Title

Microsoft Windows Components Remote Code Execution Vulnerability (Cat II impact)

Discussion

Microsoft has released a security bulletin addressing a vulnerability in Windows Components. To exploit this vulnerability, an attacker would entice a user to open a legitimate rich text format file (.rtf), text file (.txt), or Word document (.doc) located in the same network directory as a malicious dynamic link library (DLL) file. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code and compromise the affected system. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. Windows Components Insecure Library Loading Vulnerability - (CVE-2011-1991): A remote code execution vulnerability exists in the way that certain Windows components handle the loading of DLL files. The vulnerability is caused when specific Windows components incorrectly restrict the path used for loading external libraries. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Check Content

See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS11-071 (2570947). Vulnerable Applications/Systems: Windows XP SP3 Windows XP Professional x64 Edition SP2 Windows Server 2003 SP2 (x86, x64, and Itanium) Windows Vista SP2 (x86 and x64) Windows Server 2008 SP2 (x86*, x64*, and Itanium) Windows 7 (x86 and x64) Windows 7 SP1 (x86 and x64) Windows Server 2008 (x64* and Itanium) Windows Server 2008 R2 SP1 (x64* and Itanium) *Server Core installation affected. Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems/Applications not listed below. Imjpapi.dll Windows Vista SP2 / 2008 SP2 – 10.0.6002.18495 or 22684 Windows 7 / 2008 R2 – 10.1.7600.16856 or 21016 Windows 7 SP1 / 2008 R2 SP1 – 10.1.7601.17658 or 21779 Verify if the patch has been installed by checking for the existence of the following registry key for the systems below. Windows XP For all supported 32-bit editions of Windows XP: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB2570947\Filelist For all supported x64-based editions of Windows XP: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP Version 2003\SP3\KB2570947\Filelist Windows 2003 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2570947\Filelist

Fix Text

Additional Identifiers

Rule ID:

Vulnerability ID: V-30932

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.