Severity: Medium
12 July, 2011
Summary:
- These vulnerabilities affect: All current versions of Windows and components that ship with it
- How an attacker exploits them: Multiple vectors of attack, including sending specially crafted WINS messages and enticing users to open malicious documents
- Impact: Various. In the worst case, an attacker can gain control of your Windows computer
- What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.
Exposure:
Today, Microsoft released two security bulletins describing a couple of vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity (according to Microsoft’s summary).
- MS11-070: WINS Elevation of Privilege Vulnerability
Windows Internet Name Service (WINS) is essentially Microsoft’s version of the NetBIOS Name Service (NBNS), a service that lets you give computers human-friendly names (something like DNS for the computers on your local network). According to Microsoft, the WINS service suffers from an elevation of privilege flaw because it does not properly handle specially crafted WINS messages on the loopback interface. By sending such WINS packets, an attacker can leverage this flaw to make your WINS server execute code with SYSTEM privileges, thus gaining full control of the server. However, certain factors significantly mitigate the scope of this flaw:
- The attacker needs valid Windows credentials to exploit this flaw
- The attack only works locally (not over a network), since it involves the loopback interface.
Microsoft rating: Important
- MS11-071: Another Insecure DLL Loading Vulnerability
Over the past year, Microsoft has contended with various “insecure Dynamic Link Library (DLL) loading” vulnerabilities affecting many of their products. This class of flaw is also sometimes referred to as a binary planting flaw. We first described this issue in a September Wire post, which describes this Microsoft security advisory. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of malicious file from the same location as a specially crafted DLL file. If you open the malicious file, it executes code from the malicious DLL with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. This new bulletin fixes yet another insecure DLL loading issue. This time, an attacker can trigger the latest issue by enticing you to open .rtf, .txt, or .doc documents.
Microsoft rating: Important
Solution Path:
Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Server 2008 (w/SP2)
- For Windows Server 2008 x64 (w/SP2)
- For Windows Server 2008 Itanium (w/SP2)
- For Windows XP (w/SP3)
- For Windows XP x64 (w/SP2)
- For Windows Server 2003 (w/SP2)
- For Windows Server 2003 x64 (w/SP2)
- For Windows Server 2003 Itanium (w/SP2)
- For Windows Vista (SP2)
- For Windows Vista x64 (SP2)
- For Windows Server 2008 (w/SP2)
- For Windows Server 2008 x64 (w/SP2)
- For Windows Server 2008 Itanium (w/SP2)
- For Windows 7
- For Windows 7 x64
- For Windows Server 2008 R2 x64
- For Windows Server 2008 R2 Itanium
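As an added example (not part of this WatchGuard alert or of Microsoft’s bulletins), the PowerShell script below audits a single Windows host for the two exposures described above and for the presence of the patches listed in this Solution Path. It assumes PowerShell 3.0 or later in an elevated session. The KB numbers for MS11-070 and MS11-071 are not given in this alert, so they are taken as a parameter with clearly marked placeholder defaults. The registry values SafeDllSearchMode and CWDIllegalInDllSearch are Microsoft’s documented DLL search-order hardening settings (KB2264107), which are not on this page but are the class-level mitigation for insecure DLL loading.

```powershell
# Added audit script (not from the WatchGuard alert or from Microsoft).
# Checks one Windows host for the conditions behind MS11-070 and MS11-071
# and for the bulletin patches. Assumes PowerShell 3.0+ in an elevated prompt.
# The KB numbers are not given on the page, so they are parameters; the
# defaults below are placeholders, not real hotfix IDs.
param(
    [string[]]$RequiredKB = @('KB-PLACEHOLDER-MS11-070', 'KB-PLACEHOLDER-MS11-071')
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($check, $value, $note) {
    $findings.Add([pscustomobject]@{ Check = $check; Value = $value; Note = $note })
}

# 1. MS11-070: the WINS flaw only matters where the WINS service exists, and it
#    needs an authenticated local session, so the exposure is the set of users
#    who can log on to the WINS server rather than the network at large.
$wins = Get-Service -Name 'WINS' -ErrorAction SilentlyContinue
if ($wins) {
    Add-Finding 'WINS service' $wins.Status 'MS11-070 applies: patch, and review who holds local logon rights here'
} else {
    Add-Finding 'WINS service' 'not installed' 'MS11-070 not applicable to this host'
}

# 2. MS11-071 (insecure DLL loading): the class-level mitigation is the DLL
#    search-order hardening under Session Manager. SafeDllSearchMode=1 (the
#    default on XP SP2 / Server 2003 and later) searches system directories before
#    the current directory; CWDIllegalInDllSearch (KB2264107) can stop DLLs from
#    being loaded from the current directory at all.
$sm    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$props = Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue
$safe  = $props.SafeDllSearchMode
if ($safe -eq 0) {
    Add-Finding 'SafeDllSearchMode' 0 'Explicitly disabled: current directory is searched early; set it to 1'
} elseif ($null -eq $safe) {
    Add-Finding 'SafeDllSearchMode' 'not set (default on)' 'OK'
} else {
    Add-Finding 'SafeDllSearchMode' $safe 'OK'
}
# Get-ItemProperty returns a REG_DWORD as a signed Int32, so 0xFFFFFFFF reads as -1.
$cwd = $props.CWDIllegalInDllSearch
if ($null -eq $cwd) {
    Add-Finding 'CWDIllegalInDllSearch' 'not set' 'Document-triggered DLL planting remains possible until patched; consider 0xFFFFFFFF'
} elseif ($cwd -eq -1) {
    Add-Finding 'CWDIllegalInDllSearch' '0xFFFFFFFF' 'Current directory removed from the DLL search order: strongest setting'
} else {
    Add-Finding 'CWDIllegalInDllSearch' $cwd 'Partial: only blocks loads when the current directory is a remote/WebDAV folder'
}

# 3. Are the bulletin patches installed? Get-HotFix lists installed updates by KB id.
$installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKB) {
    if ($installed -contains $kb) {
        Add-Finding "Patch $kb" 'installed' 'OK'
    } else {
        Add-Finding "Patch $kb" 'missing' 'Install via Windows Update or the bulletin download links'
    }
}

$findings | Format-Table -AutoSize
```

Run it as `.\Audit-MS11-070-071.ps1 -RequiredKB 'KB<real id>','KB<real id>'` once you have the hotfix numbers from the bulletins; the findings table is meant to be collected from each server and desktop so that unpatched WINS servers, and hosts where the current-directory DLL search is still open, can be prioritised.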
For All WatchGuard Users:
Attackers can exploit these flaws using diverse exploitation methods. Furthermore, the Firebox cannot protect you from local attacks. Therefore, installing Microsoft’s updates is your most secure course of action.
Status:
Microsoft has released patches correcting these issues.
References:
This alert was researched and written by Corey Nachreiner, CISSP.
What did you think of this alert? Let us know at [email protected].
More alerts and articles: Log into the LiveSecurity Archive.