
Microsoft adds CVE-2010-4701 to MS11-024

8:50 CET on the 28th April 2011
Entry written by Carsten Eiram.

The latest round of patches issued by Microsoft includes a fix via MS11-024 for a publicly known vulnerability, CVE-2010-3974, in the Microsoft Windows Fax Cover Page Editor, which is provided by all supported versions of Windows when "Fax Services" / "Windows Fax and Scan" is installed. However, when originally released, the bulletin did not mention that it also covered another publicly known vulnerability, CVE-2010-4701, even though testing conducted by Secunia Research when evaluating the security bulletin indicated that both vulnerabilities were patched.

When reaching out to Microsoft for clarification, we received confirmation that CVE-2010-4701 was fixed but not listed in the security bulletin, as it was believed to be a variant discovered internally during their HfV (Hacking for Variations) process with the same root cause and root fix as CVE-2010-3974. Microsoft recently elaborated on this process and policy in a blog post: "As part of Microsoft's comprehensive security update process, Microsoft will address variants of reported issues. Variants are internally found issues similar to the reported vulnerability, and are not documented in security bulletins."

Based on the response from Microsoft, it seemed that two CVE identifiers were covering the same vulnerability. In order to evaluate whether the Secunia advisory should merge the two vulnerabilities and CVE should mark one identifier as a duplicate, we reverse-engineered the vulnerable component to determine the root cause of each vulnerability and how the fixes were implemented.

The root cause of CVE-2010-3974 is that one value is used to allocate a buffer and another to copy data within CDrawPoly::Serialize(), which leads to a heap-based buffer overflow. A fix is implemented by adding size checks to CDrawPoly::Serialize() to ensure the larger of the two values is used to allocate memory.

The publicly available PoC for CVE-2010-4701 does not trigger a call to this function at all. This alone shows that the two do not share a root cause and that the fix for CVE-2010-3974 should have no impact on CVE-2010-4701.
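To make the allocate-with-one-value, copy-with-another pattern concrete, here is an added example (not Secunia's or Microsoft's code) that models the CDrawPoly::Serialize() root cause and the fix described above in a constructed record format; the field layout, point size and sanity cap are assumptions of the model.

```c
/* Added example (not Secunia's or Microsoft's code): a constructed model of the
 * CDrawPoly::Serialize() root cause and fix described above. Record layout is assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define POINT_SIZE 8u       /* two 32-bit coordinates per point (assumption) */
#define MAX_POINTS 65536u   /* sanity cap on a polygon (assumption) */

struct poly { uint32_t count; uint8_t *data; };   /* count points, count*POINT_SIZE bytes */

/* Hardened deserializer. Record = [u32 point count][u32 data length][data...], little-endian.
 * The buffer is sized from the larger of the two declared values, mirroring the fix the post
 * describes, and the multiply is done in 64 bits so it cannot wrap. Returns NULL on any
 * inconsistency so the caller fails closed instead of copying past the allocation. */
struct poly *poly_deserialize(const uint8_t *rec, size_t rec_len) {
    uint32_t declared_points, data_len;
    if (rec_len < 8) return NULL;
    memcpy(&declared_points, rec, 4);
    memcpy(&data_len, rec + 4, 4);
    if (rec_len - 8 < data_len) return NULL;          /* copy must stay inside the record */
    if (declared_points > MAX_POINTS) return NULL;
    uint64_t by_count = (uint64_t)declared_points * POINT_SIZE;
    uint64_t alloc = by_count > data_len ? by_count : data_len;   /* the larger value wins */
    if (alloc > (uint64_t)MAX_POINTS * POINT_SIZE) return NULL;
    struct poly *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->data = calloc(1, alloc ? (size_t)alloc : 1);
    if (!p->data) { free(p); return NULL; }
    memcpy(p->data, rec + 8, data_len);               /* data_len <= alloc is now guaranteed */
    p->count = data_len / POINT_SIZE;
    return p;
}

void poly_free(struct poly *p) { if (p) { free(p->data); free(p); } }

/* Constructed sample: the header claims 1 point but carries 24 bytes (3 points), the
 * allocate-with-one-value, copy-with-another mismatch the post describes. Returns 1 if handled. */
int sample_mismatch_handled(void) {
    uint8_t rec[8 + 24] = { 1, 0, 0, 0, 24, 0, 0, 0 };
    memset(rec + 8, 0x41, 24);
    struct poly *p = poly_deserialize(rec, sizeof rec);
    int ok = p != NULL && p->count == 3;
    poly_free(p);
    return ok;
}
```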

CVE-2010-4701 is a use-after-free triggered in CDrawDoc::Remove(): an object is retrieved from already freed memory before CObject::IsKindOf() is called, and the invalid object reference is then used in a virtual function call. The core problem is that CDrawDoc::Serialize() does not check whether an object has already been serialized. The use-after-free is triggered when the document is closed (which happens automatically if the COV file is detected as corrupted). The fix changes CDrawDoc::Serialize() to check whether an object has already been serialized and, if so, to remove it from the object list.
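The following is an added example (not Secunia's or Microsoft's code) that models the CDrawDoc::Serialize() fix described above: an object list that may hold the same object twice after loading a corrupt file, deduplicated during serialization so that the close pass releases each object exactly once. The object and document types are assumptions of the model.

```c
/* Added example (not Secunia's or Microsoft's code): a constructed model of the
 * CDrawDoc::Serialize() fix described above. Types and list layout are assumptions. */
#include <stdlib.h>

struct drawobj { int id; int serialized; };
struct drawdoc { struct drawobj **objs; size_t n; };

/* Serialize each object once. A corrupt file can leave one object referenced from two
 * list slots; an entry already marked serialized is such a duplicate and is dropped
 * (compacting in place), so the later close pass touches every object exactly once.
 * Returns the number of duplicate entries removed. */
size_t drawdoc_serialize(struct drawdoc *d) {
    size_t removed = 0, w = 0;
    for (size_t r = 0; r < d->n; r++) {
        struct drawobj *o = d->objs[r];
        if (o->serialized) { removed++; continue; }   /* already handled: remove from list */
        o->serialized = 1;                              /* ... write o to the stream here ... */
        d->objs[w++] = o;
    }
    d->n = w;
    return removed;
}

/* Close pass: frees each listed object once. Without the dedup above, the aliased slot
 * would hand a freed pointer to whatever runs next, the use-after-free the post describes. */
void drawdoc_close(struct drawdoc *d) {
    for (size_t i = 0; i < d->n; i++) free(d->objs[i]);
    d->n = 0;
}

/* Constructed scenario: three slots, slot 2 aliases slot 0. Returns duplicates removed. */
size_t demo_duplicate_entry(void) {
    struct drawobj *a = calloc(1, sizeof *a);
    struct drawobj *b = calloc(1, sizeof *b);
    struct drawobj *list[3] = { a, b, a };
    struct drawdoc d = { list, 3 };
    size_t removed = drawdoc_serialize(&d);   /* the aliasing slot is dropped */
    drawdoc_close(&d);                        /* frees a and b exactly once */
    return removed;                           /* 1 */
}
```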

The analysis performed by Secunia Research clearly shows that there are two distinct vulnerabilities with two distinct fixes.

After further dialogue with Microsoft and presentation of the analysis, Microsoft confirmed that CVE-2010-4701 is not a variant and should have been included in the security bulletin, as it was publicly known at the time of the bulletin's release. To properly reflect all publicly known vulnerabilities addressed by MS11-024, Microsoft has now updated MS11-024 to also include information on CVE-2010-4701. It should be noted that this is an informational change only; no action is required by users who have already applied the patches.

Stay Secure,

Carsten Eiram
Chief Security Specialist

Discuss this blog entry
donnaslinky RE: Microsoft adds CVE-2010-4701 to MS11-024
Member 10th Jun, 2011 02:09
Has anyone heard of Microsoft downloading a program that caused an error screen R6025 - Money Runtime located in my C drive. I can't seem to find it to uninstall it... it is causing me to not be able to sign in to my Verizon homepage acct.

--
d huber
Pgh, PA
Maurice Joyce RE: Microsoft adds CVE-2010-4701 to MS11-024
Handling Contributor 10th Jun, 2011 10:43
Your subject matter does not appear remotely connected to the informational Thread created by Secunia. It is not a good idea to "tag on" to open threads for two main reasons:

1. The originator can lock a thread at any time & prevent further communication.

2. Secunia Support (it is their thread) & Forum members may well score it on relevance resulting in your post being hidden from viewing.

That said, I will try & help but require more details:

1. Which version of Windows are U using with which Service Pack?

2. Is it 32 or a 64 Bit system?

3. Have U got Microsoft Money installed? If so, which version?

4. If not, what makes U think that MS Money is creating the error message? The more details U give the better.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Anthony Wells RE: Microsoft adds CVE-2010-4701 to MS11-024
Expert Contributor 10th Jun, 2011 14:37

Hello Maurice,

This may be of help to the OP :-

http://support.microsoft.com/kb/240437

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Maurice Joyce RE: Microsoft adds CVE-2010-4701 to MS11-024
Handling Contributor 10th Jun, 2011 18:02
Anthony,
Thank you. It is a general error message including one that can be created by MS Money.

Until I get the details requested it is anyone's guess what is causing it.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM



© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144