Microsoft issued its latest round of Patch Tuesday updates this week.
The company fixed a critical flaw in all supported versions of Windows. If exploited, the vulnerability could allow an attacker to distribute a specially-crafted Microsoft Digital Video Recording (.dvr-ms) file to remotely execute code on a system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Microsoft rated the patch Important for Windows Server 2008 R2 x64 installs.
- MS11-015. This bulletin resolves one Critical-level and one Important-level vulnerability affecting certain media files in all versions of Microsoft Windows. It has an Exploitability Index rating of 1. Due to the nature of the affected software, this bulletin carries a Critical-level severity rating for all affected client systems, but only an Important-level rating for Windows Server 2008 R2 for x64. Other versions of Windows Server – 2003, 2008 and 2008 R2 – are unaffected. For both the Critical- and Important-level vulnerabilities, an attacker would have to convince a user to open a maliciously crafted file for an attack to work.
Microsoft also issued fixes to address DLL preloading flaws in Office and Windows Remote Desktop Client:
- MS11-016 is a DLL-preloading issue affecting Microsoft Groove 2007 Service Pack 2, which makes this an Office bulletin. Versions 2007 and 2010 of Groove are unaffected, as is Microsoft SharePoint Workspace 2010.
- MS11-017 is also a DLL-preloading issue, in this instance in Microsoft Windows Remote Desktop Client. This security update is rated Important for Remote Desktop Connection 5.2 Client, Remote Desktop Connection 6.0 Client, Remote Desktop Connection 6.1 Client, and Remote Desktop Connection 7.0 Client.
Microsoft neglected to fix an unpatched vulnerability in all supported versions of Windows. The vulnerability affects Windows XP, Vista, Windows 7 and all supported Windows Server releases. The flaw exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. The vulnerability could allow an attacker to run script in the wrong security context. An attacker who successfully exploited it could inject a client-side script into the user’s Internet Explorer instance. The script could spoof content, disclose information, or take any action on the affected Web site that the targeted user could take.
Angela Gunn of Microsoft’s Trustworthy Computing team provided an update on the MHTML flaw. “Microsoft is actively monitoring the threat landscape in conjunction with our Microsoft Active Protections Program (MAPP) partners. We are currently working to provide a solution through our monthly security update release process and will continue to monitor the issue as we prepare that.”