November 8th Patch Tuesday Report by ChangeBASE


Application Compatibility Update
By: Greg Lambert

Executive Summary
With this November Microsoft Patch Tuesday update, we again see a relatively small set of updates. In total there are 4 Microsoft Security Updates: 1 rated Critical, 2 rated Important, and 1 rated Moderate. This is a small update from Microsoft, and the potential impact of these updates is likely to be minor.

As part of the Patch Tuesday Security Update analysis performed by the ChangeBASE AOK team, we have seen little cause for potential compatibility issues.

Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this November Patch Tuesday release cycle.

Sample Results

Here is a sample of the results for one application and a summary of the Patch Tuesday results for one of our AOK Sample databases:

MS10-028: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution.

And here is a sample AOK Summary report for a sample database where the AOK Patch Impact team has run the latest Microsoft Updates against a small application portfolio:

A RED issue is generally one that pertains to how the code or actual program works. We flag as RED issues where a package tries to use objects or functions that have been deprecated from the OS or whose use has been restricted. For these issues there are no changes that a packager (or AOK Workbench) can make to the install routine to fix the problem. The problem needs to be dealt with at the program code level by the programmer who wrote it, or by providing a more up-to-date driver. However, once a programmer has the information provided by AOK Workbench, it is reasonably straightforward to make these changes. For vendor MSIs an upgrade may be required.
An AMBER issue is one that pertains to the installation routine. A packager can change things in the installation routine, and so can AOK Workbench. Wherever an issue is found and a change can be made to the installation routine to get rid of it, we flag it as AMBER. AOK Workbench fixes almost all of the issues it flags as AMBER. For the few issues that require a decision to be made, a packager can manually remediate them using the issue data provided by AOK Workbench.
Applications flagged as GREEN have no issues identified against them.

Testing Summary

MS11-083: Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
MS11-084: Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
MS11-085: Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
MS11-086: Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)

Security Update Detailed Summary

*All results are based on the ChangeBASE Application Compatibility Lab's test portfolio of over 1,000 applications.

MS11-083
Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.
Payload
Tcpipreg.sys, Tcpip.sys
Impact
Critical - Remote Code Execution
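The MS11-083 trigger condition described above is a continuous stream of UDP datagrams aimed at a closed port. The following is an added illustration (not ChangeBASE or Microsoft code) of how a defender can spot that pattern in Windows Firewall drop logs: it assumes the pfirewall.log field layout (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ...), uses constructed sample lines, and the window and threshold values are illustrative assumptions rather than figures from the bulletin.

```python
"""Flag sources that send a sustained stream of UDP datagrams to closed ports,
the MS11-083 trigger condition, by reading Windows Firewall DROP log lines."""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 10   # sliding window length (assumption)
THRESHOLD = 50        # dropped UDP datagrams per window that we call a flood (assumption)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) for 'DROP UDP' lines, else None."""
    parts = line.split()
    if len(parts) < 8 or parts[2] != "DROP" or parts[3] != "UDP":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return ts, parts[4], parts[5], int(parts[7])


def find_udp_floods(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {(src, dst): peak_count} for source/target pairs whose dropped UDP
    datagram count exceeds `threshold` inside any `window`-second span."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, _port = rec
        q = recent[(src, dst)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire old entries
            q.popleft()
        if len(q) > threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), len(q))
    return peaks


# Constructed sample: one host (192.0.2.10) sends 60 datagrams to a closed port in
# six seconds; a second host sends three, which is ordinary background noise.
SAMPLE_LOG = [f"2011-11-08 10:00:{i // 10:02d} DROP UDP 192.0.2.10 10.0.0.5 4{i:04d} 5555 60 - - - - - - - RECEIVE"
              for i in range(60)]
SAMPLE_LOG += [f"2011-11-08 10:00:0{i} DROP UDP 198.51.100.7 10.0.0.5 5000{i} 137 60 - - - - - - - RECEIVE"
               for i in range(3)]

if __name__ == "__main__":
    for (src, dst), n in find_udp_floods(SAMPLE_LOG).items():
        print(f"possible UDP flood: {src} -> {dst}, peak {n} drops in {WINDOW_SECONDS}s")
```

A hit only says a host is being sprayed with UDP to closed ports; confirming MS11-083 exposure still means checking that the target has the tcpip.sys update installed.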

MS11-084
Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user opens a specially crafted TrueType font file as an e-mail attachment or navigates to a network share or WebDAV location containing a specially crafted TrueType font file. For an attack to be successful, a user must visit the untrusted remote file system location or WebDAV share containing the specially crafted TrueType font file, or open the file as an e-mail attachment. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an e-mail message or Instant Messenger message.
Payload
Win32k.sys
Impact
Moderate - Denial of Service

MS11-085
Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .eml or .wcinv file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .eml or .wcinv file) from this location that is then loaded by a vulnerable application.
Payload
Wab32.dll, Wab32res.dll, Wabimp.dll
Impact
Important - Remote Code Execution
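The MS11-085 exposure pattern above is a DLL placed in the same network directory as a legitimate .eml or .wcinv file. As an added illustration (not ChangeBASE or Microsoft code), the following walks a share and reports every directory that holds both; the sample tree is constructed in a temporary directory, and matching is by file extension only, so a real audit would additionally check the DLLs' publisher signatures.

```python
"""Audit a file share for directories where a DLL sits beside .eml/.wcinv files,
the co-location MS11-085 needs for Windows Mail or Meeting Space to load it."""
import os
import tempfile

BAIT_EXTENSIONS = {".eml", ".wcinv"}   # file types named in the bulletin
LIBRARY_EXTENSIONS = {".dll"}


def find_colocated_dlls(root):
    """Return sorted (relative_dir, [dlls], [bait files]) for every directory
    under `root` that contains at least one DLL and at least one bait file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bait = sorted(f for f in filenames
                      if os.path.splitext(f)[1].lower() in BAIT_EXTENSIONS)
        dlls = sorted(f for f in filenames
                      if os.path.splitext(f)[1].lower() in LIBRARY_EXTENSIONS)
        if bait and dlls:
            findings.append((os.path.relpath(dirpath, root), dlls, bait))
    return sorted(findings)


def build_sample_share():
    """Construct a small share layout: one clean folder, one suspicious folder."""
    root = tempfile.mkdtemp(prefix="share_")
    clean = os.path.join(root, "newsletters")
    risky = os.path.join(root, "invites")
    os.makedirs(clean)
    os.makedirs(risky)
    for name in ("weekly.eml", "notes.txt"):            # mail file, no DLL: fine
        open(os.path.join(clean, name), "w").close()
    for name in ("meeting.wcinv", "agenda.eml", "helper.DLL"):  # DLL beside bait
        open(os.path.join(risky, name), "w").close()
    return root


if __name__ == "__main__":
    for rel_dir, dlls, bait in find_colocated_dlls(build_sample_share()):
        print(f"{rel_dir}: DLL(s) {dlls} alongside {bait}")
```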

MS11-086
Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)
Description
This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow elevation of privilege if Active Directory is configured to use LDAP over SSL (LDAPS) and an attacker acquires a revoked certificate that is associated with a valid domain account and then uses that revoked certificate to authenticate to the Active Directory domain. By default, Active Directory is not configured to use LDAP over SSL.
Payload
Adamdsa.dll
Impact
Important - Elevation of Privilege