Nine Windows Bulletins Correct 15 Security Vulnerabilities

Malicious Thumbnails and Fonts Help Attackers Hack Windows

Severity: High

8 February, 2011

Summary:

• These vulnerabilities affect: All current versions of Windows and components that ship with it
• How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files, or visiting malicious websites or file shares
• Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released nine security bulletins describing 15 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS11-006: Windows Shell Graphic Processor Buffer Overflow Vulnerability

The Windows Shell Graphic Processor is one of the Windows components that helps present and organize the Windows User Interface (UI) . It suffers from a buffer overflow vulnerability having to do with its inability to handle specially crafted thumbnail images. By luring one of your users into opening a file share, UNC path, or WebDAV location that contains a maliciously crafted thumbnail, an attacker could leverage this flaw to gain complete control of that user’s computer. This flaw does not affect Windows 7 or 2008 R2.
Microsoft rating: Critical

• MS11-007: OpenType Font CFF Driver Code Execution Vulnerability

Windows ships with many fonts, including the OpenType Compact Font Format (CFF) font. Unfortunately, the driver that helps Windows display the OpenType CFF font doesn’t properly validate certain parameter values. Attackers can exploit this flaw in one of two ways, depending on whether they are targeting newer or older versions of Windows. Against older versions of Windows (XP and 2003) an attacker would need to run a specially crafted program on one of your Windows computers in order to gain complete control of that system, regardless of the attacker’s original user privileges. The attacker needs to have local access to one of your computers in order to run his malicious program. However, newer versions of Windows (Vista, 2008, 7) have an auto preview feature that will automatically preview fonts in a directory. By luring one of your users into opening a file share that contains a maliciously crafted OpenType font, an attacker could leverage this flaw to gain complete control of newer Windows computers.
Microsoft rating: Critical

• MS11-005: Windows 2003 Active Directoy DoS Vulnerability

Active Directory (AD) provides central authentication and authorization services for Windows computers and ships with server versions of Windows. It suffers from a Denial of Service (DoS) vulnerability involving specially crafted requests to update the service principal name (SPN). By sending such malicious requests, an attacker could leverage this flaw to cause your domain controller to downgrade to NTLM authentication, or in some cases stop responding totally. However, the attacker would need valid user credentials, and local access to your network in order to leverage this vulnerability. It primarily poses an internal risk. Furthermore, the flaw only affects the 2003 Server versions of Windows.
Microsoft rating: Important

• MS11-010: CSRSS Local Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It does not properly terminate user processes when a user logs off a system. By running a specially crafted program, an authenticated attacker could leverage this flaw run a malicious monitoring program that would continue to run even after the attacker logged off the system. This program could obtain the credentials of a privileged users, thus allowing the attacker to elevate his privileges. However, the attacker would first need to gain local access to a Windows computer using valid credentials (Guest access would work) in order to exploit this flaw. The flaw only affects Windows XP and Server 2003 computers.
Microsoft rating: Important.

• MS11-011 & MS11-012: Multiple Kernel-related Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. The Windows kernel and this kernel-mode driver suffer from multiple elevation of privilege vulnerabilities. Though these flaws differ technically, most of them share the same scope and impact. By running a specially crafted program, an attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws.
Microsoft rating: Important

• MS11-013: Kerberos Elevation of Privilege Vulnerabilities

Kerberos is one of the authentication protocols the server versions of Windows use. It suffers from an elevation of privilege vulnerability due to its support of weak hacking mechanisms like CRC32. By installing a specially crafted service, an attacker could leverage this flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws,. The Windows Kerberos component also suffers from a spoofing flaw which an attacker could leverage in a Man-in-the-Middle attack to impersonate another user.
Microsoft rating: Important.

• MS11-014: LSASS Elevation of Privilege Vulnerability

The Local Security Authority Subsystem Service (LSASS) is a Windows component that handles security policy and authentication tasks for Windows. LSASS suffers from a elevation of privilege vulnerability caused by its inability to handle specially crafted authentication requests. By running a malicious application, an authenticated attacker could exploit this flaw to elevate his privileges, and gain complete control of your computer. Of course, the attacker would need valid credentials and access to your Active Directory server in order to exploit this vulnerability. It primarily poses an internal threat. Furthermore, the flaw only affects Windows XP and Server 2003.
Microsoft rating: Important.

• MS11-009: Scripting Engines Information Disclosure Vulnerability

VBScript and JScript are both scripting languages created by Microsoft, and used by Windows and its applications. The scripting engine that processes those types of scripts suffers from a memory corruption vulnerability involving the way it decodes specially crafted script. This memory corruption flaw can result in randomly leaked information. By enticing one of your users to a malicious web page, an attacker could leverage this flaw to read data which was not intended to be disclosed. However, the random nature of that data somewhat mitigates the risk of this flaw. This flaw only affects Windows 7 and Server 2008 R2.
Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-006:

• For Windows XP (w/SP3)
• For Windows XP x64 (w/SP2)
• For Windows Server 2003 (w/SP2)
• For Windows Server 2003 x64 (w/SP2)
• For Windows Server 2003 Itanium (w/SP2)
• For Windows Vista (w/SP1 or SP2)
• For Windows Vista x64 (w/SP1 or SP2)
• For Windows Server 2008 (w/SP2) *
• For Windows Server 2008 x64 (w/SP2) *
• For Windows Server 2008 Itanium (w/SP2)

MS11-007:

• For Windows XP (w/SP3)
• For Windows XP x64 (w/SP2)
• For Windows Server 2003 (w/SP2)
• For Windows Server 2003 x64 (w/SP2)
• For Windows Server 2003 Itanium (w/SP2)
• For Windows Vista (w/SP1 or SP2)
• For Windows Vista x64 (w/SP1 or SP2)
• For Windows Server 2008 (w/SP2) *
• For Windows Server 2008 x64 (w/SP2) *
• For Windows Server 2008 Itanium (w/SP2)
• For Windows 7
• For Windows 7 x64
• For Windows Server 2008 R2 x64 *
• For Windows Server 2008 R2 Itanium

* Note: Server Core installations not affected.

MS11-005:

• For Windows Server 2003 (w/SP2)
• For Windows Server 2003 x64 (w/SP2)
• For Windows Server 2003 Itanium (w/SP2)

MS11-010:

• For Windows XP (w/SP3)
• For Windows XP x64 (w/SP2)
• For Windows Server 2003 (w/SP2)
• For Windows Server 2003 x64 (w/SP2)
• For Windows Server 2003 Itanium (w/SP2)

MS11-011:

• For Windows XP (w/SP3)
• For Windows XP x64 (w/SP2)
• For Windows Server 2003 (w/SP2)
• For Windows Server 2003 x64 (w/SP2)
• For Windows Server 2003 Itanium (w/SP2)
• For Windows Vista (w/SP1 or SP2)
• For Windows Vista x64 (w/SP1 or SP2)
• For Windows Server 2008 (w/SP2)
• For Windows Server 2008 x64 (w/SP2)
• For Windows Server 2008 Itanium (w/SP2)
• For Windows 7
• For Windows 7 x64
• For Windows Server 2008 R2 x64
• For Windows Server 2008 R2 Itanium

MS11-012:

• For Windows XP (w/SP3)
• For Windows XP x64 (w/SP2)
• For Windows Server 2003 (w/SP2)
• For Windows Server 2003 x64 (w/SP2)
• For Windows Server 2003 Itanium (w/SP2)
• For Windows Vista (w/SP1 or SP2)
• For Windows Vista x64 (w/SP1 or SP2)
• For Windows Server 2008 (w/SP2)
• For Windows Server 2008 x64 (w/SP2)
• For Windows Server 2008 Itanium (w/SP2)
• For Windows 7
• For Windows 7 x64
• For Windows Server 2008 R2 x64
• For Windows Server 2008 R2 Itanium

MS11-013:

• For Windows XP (w/SP3)
• For Windows XP x64 (w/SP2)
• For Windows Server 2003 (w/SP2)
• For Windows Server 2003 x64 (w/SP2)
• For Windows Server 2003 Itanium (w/SP2)
• For Windows 7
• For Windows 7 x64
• For Windows Server 2008 R2 x64
• For Windows Server 2008 R2 Itanium

MS11-014:

• For Windows XP (w/SP3)
• For Windows XP x64 (w/SP2)
• For Windows Server 2003 (w/SP2)
• For Windows Server 2003 x64 (w/SP2)
• For Windows Server 2003 Itanium (w/SP2)

MS11-009:

• For Windows 7
  • JScript 5.8
  • VBScript 5.8
• For Windows 7 x64
  • JScript 5.8
  • VBScript 5.8
• For Windows Server 2008 R2 x64
  • JScript 5.8
  • VBScript 5.8
• For Windows Server 2008 R2 Itanium
  • JScript 5.8
  • VBScript 5.8

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall could help mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS11-005
• Microsoft Security Bulletin MS11-006
• Microsoft Security Bulletin MS11-007
• Microsoft Security Bulletin MS11-009
• Microsoft Security Bulletin MS11-010
• Microsoft Security Bulletin MS11-011
• Microsoft Security Bulletin MS11-012
• Microsoft Security Bulletin MS11-013
• Microsoft Security Bulletin MS11-014

This alert was researched and written by Corey Nachreiner, CISSP.

What did you think of this alert? Let us know at [email protected].
More alerts and articles: Log into the LiveSecurity Archive.

Share This: