Secplicity – Security Simplified

Eleven Windows Bulletins Patch 23 Security Vulnerabilities

Bulletins Affect SMB Server, XML Core Services, the Kernel, and More

Severity: High

Summary:

Exposure:

(Editor’s note: Due to an unforeseen technical difficulty, we were unable to post and email the LiveSecurity alerts that were written for Microsoft Patch Day. Please see yesterday’s Wire post.)

Today, Microsoft released eleven security bulletins describing 23 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

Microsoft Server Message Block (SMB) is the protocol Windows uses for file and print sharing. According to Microsoft, the Windows SMB Server suffers from three security vulnerabilities, one of which could allow attackers to execute malicious code. Though the flaws differ technically, an attacker could exploit them all in the same way. By sending a specially crafted network message, an attacker can exploit the worst of these flaws to gain complete control of a vulnerable Windows computer. The remaining two SMB Server flaws only result in Denial of Service (DoS) situations. Attackers often leverage these types of SMB Server vulnerabilities to help their malware automatically propagate within local networks. We recommend you apply this update immediately.
Microsoft rating: Critical.

The Secure Channel (SChannel) is a Windows security package that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication protocols. According to today’s bulletin, SChannel suffers from two security vulnerabilities. By luring one of your users to a specially crafted website, an attacker could leverage the worst of these two flaws to execute code with full system privileges, gaining complete control of that user’s computer. This update also fixes the TLS/SSL renegotiation vulnerability that attackers could leverage for a Man-in-the-Middle (MitM) attack on secured connections.
Microsoft rating: Critical.

Microsoft XML (MSXML) Core Services is a Windows component that handles XML content. Unfortunately, it suffers from a memory corruption vulnerability involving the way it handles specially malformed HTTP responses. By enticing one of your users to visit a malicious website, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Critical.

MPEG Layer-3, otherwise known as MP3, is an audio encoding format used to compress audio for playback on digital devices, like computers. Windows ships with special codecs used to decode and play back MP3 audio within music files or videos. Windows’ MP3 codecs suffer from a buffer overflow vulnerability, involving their inability to handle specially crafted audio files. By luring one of your users into downloading and playing a specially crafted audio file, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC. This flaw only affects Windows XP and Server 2003.
Microsoft rating: Critical.

Cinepak is another media encoding and decoding codec used to compress video for playback on digital devices, like computers. Windows ships with the Cinepak codec to handle video files encoded using this codec. Unfortunately, the Windows Cinepak codec suffers from an unspecified vulnerability involving its inability to handle specially crafted video files. By luring one of your users into downloading and playing a specially crafted video file, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC. This flaw only affects the client versions of Windows (XP, Vista, and 7).
Microsoft rating: Critical.

Microsoft Silverlight and the .NET Framework are two optional Windows components used to help developers create rich web applications. Windows doesn’t ship with these components by default, but many users install them. Both components suffer from two code execution vulnerabilities. Though the flaws differ technically, an attacker can exploit them in the same way, with generally the same result. By enticing your user to a website containing a specially crafted web application, an attacker could exploit either of these flaws to execute code on that user’s computer, with that user’s privileges. As usual, attackers could gain complete control of the computer if the user has local administrative privileges.
Microsoft rating: Critical.

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. The Windows kernel and this kernel-mode driver suffer from multiple Denial of Service (DoS) and elevation of privilege vulnerabilities. Though these flaws differ technically, most of them share the same scope and impact. By running a specially crafted program, an attacker could leverage these flaws to either crash or lock up your computer, or to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws.
Microsoft rating: Important.

Windows Movie Maker is a video capturing and editing application that you get free with Windows. Movie Maker actually ships with older versions of Windows, such as Windows XP and 2000. However, the latest versions of Windows (Windows Vista and 7) don’t provide the Movie Maker application on the installation disc. Instead, you have the option to download it for free as part of the Windows Live Essentials package. In short, if you have Windows XP, you have Windows Movie Maker. However, if you have Windows Vista or 7, you only have it if you chose to download and install the Live Essentials package. Movie Maker suffers from a memory corruption vulnerability involving its inability to properly parse specially crafted project files. If an attacker can entice you to download a specially crafted project file, then open that file in Movie Maker or Producer, he can exploit this flaw to execute code on your computer, with your privileges. If you have local administrative privileges, the attacker gains full control of your computer. This flaw does not affect the Windows 7 versions of Movie Maker.
Microsoft rating: Important.

The TCP/IP stack that ships with many versions of Windows suffers from an Elevation of Privilege (EoP) and Denial of Service (DoS) vulnerability. By sending specially crafted IPv6 packets, an attacker could leverage the DoS flaw to cause your Windows systems to become unresponsive. Exploiting the EoP vulnerability is a little more difficult. In order to exploit this flaw, an attacker would need to log into an affected system using valid Windows credentials, and then execute a specially crafted program on the local computer. However, doing so gives the attacker complete control of that computer, regardless of the user privileges he logged in with.
Microsoft rating: Important.

Windows ships with a component called the Tracing Feature for Services. This component suffers from two technically different vulnerabilities that share the same scope and impact. If an attacker can log into an affected Windows system using valid Windows credentials, he can execute a specially crafted program that gives him complete control of that computer, regardless of the user privileges he logged in with.
Microsoft rating: Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-054:

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

MS10-049:

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

MS10-051:

Microsoft XML Core Services 3.0 for:

MS10-052:

Note: Other versions of Windows are not affected.

MS10-055:

Note: Other versions of Windows are not affected.

MS10-060:

MS10-047:

Note: Other versions of Windows are not affected.

MS10-048:

MS10-050:

Updates for Movie Maker:

MS10-058:

Note: Other versions of Windows are not affected.

MS10-059:

Note: Other versions of Windows are not affected.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. In fact, by default your Firebox will prevent most of the Microsoft flaws that require network access – specifically, the SMB-related vulnerabilities. You can also configure your Firebox to block the file types necessary to carry out some of these attacks (.AVI, .MP3 files, etc…). That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.
