Since Microsoft is on this new staggered pattern of releases, we can expect a feast or famine every other month, so get used to it. Depending on what side of the desk you sit on, you can adjust the context. With that being said, this month's release brought us 3 patches addressing 4 vulnerabilities. I think we were all expecting to see the MHTML protocol handler issue resolved; however, it didn't make the cut. Make sure IE is in restricted mode, or at least that you're restricting ActiveX and Active Scripting for your users, until the fix is released. According to Google, this vulnerability is already being leveraged for geo-political warfare.
The honorable mention of this release goes to MS11-015, the only update classified as "Critical" this release.
This vulnerability is exposed when the Stream Buffer Engine (SBE) tries to parse ".dvr-ms" files. This flaw will allow any of your IE users to be remotely exploited when using Windows Media Center or Media Player to play these files. You can expect social engineering vectors to be used here: emails pointing to a .dvr-ms file, or an iFrame rendering one.
I won't spend too much time on the last two, as they fall in line with the not-so-surprising DLL hijacking exposures we've been seeing from Microsoft. You'll also see them called "binary planting vulnerabilities"; at the end of the day they're the same issue. HD has a great post detailing the characteristics of this exposure here.
Below is the official breakdown of the March 2011 Patch Tuesday Release:
MS11-015/KB2510030 - Critical (XP, Vista, 7)/Important (2008 R2): Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030) This security update resolves one publicly disclosed vulnerability in DirectShow and one privately reported vulnerability in Windows Media Player and Windows Media Center. The more severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so. **PATCH ASAP**
MS11-016/KB2494047 - Important (Microsoft Groove 2007): Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062) This security update resolves a publicly disclosed vulnerability in Windows Remote Desktop Client. The vulnerability could allow remote code execution if a user opens a legitimate Remote Desktop configuration (.rdp) file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
MS11-017/KB2508062 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047) This security update resolves a publicly disclosed vulnerability in Microsoft Groove that could allow remote code execution if a user opens a legitimate Groove-related file that is located in the same network directory as a specially crafted library file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Until next time….