Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


April 2011 Microsoft Black Tuesday Summary

Published: 2011-04-11
Last Updated: 2011-04-15 12:10:35 UTC
by Jim Clausing (Version: 4)
16 comment(s)

Here are the April 2011 Black Tuesday patches.  Enjoy!

Overview of the April 2011 Microsoft Patches and their status.

| # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) clients | ISC rating(*) servers |
|---|---|---|---|---|---|---|
| MS11-018 Cumulative Security Update for Internet Explorer (Replaces MS11-003) | Internet Explorer 6-8 | KB 2497640 | ACTIVELY EXPLOITED | Severity: Critical; Exploitability: 1,1,?,3,1 | PATCH NOW! | Critical |
| MS11-019 Vulnerabilities in SMB Client Could Allow Remote Code Execution (Replaces MS10-020) | | KB 2511455 | POC Available | Severity: Critical; Exploitability: 2,1 | Critical | Critical |
| MS11-020 Vulnerability in SMB Server Could Allow Remote Code Execution (Replaces MS10-012, MS10-054) | | KB 2508429 | No Known Exploits | Severity: Critical; Exploitability: 1 | | |
| MS11-021 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS10-080, MS10-087) | Office XP SP3-2010, Office 2004-2011 for Mac, Open XML File Format Converter, Excel Viewer SP2, Office Compatibility Pack for 2007 file formats | KB 2489279 | No Known Exploits | Severity: Important; Exploitability: 1,1,1,2,2,2,1,1,1 | Important | Important |
| MS11-022 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (Replaces MS09-017, MS10-036, MS10-087, MS10-088) | | KB 2489283 | No Known Exploits | Severity: Important; Exploitability: 2,2,1 | Important | Important |
| MS11-023 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (Replaces MS10-087) | Office XP - 2007, Office 2004 - 2008 for Mac, Open XML File Format Converter | KB 2489293 | POC Available | Severity: Important; Exploitability: 1,2 | Important | Important |
| MS11-024 Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution | Fax Services, Fax Server Role | KB 2527308 | POC Available | Severity: Important; Exploitability: 3 | Critical | Important |
| MS11-025 Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution | Visual Studio .NET 2003 - 2010, Visual C++ 2005 - 2010 Redistributable Package | KB 2500212 | No Known Exploits | Severity: Important; Exploitability: 1 | Important | Important |
| MS11-026 Vulnerability in MHTML Could Allow Information Disclosure | | KB 2503658 | ACTIVELY EXPLOITED | Severity: Important; Exploitability: 3 | PATCH NOW! | Important |
| MS11-027 Cumulative Security Update of ActiveX Kill Bits (Replaces MS10-034) | Windows XP - 7, Server 2003-2008 | KB 2508272 | POC Available | Severity: Critical; Exploitability: ?,?,? | Critical | Critical |
| MS11-028 Vulnerability in .NET Framework Could Allow Remote Code Execution (Replaces MS09-061, MS10-060, MS10-077) | .NET Framework (all supported versions) | KB 2484015 | No Known Exploits | Severity: Critical; Exploitability: 1 | Critical | Critical |
| MS11-029 Vulnerability in GDI+ Could Allow Remote Code Execution (Replaces MS09-062, MS10-087) | Windows XP-Vista, Windows Server 2003-2008, Office XP | KB 2489979 | No Known Exploits | Severity: Critical; Exploitability: 1 | Critical | Critical |
| MS11-030 Vulnerability in DNS Resolution Could Allow Remote Code Execution (Replaces MS08-020, MS08-037, MS08-066) | Windows XP - 7, Windows Server 2008 | KB 2509553 | No Known Exploits | Severity: Critical; Exploitability: 2 | Critical | Critical |
| MS11-031 Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (Replaces MS09-045, MS10-022, MS11-009) | OpenType Compact Font Format (CFF) driver | KB 2514666 | No Known Exploits | Severity: Critical; Exploitability: 2 | Critical | Important |
| MS11-032 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (Replaces MS11-007) | OpenType Compact Font Format (CFF) driver | KB 2507618 | No Known Exploits | Severity: Critical; Exploitability: 3 | Critical | Important |
| MS11-033 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (Replaces MS10-067) | Microsoft WordPad | KB 2485663 | No Known Exploits | Severity: Important; Exploitability: 1 | Important | Important |
| MS11-034 Elevation of Privilege Vulnerabilities in Windows Kernel-Mode Drivers (Replaces MS10-012) | Kernel Mode Drivers | KB 2506223 | No Known Exploits | Severity: Important; Exploitability: 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, 3, 1, 1, 1, 1 | Important | Important |


We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. The measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

SANS SEC401 coming to central OH in May, see


Yet another Adobe Flash/Reader/Acrobat 0 day

Published: 2011-04-11
Last Updated: 2011-04-11 22:33:13 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

Adobe announced that a so far unpatched vulnerability has been used in recent targeted attacks.

Flash Player is vulnerable, as is the Flash Player component used to execute Flash in Adobe Reader / Acrobat. Adobe Reader X is vulnerable but not exploitable.

At this time, according to Adobe, the attack is performed using Flash files embedded in Word documents. 

Note that Flash may be embedded in other Office document formats like Excel. Adobe is not planning on an out of band patch at this point, as Adobe Reader X is not exploitable.
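Since the diary's point is that the malicious Flash content rides inside Office documents (Word today, possibly Excel or others), a defender's first triage step is to check incoming documents for embedded SWF content. The following Python is an added example, not code from Adobe or from the ISC: it scans an OOXML container member by member (and a legacy binary file as a flat byte stream) for the three SWF header signatures. The sample .docx it builds in memory is constructed for the example; the version-byte plausibility limit is an assumption chosen to cut down accidental three-letter matches in ordinary text.

```python
import io
import zipfile

# Every SWF file begins with a 3-byte signature and a 1-byte version:
# "FWS" = uncompressed, "CWS" = zlib-compressed, "ZWS" = LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
MAX_PLAUSIBLE_SWF_VERSION = 50  # assumption: filters accidental matches in text


def find_swf_offsets(data: bytes) -> list:
    """Return sorted byte offsets in `data` where an SWF header appears.

    A hit requires a signature followed by a plausible version byte, which
    filters most accidental three-letter matches in ordinary text."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            idx = data.find(sig, start)
            if idx < 0:
                break
            if idx + 3 < len(data) and 1 <= data[idx + 3] <= MAX_PLAUSIBLE_SWF_VERSION:
                hits.append(idx)
            start = idx + 1
    return sorted(hits)


def scan_office_document(blob: bytes) -> dict:
    """Map container member name -> list of SWF header offsets found in it.

    OOXML documents (.docx/.xlsx/.pptx) are zip containers, so each member
    (typically something under word/embeddings/ or xl/embeddings/) is scanned
    on its own. Anything else (legacy .doc/.xls OLE files) is scanned as one
    flat byte stream under the pseudo-name "<raw>"."""
    findings = {}
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                offsets = find_swf_offsets(zf.read(name))
                if offsets:
                    findings[name] = offsets
    else:
        offsets = find_swf_offsets(blob)
        if offsets:
            findings["<raw>"] = offsets
    return findings


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal OOXML-style zip carrying a fake
    zlib-compressed SWF header (version 10) inside an embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin",
                    b"\x00" * 16 + b"CWS\x0a" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    # Expected: {'word/embeddings/oleObject1.bin': [16]}
    print(scan_office_document(build_sample_docx()))
```

A hit is a reason to quarantine and look closer, not proof of malice: legitimate documents can carry Flash too. The flat scan of legacy OLE files will miss an SWF whose header happens to be split across OLE sectors or wrapped in a further container, so treat a clean result as "nothing obvious" rather than "nothing there".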


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: adobe flash

Layer 2 DoS and other IPv6 Tricks

Published: 2011-04-11
Last Updated: 2011-04-11 18:28:18 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

IPv6, just like IPv4, is a layer 3 (Network Layer) protocol. However, it does depend on Layer 2 (Link Layer) to reach the next hop. Historically, Layer 2 has been a fertile attack breeding ground. Layer 2 protocols like Ethernet do not address these security issues and are built to be lightweight rather than secure. The assumption is that physical access to the network is restricted, and with that, physical access controls can be used to mitigate most Layer 2 risks.

Of course, this hasn't been true for most networks. Wireless access, access to unsecured network jacks in public areas and even remote access via compromised hosts inside the network have been shown to provide access to layer 2. 802.1x is probably the best option to mitigate most of these threats, but even 802.1x will not protect you from a compromised authenticated workstation, and 802.1x can be difficult to implement in many scenarios.

So how does this all apply to IPv6? One of the big changes in IPv6 is that ARP is replaced with the Neighbor Discovery Protocol (NDP). NDP is based on ICMPv6. In addition, Router Advertisements (RA) are used to configure hosts. 

Probably the most important thing to understand: neither NDP nor RA prevents, by default, any of the attacks we have seen against ARP or DHCP. Just as for ARP and DHCP, we need to be able to detect and mitigate spoofing.

NDP Spoofing

By default, NDP messages are not authenticated, just like ARP is not authenticated. In its simplest form, NDP can be used to impersonate a legitimate host on the local network to play man in the middle (MITM). MITM attacks work and can be applied just like with IPv4.

Variations of the attack can be used for denial of service as well. Just like for IPv4, an IPv6 host will check whether the address it is about to use is already in use (duplicate address detection). By simply answering these checks (the equivalent of "gratuitous ARP" in IPv4), an attacker is able to prevent a host from obtaining an address at all.

RA Spoofing

Router Advertisements replace DHCP in many cases and can be used to assign IP addresses. Spoofing router advertisements can help with MITM attacks, as the attacker is now pretending to be a router. In a regular IPv6 network, this may only be partially successful, as the rogue router is competing with legitimate routers. But by assigning itself a high priority and creating a DoS against the legitimate router, the attacker has a decent chance of succeeding.

Recently (see a few diaries back), this attack was demonstrated against IPv4 networks by combining it with NAT-PT and the preference of current operating systems to route over IPv6 if both IPv4 and IPv6 are available.

Of course, if you just spoof random RAs, you will be able to mess up hosts sufficiently that they stop responding at all.

Attack Tools

There is probably at least one tweet/slashdot/digg "event" a day advertising a new tool to implement these attacks. To save yourself some time: check out the THC IPv6 attack library. It already implements a lot of these tools, including a nice library to implement more. Implementing the same tools again in Scapy gets you some Python brownie points, though.


For the IPv4 versions of these attacks, many vendors implemented defenses, and there are open source tools like arpwatch to help you detect these attacks. In addition, we have just gotten used to watching out for these attacks and a reasonably skilled network admin is usually able to spot ARP spoofing.

For IPv6, we are a bit behind the curve when it comes to defenses. RFC 6105 outlines a mechanism called "RA Guard" [1] that can be used to identify legitimate routers and only allow RA messages from switch ports connected to authorized routers, just like we are used to when configuring DHCP Snooping.

RFC 3971 defines a mechanism called "SEND" (Secure Neighbor Discovery), which uses PKI to sign ND messages. In addition, cryptographically generated addresses (CGA) are used to avoid spoofing on the local network. However, this protocol is not yet widely implemented, and the overhead associated with it can cause DoS conditions itself.

Unlike ARP messages, the ICMPv6 messages could in principle be routed. However, a host is not supposed to accept any ND or RA message with a Hop Limit (the IPv6 equivalent of TTL) of less than 255, since a value below 255 shows the packet has crossed at least one router and did not originate on the local link.
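The two spoofing cases above (rogue Router Advertisements and Neighbor Advertisements that rebind an address to a new MAC) and the two host-side defenses just described (knowing which routers are authorized, as RA Guard does at the switch, and rejecting ND messages whose Hop Limit is not 255) can be combined into a small arpwatch-style sensor. The Python below is an added example, not THC's or the ISC's code: it parses the IPv6 fixed header and the RFC 4861 RA and NA formats with their link-layer address options, keeps a neighbor table, and emits alerts. The packets it builds are constructed for the example (checksums are left at zero and not validated), and the authorized router MAC is an assumed value.

```python
import struct
import ipaddress

# ICMPv6 type codes and ND option types from RFC 4861.
ND_ROUTER_ADVERT = 134
ND_NEIGHBOR_ADVERT = 136
OPT_SOURCE_LLADDR = 1
OPT_TARGET_LLADDR = 2
IPPROTO_ICMPV6 = 58


def _lladdr_option(opt_type, mac):
    # Link-layer address option: type, length in 8-byte units, 6-byte MAC.
    return struct.pack("!BB", opt_type, 1) + bytes.fromhex(mac.replace(":", ""))


def build_ipv6(payload, src, dst, hop_limit=255):
    """Wrap an ICMPv6 payload in a fixed IPv6 header (no extension headers)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), IPPROTO_ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_ra(router_mac, router_lifetime=1800):
    """Router Advertisement with a source link-layer option.
    The checksum field is left at 0: this sensor does not validate it."""
    fixed = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    return fixed + _lladdr_option(OPT_SOURCE_LLADDR, router_mac)


def build_na(target, target_mac):
    """Neighbor Advertisement (override flag set) binding `target` to `target_mac`."""
    fixed = struct.pack("!BBHI", ND_NEIGHBOR_ADVERT, 0, 0, 0x20000000)
    return fixed + ipaddress.IPv6Address(target).packed + _lladdr_option(OPT_TARGET_LLADDR, target_mac)


def parse_nd_options(data):
    """Return {option_type: option_body} for an ND TLV option block."""
    opts = {}
    while len(data) >= 8:
        opt_type, length = data[0], data[1]
        if length == 0:  # RFC 4861: a zero-length option is invalid, stop parsing
            break
        opts[opt_type] = data[2:length * 8]
        data = data[length * 8:]
    return opts


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw[:6]) if len(raw) >= 6 else "unknown"


class NDMonitor:
    """arpwatch-style sensor for IPv6 Neighbor Discovery on one segment."""

    def __init__(self, authorized_router_macs):
        self.authorized = {m.lower() for m in authorized_router_macs}
        self.neighbors = {}  # IPv6 address -> last advertised MAC

    def inspect(self, packet):
        """Return a list of alert strings for one IPv6 packet (empty = nothing suspicious)."""
        alerts = []
        if len(packet) < 40:
            return ["truncated IPv6 header"]
        _, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
        src = ipaddress.IPv6Address(packet[8:24])
        payload = packet[40:40 + payload_len]
        if next_header != IPPROTO_ICMPV6 or len(payload) < 4:
            return alerts
        icmp_type = payload[0]
        if icmp_type not in (ND_ROUTER_ADVERT, ND_NEIGHBOR_ADVERT):
            return alerts
        # RFC 4861 requires Hop Limit 255 on all ND messages; anything less has
        # crossed a router and must not be accepted.
        if hop_limit != 255:
            alerts.append(f"ND message from {src} with hop limit {hop_limit} (must be 255)")
        if icmp_type == ND_ROUTER_ADVERT:
            opts = parse_nd_options(payload[16:])
            mac = mac_str(opts.get(OPT_SOURCE_LLADDR, b""))
            if mac not in self.authorized:
                alerts.append(f"RA from unauthorized router {mac} ({src})")
        else:
            if len(payload) < 24:
                return alerts + ["truncated Neighbor Advertisement"]
            target = ipaddress.IPv6Address(payload[8:24])
            opts = parse_nd_options(payload[24:])
            if OPT_TARGET_LLADDR in opts:
                mac = mac_str(opts[OPT_TARGET_LLADDR])
                previous = self.neighbors.get(target)
                if previous is not None and previous != mac:
                    alerts.append(f"neighbor {target} moved from {previous} to {mac}")
                self.neighbors[target] = mac
        return alerts


if __name__ == "__main__":
    mon = NDMonitor(["00:11:22:33:44:55"])  # assumed authorized router MAC
    print(mon.inspect(build_ipv6(build_ra("00:11:22:33:44:55"), "fe80::1", "ff02::1")))
    print(mon.inspect(build_ipv6(build_ra("de:ad:be:ef:00:01"), "fe80::bad", "ff02::1")))
    print(mon.inspect(build_ipv6(build_na("2001:db8::10", "aa:bb:cc:dd:ee:01"), "fe80::10", "ff02::1")))
    print(mon.inspect(build_ipv6(build_na("2001:db8::10", "aa:bb:cc:dd:ee:02"), "fe80::99", "ff02::1")))
```

The "moved" alert is the IPv6 equivalent of what arpwatch reports for ARP: a legitimate NIC swap also triggers it, so it is a prompt to verify, not proof of an attack. To feed it real traffic you would hand each captured IPv6 frame (without the Ethernet header) to `inspect`; note that the parser deliberately ignores packets carrying extension headers before ICMPv6, which a production sensor would need to walk.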


Layer 2 defense is not easy, in particular defending against DoS. The best thing you can probably do is to know what's supposed to be on your network, and be able to quickly detect and disconnect misbehaving hosts.






Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: ethernet ipv6 layer 2

GMail User Using 2FA Warned of Access From China

Published: 2011-04-11
Last Updated: 2011-04-11 01:51:45 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

A few months ago, after the infamous "Aurora" attack, it became known that GMail accounts are under active attack from entities in China. In response, Google added a warning banner to its GMail accounts notifying users if someone logged into the account from China recently.

We had one user reporting such an incident, and are wondering if others have seen this warning recently. This user did use Google's two factor authentication, which is of course particularly concerning.

What security precautions do you take if you use GMail? Do you archive/delete old email? Any scripts you use for it that you could share? Do you use Google's two factor authentication?

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: china gmail