Secplicity - Security Simplified

Powered by WatchGuard Technologies

Seven Windows Updates for an Equal Number of Vulnerabilities: Bulletins Affect Print Spooler, MPEG-4 Codec, RPC, and More

By

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (one flaw also affects Office to some extent)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, or enticing your users to open malicious media or documents
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released seven security bulletins describing seven vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-061: Print Spooler Code Execution Vulnerability

The print spooler is a Windows service that manages printing. According to Microsoft, the print spooler does not adequately validate whether a remote user has adequate permissions to send it print jobs. By sending a specially crafted print request, an attacker can exploit this print spooler vulnerability to save a malicious file on your computer. Windows automatically executes files saved to certain locations. By placing a malicious executable in the right place, the attacker could exploit this flaw to gain complete control of your Windows machine. However, only computers with shared printers are vulnerable to this issue. Furthermore, most administrators do not allow the traffic necessary for print sharing (UDP and TCP ports 135, 137, 138, 445, and TCP port 593) through their firewall. So this flaw primarily poses an internal threat.
Microsoft rating: Critical.

  • MS10-062: MPEG-4 Codec Code Execution Vulnerability

MPEG Layer-4, is an audio and video encoding format used to compress media for playback on digital devices, like computers. Windows ships with special codec used to decode and playback MPEG-4 within music files or videos. Windows’ MPEG-4 codec suffers from an unspecified code execution vulnerability, involving its inability to handle specially crafted media files. By luring one of your users into downloading and playing a specially crafted media file, perhaps embedded on a website, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Critical.

  • MS10-063: Unicode Script Processor Memory Corruption Vulnerability

According to Microsoft, the Unicode Script Processor (USP10.DLL) is a collection of APIs that enables a text layout client to format complex scripts. Unfortunately, it suffers from a memory corruption vulnerability involving the way it handles specially crafted documents containing OpenType fonts. By enticing one of your users to download a malicious document, and then open it within an application that uses the Unicode Script Processor APIs, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC. Keep in mind, third-party, non-Microsoft applications can also use the Unicode Script Processor. Note: Unicode Script Processor also ships with Office, so you will have to patch Office as well.
Microsoft rating: Critical.

  • MS10-066: RPC Memory Corruption Vulnerability

Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to allow one computer on a network to execute a task on another computer and then receive the results of that task. The Windows RPC client suffers from an unspecified memory corruption vulnerability involving its inability to handle specially crafted RPC requests. By sending a specially crafted response to an RPC request, an attacker could exploit this vulnerability to gain complete control of your Windows machines. That said, the attacker would have to find a way to lure the victim into making an RPC request to his malicious computer in the first place. Furthermore, most administrators do not allow RPC traffic through their firewall. Therefore, this flaw primarily poses an internal threat. Finally, this flaw only affects XP and Server 2003.
Microsoft rating: Important.

  • MS10-067: Wordpad Text Converter Memory Corruption Vulnerability

Wordpad is a very basic word processing program and text editor that ships with Windows. It also includes some text converter components that allow you to open various Word documents, even if you do not have Office or Word. Unfortunately, the Wordpad text converter suffers from an unspecified memory corruption vulnerability involving its inability to handle specially crafted Word 97 documents. By luring one of your users into downloading a malicious document, and opening it in Wordpad, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC. This flaw only affects XP and Server 2003.
Microsoft rating: Important.

  • MS10-068: LSASS Buffer Overflow Vulnerability

The Local Security Authority Subsystem Service (LSASS) is a Windows component that handles security policy and authentication tasks for Windows. LSASS suffers from a heap buffer overflow vulnerability caused when handling specially malformed LDAP messages. By sending a maliciously crafted LDAP message, an authenticated attacker could exploit this flaw to elevate his privileges, and gain complete control of your computer. Of course, the attacker would need valid credentials and access to your Active Directory server in order to exploit this vulnerability. It primarily poses an internal threat.
Microsoft rating: Important.

  • MS10-069: CSRSS Local Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It does not properly allocate memory when handling specific user transactions on Windows systems configured with Chinese, Japanese, or Korean system locales. By running a specially crafted program, an authenticated attacker could leverage this flaw to elevate privileges, gaining complete control of a Windows computer. However, the attacker would first need to gain local access to a Windows computer using valid credentials (Guest access would work) in order to exploit this flaw. Furthermore, this flaw only affects Windows systems with Chinese, Japanese, and Korean system locales installed. It also only affects XP and Server 2003.
Microsoft rating: Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-061:

MS10-062:

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

MS10-063:

MS10-066:

Note: Other versions of Windows are not affected.

MS10-067:

Note: Other versions of Windows are not affected.

MS10-068:

MS10-069:

Note: Other versions of Windows are not affected.

Does My Firewall Help?

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. You can configure your firewall to block the files types necessary to carry out some of these attacks (.DOC .MP4 files, etc…). That said, your firewall cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Leave a Reply

Your email address will not be published. Required fields are marked *


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

View All

Archives