Secplicity - Security Simplified

Powered by WatchGuard Technologies

Five Windows Bulletins, One Critical

October 11, 2011 By Corey Nachreiner

Bulletins Affect .NET Framework, Media Center, Kernel-mode Drivers, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack including enticing your users to malicious web sites, or into opening booby-trapped files
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released five security bulletins describing eight vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS11-078: .NET Framework and Silverlight Code Execution Flaw

The .NET Framework is a software framework used by developers to create new Windows and web applications. The .NET Framework and Silverlight do not properly restrict inheritance within classes. An attacker could exploit this to create web code that executes with the same privileges as you, the user. Of course, the attacker must first entice you to a specially crafted site (or to a legitimate site that somehow links to his malicious site) to exploit this flaw. As usual, if you are a local administrator, the attacker could exploit this to gain full control of your machine. This flaw can also affect Web sites that use .NET Framework or Silverlight elements.
Microsoft rating: Critical

  • MS11-075: Active Accessibility Insecure Library Loading Vulnerability

Windows ships with Active Accessibility components to provide customers who may have impairments with more ways to interact with their computers. Unfortunately, the Active Accessibility component suffers from the insecure Dynamic Link Library (DLL) loading class of vulnerability that we’ve described in past alerts. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of booby-trapped file from the same location as a specially crafted, malicious DLL file. If you do open the booby-trapped file, it will execute code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. Microsoft doesn’t elaborate on what type of files an attacker might leverage this flaw with; only that it would be a legitimate file. For that reason, we can only assume that attackers could leverage any file type that Windows handles.
Microsoft rating: Important.

  • MS11-076: Media Center Insecure Library Loading Vulnerability

Some versions of Windows (Vista and 7) ship with Media Center, a program that helps you organize, view, and listen to all your media through one convenient interface. Media Center suffers from an insecure library loading vulnerability almost identical to the one described above. Though the flaw lies in a different component, it has the exact same scope and impact as the Active Accessibility issue. If you download and open a booby-trapped file from the same location as a malicious DLL file, an attacker can leverage this flaw to execute code on your computer with your privileges. If you have local administrative privileges, the attacker gains complete control of your computer.
Microsoft rating: Important.
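
Both insecure library loading bulletins (MS11-075 and MS11-076) depend on a DLL sitting in the same location as the file a user opens, so that layout is something you can look for on file shares and download folders until the patches are deployed. The script below is an added example, not code from Microsoft or from this alert: it flags directories that hold a library beside data files but no program. The extension sets, function names, and sample file names are assumptions made for this sketch, and a hit is a lead to review, not proof of an attack.

```python
import os
import tempfile

# Extension sets are assumptions for this sketch; tune them for your environment.
LIBRARY_EXTS = {".dll", ".ocx", ".cpl"}
PROGRAM_EXTS = {".exe", ".com", ".scr"}

def classify(name):
    """Sort a file name into 'library', 'program' or 'data' by extension."""
    ext = os.path.splitext(name)[1].lower()
    if ext in LIBRARY_EXTS:
        return "library"
    if ext in PROGRAM_EXTS:
        return "program"
    return "data"

def find_colocated_libraries(root):
    """Return directories under root holding libraries beside data files but
    no program. A normal install directory (program plus its DLLs) is skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        kinds = {"library": [], "program": [], "data": []}
        for name in sorted(files):
            kinds[classify(name)].append(name)
        if kinds["library"] and kinds["data"] and not kinds["program"]:
            findings.append({
                "directory": os.path.relpath(dirpath, root),
                "libraries": kinds["library"],
                "data_files": kinds["data"],
            })
    return sorted(findings, key=lambda f: f["directory"])

def demo():
    """Build a constructed sample tree of empty files and scan it."""
    layout = {  # constructed names, not taken from any real incident
        ("apps", "viewer"): ["viewer.exe", "codec.dll", "readme.txt"],
        ("share", "projects"): ["report.docx", "Helper.DLL"],
        ("share", "photos"): ["a.jpg", "b.jpg"],
    }
    with tempfile.TemporaryDirectory() as root:
        for parts, names in layout.items():
            folder = os.path.join(root, *parts)
            os.makedirs(folder)
            for name in names:
                open(os.path.join(folder, name), "wb").close()
        return find_colocated_libraries(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit["directory"], hit["libraries"], hit["data_files"])
```

Point `find_colocated_libraries` at locations users open documents from, such as network shares or download folders, rather than at program install directories.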

  • MS11-077: Kernel-mode Driver Code Execution Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. The kernel-mode driver suffers from four security vulnerabilities, the worst being a code execution flaw involving the way it handles specially crafted font files (.fon). By enticing one of your users to open a specially crafted font file, an attacker could exploit this flaw to gain full control of that user’s computer (regardless of the user’s privilege).
Microsoft rating: Important.

  • MS11-080: Ancillary Function Driver Privilege Elevation Vulnerability

According to Microsoft, the Ancillary Function Driver (AFD) is a Windows component that supports Windows sockets applications. AFD suffers from an elevation of privilege (EoP) vulnerability due to improper input validation. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials in order to run his evil program. This factor significantly reduces the risk of this flaw. This flaw only affects XP and Server 2003.
Microsoft rating: Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-078:

Due to the complicated, version-dependent nature of .NET Framework updates, we recommend you see the Affected & Non-Affected Software section of Microsoft’s Bulletin for patch details (or let Windows Automatic Updates handle the patch for you).

  • MS11-078 Affected & Non-Affected Software section

MS11-075:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)
  • For Windows Vista (w/SP2)
  • For Windows Vista x64 (w/SP2)
  • For Windows Server 2008 (w/SP2)
  • For Windows Server 2008 x64 (w/SP2)
  • For Windows Server 2008 Itanium (w/SP2)
  • For Windows 7 (w/SP1)
  • For Windows 7 x64 (w/SP1)
  • For Windows Server 2008 R2 x64 (w/SP1)
  • For Windows Server 2008 R2 Itanium (w/SP1)

MS11-076:

  • For Windows Vista (w/SP2)
  • For Windows Vista x64 (w/SP2)
  • For Windows 7 (w/SP1)
  • For Windows 7 x64 (w/SP1)
  • Windows Media Center TV Pack for Vista
  • Windows Media Center TV Pack for Vista x64

MS11-077:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)
  • For Windows Vista (w/SP2)
  • For Windows Vista x64 (w/SP2)
  • For Windows Server 2008 (w/SP2)
  • For Windows Server 2008 x64 (w/SP2)
  • For Windows Server 2008 Itanium (w/SP2)
  • For Windows 7 (w/SP1)
  • For Windows 7 x64 (w/SP1)
  • For Windows Server 2008 R2 x64 (w/SP1)
  • For Windows Server 2008 R2 Itanium (w/SP1)

MS11-080:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS11-075
  • Microsoft Security Bulletin MS11-076
  • Microsoft Security Bulletin MS11-077
  • Microsoft Security Bulletin MS11-078
  • Microsoft Security Bulletin MS11-080

This alert was researched and written by Corey Nachreiner, CISSP.

Filed Under: Security Bytes Tagged With: Microsoft, Updates and patches
