By Carsten Eiram
The latest round of Microsoft patches includes MS11-024, which fixes a publicly known vulnerability, CVE-2010-3974, in the Microsoft Windows Fax Cover Page Editor shipped with all supported versions of Windows when "Fax Services" / "Windows Fax and Scan" is installed. As originally released, however, the bulletin did not mention that it also covered a second publicly known vulnerability, CVE-2010-4701, yet testing by Secunia Research while evaluating the bulletin indicated that both vulnerabilities were patched.
When we asked Microsoft for clarification, they confirmed that CVE-2010-4701 was fixed but had not been listed in the bulletin because it was believed to be a variant found internally during their HfV (Hacking for Variations) process, with the same root cause and the same fix as CVE-2010-3974. Microsoft recently described this process and policy in a blog post: "As part of Microsoft's comprehensive security update process, Microsoft will address variants of reported issues. Variants are internally found issues similar to the reported vulnerability, and are not documented in security bulletins."
Based on Microsoft's response, it appeared that two CVE identifiers had been assigned to the same vulnerability. To decide whether the Secunia advisory should merge the two entries and whether CVE should mark one identifier as a duplicate, we reverse-engineered the vulnerable component to determine the root cause of each vulnerability and how each fix was implemented.
The root cause of CVE-2010-3974 is that CDrawPoly::Serialize() uses one value to size a heap allocation and a different value as the length of the copy into that buffer; when the copy length exceeds the allocation, the result is a heap-based buffer overflow. The fix adds size checks to CDrawPoly::Serialize() so that the larger of the two values is used for the allocation.
The publicly available PoC for CVE-2010-4701 never calls this function at all. That alone shows that the two vulnerabilities do not share a root cause and that the fix for CVE-2010-3974 should have no impact on CVE-2010-4701.
CVE-2010-4701 is a use-after-free in CDrawDoc::Remove(): an object is fetched from memory that has already been freed, CObject::IsKindOf() is called on it, and the stale object reference is then used in a virtual function call. The underlying problem is that CDrawDoc::Serialize() does not check whether an object has already been serialized, so a single object can be referenced from the document's object list more than once. The use-after-free is triggered when the document is closed, which happens automatically if the COV file is detected as corrupt. The fix changes CDrawDoc::Serialize() to check whether an object has already been serialized and, if so, to remove it from the object list.
The analysis performed by Secunia Research shows clearly that these are two distinct vulnerabilities with two distinct fixes.
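To make the distinction concrete, here is an added example in C, written for this page and not taken from the Fax Cover Page Editor, MS11-024 or Secunia's analysis. It models the two defects and the two fixes described above on a toy arena allocator. The record layout, the object list, the function names (poly_read, doc_serialize, doc_close) and the allocator itself are assumptions made for illustration, since none of the real CDrawPoly or CDrawDoc code is on this page. The allocator tags each chunk with a magic value and a freed flag, so the overflow shows up as a clobbered heap and the dangling list entry is counted rather than dereferenced. The `hardened` flag selects the fixed behaviour: sizing the allocation by the larger of the two counts for the polygon record, and refusing a second list entry for an already serialized object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heap standing in for the real allocator: bump allocation over a static arena, each chunk
 * headed by a magic value and a freed flag, so an overflow (smashed header or scribbled free
 * tail) and a use-after-free (freed flag already set) surface as return values, not crashes. */
#define CHUNK_MAGIC 0x5EC0DEu
struct chunk { uint32_t magic, freed; uint64_t size; };   /* 16-byte header */
static _Alignas(16) uint8_t arena[4096];
static size_t arena_top;
static size_t round16(size_t n) { return (n + 15) & ~(size_t)15; }
static void arena_reset(void) { memset(arena, 0, sizeof arena); arena_top = 0; }
static struct chunk *hdr(void *p) { return (struct chunk *)p - 1; }
static void toy_free(void *p) { hdr(p)->freed = 1; }

static void *toy_alloc(size_t size)
{
    if (size > sizeof arena || sizeof(struct chunk) + round16(size) > sizeof arena - arena_top) return NULL;
    struct chunk *c = (struct chunk *)(arena + arena_top);
    c->magic = CHUNK_MAGIC; c->freed = 0; c->size = size;
    arena_top += sizeof *c + round16(size);
    return c + 1;
}

static bool heap_intact(void)
{
    for (size_t off = 0; off < arena_top; ) {
        struct chunk *c = (struct chunk *)(arena + off);
        if (c->magic != CHUNK_MAGIC) return false;            /* header smashed by an overflow */
        off += sizeof *c + round16((size_t)c->size);
    }
    for (size_t i = arena_top; i < sizeof arena; i++) if (arena[i]) return false;   /* free tail scribbled */
    return true;
}

/* Polygon record in the CVE-2010-3974 pattern: one header count sizes the buffer, the other
 * drives the copy. The record layout is invented for this example. */
struct point { int32_t x, y; }; struct poly_hdr { uint32_t n_alloc, n_copy; };

static struct point *poly_read(const uint8_t *rec, size_t len, bool hardened)
{
    struct poly_hdr h;
    if (len < sizeof h) return NULL;
    memcpy(&h, rec, sizeof h);
    if ((len - sizeof h) / sizeof(struct point) < h.n_copy) return NULL;   /* truncated record */
    uint32_t n = h.n_alloc;
    if (hardened && h.n_copy > n) n = h.n_copy;          /* the fix described: size by the larger count */
    struct point *pts = toy_alloc((size_t)n * sizeof *pts);
    if (!pts) return NULL;
    memcpy(pts, rec + sizeof h, (size_t)h.n_copy * sizeof *pts);   /* overflows when n_copy > n_alloc */
    return pts;
}

/* Object list in the CVE-2010-4701 pattern: the stream may name one object twice. Unchecked, the list
 * holds two pointers to a single allocation; teardown frees it via the first entry, touches it via the second. */
struct obj { uint32_t id, kind; }; struct doc { struct obj *list[8]; size_t count; };

static bool doc_serialize(struct doc *d, const uint32_t *ids, size_t n, bool hardened)
{
    for (size_t i = 0; i < n; i++) {
        struct obj *o = NULL;
        for (size_t j = 0; j < d->count; j++)                 /* already serialized? */
            if (d->list[j]->id == ids[i]) o = d->list[j];
        if (o && hardened) continue;                          /* fix: never keep a second reference */
        if (!o && !(o = toy_alloc(sizeof *o))) return false;
        o->id = ids[i]; o->kind = 1;
        if (d->count == 8) return false;
        d->list[d->count++] = o;                              /* unfixed: the duplicate pointer lands here */
    }
    return true;
}

/* CDrawDoc::Remove()-style teardown: returns how many entries pointed at memory already freed.
 * The real code would make the IsKindOf() virtual call through that dangling pointer. */
static int doc_close(struct doc *d)
{
    int dangling = 0;
    for (size_t i = 0; i < d->count; i++) {
        if (hdr(d->list[i])->freed) dangling++;               /* the use-after-free, counted not dereferenced */
        else if (d->list[i]->kind == 1) toy_free(d->list[i]); /* type check, then delete */
    }
    d->count = 0;
    return dangling;
}

/* Constructed inputs: a record that allocates 2 points but copies 4, and a stream naming object 7 twice. */
bool poly_demo(bool hardened)                                 /* true when the heap survived the parse */
{
    struct { struct poly_hdr h; struct point p[4]; } rec = { { 2, 4 }, { {1, -1}, {2, -2}, {3, -3}, {4, -4} } };
    arena_reset();
    return poly_read((const uint8_t *)&rec, sizeof rec, hardened) != NULL && heap_intact();
}

int doc_demo(bool hardened)                                   /* number of dangling entries on close */
{
    static const uint32_t stream[] = { 7, 9, 7 };
    struct doc d = { { 0 }, 0 }; arena_reset();
    return doc_serialize(&d, stream, 3, hardened) ? doc_close(&d) : -1;
}

int main(void)
{
    printf("poly: heap intact unfixed=%d fixed=%d\n", poly_demo(false), poly_demo(true));
    printf("doc:  dangling entries unfixed=%d fixed=%d\n", doc_demo(false), doc_demo(true));
}
```

Hardening poly_read changes nothing for doc_demo and vice versa, which is exactly the point of the analysis: a change confined to CDrawPoly::Serialize() cannot close a defect that lives in CDrawDoc::Serialize(). One caveat on the model: sizing the allocation by the larger count is what the post reports for the CVE-2010-3974 fix; a stricter parser would treat two disagreeing counts as a malformed record and reject it outright.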
After further dialogue in which we presented this analysis, Microsoft confirmed that CVE-2010-4701 is not a variant and should have been listed in the security bulletin, since it was publicly known at the time of release. Microsoft has now updated MS11-024 to include information on CVE-2010-4701 so that the bulletin reflects all publicly known vulnerabilities it addresses. Note that this is an informational change only; users who have already applied the patches need take no further action.
Chief Security Specialist