
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Five Vulnerabilities in Windows and its Components; Two Critical

June 8, 2010 By The Editor

Bulletins Affect Media Decompression Components, Kernel-mode Drivers, and More

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious media or to visit specially crafted websites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released five security bulletins describing at least 10 vulnerabilities (perhaps more, depending on how you count them) that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-033: Two Media Decompression Code Execution Vulnerabilities

Windows ships with various components that help it process and play media files, such as videos. According to Microsoft, these media handling components suffer from two unspecified code execution vulnerabilities, involving the way they handle compressed data within specially crafted media. Though the flaws differ technically, an attacker could exploit them all in the same way. By enticing one of your users to download and play a specially crafted media file, or by luring them to a website containing such media, an attacker can exploit either of these flaws to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Critical.

  • MS10-034: Cumulative ActiveX Kill Bit Update

Microsoft and external researchers have identified several Microsoft and third party ActiveX controls that suffer various security vulnerabilities. By enticing one of your users to a malicious website, an attacker could exploit any of these ActiveX controls to execute code on your user’s computer, with that user’s privileges. Like most Windows vulnerabilities, if your user has administrative privileges, the attacker would gain complete control of the user’s PC. This update sets the Kill Bit for all the vulnerable ActiveX controls, thereby disabling them in Windows. For more details about which ActiveX controls are disabled, see the Vulnerability Information section of Microsoft’s bulletin.
Microsoft rating: Critical.
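
To confirm on a host that the kill bits from this update are in place, the check below reads the registry flag Internet Explorer consults before it loads a control. It is an added example, not code from this alert or from Microsoft; the CLSIDs are constructed placeholders to be replaced with the ones listed in the bulletin, and the function name is hypothetical.

```powershell
# Added example: audit the ActiveX kill bit for a list of CLSIDs.
# The kill bit is the 0x400 flag in the "Compatibility Flags" DWORD under
#   ...\Internet Explorer\ActiveX Compatibility\{CLSID}
$KillBit = 0x400

# Placeholder CLSIDs (constructed). Replace with the CLSIDs from the
# Vulnerability Information section of the MS10-034 bulletin.
$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

# On 64-bit Windows, 32-bit Internet Explorer reads the Wow6432Node view,
# so both views have to carry the flag.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {   # hypothetical helper name
    param([string[]]$Clsid, [string[]]$Root)
    foreach ($r in $Root) {
        # Skip a view that does not exist (no Wow6432Node on 32-bit Windows).
        if (-not (Test-Path -LiteralPath $r)) { continue }
        foreach ($c in $Clsid) {
            $key   = Join-Path $r $c
            $flags = $null
            if (Test-Path -LiteralPath $key) {
                $item  = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($null -ne $item) { $flags = $item.'Compatibility Flags' }
            }
            $shown = 'not set'
            if ($null -ne $flags) { $shown = '0x{0:X8}' -f $flags }
            New-Object PSObject -Property @{
                Clsid      = $c
                Root       = $r
                Flags      = $shown
                # Other bits may be set too; only 0x400 blocks instantiation.
                KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

# List every control/view pair where the kill bit is still missing.
Get-KillBitStatus -Clsid $Clsids -Root $Roots |
    Where-Object { -not $_.KillBitSet } |
    Select-Object Clsid, Root, Flags
```

An empty result means every listed control is blocked in every registry view present on the machine.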

  • MS10-032: Three Privilege Elevation Vulnerabilities in the Kernel-mode Driver (Win32k.sys)

The kernel is the core component of any computer operating system. In Windows, access to the kernel is provided via the Windows kernel-mode device driver (Win32k.sys). Win32k.sys suffers from three elevation of privilege (EoP) vulnerabilities. The three EoP flaws differ technically, but share a similar scope. By running a specially crafted program on one of your Windows computers, an attacker can leverage any of these flaws to gain complete control of that system, regardless of his original user privileges. However, the attacker needs to have local access to one of your computers in order to run a malicious program. So these vulnerabilities primarily pose an internal risk. That said, one of these three kernel-mode driver vulnerabilities involves the way Windows handles specially crafted TrueType fonts. While no Microsoft applications expose this font related vulnerability to remote attacks, theoretically, third party applications may. In this theoretical case, attackers could exploit one of these flaws remotely by luring your users into viewing content with specially crafted fonts.
Microsoft rating: Important.

  • MS10-041: .NET Framework Data Tampering Vulnerability

The .NET Framework is a software framework used by developers to create new Windows and web applications. Among other things, the .NET framework includes capabilities to handle cryptographically signed XML content, to ensure unauthorized attackers can’t alter XML messages being sent to your application. Unfortunately, the .NET framework doesn’t implement XML signature checking properly. As a result, attackers could potentially send maliciously altered XML messages to applications you’ve created with the .NET framework. The impact of this vulnerability differs greatly depending on the application you’ve designed, and what type of data you passed in your XML. If you haven’t exposed any web applications that rely on signed XML, then the flaw doesn’t affect you at all.
Microsoft rating: Important.

  • MS10-037: OpenType Compact Font Format (CFF) Driver Privilege Elevation Vulnerability

Windows ships with many fonts, including the OpenType Compact Font Format (CFF) font. Unfortunately, the driver that helps Windows display the OpenType CFF font doesn’t properly validate certain data passed from user space to kernel space. By running a specially crafted program on one of your Windows computers, an attacker can exploit this flaw to gain complete control of that system, regardless of the attacker’s original user privileges. However, the attacker needs to have local access to one of your computers in order to run his malicious program. So this vulnerability primarily poses an internal risk.
Microsoft rating: Critical.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-033:

Note: In order to correct the vulnerabilities described in this security bulletin, you may have to install multiple patches on each of your Windows machines. If you have trouble figuring out which patches you really need for each version of Windows, we recommend you use Windows Update instead, as it will figure out what you need automatically.

  • Windows 2000
    • Quartz.dll (DirectShow) (DirectX 9) (KB975562)
    • Windows Media Format Runtime 9 (KB978695)
    • Windows Media Encoder 9 x86 (KB979332)
    • Asycfilt.dll (COM component) (KB979482)
  • Windows XP
    • Quartz.dll (DirectShow) (KB975562)
    • Windows Media Format Runtime 9, Windows Media Format Runtime 9.5 and Windows Media Format Runtime 11 (KB978695)
    • Windows Media Encoder 9 x86 (KB979332)
    • Asycfilt.dll (COM component) (KB979482)
  • Windows XP x64
    • Quartz.dll (DirectShow) (KB975562)
    • Windows Media Format Runtime 9.5 (KB978695)
    • Windows Media Format Runtime 9.5 x64 Edition (KB978695)
    • Windows Media Format Runtime 11 (KB978695)
    • Windows Media Encoder 9 x86 (KB979332)
    • Windows Media Encoder 9 x64 (KB979332)
    • Asycfilt.dll (COM component) (KB979482)
  • Windows Server 2003
    • Quartz.dll (DirectShow) (KB975562)
    • Windows Media Format Runtime 9.5 (KB978695)
    • Windows Media Encoder 9 x86 (KB979332)
    • Asycfilt.dll (COM component) (KB979482)
  • Windows Server 2003 x64
    • Quartz.dll (DirectShow) (KB975562)
    • Windows Media Format Runtime 9.5 (KB978695)
    • Windows Media Format Runtime 9.5 x64 Edition (KB978695)
    • Windows Media Encoder 9 x86 (KB979332)
    • Windows Media Encoder 9 x64 (KB979332)
    • Asycfilt.dll (COM component) (KB979482)
  • Windows Server 2003 Itanium
    • Quartz.dll (DirectShow) (KB975562)
    • Asycfilt.dll (COM component) (KB979482)
  • Windows Vista
    • Quartz.dll (DirectShow) (KB975562)
    • Asycfilt.dll (COM component) (KB979482)
    • Windows Media Encoder 9 x86 (KB979332)
  • Windows Vista x64
    • Quartz.dll (DirectShow) (KB975562)
    • Asycfilt.dll (COM component) (KB979482)
    • Windows Media Encoder 9 x86 (KB979332)
    • Windows Media Encoder 9 x64 (KB979332)
  • Windows Server 2008
    • Quartz.dll (DirectShow) (KB975562)
    • Asycfilt.dll (COM component) (KB979482)
    • Windows Media Encoder 9 x86 (KB979332)
  • Windows Server 2008 x64
    • Quartz.dll (DirectShow) (KB975562)
    • Asycfilt.dll (COM component) (KB979482)
    • Windows Media Encoder 9 x86 (KB979332)
    • Windows Media Encoder 9 x64 (KB979332)
  • Windows Server 2008 Itanium
    • Quartz.dll (DirectShow) (KB975562)
    • Asycfilt.dll (COM component) (KB979482)
  • Windows 7
    • Asycfilt.dll (COM component) (KB979482)
  • Windows 7 x64
    • Asycfilt.dll (COM component) (KB979482)
  • Windows Server 2008 R2 x64
    • Asycfilt.dll (COM component) (KB979482)
  • Windows Server 2008 R2 Itanium
    • Asycfilt.dll (COM component) (KB979482)

MS10-034:

  • Windows 2000
  • Windows XP
  • Windows XP x64
  • Windows Server 2003
  • Windows Server 2003 x64
  • Windows Server 2003 Itanium
  • Windows Vista
  • Windows Vista x64
  • Windows Server 2008
  • Windows Server 2008 x64
  • Windows Server 2008 Itanium
  • Windows 7
  • Windows 7 x64
  • Windows Server 2008 R2 x64
  • Windows Server 2008 R2 Itanium

MS10-032:

  • Windows 2000
  • Windows XP
  • Windows XP x64
  • Windows Server 2003
  • Windows Server 2003 x64
  • Windows Server 2003 Itanium
  • Windows Vista
  • Windows Vista x64
  • Windows Server 2008
  • Windows Server 2008 x64
  • Windows Server 2008 Itanium
  • Windows 7
  • Windows 7 x64
  • Windows Server 2008 R2 x64
  • Windows Server 2008 R2 Itanium

MS10-041:

We recommend you see the “Affected Software” section of this Microsoft bulletin to find all the potential .NET framework patches. With all the different versions of .NET Framework, combined with the different Windows and Framework Service Pack variants, there are actually many confusing possibilities for which patches to apply. If it fits your organization’s policy, we highly recommend you use Windows’ automatic update feature to download the right patch.

MS10-037:

  • Windows 2000
  • Windows XP
  • Windows XP x64
  • Windows Server 2003
  • Windows Server 2003 x64
  • Windows Server 2003 Itanium
  • Windows Vista
  • Windows Vista x64
  • Windows Server 2008
  • Windows Server 2008 x64
  • Windows Server 2008 Itanium
  • Windows 7
  • Windows 7 x64
  • Windows Server 2008 R2 x64
  • Windows Server 2008 R2 Itanium

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods, including some that require local access to your computers. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS10-032
  • Microsoft Security Bulletin MS10-033
  • Microsoft Security Bulletin MS10-034
  • Microsoft Security Bulletin MS10-037
  • Microsoft Security Bulletin MS10-041

This alert was researched and written by Corey Nachreiner, CISSP.
