AusCERT - ESB-2012.0444 - [Win][OSX] Microsoft Office, Microsoft Windows, Microsoft .NET Framework and Microsoft Silverlight: Multiple vulnerabilities

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2012.0444 - [Win][OSX] Microsoft Office, Microsoft Windows, Microsoft .NET Framework and Microsoft Silverlight: Multiple vulnerabilities
Date: 09 May 2012
References: ESB-2011.1106 ESB-2011.1235.2 ESB-2012.0540

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0444
       Combined Security Update for Microsoft Office, Windows, .NET
                   Framework, and Silverlight (2681578)
                                9 May 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Office
                   Microsoft Windows
                   Microsoft .NET Framework
                   Microsoft Silverlight
Publisher:         Microsoft
Operating System:  Windows
                   Mac OS X
Impact/Access:     Administrator Compromise        -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-1848 CVE-2012-0181 CVE-2012-0180
                   CVE-2012-0176 CVE-2012-0167 CVE-2012-0165
                   CVE-2012-0164 CVE-2012-0162 CVE-2012-0159
                   CVE-2011-3402  

Reference:         ESB-2011.1235.2
                   ESB-2011.1106

Original Bulletin: 
   http://technet.microsoft.com/en-us/security/bulletin/ms12-034

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS12-034 - Critical
Combined Security Update for Microsoft Office, Windows, .NET Framework, and 
Silverlight (2681578)

Published: Tuesday, May 08, 2012

Version: 1.0
General Information
Executive Summary

This security update resolves three publicly disclosed vulnerabilities and 
seven privately reported vulnerabilities in Microsoft Office, Microsoft 
Windows, the Microsoft .NET Framework, and Microsoft Silverlight. The most 
severe of these vulnerabilities could allow remote code execution if a user 
opens a specially crafted document or visits a malicious webpage that embeds 
TrueType font files. An attacker would have no way to force users to visit a 
malicious website. Instead, an attacker would have to convince users to visit 
the website, typically by getting them to click a link in an email message or 
Instant Messenger message that takes them to the attacker's website.

This security update is rated Critical for all supported releases of Microsoft 
Windows; for Microsoft .NET Framework 4, except when installed on Itanium-based 
editions of Microsoft Windows; and for Microsoft Silverlight 4 and Microsoft 
Silverlight 5. This security update is rated Important for Microsoft Office 
2003, Microsoft Office 2007, and Microsoft Office 2010. For more information, 
see the subsection, Affected and Non-Affected Software, in this section.

Affected Software

Windows XP Service Pack 3 (Tablet PC Edition 2005 Service Pack 3 only)
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 2
Microsoft Office 2007 Service Pack 3)
Microsoft Office 2010 (32-bit editions)
Microsoft Office 2010 Service Pack 1 (32-bit editions)
Microsoft Office 2010 (64-bit editions)
Microsoft Office 2010 Service Pack 1 (64-bit editions)
Microsoft Silverlight 4 when installed on Mac
Microsoft Silverlight 4 when installed on all supported releases of Microsoft 
  Windows clients
Microsoft Silverlight 4 when installed on all supported releases of Microsoft 
  Windows servers
Microsoft Silverlight 5 when installed on Mac
Microsoft Silverlight 5 when installed on all supported releases of Microsoft 
  Windows clients
Microsoft Silverlight 5 when installed on all supported releases of Microsoft 
  Windows servers

Vulnerability Information

TrueType Font Parsing Vulnerability - CVE-2011-3402

A remote code execution vulnerability exists in the way that affected
components handle a specially crafted TrueType font file. The vulnerability 
could allow remote code execution if a user opens a specially crafted TrueType 
font file. An attacker who successfully exploited this vulnerability could take 
complete control of an affected system. An attacker could then install 
programs; view, change, or delete data; or create new accounts with full user 
rights. Users whose accounts are configured to have fewer user rights on the 
system could be less impacted than users who operate with administrative user 
rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities 
and Exposures list, see CVE-2011-3402.

TrueType Font Parsing Vulnerability - CVE-2012-0159

A remote code execution vulnerability exists in the way that affected 
components handle a specially crafted TrueType font file. The vulnerability 
could allow remote code execution if a user opens a specially crafted TrueType 
font file. An attacker who successfully exploited this vulnerability could take
complete control of an affected system. An attacker could then install 
programs; view, change, or delete data; or create new accounts with full user 
rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities 
and Exposures list, see CVE-2012-0159.

.NET Framework Buffer Allocation Vulnerability - CVE-2012-0162

A remote code execution vulnerability exists in Microsoft .NET Framework that 
can allow a specially crafted Microsoft .NET Framework application to access 
memory in an unsafe manner. An attacker who successfully exploited this 
vulnerability could run arbitrary code in the security context of the logged-on 
user. An attacker could then install programs; view, change, or delete data; or 
create new accounts with full user rights. Users whose accounts are configured 
to have fewer user rights on the system could be less impacted than users who
operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities 
and Exposures list, see CVE-2012-0162.

.NET Framework Index Comparison Vulnerability - CVE-2012-0164

A denial of service vulnerability exists in the way that .NET Framework 
compares the value of an index. An attacker who successfully exploited this 
vulnerability could cause applications created using WPF APIs to stop 
responding until manually restarted. Note that the denial of service 
vulnerability would not allow an attacker to execute code or to elevate their 
user rights in any fashion.

To view this vulnerability as a standard entry in the Common Vulnerabilities 
and Exposures list, see CVE-2012-0164.

GDI+ Record Type Vulnerability - CVE-2012-0165

A remote code execution vulnerability exists in the way that GDI+ handles 
validation of specially crafted EMF images. The vulnerability could allow 
remote code execution if a user opens a specially crafted EMF image file. An 
attacker who successfully exploited this vulnerability could take complete 
control of an affected system. An attacker could then install programs; view, 
change, or delete data; or create new accounts with full user rights. Users 
whose accounts are configured to have fewer user rights on the system could be 
less impacted than users who operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities 
and Exposures list, see CVE-2012-0165.

GDI+ Heap Overflow Vulnerability - CVE-2012-0167

A remote code execution vulnerability exists in the way that the Office GDI+ 
library handles validation of specially crafted EMF images embedded within an 
Office document. The vulnerability could allow remote code execution if a user 
opens a specially crafted Office document. An attacker who successfully 
exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or 
create new accounts with full user rights. Users whose accounts are configured
to have fewer user rights on the system could be less impacted than users who 
operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities 
and Exposures list, see CVE-2012-0167.

Silverlight Double-Free Vulnerability - CVE-2012-0176

A remote code execution vulnerability exists in Microsoft Silverlight that can 
allow a specially crafted Silverlight application to access memory in an unsafe
manner. An attacker who successfully exploited this vulnerability could run 
arbitrary code in the security context of the logged-on user. An attacker could 
then install programs; view, change, or delete data; or create new accounts 
with full user rights. Users whose accounts are configured to have fewer user 
rights on the system could be less impacted than users who operate with 
administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities
and Exposures list, see CVE-2012-0176.

Windows and Messages Vulnerability - CVE-2012-0180

An elevation of privilege vulnerability exists in the way that the Windows 
kernel-mode driver manages the functions related to Windows and Messages 
handling. An attacker who successfully exploited this vulnerability could run 
arbitrary code in kernel mode. An attacker could then install programs; view, 
change, or delete data; or create new accounts with full administrative rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities
and Exposures list, see CVE-2012-0180.

Keyboard Layout File Vulnerability - CVE-2012-0181

An elevation of privilege vulnerability exists in the way that the Windows
kernel-mode driver manages Keyboard Layout files. An attacker who successfully 
exploited this vulnerability could run arbitrary code in kernel mode. An 
attacker could then install programs; view, change, or delete data; or create 
new accounts with full administrative rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities 
and Exposures list, see CVE-2012-0181.

Scrollbar Calculation Vulnerability - CVE-2012-1848

An elevation of privilege vulnerability exists in the Windows kernel-mode 
driver. An attacker who successfully exploited this vulnerability could run 
arbitrary code in kernel mode. An attacker could then install programs; view, 
change, or delete data; or create new accounts with full administrative rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities 
and Exposures list, see CVE-2012-1848.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT6m9cO4yVqjM2NGpAQKwnhAAlWmxOhDcCx3n/TY4sxcCTX2LENSwcxcF
goZgJ127dnbR9AGbjf1+6Qx0VnlmVlV39aI7KZJPP1NoOkfTMTSyxateUa6SU7ns
ZhhSqPG6APDS0fdjdUyTB3snZMRhay1bk5O8wvJs/h0beuOlj/qccN7q+gwwW96F
iUYv5nbH+6CrJvxyVLdxihXArM7I95sS3EBe0gK3epuqniZGidDeUev7eqdhvNRx
gZOxum+1oM0TI/uO6F54FSEYcf7ViOrwFROpjtqZXKQsxDJMVb1B6xx1m037fxoG
J+4lg4qOmTqbGq5P3SJGDccAvkepbhNPFViEWWELBR7nvUVXPgv5it6fsvCq0CWH
wbIfZ+6fhVUYwPUID4SMD6HEW2nYz51mI8FKh9fP0iexs7ps9MQBfDdh1GGg9mY8
5pQkgMAqKQpmgh9FmDDga78DS0XiIMKHqhIchMU4Wp9qGAKb7hvvzDhBCdarlCoi
OE2fPmJy4xyVCJs+nnZn5647Olu5CuQ86wShKwnFZM2iKjR9YXJtn3nIWx2X88nQ
WAwtRdoDMuPS/Si0FvAvu+JLxZ3S1DdehrN9q6D7y75nCN0TTZzTs2D/dX3RJ70E
Ap8lqE+8jCBtF5YD2QrzHxS79IQn4uDg7/MztrqzvV9H1yTs1gSJ9dOl0VP49nf5
iC5i4058JgY=
=Rsia
-----END PGP SIGNATURE-----