Bulletins Affect Task Scheduler, Movie Maker, the Kernel, and More
Summary:
- These vulnerabilities affect: All current versions of Windows and components that ship with it
- How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files, or visiting malicious websites or file shares
- Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.
Exposure:
Today, Microsoft released a dozen security bulletins describing 19 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.
- MS10-091: OpenType Font (OTF) Driver Code Execution Vulnerabilities
The OpenType Font (OTF) driver is a component that ships with Windows to handle documents, emails, and web pages that contain OpenType fonts. Unfortunately, the OTF driver suffers from three code execution vulnerabilities having to do with how it handles specially crafted OpenType fonts. By luring one of your users into visiting a web page, or opening content that contains maliciously crafted OpenType fonts, an attacker could leverage this flaw to gain complete control of that user’s computer. An attacker could also leverage this vulnerability against Windows Vista, 7, and Server 2008 computers simply by enticing victims to a file share containing an OpenType Font. The preview feature of these newer versions of Windows will automatically trigger these flaws.
Microsoft rating: Critical
- MS10-092: Windows Task Scheduler Elevation of Privilege Vulnerability
The Task Scheduler is a service that allows you to automate tasks in Windows. It suffers from an elevation of privilege vulnerability, which essentially allows any local user on a Windows computer to create scheduled tasks that run with full system privileges. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly reduces the risk of this vulnerability.
Microsoft rating: Important
- MS10-093: Windows Vista Movie Maker Code Execution Vulnerability
Movie Maker is an application that ships with Windows to allow you to create and edit movies or videos. Movie Maker suffers from an insecure Dynamic Link Library (DLL) loading vulnerability, sometimes referred to as a binary planting flaw. We first described this class of flaw in a September Wire post covering Microsoft's security advisory on the issue. If an attacker can entice one of your users into opening a malicious Movie Maker (.mswmm) file from the same location as a specially crafted DLL, she could exploit this flaw to execute code on that user's computer with full system privileges, thus gaining complete control of the computer. This particular flaw only affects the version of Movie Maker that ships with Vista.
Microsoft rating: Important
- MS10-094: Windows Media Encoder Code Execution Vulnerability
Media Encoder is a Windows component that can save or convert video and audio content to the Windows Media Format. Like Movie Maker, it suffers from an insecure Dynamic Link Library (DLL) loading vulnerability, which we first described in a September Wire post. If an attacker can entice one of your users to open a malicious media profile (.prx) file located in the same place as a specially crafted DLL, he could exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer. This flaw does not affect Windows 7 or Server 2008 R2.
Microsoft rating: Important
- MS10-095: BranchCache Code Execution Vulnerability
BranchCache is a WAN optimization feature that only ships with Windows 7 and Server 2008 R2. BranchCache suffers from the same type of insecure Dynamic Link Library (DLL) loading vulnerability as we've described in the bullets above. By enticing one of your users into opening a malicious .eml, .rss, or .wpost file located in the same place as a specially crafted DLL, an attacker can exploit this flaw to execute code on that user's computer with full system privileges, thus gaining complete control of the computer. This flaw only affects Windows 7 and Server 2008 R2.
Microsoft rating: Important
- MS10-096: Windows Address Book Code Execution Vulnerability
The Windows Address Book (WAB) is exactly what it sounds like: an application that ships with Windows to store contact information for people you know. Like the three components listed above, WAB also suffers from the insecure Dynamic Link Library (DLL) loading vulnerability. By enticing one of your users into opening a specially crafted .wab file located in the same place as a malicious DLL, an attacker can exploit this flaw to execute code on that user's computer with full system privileges, thus gaining complete control of the computer.
Microsoft rating: Important
- MS10-097: Internet Connection Signup Wizard Code Execution Vulnerability
The Internet Connection Signup Wizard is a Windows component that helps you set up or troubleshoot your Internet connection. Like the bulletins listed previously, this wizard suffers from an insecure Dynamic Link Library (DLL) loading vulnerability (this is the last of the insecure DLL loading flaws in Windows this month). By enticing one of your users into opening a specially crafted .ins or .isp file located in the same place as a malicious DLL, an attacker can exploit this flaw to execute code on that user's computer with full system privileges, thus gaining complete control of the computer. This flaw only affects Windows XP and Server 2003.
Microsoft rating: Important
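The five DLL-loading bulletins above (MS10-093 through MS10-097) share one precondition: a document that the affected component opens sits in the same directory as a DLL the attacker controls. The script below is an added example, not part of the WatchGuard alert, that audits a folder tree for exactly that co-location so administrators can review suspect directories on file shares before patches are fully deployed. The share path in $Root is a placeholder; the trigger extensions are the ones the bulletins name. It uses only cmdlets available in Windows PowerShell 2.0.

```powershell
# Added example (not from the WatchGuard alert): find directories that hold
# both a document one of the affected components opens and a DLL.
# $Root is a placeholder; point it at the share or folder you want to audit.
param(
    [string]$Root = '\\fileserver\shared'
)

# File types named in MS10-093 through MS10-097 as the triggering documents.
$triggerExtensions = @('.mswmm', '.prx', '.eml', '.rss', '.wpost', '.wab', '.ins', '.isp')

# Walk the tree, skip directories, and group the remaining files by folder.
Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Group-Object -Property DirectoryName |
    ForEach-Object {
        $dlls = @($_.Group | Where-Object { $_.Extension -ieq '.dll' })
        $docs = @($_.Group | Where-Object { $triggerExtensions -contains $_.Extension.ToLower() })

        # Only a folder containing both kinds of file matches the precondition.
        if ($dlls.Count -gt 0 -and $docs.Count -gt 0) {
            New-Object PSObject -Property @{
                Directory = $_.Name
                Documents = ($docs | ForEach-Object { $_.Name }) -join ', '
                Dlls      = ($dlls | ForEach-Object { $_.Name }) -join ', '
            }
        }
    } | Format-Table Directory, Documents, Dlls -AutoSize
```

A hit is not proof of an attack; legitimate software folders often ship DLLs next to data files. Treat the output as a review list, and give priority to user-writable shares, which is where an attacker would need write access to place a DLL in the first place.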
- MS10-098: Windows Kernel-Mode Drivers Elevation of Privilege Vulnerabilities
The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. This kernel-mode driver suffers from six elevation of privilege vulnerabilities. Though these flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws.
Microsoft rating: Important
- MS10-099: Kernel NDProxy Buffer Overflow Vulnerability
Windows ships with the Routing and Remote Access (RRAS) services, which essentially allow a Windows computer to function like a network router. The NDProxy is one of the RRAS components that helps provide this functionality. Unfortunately, the NDProxy component suffers from a buffer overflow vulnerability. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw. This flaw only affects Windows XP and Server 2003.
Microsoft rating: Important
- MS10-100: Consent UI Elevation of Privilege Vulnerability
Consent UI is part of Windows’ User Access Control (UAC) services. Specifically, it’s the component that asks you for consent whenever you perform administrative tasks. Consent UI suffers from an elevation of privilege vulnerability. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw. This flaw only affects the more recent versions of Windows (Vista and later).
Microsoft rating: Important
- MS10-101: Windows Netlogon RPC DoS Vulnerability
Netlogon Remote Protocol is the RPC service Windows uses to allow network users to log in to domains. It suffers from a Denial of Service (DoS) vulnerability involving the way it handles logins containing specially crafted user data. By sending maliciously crafted RPC requests, an attacker could leverage this flaw to cause your domain controller to reboot. However, the attacker would need valid user credentials, and local access to your network in order to leverage this vulnerability. It primarily poses an internal risk. Furthermore, the flaw only affects the Server versions of Windows.
Microsoft rating: Important
- MS10-102: Hyper-V DoS Vulnerability
Hyper-V is the hypervisor technology used to provide a virtualization platform in Windows Server 2008 and Server 2008 R2. It suffers from a Denial of Service (DoS) vulnerability involving the way it handles specially crafted packets sent over the virtual network. By running a specially crafted program, a local attacker could leverage this flaw to cause your virtual server to become non-responsive. You would have to reboot the machine to regain functionality. Since an attacker needs local access to your machine, this flaw poses a low risk.
Microsoft rating: Important
Solution Path:
Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2)
- For Windows Server 2008 x64 (w/SP2)
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64
- For Windows Server 2008 R2 Itanium
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2)
- For Windows Server 2008 x64 (w/SP2)
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64
- For Windows Server 2008 R2 Itanium
- Movie Maker 2.6 for Windows Vista (w/SP1 or SP2)
- Movie Maker 2.6 for Windows Vista x64 (w/SP1 or SP2)
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2)
- For Windows Server 2008 x64 (w/SP2)
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2) *
- For Windows Server 2008 x64 (w/SP2) *
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64 *
- For Windows Server 2008 R2 Itanium
* Note: Server Core installations not affected.
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2)
- For Windows Server 2008 x64 (w/SP2)
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64
- For Windows Server 2008 R2 Itanium
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Vista (w/SP1 or SP2)
- For Windows Vista x64 (w/SP1 or SP2)
- For Windows Server 2008 (w/SP2) *
- For Windows Server 2008 x64 (w/SP2) *
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64 *
- For Windows Server 2008 R2 Itanium
Note: Other versions of Windows and Server Core installations are not affected.
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Server 2008 (w/SP2)
- For Windows Server 2008 x64 (w/SP2)
- For Windows Server 2008 R2 x64
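Once the patches are deployed, verify that they actually landed on each machine rather than assuming Windows Update succeeded. The following is an added example, not from the WatchGuard alert, that compares the hotfixes a computer reports against a list of required knowledge base article numbers. The KB numbers shown are placeholders; fill them in from each bulletin's page. The computer list is also an assumption for this example.

```powershell
# Added example (not from the WatchGuard alert): report which required
# updates are present on each host. KB IDs below are placeholders, not the
# real article numbers; take the real ones from the bulletin pages.
$requiredKBs = @(
    'KB0000001',   # placeholder: MS10-091 OpenType Font driver
    'KB0000002',   # placeholder: MS10-098 kernel-mode drivers
    'KB0000003'    # placeholder: MS10-092 Task Scheduler
)

# Hosts to check; 'localhost' works with no remote access configured.
$computers = @('localhost')

foreach ($computer in $computers) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the target.
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
            ForEach-Object { $_.HotFixID }
    } catch {
        Write-Warning ("Could not query {0}: {1}" -f $computer, $_.Exception.Message)
        continue
    }

    foreach ($kb in $requiredKBs) {
        New-Object PSObject -Property @{
            Computer  = $computer
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}
```

Pipe the output to `Where-Object { -not $_.Installed }` to get only the gaps. Note that Win32_QuickFixEngineering lists operating system updates; updates to components delivered separately, such as the Movie Maker 2.6 package, may not appear there and need to be checked through the installed programs list instead.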
For All WatchGuard Users:
Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall could help mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.
Status:
Microsoft has released patches correcting these issues.
References:
- Microsoft Security Bulletin MS10-091
- Microsoft Security Bulletin MS10-092
- Microsoft Security Bulletin MS10-093
- Microsoft Security Bulletin MS10-094
- Microsoft Security Bulletin MS10-095
- Microsoft Security Bulletin MS10-096
- Microsoft Security Bulletin MS10-097
- Microsoft Security Bulletin MS10-098
- Microsoft Security Bulletin MS10-099
- Microsoft Security Bulletin MS10-100
- Microsoft Security Bulletin MS10-101
- Microsoft Security Bulletin MS10-102
This alert was researched and written by Corey Nachreiner, CISSP.