certificate Services Web Enrollment. The vulnerability is a cross-site scripting (XSS) vulnerability that could allow elevation of privilege, enabling an attacker to execute arbitrary commands on the site in the context of the target user. An attacker who successfully exploited this vulnerability would need to send a specially crafted link and convince a user to click the link. In all cases, however, an attacker would have no way to force a user to visit the Web site. Instead, an attacker would have to persuade a user to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes the user to the vulnerable Web site.

◈ Affected Software

- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2008 for 32-bit and Windows Server 2008 for 32-bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-051.mspx



[Critical]
[MS11-052] Vulnerability in Vector Markup Language Could Allow Remote Code Execution

Vulnerability: VML Memory Corruption Vulnerability (CVE-2011-1266)

This security update resolves a privately reported vulnerability in the Microsoft implementation of Vector Markup Language (VML). This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients; and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers. Internet Explorer 9 is not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

◈ Affected Software

- Internet Explorer 6 with Windows XP Service Pack 3
- Internet Explorer 6 with Windows XP Professional x64 Edition SP2
- Internet Explorer 6 with Windows Server 2003 SP2
- Internet Explorer 6 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 6 with Windows Server 2003 with SP2 for Itanium-based Systems
- Internet Explorer 7 with Windows XP SP3
- Internet Explorer 7 with Windows XP Professional x64 Edition SP2
- Internet Explorer 7 with Windows Server 2003 SP2
- Internet Explorer 7 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 7 with Windows Server 2003 with SP2 for Itanium-based Systems
- Internet Explorer 7 with Windows Vista SP1
- Internet Explorer 7 with Windows Vista SP2
- Internet Explorer 7 with Windows Vista x64 Edition SP1
- Internet Explorer 7 with Windows Vista x64 Edition SP2
- Internet Explorer 7 with Windows Server 2008 for 32-bit Systems
- Internet Explorer 7 with Windows Server 2008 for 32-bit Systems SP2
- Internet Explorer 7 with Windows Server 2008 for x64-based Systems
- Internet Explorer 7 with Windows Server 2008 for x64-based Systems SP2
- Internet Explorer 7 with Windows Server 2008 for Itanium-based Systems
- Internet Explorer 7 with Windows Server 2008 for Itanium-based Systems SP2
- Internet Explorer 8 with Windows XP SP3
- Internet Explorer 8 with Windows XP Professional x64 Edition SP2
- Internet Explorer 8 with Windows Server 2003 SP2
- Internet Explorer 8 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 8 with Windows Vista SP1
- Internet Explorer 8 with Windows Vista SP2
- Internet Explorer 8 with Windows Vista x64 Edition SP1
- Internet Explorer 8 with Windows Vista x64 Edition SP2
- Internet Explorer 8 with Windows Server 2008 for 32-bit Systems
- Internet Explorer 8 with Windows Server 2008 for 32-bit Systems SP2
- Internet Explorer 8 with Windows 7 for 32-bit Systems
- Internet Explorer 8 with Windows 7 for x64-based Systems
- Internet Explorer 8 with Windows 2008 R2 for x64-based Systems
- Internet Explorer 8 with Windows 2008 R2 for Itanium-based Systems

- Reference site
http://www.microsoft.com/technet/security/bulletin/MS11-052.mspx