
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Nine Windows Bulletins Correct 15 Security Vulnerabilities

February 8, 2011 By Corey Nachreiner

Malicious Thumbnails and Fonts Help Attackers Hack Windows

Severity: High

8 February, 2011

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files, or visiting malicious websites or file shares
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released nine security bulletins describing 15 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS11-006: Windows Shell Graphic Processor Buffer Overflow Vulnerability

The Windows Shell Graphic Processor is one of the Windows components that helps present and organize the Windows User Interface (UI). It suffers from a buffer overflow vulnerability in its handling of specially crafted thumbnail images. Because Explorer generates thumbnails as soon as a folder is displayed in a thumbnail view, the user never has to open the image itself. By luring one of your users into opening a file share, UNC path, or WebDAV location that contains a maliciously crafted thumbnail, an attacker could leverage this flaw to gain complete control of that user's computer. This flaw does not affect Windows 7 or Server 2008 R2.
Microsoft rating: Critical

  • MS11-007: OpenType Font CFF Driver Code Execution Vulnerability

Windows includes a driver that renders OpenType Compact Font Format (CFF) fonts. Unfortunately, this driver does not properly validate certain parameter values it reads from a font. Attackers can exploit this flaw in one of two ways, depending on whether they are targeting older or newer versions of Windows. Against older versions (XP and 2003), an attacker would need to run a specially crafted program on one of your Windows computers in order to gain complete control of that system, regardless of the attacker's original user privileges; this requires local access to the computer. Newer versions of Windows (Vista, 2008, 7, and 2008 R2), however, include a font preview feature that automatically renders the fonts found in a directory. By luring one of your users into opening a file share that contains a maliciously crafted OpenType font, an attacker could leverage this flaw to gain complete control of a newer Windows computer without any prior access to it.
Microsoft rating: Critical
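The auto-preview vector above works because Windows hands any font it finds in a folder to the font driver without the user opening it, so an administrator triaging a share wants to know which fonts would actually reach the CFF driver and whether their table directory is even plausible. The following Python script is an added illustration, not code from the bulletin or from this alert: it parses only the OpenType container (the sfnt header and table directory, laid out per the OpenType specification), reports whether a font carries a 'CFF ' table, and flags table records whose offset and length point outside the file, the kind of untrusted parameter a font parser must range-check before trusting it. It does not parse CFF data and cannot detect the MS11-007 flaw itself; the sample fonts it inspects are constructed in memory for the demonstration.

```python
"""Triage OpenType containers: which fonts carry a CFF table, and do their
table records stay inside the file? Added example; parses only the sfnt
header and table directory (layout per the OpenType specification), not the
CFF data, and does not detect the MS11-007 flaw itself."""
import struct
from dataclasses import dataclass, field

SFNT_HEADER = struct.Struct(">4sHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")   # tag, checkSum, offset, length
CFF_VERSION = b"OTTO"                    # sfntVersion for CFF-flavoured OpenType
KNOWN_VERSIONS = (CFF_VERSION, b"\x00\x01\x00\x00", b"true")  # CFF, TrueType, Apple TrueType


@dataclass
class FontReport:
    has_cff: bool
    tables: dict = field(default_factory=dict)    # tag -> (offset, length)
    problems: list = field(default_factory=list)  # empty for a well-formed directory


def inspect_font(blob: bytes) -> FontReport:
    """Walk the table directory and range-check every record against the file size."""
    if len(blob) < SFNT_HEADER.size:
        return FontReport(False, problems=["file shorter than the sfnt header"])
    version, num_tables, *_ = SFNT_HEADER.unpack_from(blob, 0)
    report = FontReport(False)
    if version not in KNOWN_VERSIONS:
        report.problems.append(f"unknown sfntVersion {version!r}")
    directory_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if directory_end > len(blob):
        report.problems.append(f"numTables={num_tables} describes a directory past end of file")
        num_tables = (len(blob) - SFNT_HEADER.size) // TABLE_RECORD.size
    for i in range(num_tables):
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(
            blob, SFNT_HEADER.size + i * TABLE_RECORD.size)
        report.tables[tag] = (offset, length)
        if offset + length > len(blob):   # untrusted lengths must be checked before use
            report.problems.append(
                f"table {tag!r}: offset {offset} + length {length} exceeds file size {len(blob)}")
    report.has_cff = b"CFF " in report.tables
    if report.has_cff and version != CFF_VERSION:
        report.problems.append("CFF table present but sfntVersion is not 'OTTO'")
    return report


def build_font(tables: dict, version: bytes = CFF_VERSION, declared_lengths: dict = None) -> bytes:
    """Construct a minimal sfnt container for testing. declared_lengths lets a record lie
    about its table length, the way a malformed font would."""
    names = sorted(tables)
    header = SFNT_HEADER.pack(version, len(names), 0, 0, 0)  # binary-search fields unused here
    offset = SFNT_HEADER.size + len(names) * TABLE_RECORD.size
    records, body = b"", b""
    for name in names:
        data = tables[name]
        padded = data + b"\0" * (-len(data) % 4)             # tables are 4-byte aligned
        length = (declared_lengths or {}).get(name, len(data))
        records += TABLE_RECORD.pack(name, 0, offset, length)
        body += padded
        offset += len(padded)
    return header + records + body


def demo():
    """Constructed sample fonts: a well-formed CFF font, one whose CFF record claims a
    length far beyond the file, and a TrueType-flavoured font with no CFF table."""
    good = build_font({b"CFF ": b"\x01\x00\x04\x01" + b"\0" * 12, b"cmap": b"\0" * 8})
    oversized = build_font({b"CFF ": b"\0" * 16}, declared_lengths={b"CFF ": 0x7FFFFFFF})
    truetype = build_font({b"glyf": b"\0" * 8}, version=b"\x00\x01\x00\x00")
    return inspect_font(good), inspect_font(oversized), inspect_font(truetype)


if __name__ == "__main__":
    for name, report in zip(("good", "oversized", "truetype"), demo()):
        print(name, "CFF" if report.has_cff else "no CFF", report.problems or "ok")
```

Run against real files by passing the file contents to inspect_font; a font that reports problems should be treated as malformed and kept away from any machine that previews fonts automatically, whether or not it is patched.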

  • MS11-005: Windows 2003 Active Directory DoS Vulnerability

Active Directory (AD) provides central authentication and authorization services for Windows computers and ships with server versions of Windows. It suffers from a Denial of Service (DoS) vulnerability involving specially crafted requests to update a service principal name (SPN). By sending such malicious requests, an attacker could leverage this flaw to force your domain controller to fall back to NTLM authentication or, in some cases, to stop responding entirely. However, the attacker would need valid user credentials and access to your internal network in order to leverage this vulnerability, so it primarily poses an internal risk. Furthermore, the flaw only affects the Server 2003 versions of Windows.
Microsoft rating: Important

  • MS11-010: CSRSS Local Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component that, among other things, manages console windows and the creation and deletion of threads. It does not properly terminate user processes when a user logs off a system. By running a specially crafted program, an authenticated attacker could leverage this flaw to leave a malicious monitoring program running after he has logged off. If a privileged user later logs on to the same machine, that program could capture his credentials, allowing the attacker to elevate his privileges. However, the attacker would first need to log on locally to the Windows computer with valid credentials (Guest access would suffice) in order to exploit this flaw. The flaw only affects Windows XP and Server 2003 computers.
Microsoft rating: Important

  • MS11-011 & MS11-012: Multiple Kernel-related Elevation of Privilege Vulnerabilities

The kernel is the core component of any operating system. Windows also ships with a kernel-mode driver, win32k.sys, which implements the kernel side of the Windows graphical subsystem (the window manager and GDI). The Windows kernel (MS11-011) and this kernel-mode driver (MS11-012) suffer from multiple elevation of privilege vulnerabilities. Though these flaws differ technically, most of them share the same scope and impact: by running a specially crafted program, an attacker could leverage them to gain complete control of your Windows computers. However, the attacker would first need to log on to the computer with valid credentials, which significantly reduces the risk of these flaws.
Microsoft rating: Important

  • MS11-013: Kerberos Elevation of Privilege Vulnerabilities

Kerberos is one of the authentication protocols Windows uses to authenticate users and computers in a domain. The Windows implementation suffers from an elevation of privilege vulnerability because it still accepts weak, unkeyed checksum mechanisms such as CRC32 to protect the integrity of certain messages; a checksum that does not depend on a secret key can simply be recomputed by anyone who alters the message. By installing a specially crafted service, an attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly reduces the risk. The Windows Kerberos component also suffers from a spoofing flaw, which an attacker could leverage in a Man-in-the-Middle attack to impersonate another user.
Microsoft rating: Important
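To see why an unkeyed checksum is not an integrity mechanism, here is an added Python illustration (not Kerberos protocol code, and not from the bulletin or this alert): a toy message is "protected" once with CRC32 and once with HMAC-SHA256 under a shared key. Because CRC32 is linear and takes no key, an attacker who rewrites the message can append four bytes that make the original checksum valid again, so the tag says nothing about who produced the message; the HMAC tag cannot be matched without the key. The key and the messages are constructed for the demonstration.

```python
"""Why an unkeyed checksum such as CRC32 does not authenticate a message.

Added illustration, not Kerberos protocol code: a toy message carries either a
CRC32 tag (unkeyed) or an HMAC-SHA256 tag (keyed). The attacker rewrites the
CRC32-protected message and patches it so the *original* tag still verifies;
the HMAC tag cannot be matched without the key."""
import hashlib
import hmac
import zlib

MASK = 0xFFFFFFFF
POLY = 0xEDB88320   # reflected CRC-32 (IEEE 802.3) polynomial, the one zlib uses


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# The high bytes of the CRC-32 table are a permutation of 0..255, so the high
# byte of a register value identifies which table entry was XORed into it.
REV = {entry >> 24: idx for idx, entry in enumerate(TABLE)}


def crc32_fixup(data: bytes, target: int) -> bytes:
    """Return 4 bytes p such that zlib.crc32(data + p) == target.

    Feeding 4 bytes w through the register from state s gives the same result as
    feeding 4 zero bytes from state s ^ w, so: invert four zero-byte steps starting
    from the target register, then XOR with the register we actually have."""
    reg = zlib.crc32(data) ^ MASK   # register after `data` (undo zlib's final XOR)
    t = target ^ MASK               # register we need after the four patch bytes
    for _ in range(4):
        idx = REV[t >> 24]
        t = ((t ^ TABLE[idx]) << 8) | idx
    return (t ^ reg).to_bytes(4, "little")


def tag_crc(message: bytes) -> int:
    return zlib.crc32(message)


def verify_crc(message: bytes, tag: int) -> bool:
    return zlib.crc32(message) == tag


def tag_hmac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_hmac(key, message), tag)


def forge_crc_message(tag: int, replacement: bytes) -> bytes:
    """Attacker: substitute the content, then append 4 bytes so the unchanged tag verifies."""
    return replacement + crc32_fixup(replacement, tag)


def demo():
    key = b"constructed-shared-key"           # known to both parties, not to the attacker
    original = b"user=alice;role=user"
    replacement = b"user=alice;role=admin;"   # constructed tampered content

    crc_tag = tag_crc(original)
    forged = forge_crc_message(crc_tag, replacement)
    crc_accepts_forgery = verify_crc(forged, crc_tag)

    mac_tag = tag_hmac(key, original)
    # Without the key the attacker can neither recompute nor fix up the HMAC; the
    # best available move is to replay the old tag with the new content.
    hmac_accepts_forgery = verify_hmac(key, replacement, mac_tag)
    return crc_accepts_forgery, hmac_accepts_forgery


if __name__ == "__main__":
    crc_ok, mac_ok = demo()
    print("CRC32 accepts the tampered message:", crc_ok)
    print("HMAC-SHA256 accepts the tampered message:", mac_ok)
```

The fix-up step is the important part: even when the checksum value itself is fixed (stored somewhere the attacker cannot touch), four spare bytes in the message are enough to make any CRC32 come out as desired. Nothing comparable exists for a keyed MAC, which is why Kerberos checksum types that bind the checksum to the session key are the only ones that should be accepted.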

  • MS11-014: LSASS Elevation of Privilege Vulnerability

The Local Security Authority Subsystem Service (LSASS) is the Windows component that enforces security policy and handles authentication for the system. LSASS suffers from an elevation of privilege vulnerability caused by its inability to handle specially crafted authentication requests. By running a malicious application, an authenticated attacker could exploit this flaw to elevate his privileges and gain complete control of the computer. Of course, the attacker would need valid credentials and the ability to log on to the affected system in order to exploit this vulnerability, so it primarily poses an internal threat. Furthermore, the flaw only affects Windows XP and Server 2003.
Microsoft rating: Important

  • MS11-009: Scripting Engines Information Disclosure Vulnerability

VBScript and JScript are scripting languages created by Microsoft and used by Windows and many of its applications, including Internet Explorer. The engine that processes these scripts suffers from a memory corruption vulnerability in the way it decodes specially crafted script. Rather than allowing code execution, the corruption leaks the contents of memory that was not intended to be disclosed. By enticing one of your users to a malicious web page, an attacker could leverage this flaw to read such data. However, the attacker has little control over which memory is disclosed, which somewhat mitigates the risk. This flaw only affects Windows 7 and Server 2008 R2.
Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-006:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)
  • For Windows Vista (w/SP1 or SP2)
  • For Windows Vista x64 (w/SP1 or SP2)
  • For Windows Server 2008 (w/SP2) *
  • For Windows Server 2008 x64 (w/SP2) *
  • For Windows Server 2008 Itanium (w/SP2)
* Note: Server Core installations not affected.

MS11-007:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)
  • For Windows Vista (w/SP1 or SP2)
  • For Windows Vista x64 (w/SP1 or SP2)
  • For Windows Server 2008 (w/SP2) *
  • For Windows Server 2008 x64 (w/SP2) *
  • For Windows Server 2008 Itanium (w/SP2)
  • For Windows 7
  • For Windows 7 x64
  • For Windows Server 2008 R2 x64 *
  • For Windows Server 2008 R2 Itanium

* Note: Server Core installations not affected.

MS11-005:

  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)

MS11-010:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)

MS11-011:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)
  • For Windows Vista (w/SP1 or SP2)
  • For Windows Vista x64 (w/SP1 or SP2)
  • For Windows Server 2008 (w/SP2)
  • For Windows Server 2008 x64 (w/SP2)
  • For Windows Server 2008 Itanium (w/SP2)
  • For Windows 7
  • For Windows 7 x64
  • For Windows Server 2008 R2 x64
  • For Windows Server 2008 R2 Itanium

MS11-012:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)
  • For Windows Vista (w/SP1 or SP2)
  • For Windows Vista x64 (w/SP1 or SP2)
  • For Windows Server 2008 (w/SP2)
  • For Windows Server 2008 x64 (w/SP2)
  • For Windows Server 2008 Itanium (w/SP2)
  • For Windows 7
  • For Windows 7 x64
  • For Windows Server 2008 R2 x64
  • For Windows Server 2008 R2 Itanium

MS11-013:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)
  • For Windows 7
  • For Windows 7 x64
  • For Windows Server 2008 R2 x64
  • For Windows Server 2008 R2 Itanium

MS11-014:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)

MS11-009:

  • For Windows 7
    • JScript 5.8
    • VBScript 5.8
  • For Windows 7 x64
    • JScript 5.8
    • VBScript 5.8
  • For Windows Server 2008 R2 x64
    • JScript 5.8
    • VBScript 5.8
  • For Windows Server 2008 R2 Itanium
    • JScript 5.8
    • VBScript 5.8

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall could help mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS11-005
  • Microsoft Security Bulletin MS11-006
  • Microsoft Security Bulletin MS11-007
  • Microsoft Security Bulletin MS11-009
  • Microsoft Security Bulletin MS11-010
  • Microsoft Security Bulletin MS11-011
  • Microsoft Security Bulletin MS11-012
  • Microsoft Security Bulletin MS11-013
  • Microsoft Security Bulletin MS11-014

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at [email protected].
More alerts and articles: Log into the LiveSecurity Archive.


Filed Under: Security Bytes Tagged With: buffer overflow, elevation of Privilege, information disclosure, Microsoft, Updates and patches

