• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Windows Updates Fix WINS Issues & Insecure DLL Loading Vulnerability

September 13, 2011 By Corey Nachreiner

Severity: Medium

12 July, 2011

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted WINS messages and enticing users to open malicious documents
  • Impact: Various. In the worst case, an attacker can gain control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing a couple of vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity (according to Microsoft’s summary).

  • MS11-070: WINS Elevation of Privilege Vulnerability

Windows Internet Name Service (WINS) is essentially Microsoft’s version of the NetBIOS Name Service (NBNS) — a service that allows you to give computers human friendly names (kind of like a DNS for your local network computers). According to Microsoft, the WINS service suffers from a elevation of privilege flaw due to its inability to properly handle specially crafted WINS messages on the loopback interface. By sending such WINS packets, an attacker can leverage this flaw to force your WINS server to execute code with SYSTEM privileges, thus gaining full control of the server. However, certain factors significantly mitigate the scope of this flaw:

  1. The attacker needs valid Windows credentials to exploit this flaw
  2. The attack only works locally (not over a network), since it involves the loopback interface.

  Microsoft rating: Important

  • MS11-071  Another Insecure DLL Loading Vulnerability

Over the past year, Microsoft has contended with various “insecure Dynamic Link Library (DLL) loading” vulnerabilities affecting many of their products. This class of flaw is also sometimes referred to as a binary planting flaw. We first described this issue in a September Wire post, which describes this Microsoft security advisory. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of malicious file from the same location as a specially crafted DLL file. If you do open the malicious file, it will execute code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. This new bulletin fixes yet another insecure DLL loading issue. This time, an attacker can trigger the latest issue by enticing you to open, .rtf, .txt, or .doc documents.
Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-070:

  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)
  • For Windows Server 2008 (w/SP2)
  • For Windows Server 2008 x64 (w/SP2)
  • For Windows Server 2008 Itanium (w/SP2)

MS11-071:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)
  • For Windows Vista (SP2)
  • For Windows Vista x64 (SP2)
  • For Windows Server 2008 (w/SP2)
  • For Windows Server 2008 x64 (w/SP2)
  • For Windows Server 2008 Itanium (w/SP2)
  • For Windows 7
  • For Windows 7 x64
  • For Windows Server 2008 R2 x64
  • For Windows Server 2008 R2 Itanium

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Furthermore, the Firebox cannot protect you from local attacks. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS11-070
  • Microsoft Security Bulletin MS11-071

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at [email protected].
More alerts and articles: Log into the LiveSecurity Archive.

Share This:

Related

Filed Under: Security Bytes Tagged With: code execution, elevation of Privilege, insecure DLL Loading, Microsoft, Updates and patches, WINS

Comments

  1. top online trading sites says

    April 9, 2013 at 8:50 pm

    Howdy! Someone in my Facebook group shared this website with
    us so I came to look it over. I’m definitely loving the information. I’m bookmarking and will be tweeting this to my followers!

    Fantastic blog and fantastic design and style.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Scratching the Surface of Rhysida Ransomware
  • An Interview with ChatGPT
  • TikTok is Banned, Kind Of
  • Naming APTs

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • How Not to Update Software
  • Naming APTs
  • TikTok is Banned, Kind Of
  • Scratching the Surface of Rhysida Ransomware
  • An Interview with ChatGPT
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use