Alert – Critical Product Vulnerability – March 2011 Microsoft Security Bulletin Release

What is the purpose of this alert?

This alert is to provide you with an overview of the new security bulletin(s) being released on March 08, 2011. Security bulletins are released monthly to resolve critical problem vulnerabilities.

New Security Bulletins

Microsoft is releasing the following three new security bulletins for newly discovered vulnerabilities:

 

Bulletin ID: MS11-015
Bulletin Title: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
Max Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows XP, Windows Vista, Windows 7, Windows Server 2008 R2, and Windows Media Center TV Pack for Windows Vista.

Bulletin ID: MS11-016
Bulletin Title: Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047)
Max Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Groove 2007

Bulletin ID: MS11-017
Bulletin Title: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)
Max Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Summaries for new bulletin(s) may be found at https://www.microsoft.com/technet/security/bulletin/MS11-mar.mspx.

 

Microsoft Windows Malicious Software Removal Tool

Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU), and the Download Center. Information on the Microsoft Windows Malicious Software Removal Tool is available at https://support.microsoft.com/?kbid=890830.

 

High Priority Non-Security Updates

High-priority non-security updates that Microsoft releases on Microsoft Update (MU), Windows Update (WU), or Windows Server Update Services (WSUS) will be detailed in the KB article found at https://support.microsoft.com/?id=894199.

 

Public Bulletin Webcast

 

Microsoft will host a webcast to address customer questions on these bulletins:

Title: Information about Microsoft March Security Bulletins (Level 200)

Date: Wednesday, March 09, 2011, 11:00 A.M. Pacific Time (U.S. and Canada)

URL: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032455049

 

NEW SECURITY BULLETIN TECHNICAL DETAILS

 

In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle website at https://support.microsoft.com/lifecycle/.

 

Bulletin Identifier: Microsoft Security Bulletin MS11-015
Bulletin Title: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
Executive Summary: This security update resolves one publicly disclosed vulnerability in DirectShow and one privately reported vulnerability in Windows Media Player and Windows Media Center. The more severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file.

The security update addresses the vulnerabilities by modifying the way library files and Windows media files are opened.

Severity Ratings and Affected Software: This security update is rated Critical for affected editions of Windows XP (including Windows XP Media Center Edition 2005); all supported editions of Windows Vista and Windows 7; and Windows Media Center TV Pack for Windows Vista. This security update is also rated Important for all supported editions of Windows Server 2008 R2 for x64-based systems.
Attack Vectors:
  • A specially crafted .dvr-ms file.
  • A legitimate WMP file that is located in the same directory as a specially crafted dynamic link library (DLL) file.
  • A maliciously crafted DLL.
Mitigating Factors:
  • A user must visit a remote file system location or WebDAV share and open a WMP file.
  • SMB is commonly disabled on perimeter firewalls.
  • Users must be persuaded to visit a malicious site.
  • Exploit only gains the logged-on account user rights.
  • Cannot be exploited automatically through email, because a user must open an attachment that is sent in an email message.
Restart Requirement: May require restart.
Bulletins Replaced by This Update: None
Full Details: https://www.microsoft.com/technet/security/bulletin/MS11-015.mspx

Bulletin Identifier: Microsoft Security Bulletin MS11-016
Bulletin Title: Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047)
Executive Summary: This security update resolves a publicly disclosed vulnerability in Microsoft Groove that could allow remote code execution if a user opens a legitimate Groove-related file that is located in the same network directory as a specially crafted library file.

The update addresses this vulnerability by correcting the manner in which Microsoft Groove 2007 loads external libraries.

Severity Ratings and Affected Software: This security update is rated Important for Microsoft Groove 2007 Service Pack 2.
Attack Vectors:
  • A legitimate Groove-related file (such as a .vcg or .gta file) that is located in the same directory as a specially crafted dynamic link library (DLL) file.
  • A maliciously crafted DLL.
Mitigating Factors:
  • Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a Groove-related file (such as a .vcg or .gta file).
  • SMB is commonly disabled on the perimeter firewall.
Restart Requirement: May require restart.
Bulletins Replaced by This Update: None
Full Details: https://www.microsoft.com/technet/security/bulletin/MS11-016.mspx

Bulletin Identifier: Microsoft Security Bulletin MS11-017
Bulletin Title: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)
Executive Summary: This security update resolves a privately reported vulnerability in Windows Remote Desktop Client. The vulnerability could allow remote code execution if a user opens a legitimate Remote Desktop configuration (.rdp) file located in the same network folder as a specially crafted library file.

The security update addresses the vulnerability by correcting the manner in which the Windows Remote Desktop Client loads external libraries.

Severity Ratings and Affected Software: This security update is rated Important for Remote Desktop Connection 5.2 Client, Remote Desktop Connection 6.0 Client, Remote Desktop Connection 6.1 Client, and Remote Desktop Connection 7.0 Client.
Attack Vectors:
  • A legitimate Remote Desktop configuration file (.rdp) that is located in the same directory as a specially crafted dynamic link library (DLL) file.
  • A maliciously crafted DLL.
Mitigating Factors:
  • For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a Remote Desktop configuration file (.rdp).
  • SMB is commonly disabled on the perimeter firewall.
Restart Requirement: May require restart.
Bulletins Replaced by This Update: None
Full Details: https://www.microsoft.com/technet/security/bulletin/MS11-017.mspx
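
All three bulletins list the same attack vector: a legitimate file opened from a directory that also holds a DLL. The following audit sketch is an added example, not part of the original alert and not Microsoft code; it walks a share or folder and reports directories where such files sit beside a DLL. The function names, the sample tree and the .wmv extension are assumptions made for illustration; only .vcg, .gta and .rdp come from the bulletins.

```python
import os
from pathlib import Path

# Extensions the bulletins name for the "legitimate file beside a DLL" vector:
# Groove (.vcg, .gta) in MS11-016 and Remote Desktop (.rdp) in MS11-017.
# MS11-015 gives no extension for "WMP file", so media types must be passed in.
DEFAULT_TRIGGERS = frozenset({".vcg", ".gta", ".rdp"})


def find_colocated_dlls(root, triggers=DEFAULT_TRIGGERS):
    """Return one finding per directory under root that holds both a trigger
    document and at least one DLL, sorted by directory path."""
    triggers = {t.lower() for t in triggers}
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        docs, dlls = [], []
        for name in filenames:
            ext = Path(name).suffix.lower()  # extensions match case-insensitively
            if ext == ".dll":
                dlls.append(name)
            elif ext in triggers:
                docs.append(name)
        if docs and dlls:
            findings.append(
                {"dir": dirpath, "documents": sorted(docs), "dlls": sorted(dlls)}
            )
    return sorted(findings, key=lambda f: f["dir"])


def build_sample_tree(base):
    """Create a constructed sample share layout (empty files, made-up names)."""
    layout = {
        "projects/alpha": ["server.RDP", "helper.dll"],  # document beside a DLL
        "projects/beta": ["notes.txt", "plugin.dll"],    # DLL only
        "workspaces": ["team.vcg", "invite.gta"],        # documents only
        "media": ["show.wmv", "codec.DLL"],  # .wmv is an assumed media type
    }
    for rel, names in layout.items():
        folder = Path(base) / rel
        folder.mkdir(parents=True, exist_ok=True)
        for name in names:
            (folder / name).touch()
    return base


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for finding in find_colocated_dlls(build_sample_tree(tmp)):
            print(finding["dir"], finding["documents"], finding["dlls"])
```

A hit is a directory to review, not proof of a planted library; pass media extensions in the triggers argument to cover the Windows Media case from MS11-015.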

 

Regarding Information Consistency

 

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative.

 

If you have any questions regarding this alert, please contact your Technical Account Manager or Application Development Consultant.

Thank you,

 

Microsoft CSS Security Team