A memory corruption flaw exists in Threat Management Gateway (TMG) client. The function NSPLookupServiceNext fails to sanitize user-supplied input for specific requests made through TMG Firewall Client resulting in memory corruption. With a specially crafted request, a remote attacker can execute arbitrary code.

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

• Security Tracker: 1025637
• OVAL ID: 12642
• CVE ID: 2011-1889 (see also: NVD)
• Microsoft Knowledge Base Article: 2520426
• Secunia Advisory ID: 44857
• Bugtraq ID: 48181
• ISS X-Force ID: 67736
• Vendor Specific News/Changelog Entry: http://blogs.technet.com/b/msrc/archive/2011/06/14/autorun-related-malware-declines-and-the-june-2011-security-bulletin-release.aspx
• News Article: http://nakedsecurity.sophos.com/2011/06/14/patch-tuesday-june-2011-16-bulletins-9-critical/
  http://www.scmagazineus.com/patch-tuesday-sees-16-fixes/article/205290/
  http://www.thetechherald.com/article.php/201124/7275/Patch-Tuesday-Microsoft-hits-34-vulnerabilities-in-16-bulletins
• Microsoft Security Bulletin: MS11-040

• Not Available