
Only One Critical Flaw in a Dozen Windows Bulletins

Bulletins Affect Task Scheduler, Movie Maker, the Kernel, and More

Summary:

Exposure:

Today, Microsoft released a dozen security bulletins describing 19 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

The OpenType Font (OTF) driver is a component that ships with Windows to handle documents, emails, and web pages that contain OpenType fonts. Unfortunately, the OTF driver suffers from three code execution vulnerabilities having to do with how it handles specially crafted OpenType fonts. By luring one of your users into visiting a web page, or opening content that contains maliciously crafted OpenType fonts, an attacker could leverage this flaw to gain complete control of that user’s computer. An attacker could also leverage this vulnerability against Windows Vista, 7, and Server 2008 computers simply by enticing victims to a file share containing an OpenType Font. The preview feature of these newer versions of Windows will automatically trigger these flaws.
Microsoft rating: Critical

The Task Scheduler is a service that allows you to automate tasks in Windows. It suffers from an elevation of privilege vulnerability, which essentially allows any local user on a Windows computer to create scheduled tasks that run with full system privileges. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly reduces the risk of this vulnerability.
Microsoft rating: Important

Movie Maker is an application that ships with Windows to allow you to create and edit movies or videos. Movie Maker suffers from an insecure Dynamic Link Library (DLL) loading vulnerability, sometimes referred to as a binary planting flaw. We first described this flaw in a September Wire post, which describes this Microsoft security advisory. If an attacker can entice one of your users into opening a malicious Movie Maker (.mswmm) file from the same location as a specially crafted DLL, she could exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer. This particular flaw only affects the version of Movie Maker that ships with Vista.
Microsoft rating: Important

Media Encoder is a Windows component that can save or convert video and audio content to the Windows Media Format. Like Movie Maker, it suffers from an insecure Dynamic Link Library (DLL) loading vulnerability, which we first described in a September Wire post. If an attacker can entice one of your users to open a malicious media profile (.prx) file located in the same place as a specially crafted DLL, he could exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer. This flaw does not affect Windows 7 or Server 2008 R2.
Microsoft rating: Important

BranchCache is a WAN optimization feature that only ships with Windows 7 and Server 2008 R2. BranchCache suffers from the same type of insecure Dynamic Link Library (DLL) loading vulnerability as we’ve described in the bullets above. By enticing one of your users into opening a malicious .eml, .rss, or .wpost file located in the same place as a specially crafted DLL, an attacker can exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer. This flaw only affects Windows 7 or Server 2008 R2.
Microsoft rating: Important

The Windows Address Book (WAB) is exactly what it sounds like: an application that ships with Windows to store contact information for people you know. Like the three components listed above, WAB also suffers from the insecure Dynamic Link Library (DLL) loading vulnerability. By enticing one of your users into opening a specially crafted .wab file located in the same place as a malicious DLL, an attacker can exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer.
Microsoft rating: Important

The Internet Connection Signup Wizard is a Windows component that helps you set up or troubleshoot your Internet connection. Like the bulletins listed previously, this wizard suffers from an insecure Dynamic Link Library (DLL) loading vulnerability (this is the last of the insecure DLL loading flaws in Windows this month). By enticing one of your users into opening a specially crafted .ins or .isp file located in the same place as a malicious DLL, an attacker can exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer. This flaw only affects Windows XP and Server 2003.
Microsoft rating: Important
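The five insecure DLL loading bulletins above share one precondition: a document of the affected type sits in the same directory as a DLL that the application will load. The following scanner, an added example that is not WatchGuard's or Microsoft's code, walks a share or download folder and flags directories that match that layout, using the file extensions the bulletins name; the directory tree it scans in demo() is constructed in a temporary folder.

```python
# Added example (not WatchGuard's or Microsoft's code): flag directories where a
# document type named in the insecure DLL loading bulletins sits next to a DLL.
import os
import tempfile

# Document extensions named in the bulletins, mapped to the affected component.
TRIGGER_EXTENSIONS = {
    ".mswmm": "Movie Maker",
    ".prx": "Media Encoder",
    ".eml": "BranchCache", ".rss": "BranchCache", ".wpost": "BranchCache",
    ".wab": "Windows Address Book",
    ".ins": "Internet Connection Signup Wizard",
    ".isp": "Internet Connection Signup Wizard",
}


def find_planting_candidates(root):
    """Walk root and return {directory: (components, dlls)} for every directory
    holding both a trigger document and at least one DLL: the layout the
    bulletins describe, where opening the document makes the application's
    DLL search pick up the DLL lying beside it."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        components = set()
        dlls = []
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext == ".dll":
                dlls.append(name)
            elif ext in TRIGGER_EXTENSIONS:
                components.add(TRIGGER_EXTENSIONS[ext])
        if components and dlls:
            hits[dirpath] = (sorted(components), sorted(dlls))
    return hits


def demo():
    """Build a constructed share layout in a temp dir, scan it, and return the
    hits keyed by path relative to the share."""
    with tempfile.TemporaryDirectory() as share:
        suspect = os.path.join(share, "holiday")
        clean = os.path.join(share, "contacts")
        os.makedirs(suspect)
        os.makedirs(clean)
        for name in ("party.mswmm", "encoder.prx", "wmv.dll"):  # documents + DLL
            open(os.path.join(suspect, name), "w").close()
        open(os.path.join(clean, "team.wab"), "w").close()  # document only
        hits = find_planting_candidates(share)
        return {os.path.relpath(d, share): v for d, v in hits.items()}
```

Pointing find_planting_candidates() at a real file share only finds the co-location pattern; a DLL flagged this way still needs to be checked against what the application legitimately ships before being treated as planted.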

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. This kernel-mode driver suffers from six elevation of privilege vulnerabilities. Though these flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws.
Microsoft rating: Important

Windows ships with the Routing and Remote Access (RRAS) services, which essentially allow a Windows computer to function like a network router. The NDProxy is one of the RRAS components that helps provide this functionality. Unfortunately, the NDProxy component suffers from a buffer overflow vulnerability. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw. This flaw only affects Windows XP and Server 2003.
Microsoft rating: Important

Consent UI is part of Windows’ User Access Control (UAC) services. Specifically, it’s the component that asks you for consent whenever you perform administrative tasks. Consent UI suffers from an elevation of privilege vulnerability. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw. This flaw only affects the more recent versions of Windows (Vista and later).
Microsoft rating: Important

Netlogon Remote Protocol is the RPC service Windows uses to allow network users to log in to domains. It suffers from a Denial of Service (DoS) vulnerability involving the way it handles logins containing specially crafted user data. By sending maliciously crafted RPC requests, an attacker could leverage this flaw to cause your domain controller to reboot. However, the attacker would need valid user credentials, and local access to your network in order to leverage this vulnerability. It primarily poses an internal risk. Furthermore, the flaw only affects the Server versions of Windows.
Microsoft rating: Important

Hyper-V is the hypervisor technology used to provide a virtualization platform in Windows Server 2008 and Server 2008 R2. It suffers from a Denial of Service (DoS) vulnerability involving the way it handles specially crafted packets sent over the virtual network. By running a specially crafted program, a local attacker could leverage this flaw to cause your virtual server to become non-responsive. You would have to reboot the machine to regain functionality. Since an attacker needs local access to your machine, this flaw poses a low risk.
Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-091:

MS10-092:

MS10-093:

MS10-094:

MS10-095:

MS10-096:

* Note: Server Core installations not affected.

MS10-097:

MS10-098:

MS10-099:

MS10-100:

Note: Other versions of Windows and Server Core installations are not affected.

MS10-101:

MS10-102:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall could help mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.
