Four Windows Bulletins: Critical TCP/IP Vulnerability Allows Remote Root

Corey Nachreiner

12 years ago

Bulletins Affect TCP/IP, Active Directory, Windows Mail, and More

Severity: High

Summary:

These vulnerabilities affect: All current versions of Windows and components that ship with it (though most only affect more recent versions of Windows)
How an attacker exploits them: Multiple vectors of attack including sending specially crafted packets, or enticing users into opening booby-trapped files
Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing four vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees, with most of this month’s bulletins affecting Windows Vista, 7, and Server 2008. A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PCs. The summary below lists the vulnerabilities, in order from highest to lowest severity.

MS11-083: TCP/IP Remote Code Execution Vulnerability

As you would expect, the Windows TCP/IP stack is a set of networking protocols that allows your computer to get on the Internet and participate in modern networking. Unfortunately, the Windows TCP/IP stack suffers from an integer overflow flaw involving its inability to properly parse a continuous flow of specially crafted UDP packets. By sending such packets, an attacker could leverage this flaw to gain complete control of your Windows computer. This flaw only affects Windows Vista, 7, and the Server 2008 versions of Windows. That said, this is a seriously vulnerability, and we recommend you patch it immediately.
Microsoft rating: Critical

MS11-085: Windows Mail and Meeting Space Insecure Library Loading Vulnerability

Windows Mail is the default email client that ships with Windows and Meeting Space is a built in document and desktop sharing application. Unfortunately, both these components suffers from the insecure Dynamic Link Library (DLL) loading class of vulnerability that we’ve described in many previous Microsoft alerts. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of booby-trapped file from the same location as a specially crafted, malicious DLL file. If you do open the booby-trapped file, it will execute code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. In this particular case, the vulnerability is triggered by files types associated with Mail and Meeting Space–specifically .EML and .WCINV files.
Microsoft rating: Important.

MS11-086: Active Directory Elevation of Privilege Vulnerability

Active Directory (AD) provides central authentication and authorization services for Windows computers and ships with server versions of Windows. Among its many options, AD allows you to authentication using certificates. AD suffers from a certificate handling vulnerability when configured to use LDAP over SSL (LDAPS). In short, AD doesn’t properly recognize revoked SSL certificates, which means an attacker can use a revoked certificate to authenticate and possibly gain access to your systems. However, the attacker would first have to somehow gain access to the revoked certificate for a valid account on your domain to leverage this flaw, which significantly mitigates its severity. If an attacker has access to valid account certificates, revoked or not, you already have a serious problem on your hands.
Microsoft rating: Important.

MS11-084: Kernel-mode Driver Denial of Service Vulnerability

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. The kernel-mode driver suffers from a Denial of Service (DoS) vulnerability involving the way it handles specially crafted TrueType font files. By enticing one of your users to open a specially crafted font file, or to browse to a share hosting such a file, an attacker could exploit this flaw to cause your system to stop responding, until you restart it. This flaw only affects Windows 7 and Server 2008 R2.
Microsoft rating: Moderate.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-083:

MS11-085:

* Server Core installations not affected: If you chose the “Server Core” installation option, Windows does not install unnecessary client applications, such as Mail or Meeting Space.

MS11-086:

Active Directory updates:

For Windows Server 2003 x64 (w/SP2)

For Windows Server 2003 Itanium (w/SP2)
For Windows Vista (w/SP2)
For Windows Vista x64 (w/SP2)
For Windows Server 2008 (w/SP2)
For Windows Server 2008 x64 (w/SP2)
For Windows 7 (w/SP1)
For Windows 7 x64 (w/SP1)
For Windows Server 2008 R2 x64 (w/SP1)
For Windows Server 2008 R2 Itanium (w/SP1)

MS11-084:

* Server Core installations not affected

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.