Secplicity - Security Simplified

Powered by WatchGuard Technologies

Five Vulnerabilities in Windows and its Components; Two Critical

By

Bulletins Affect Media Decompression Components, Kernel-mode Drivers, and More

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious media or to visit specially crafted websites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released five security bulletins describing at least 10 vulnerabilities (perhaps more, depending how you count them) that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-033: Two Media Decompression Code Execution Vulnerabilities

Windows ships with various components that help it process and play media files, such as videos. According to Microsoft, these media handling components suffer from two unspecified code execution vulnerabilities, involving the way they handle compressed data within specially crafted media. Though the flaws differ technically, an attacker could exploit them all  in the same way.  By enticing one of your users to download and play a specially crafted media file, or by luring them to a website containing such media, an attacker can exploit either of these flaws to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Critical.

  • MS10-034: Cumulative ActiveX Kill Bit Update

Microsoft and external researchers have identified several Microsoft and third party ActiveX controls that suffer various security vulnerabilities. By enticing one of your users to a malicious website, an attacker could exploit any of these ActiveX controls to execute code on your user’s computer, with that user’s privileges. Like most Windows vulnerabilities, if your user has administrative privileges, the attacker would gain complete control of the user’s PC. This update sets the Kill Bit for all the vulnerable ActiveX controls, thereby disabling them in Windows. For more details about which ActiveX controls are disabled, see the Vulnerability Information section of Microsoft’s bulletin.
Microsoft rating: Critical.

  • MS10-032: Three Privilege Elevation Vulnerabilities in the Kernel-mode Driver (Win32k.sys)

The kernel is the core component of any computer operating system. In Windows, access to the kernel is provided via the Windows kernel-mode device driver (Win32k.sys). Win32k.sys suffers from three elevation of privilege (EoP) vulnerabilities. The three EoP flaws differ technically, but share a similar scope. By running a specially crafted program on one of your Windows computers, an attacker can leverage any of these flaws to gain complete control of that system, regardless of his original user privileges. However, the attacker needs to have local access to one of your computers in order to run a malicious program. So these vulnerabilities primarily pose an internal risk. That said, one of these three kernel-mode driver vulnerabilities involves the way Windows handles specially crafted TrueType fonts. While no Microsoft applications expose this font related vulnerability to remote attacks, theoretically, third party applications may. In this theoretical case, attackers could exploit one of these flaws remotely by luring your users into viewing content with specially crafted fonts.
Microsoft rating: Important.

  • MS10-041: .NET Framework Data Tampering Vulnerability

The .NET Framework is software framework used by developers to create new Windows and web applications. Among other things, the .NET framework includes capabilities to handle cryptographically signed XML content, to ensure unauthorized attackers can’t alter XML messages being sent to your application. Unfortunately, the .NET framework doesn’t implement XML signature checking properly. As a result, attackers could potentially send maliciously altered XML messages to applications you’ve created with the .NET framework. The impact of this vulnerability differs greatly depending on the application you’ve designed, and what type of data you passed in your XML. If you haven’t exposed any web applications that rely on signed XML, then the flaw doesn’t affect you at all.
Microsoft rating: Important.

  • MS10-037: OpenType Compact Font Format (CFF) Driver Privilege Elevation Vulnerability

Windows ships with many fonts, including the OpenType Compact Font Format (CFF) font. Unfortunately, the driver that helps Windows display the OpenType CFF font doesn’t properly validate certain data passed from user space to kernel space. By running a specially crafted program on one of your Windows computers, an attacker can exploit this flaw to gain complete control of that system, regardless of the attacker’s original user privileges. However, the attacker needs to have local access to one of your computers in order to run his malicious program. So this vulnerability primarily poses an internal risk.
Microsoft rating: Critical.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-033:

Note: In order to correct the vulnerabilities described in this security bulletin, you may have to install multiple patches on each of your Windows machines. If you have trouble figuring out which patches you really need for each version of Windows, we recommend you use Windows Update instead, as it will figure out what you need automatically.

MS10-034:

MS10-032:

MS10-041:

We recommend you see the “Affected Software” section of this Microsoft bulletin to find all the potential .NET framework patches. With all the different versions of .NET Framework, combined with the different Windows and Framework Service Pack variants, there are actually many confusing possibilities for which patches to apply. If it fits your organization’s policy, we highly recommend you use Windows’ automatic update feature to download the right patch.

MS10-037:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods, including some that require local access to your computers. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Leave a Reply

Your email address will not be published. Required fields are marked *


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

View All

Archives