
Five Remote Code Execution Vulnerabilities Discovered in Microsoft's CSRSS


(Microsoft Security Bulletin MS11-056)

Summary

Five vulnerabilities have been discovered in the Client/Server Runtime SubSystem (CSRSS) component of Microsoft Windows, with two being ranked as Critical and three as High in severity. Successful exploitation of any of these vulnerabilities could result in an attacker taking complete control of a targeted system.

Details

CSRSS is a Microsoft Windows component that provides the user-mode side of the Win32 subsystem and is responsible for Win32 console handling and GUI shutdown.

These issues are all elevation of privilege vulnerabilities. Successful exploitation of any of them may lead to arbitrary code execution in kernel mode, allowing an attacker to take complete control of an affected system. The attacker could then install programs; view, change, or delete data; and/or create new accounts with full user rights.

Affected Products


Windows XP SP3 and XP Professional x64 Edition SP2
Windows Server 2003 SP2, Server x64 Edition SP2, and Server 2003 SP2 for Itanium-based Systems
Windows Vista SP1 and SP2
Windows Vista x64 Edition SP1 and SP2
Windows Server 2008 for 32-bit Systems - original release and SP2
Windows Server 2008 for x64-based Systems - original release and SP2
Windows Server 2008 for Itanium-based Systems - original release and SP2
Windows 7 for 32-bit Systems - original release and SP1
Windows 7 for x64-based Systems - original release and SP1
Windows Server 2008 R2 for x64-based Systems - original release and SP1
Windows Server 2008 R2 for Itanium-based Systems - original release and SP1

Solution


Check Point's IPS Software Blade provides immediate network protection in the latest IPS update by detecting and blocking attempts to exploit these remote code execution vulnerabilities. The following table lists each vulnerability with its severity as well as the associated CVE reference and Check Point Protection.

| Microsoft CSRSS Vulnerability | Severity | Industry Reference | Check Point Protection |
|---|---|---|---|
| winsrv Integer Overflow RCE | Critical | CVE-2011-1870 | CPAI-2011-335 |
| CONSOLE_ALLOC_MSG RCE | Critical | CVE-2011-1281 | CPAI-2011-336 |
| winsrv NULL Pointer RCE | High | CVE-2011-1282 | CPAI-2011-337 |
| ConsoleNumberOfCommand RCE | High | CVE-2011-1283 | CPAI-2011-332 |
| SrvWriteConsoleOutput RCE | High | CVE-2011-1284 | CPAI-2011-333 |

 

Originally Published:

Last Updated: 12-Jul-2011
