Secplicity – Security Simplified

Windows Updates Fix WINS Issues & Insecure DLL Loading Vulnerability

Severity: Medium

12 July, 2011

Summary:

Exposure:

Today, Microsoft released two security bulletins describing a couple of vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity (according to Microsoft’s summary).

Windows Internet Name Service (WINS) is essentially Microsoft’s version of the NetBIOS Name Service (NBNS) — a service that allows you to give computers human-friendly names (kind of like a DNS for your local network computers). According to Microsoft, the WINS service suffers from an elevation of privilege flaw due to its inability to properly handle specially crafted WINS messages on the loopback interface. By sending such WINS packets, an attacker can leverage this flaw to force your WINS server to execute code with SYSTEM privileges, thus gaining full control of the server. However, certain factors significantly mitigate the scope of this flaw:

  1. The attacker needs valid Windows credentials to exploit this flaw.
  2. The attack only works locally (not over a network), since it involves the loopback interface.

Microsoft rating: Important

Over the past year, Microsoft has contended with various “insecure Dynamic Link Library (DLL) loading” vulnerabilities affecting many of their products. This class of flaw is also sometimes referred to as a binary planting flaw. We first described this issue in a September Wire post, which describes this Microsoft security advisory. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of malicious file from the same location as a specially crafted DLL file. If you do open the malicious file, it will execute code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. This new bulletin fixes yet another insecure DLL loading issue. This time, an attacker can trigger the latest issue by enticing you to open .rtf, .txt, or .doc documents.

Microsoft rating: Important
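As an added example (not part of the original alert or of Microsoft's bulletin), the following Python audit walks a folder tree, such as a file share or download folder, and reports every directory where a DLL sits beside an .rtf, .txt, or .doc file, which is the layout this class of flaw depends on. The function names and the sample tree are constructed for illustration; a hit is a lead to review, since some applications legitimately ship DLLs next to text files.

```python
import os
import tempfile
from pathlib import Path

# Document types the alert names as triggers for the latest issue.
DOC_EXTS = {".rtf", ".txt", ".doc"}


def find_colocated_dlls(root):
    """Map each directory under root that holds both a trigger document and
    a DLL to the file names involved (paths are relative to root)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        docs = sorted(f for f in files if Path(f).suffix.lower() in DOC_EXTS)
        dlls = sorted(f for f in files if Path(f).suffix.lower() == ".dll")
        if docs and dlls:
            rel = os.path.relpath(dirpath, root)
            findings[rel] = {"docs": docs, "dlls": dlls}
    return findings


def build_sample_tree(base):
    """Create a constructed sample share layout using empty placeholder files."""
    layout = {
        "reports": ["q2.doc", "helper.DLL"],   # document next to a DLL: flagged
        "notes": ["readme.txt", "todo.rtf"],   # documents only: ignored
        "bin": ["tool.dll"],                   # DLL only: ignored
        "inbox/fwd": ["memo.RTF", "a.dll", "b.dll", "pic.png"],  # flagged
    }
    for sub, names in layout.items():
        folder = Path(base, sub)
        folder.mkdir(parents=True)
        for name in names:
            (folder / name).touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        for folder, hit in sorted(find_colocated_dlls(base).items()):
            print(f"{folder}: docs={hit['docs']} dlls={hit['dlls']}")
```
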

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-070:

MS11-071:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Furthermore, the Firebox cannot protect you from local attacks. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

