Summary:
- These vulnerabilities affect: All current versions of Windows and components that ship with it (also the .NET Framework)
- How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, or enticing your users to websites containing malicious media
- Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.
Exposure:
Today, Microsoft released a dozen security bulletins describing 15 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.
- MS10-075: Media Player Network Sharing Code Execution Vulnerability
Windows Media Player (WMP) is the multimedia playback application that ships with Windows. WMP includes the Media Player Network Sharing Service, which lets other computers on your network stream media from your library. On Windows Vista and 7, the only versions this flaw affects, the service is not started by default; it is started only after a user turns on media sharing.
According to Microsoft, the Media Player Network Sharing Service that ships with Windows Vista and 7 suffers from a vulnerability in the way it handles Real Time Streaming Protocol (RTSP) packets. By sending a specially crafted RTSP packet to a computer running the service, an attacker can execute code on that computer in the context of the Network Service account. Though that account has limited privileges, the attacker could chain this flaw with one of the elevation of privilege flaws described in this alert to gain complete control of the computer. Typically, the service is reachable only from your local network, which makes this primarily an internal threat, and neither Vista nor Windows 7 starts the service by default, which further mitigates the attack.
Microsoft rating: Critical
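The check a practitioner wants here is whether the sharing service is actually running, or set to start, on the Vista and Windows 7 machines in the fleet. The PowerShell script below is an added example, not code from the WatchGuard alert or from Microsoft. It assumes WMI/DCOM access with administrative rights to each host, uses the service's real name (WMPNetworkSvc), and treats "Vista" or "Windows 7" in the OS caption as the affected-version test; the file name in the usage note is hypothetical.

```powershell
# Added example (not from the WatchGuard alert or Microsoft): report hosts on which the
# Windows Media Player Network Sharing Service (service name WMPNetworkSvc) is running or
# set to start automatically, i.e. hosts reachable through the MS10-075 RTSP vector, and
# optionally stop and disable it until the patch is deployed.
# Assumes remote WMI/DCOM access with administrative rights on every host queried.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [switch]$Disable
)

foreach ($c in $ComputerName) {
    try {
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $c `
                 -Filter "Name='WMPNetworkSvc'" -ErrorAction Stop
    } catch {
        Write-Warning "${c}: WMI query failed ($($_.Exception.Message))"
        continue
    }

    # MS10-075 applies to Windows Vista and Windows 7; see the bulletin for editions and service packs.
    $affectedOs = ($os.Caption -match 'Vista') -or ($os.Caption -match 'Windows 7')

    $present   = ($svc -ne $null)
    $state     = 'n/a'
    $startMode = 'n/a'
    $exposed   = $false
    $action    = 'none'

    if ($present) {
        $state     = $svc.State        # Running / Stopped
        $startMode = $svc.StartMode    # Auto / Manual / Disabled
        # Exposed now if the service is running, or at next boot if it starts automatically.
        # (Manual is the shipped setting; Windows starts it when a user turns on media sharing.)
        $exposed = $affectedOs -and (($state -eq 'Running') -or ($startMode -eq 'Auto'))

        if ($exposed -and $Disable) {
            # Win32_Service methods return 0 on success; anything else is a Win32 service error code.
            $stopRc = 0
            if ($state -eq 'Running') { $stopRc = $svc.StopService().ReturnValue }
            $modeRc = $svc.ChangeStartMode('Disabled').ReturnValue
            $action = "stop=$stopRc disable=$modeRc"
        }
    }

    New-Object PSObject -Property @{
        ComputerName   = $c
        OS             = $os.Caption
        AffectedOS     = $affectedOs
        ServicePresent = $present
        State          = $state
        StartMode      = $startMode
        Exposed        = $exposed
        Action         = $action
    } | Select-Object ComputerName, OS, AffectedOS, ServicePresent, State, StartMode, Exposed, Action
}
```

Run it as `.\Check-WmpSharing.ps1 -ComputerName host1,host2` (hypothetical file name) and look at the Exposed column; add `-Disable` to stop the service and set it to Disabled on exposed hosts. That is a stopgap only: any user who turns media sharing back on re-exposes the machine, so the patch is still the fix.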
- MS10-076: OpenType Font Engine Integer Overflow Vulnerability
Windows ships with an OpenType Font Engine that renders OpenType fonts embedded in documents, emails, and web pages. The engine suffers from an integer overflow vulnerability in how it parses certain tables in OpenType font files. By luring one of your users into visiting a web page, or opening content, that contains a maliciously crafted OpenType font, an attacker could leverage this flaw to gain complete control of that user’s computer.
Microsoft rating: Critical
- MS10-077: Code Execution Vulnerability in .NET Framework 4.0
Microsoft’s .NET Framework is an optional Windows component that developers use to build rich client and web applications, and that Windows uses to run such applications, including browser-hosted ones. Windows doesn’t ship version 4.0 by default, but many users install it. The 64-bit version of the .NET Framework 4.0 suffers from a code execution vulnerability caused by one of its compilers (the x64 just-in-time compiler) optimizing certain code incorrectly. By enticing one of your users to a website hosting a specially crafted .NET web application, or into running a malicious .NET application, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As usual, attackers could gain complete control of the computer if the user has local administrative privileges.
Microsoft rating: Critical
- MS10-073: Windows Kernel-Mode Drivers Elevation of Privilege Vulnerabilities
The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode driver (win32k.sys) that implements the kernel side of the Windows GUI subsystem. This driver suffers from multiple elevation of privilege vulnerabilities. Though these flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage these flaws to run code with kernel privileges and gain complete control of your Windows computers. However, the attacker would first need to run code on the machine, either by logging in with valid credentials or through some other exploit. This factor significantly reduces the risk of these flaws. That said, despite their lower severity, attackers have already exploited one of them in the wild: the Stuxnet worm, which has received significant media attention, uses it to elevate privileges after gaining initial access.
Microsoft rating: Important
- MS10-078: OpenType Font Format Driver Elevation of Privilege Vulnerability
The OpenType Font format driver is another component Windows uses to handle OpenType fonts. It suffers from two elevation of privilege vulnerabilities in how it parses specially crafted OpenType fonts. These flaws are similar in concept to the OpenType Engine flaw described above, except that an attacker needs to log into a vulnerable Windows machine locally and run a specially crafted program to exploit them. Assuming the attacker can gain access to one of your Windows computers, that program could leverage either flaw to gain complete control of the computer. These vulnerabilities only affect XP and Server 2003.
Microsoft rating: Important
- MS10-081: Common Control Library Buffer Overflow Vulnerability
Windows ships with a library of functions called the Common Control Library (Comctl32.dll), which provides the standard user-interface controls Windows is known for. This library suffers from a heap buffer overflow vulnerability in how it handles Scalable Vector Graphics (SVG) content passed to it by third-party applications, such as a third-party SVG viewer. By enticing your user to a website containing a specially crafted SVG image, an attacker could exploit this flaw to execute code on that user’s computer, with that user’s privileges. As usual, attackers could gain complete control of the computer if the user has local administrative privileges.
Microsoft rating: Important
- MS10-082: Media Player Code Execution Vulnerability
As mentioned earlier, Windows Media Player (WMP) is the multimedia playback application that ships with Windows. WMP suffers from a second code execution vulnerability, this one in how it handles web-based media. By enticing one of your users to a website containing specially crafted media, an attacker could gain complete control of that user’s computer. However, the user would have to click through at least one pop-up dialog from the website for the attack to succeed. This significantly reduces the flaw’s severity compared to the first Media Player flaw, which requires no user interaction at all.
Microsoft rating: Important
- MS10-083: WordPad and Windows Shell COM Object Code Execution Vulnerability
WordPad is a basic word processor and text editor that ships with Windows, and the Windows Shell is the primary GUI component of Windows. Both components suffer from a flaw in how they handle COM objects. Without going into technical detail, if an attacker can entice you to a specially crafted web page, trick you into opening a malicious document with WordPad, or lure you into interacting with a malicious shortcut, he could leverage this flaw to execute code on your computer with your privileges. If you are a local administrator, the attacker would gain total control of your computer.
Microsoft rating: Important
- MS10-084: LPC Buffer Overflow Vulnerability
Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to let one computer on a network execute a task on another computer and receive the results. Windows RPC also includes a Local Procedure Call (LPC) component, which Windows uses to exchange messages between local processes and threads. The LPC component suffers from a buffer overflow vulnerability in how it handles specially crafted LPC requests. By running a specially crafted program, a local attacker could leverage this flaw to execute code in the context of the Network Service account. Though that account has limited privileges, the attacker could then chain one of the elevation of privilege flaws described in this alert to gain complete control of the computer. Because LPC messages never leave the local machine, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly reduces the risk of this flaw. Furthermore, this flaw only affects XP and Server 2003.
Microsoft rating: Important
- MS10-085: SChannel DoS Vulnerability
Secure Channel (SChannel) is the Windows security package that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. According to today’s bulletin, SChannel suffers from a Denial of Service (DoS) vulnerability in the way it handles specially crafted SSL/TLS handshake requests. By sending such requests to an SSL-enabled web server, an attacker could cause the server to stop responding, and you would have to reboot it to resume service. This flaw only affects servers that accept incoming SSL connections, typically IIS web servers with secure pages. Unless you run such servers and allow SSL connections to them through your firewall, you are not exposed to this attack.
Microsoft rating: Important
- MS10-074: Microsoft Foundation Class Code Execution Vulnerability
Windows ships with a library of functions called the Microsoft Foundation Class (MFC) Library, which developers use to write programs that rely on Windows’ basic OS and GUI functions. The library suffers from a vulnerability in how it handles window titles. If your computer has a third-party application built with the MFC Library, that application lets user input set a window title, and an external attacker can manipulate that input, he could exploit this flaw to execute code on your computer with your privileges. As you can tell, that is a lot of “ifs.” Microsoft has established that none of its own software is vulnerable to this flaw, so you are only affected if you have installed a third-party application coded in this very specific way. This flaw poses a very low risk.
Microsoft rating: Moderate
- MS10-086: Shared Cluster Disk Tampering Vulnerability
Microsoft Cluster Server (MSCS) is a Windows component that lets you cluster servers and disks. MSCS sets permissions incorrectly when adding new disks to a cluster. As a result, an internal attacker who can reach the administrative share of a cluster disk over the network gets full control of that share, regardless of his privileges. However, usually only users on your internal network can reach those shares. The flaw only affects Windows Server 2008 R2.
Microsoft rating: Moderate
Solution Path:
Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.
Updates for MS10-075 (Media Player Network Sharing Service):
- For Windows Vista and Windows 7 (see the bulletin for the package for each edition and service pack)
Note: Other versions of Windows are not affected by this vulnerability.
Updates for MS10-076 (OpenType Font Engine):
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2) *
- For Windows Server 2008 x64 (w/SP2) *
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64 *
- For Windows Server 2008 R2 Itanium
* Note: Server Core installations not affected.
Updates for MS10-077 (.NET Framework 4.0):
- Microsoft .NET Framework 4.0 Update for all 64-bit versions of Windows.
Updates for MS10-073 (Windows Kernel-Mode Drivers):
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2)
- For Windows Server 2008 x64 (w/SP2)
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64
- For Windows Server 2008 R2 Itanium
Updates for MS10-078 (OpenType Font Format Driver):
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
Note: Other versions of Windows are not affected.
Updates for MS10-081 (Common Control Library):
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2) *
- For Windows Server 2008 x64 (w/SP2) *
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64 *
- For Windows Server 2008 R2 Itanium
* Note: Server Core installations not affected.
Updates for MS10-082 (all versions of Windows Media Player) for:
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2) *
- For Windows Server 2008 x64 (w/SP2) *
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64 *
* Note: Server Core installations not affected.
Updates for MS10-083 (WordPad):
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2) *
- For Windows Server 2008 x64 (w/SP2) *
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64 *
- For Windows Server 2008 R2 Itanium
Updates for MS10-083 (Windows Shell):
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2) *
- For Windows Server 2008 x64 (w/SP2) *
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64 *
- For Windows Server 2008 R2 Itanium
* Note: Server Core installations not affected.
Updates for MS10-084 (LPC):
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
Note: Other versions of Windows are not affected.
Updates for MS10-085 (SChannel):
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2)
- For Windows Server 2008 x64 (w/SP2)
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64
- For Windows Server 2008 R2 Itanium
Note: Other versions of Windows are not affected.
Updates for MS10-074 (Microsoft Foundation Class Library):
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2) *
- For Windows Server 2008 x64 (w/SP2) *
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64 *
- For Windows Server 2008 R2 Itanium
* Note: Server Core installations not affected.
Updates for MS10-086 (Shared Cluster Disk):
- For Windows Server 2008 R2
Note: Other versions of Windows are not affected.
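One way to verify that the rollout actually landed on every host, as an added example that is not part of the alert or of Microsoft’s guidance: the PowerShell script below queries each host’s installed hotfix list (Win32_QuickFixEngineering, via Get-HotFix), reports whether anything has been installed since these bulletins were released (12 October 2010), and lists any KB numbers you pass in that are missing. The KB numbers themselves are not on this page; take them from each bulletin’s Affected Software table for your Windows version. It assumes remote WMI/DCOM access with administrative rights; the file name in the usage note is hypothetical.

```powershell
# Added example (not from the WatchGuard alert or Microsoft): audit hosts for the October 2010
# Windows patches. Reports the newest hotfix install date, whether it is on or after the bulletin
# release date, and which of the caller-supplied KB numbers are absent from the hotfix list.
# Assumes remote WMI/DCOM access with administrative rights on every host queried.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Release date of the bulletins discussed above (second Tuesday of October 2010).
    [datetime]$ReleasedOn = '2010-10-12',
    # KB article numbers, e.g. 'KB123456' (placeholder form), taken from each bulletin's
    # Affected Software table. Left empty by default because they are not listed on this page.
    [string[]]$RequiredKB = @()
)

foreach ($c in $ComputerName) {
    try {
        $fixes = @(Get-HotFix -ComputerName $c -ErrorAction Stop)
    } catch {
        Write-Warning "${c}: could not enumerate hotfixes ($($_.Exception.Message))"
        continue
    }

    # InstalledOn is empty for some entries on older systems; those cannot take part in the date check.
    $dated  = @($fixes | Where-Object { $_.InstalledOn })
    $latest = $null
    if ($dated.Count -gt 0) {
        $latest = ($dated | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    }

    # Compare KB identifiers case-insensitively; Get-HotFix reports them as 'KBnnnnnn'.
    $installedIds = @($fixes | ForEach-Object { $_.HotFixID.ToUpper() })
    $missing      = @($RequiredKB | Where-Object { $installedIds -notcontains $_.ToUpper() })

    New-Object PSObject -Property @{
        ComputerName        = $c
        HotfixCount         = $fixes.Count
        LatestInstalled     = $latest
        PatchedSinceRelease = (($latest -ne $null) -and ($latest -ge $ReleasedOn))
        MissingKB           = ($missing -join ',')
    } | Select-Object ComputerName, HotfixCount, LatestInstalled, PatchedSinceRelease, MissingKB
}
```

Run it as `.\Check-Oct2010Patches.ps1 -ComputerName host1,host2 -RequiredKB KB...,KB...` (hypothetical file name; fill in the KB numbers from the bulletins). Two caveats: a recent install date shows only that some update landed, not that every bulletin did, so the MissingKB column is the real check; and .NET Framework updates (MS10-077) may not appear in the hotfix list at all, so confirm that one through Programs and Features or your update management console.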
For All WatchGuard Users:
Attackers can exploit these flaws using diverse methods. A properly configured firewall can mitigate the risk of some of them, namely the ones that rely on reaching a network service, such as the Media Player Network Sharing Service, an SSL-enabled server, or a cluster disk share, from outside your network. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that ride on normal HTTP traffic to your users’ browsers. Therefore, installing Microsoft’s updates is your most secure course of action.
Status:
Microsoft has released patches correcting these issues.
References:
- Microsoft Security Bulletin MS10-073
- Microsoft Security Bulletin MS10-074
- Microsoft Security Bulletin MS10-075
- Microsoft Security Bulletin MS10-076
- Microsoft Security Bulletin MS10-077
- Microsoft Security Bulletin MS10-078
- Microsoft Security Bulletin MS10-081
- Microsoft Security Bulletin MS10-082
- Microsoft Security Bulletin MS10-083
- Microsoft Security Bulletin MS10-084
- Microsoft Security Bulletin MS10-085
- Microsoft Security Bulletin MS10-086
This alert was researched and written by Corey Nachreiner, CISSP.