| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS11-057 (IE) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | SEB: All IE browsers - priority on workstations, not so on server – mandatory reboot - no known issues at this time |
| MS11-058 (DNS Server) | Attacker sends name resolution request to victim DNS server that is configured to issue requests to a malicious DNS server. Response from malicious DNS server to victim DNS server is improperly handled, resulting in denial of service on victim DNS server. | Critical | 3 | Unlikely to see exploits developed in next 30 days. | See SRD blog post for more information about exploitability and affected configurations (not all DNS servers will be vulnerable to potential attacks).<br>SEB: http://blogs.technet.com/b/srd/archive/2011/08/09/vulnerabilities-in-dns-server-could-allow-remote-code-execution.aspx<br>Since SBS doesn’t “publish” and expose our DNS externally I don’t see this as a big fat hairy deal. Given that many of us use DNS forwarders to our ISP or Open DNS, if this turns into a big fat hairy deal, the entire Internet is owned and it’s time to go back to paper cups and string.<br>I’ll ultimately patch, but I’m not freaking out. |
| MS11-063 (CSRSS) | Attacker running code on a machine already elevates from low-privileged account to SYSTEM. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | SEB: Stuxnet type of exploit – they have to be on your system already. No known issues – I’ll patch but I’m not freaking |
| MS11-062 (NDISTAPI) | Attacker running code on a machine already elevates from low-privileged account to SYSTEM. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | Windows Vista and later platforms not affected.<br>SEB: No known issues. XP and Server 2003 only.<br>Test this over an RDP session on your local box first – that may break your RDP patching connection but I’m not 100% sure – so test the remote patching experience before doing this on client boxes. |
| MS11-064 (TCP/IP DoS) | An attacker sends malicious network request causing victim system to bugcheck (blue screen). | Important | 3 | No exploit possible for code execution. This vulnerability has potential for denial-of-service only. | SEB: Denial of service only? Heck, I’m not worrying, they will go after someone bigger than I. I’ll patch but not freaking out. No known issues at this time. |
| MS11-065 (RDP) | An attacker sends a malicious remote desktop protocol connection request to victim that allows incoming remote desktop connections, causing victim’s system to bugcheck (blue screen). | Important | 3 | No exploit possible for code execution. This vulnerability has potential for denial-of-service only. | SEB: XP and 2003 only. I forgot to check if this makes the RWW kick a refresh of the ActiveX control. This is updating rdpwd.sys which as I recall does not kick a refresh/reoffering of the RWW control, but you might want to test the experience between a patched XP and an unpatched SBS 2003 just to be sure and/or only patch the server and the client at the same time.<br>RDP means – low priority for me, not freaking out. |
| MS11-060 (Visio) | Victim opens a malicious Visio document (VSD). | Important | 1 | Likely to see reliable exploits developed within next 30 days. | SEB: Low risk, no known issues, only on my machine, not widely deployed |
| MS11-066 (Chart Web Control) | An attacker targets a website that uses the Microsoft Chart Web Control. Attacker sends web request that incorrectly reveals content of file stored on the web server. | Important | 3 | No exploit possible for direct code execution. This vulnerability has potential for information disclosure only. | Websites not using the Microsoft Chart Control are not vulnerable.<br>.NET 4 UPDATE – SBS 2011 is officially the only version that should be offered it unless you sucked down .NET 4 or have an app that needs it. If you have it, patch it, but if you don’t have it, ignore this.<br>SEB: I HATE .NET<br>I don’t think we use Chart control<br>Info disclosure only means I DON’T CARE BECAUSE AN ATTACKER WOULD NEED CREDS TO GET THIS INFO<br>Known issues:<br>Known issues and additional information about this security update<br>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed under each article link.<br>2500170 (http://support.microsoft.com/kb/2500170/ ) MS11-066: Description of the security update for SQL Server 2008: August 9, 2011<br>The following are the known issues in security update 2500170. For more information about these known issues, see security update 2500170.<br>By default, this update tries to write a log file to a temp directory that is specified in the registry (`%USERPROFILE%\Local Settings\Temp`). If this directory does not exist or is unavailable, the installation will fail. To resolve this issue, try the following:<br>Run the installation from the command line, and provide the valid path of a directory to which the log file will be written. For example, run the following command, where the placeholder `<directory>` represents a valid directory path (for example, `C:\Temp`):<br>`MSChart_KB2500170.exe /log <directory>` |
| MS11-067 (Report Viewer Web Control XSS) | Victim clicks a link with embedded JavaScript causing the script to run in the context of the web site to which the link points. Target web site must have incorporated the Microsoft ReportViewer control. | Important | 3 | No exploit possible for direct code execution. This vulnerability has potential for information disclosure only. | Websites not using the Microsoft Report Viewer control could not be used to facilitate attack.<br>SEB: This only impacts Report Viewer 2005 which was WSUS 3 pre whatever service pack we’re on. If you have a WSUS SP2 / SBS 2008 or SBS 2011 you won’t get this offered.<br>Don’t think you’ll see this on SBS 2003 either but I’ll have to double check. |
| MS11-061 (Remote Desktop Web Access Login Page XSS) | Victim clicks a link with embedded JavaScript causing the script to run on the victim system in the context of the remote desktop web access server. | Important | 1 | Likely to see a XSS exploit, causing victim to run attacker-controlled JavaScript in context of an internal Remote Desktop Web Access webpage. | SEB: SBS 2011 only: KNOWN ISSUE DOCUMENTED – CANNOT BE UNINSTALLED. Anytime I see a “you cannot uninstall this security update” I go slow with a deployment. While this is not what SBS 2011 uses directly, there’s still no need to rush this out to boxes in a panic. |
| MS11-059 (DLL Preloading) | Victim browses to a malicious WebDAV or SMB share and opens Excel file that leverages MDAC to retrieve external data. Victim clicks through security dialog causing Excel to load a malicious DLL housed on the same WebDAV or SMB share. | Important | 1 | While exploiting DLL preloading cases is normally straightforward, we rarely see them exploited in the wild due to user interaction requirement. | SEB: Win8 and R2 only. No known issues, another one of those DLL preloading things that we’ll be patching until kingdom come. As long as you don’t open xlsx files from a malicious SharePoint/shared folder on a cloud somewhere you should be fine.<br>I’ll patch but I’m not freaking out.<br>No known issues at this time. |
| MS11-068 (Kernel) | Attacker already able to run code on a machine causes the machine to bugcheck (blue screen). | Moderate | n/a | No exploit possible for code execution. This vulnerability has potential for local denial-of-service only. | SEB: No known issues – denial of service means I’m not rushing this. XP 2003 not impacted. Attacker has to be on the machine already/I have bigger problems then. |
| MS11-069 (.NET Framework) | Victim browses to a malicious website that attempts to run a .NET XBAP managed code application on the victim’s system. A security warning will prevent unwitting execution of XBAP applications in the Internet Zone. | Moderate | n/a | Less likely to see real-world exploit due to security warning. | SEB: I HATE .NET – and to boot we have two non-security updates to deal with. Standard known issues of .NET rules apply.<br>Get the Aaron tool out as needed or decide the risk of non-patching isn't large enough and decide to not patch for this. |