Windows Updates Fix Media Player & RDP Vulnerabilities

Severity: High

8 March, 2011

Summary:

• These vulnerabilities affect: All current versions of Windows and components that ship with it
• How an attacker exploits them: By enticing your users into opening specially crafted files (whether media files or RDP configuration files)
• Impact: In the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing three vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS11-015: Two Windows Media-related Code Execution Vulnerabilities

Windows ships with various components that help it play back media. A few of those media-related components — specifically, DirectShow, Windows Media Player, and Windows Media Center — suffer from two security vulnerabilities that attackers could exploit to execute code on your Windows computers. By luring one of your users into opening a specially crafted Windows Media Player file (such as .wtv, .drv-ms, or .mpg files), an attacker could leverage either of these two flaws to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker could leverage this issue to gain complete control of their machine. One of the flaws requires that the specially crafted Media Player file reside in the same network directory as a malicious DLL file, making it a little harder to exploit. Nonetheless, these flaws pose a serious risk to Windows computers. You should patch them as soon as you can.
Microsoft rating: Critical

• MS11-017: Remote Desktop Insecure Library Loading Vulnerability

Remote Desktop Protocol (RDP) is a Microsoft networking protocol that allows you to view and control the desktop of one Windows computer from another networked computer. Windows ships with the Remote Desktop Client to support this functionality. According to Microsoft, the Remote Desktop Client suffers from a security vulnerability involving the way it loads Dynamically Linked Libraries (DLL). By enticing one of your users into opening a malicious Remote Desktop configuration file (.rdp) that is located in the same network directory as a specially crafted DLL, an attacker could leverage this vulnerability to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker could leverage this issue to gain complete control of their machine.
Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-015:

• For Windows XP Media Center Edition (w/SP3)
• For Windows XP (w/SP3)
• For Windows XP x64 (w/SP2)
• For Windows Vista (w/SP1 or SP2)
• For Windows Vista x64 (w/SP1 or SP2)
• For Windows 7 (w/SP1)
• For Windows 7 x64 (w/SP1)
• For Windows Server 2008 R2 x64 (w/SP1) *

MS11-017:

• Remote Desktop Client 5.2
  • For Windows XP (w/SP3)
• Remote Desktop Client 6.x
  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
    • Normal RDP Client
    • Multilingual User Interface (MUI)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Vista (w/SP1 or SP2)
  • For Windows Vista x64 (w/SP1 or SP2)
  • For Windows Server 2008 (w/SP2) *
  • For Windows Server 2008 x64 (w/SP2) *
  • For Windows Server 2008 Itanium (w/SP2)
• Remote Desktop Client 7.0
  • For Windows XP (w/SP3)
  • For Windows Vista (w/SP1 or SP2)
  • For Windows Vista x64 (w/SP1 or SP2)
  • For Windows 7
  • For Windows 7 x64
  • For Windows Server 2008 R2  x64 *
  • For Windows Server 2008 R2 Itanium

* Note: Server Core installations not affected.

For All WatchGuard Users:

If the practice fits your business environment, you can use the HTTP, SMTP, and/or POP3 proxies to block the Windows Media Player and RDP-related files (.rdp, .wtv, .drv-ms, .mpg, etc.) used to trigger these vulnerabilities. However, many of these files have legitimate purposes, and blocking them may prevent your users from accessing certain media over the Internet. Instead, we recommend you install the updates listed above.

Nonetheless. If you would like to use our proxies to block these files types, follow the links below for instructions:

Firebox X Edge running 10.x

• How do I block files with the FTP proxy?
• How do I block files with the HTTP proxy?
• How do I block files with the POP3 proxy?
• How do I block files with the SMTP proxy

Firebox X Core and X Peak running Fireware 10.x

• How do I block files with the FTP proxy?
• How do I block files with the HTTP proxy?
• How do I block files with the POP3 proxy?
• How do I block files with the SMTP proxy?

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS11-015
• Microsoft Security Bulletin MS11-017

This alert was researched and written by Corey Nachreiner, CISSP.

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.