Secplicity – Security Simplified

Seven Windows Updates Fix Three Critical Flaws, Including Duqu 0day

Bulletins Affect Kernel-Mode Drivers, Windows Media Player, Active Directory, and More

Severity: High

Summary:

Exposure:

Today, Microsoft released seven security bulletins describing the same number of vulnerabilities affecting Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. The kernel-mode driver suffers from an input validation vulnerability involving its inability to properly parse TrueType fonts. By enticing one of your users to either visit a malicious web site, open a specially crafted document, or run an evil program, an attacker could exploit this flaw to gain complete control of your Windows computer. Attackers are currently exploiting this vulnerability in the wild with the Duqu malware. Duqu typically arrives as a spear-phishing email with a malicious Office document attachment. The attachment leverages this TrueType handling vulnerability to install the malicious Duqu worm onto your computer. We highly recommend you apply this patch as quickly as you can.

Microsoft rating: Critical

This bulletin fixes a remote code execution vulnerability in Windows’ Microsoft Time component. Microsoft does not describe this Time component flaw in much detail. They only say that it involves an improper use of the Time component’s “binary behavior,” which could corrupt your system state in a way that may allow attackers to execute code and gain complete control of your computer. To do so, the attacker would first have to entice you to a specially crafted web site, or to a legitimate site that he booby-trapped with malicious code. Finally, though the flaw affects a Windows component, it also involves the way Internet Explorer (IE) interacts with that component. Luckily, only IE 6 and below are susceptible to this flaw. If you are running a more recent version of IE, you should be safe. That said, we still recommend you update the underlying, flawed Windows Time component.

Microsoft rating: Critical

Some versions of Windows (XP, Vista, and 7) ship with Media Player and Media Center, both programs that help you organize and play your multimedia content (audio, video, etc.). Media Player suffers from a memory corruption vulnerability, involving its inability to properly handle specially crafted Microsoft Digital Video Recording (.dvr-ms) media files. By enticing one of your users to open a specially crafted .dvr-ms file, an attacker can exploit this vulnerability to execute malicious code with that user’s privileges. If your users have local administrative privileges, the attacker could gain complete control of their computers.

Microsoft rating: Critical

Object Linking and Embedding (OLE) is a protocol that allows Windows to handle special compound documents, which contain embedded links to content from other document types, in other formats. OLE suffers from an unspecified object handling vulnerability, involving its inability to properly handle specially crafted OLE objects within documents. By tricking one of your users into opening a specially crafted document, an attacker could exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains complete control of their machines. All Microsoft Office documents, as well as many third-party files, can contain OLE objects, which attackers can use to exploit this flaw.

Microsoft rating: Important.

Active Directory (AD) provides central authentication and authorization services for Windows computers and ships with server versions of Windows. AD suffers from a buffer overflow vulnerability involving its inability to handle specially crafted queries. By running a specially crafted program, a local attacker can exploit this flaw to execute code on your AD server, gaining complete control of it. However, the attacker would need valid domain user credentials to leverage this flaw, which significantly mitigates its severity. This vulnerability primarily poses an internal threat.

Microsoft rating: Important.

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. By running a specially crafted application, an attacker can leverage this flaw to elevate his privilege (EoP), gaining complete, SYSTEM-level control of your Windows machine. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important.

The kernel is the core component of any computer operating system. The Windows kernel suffers from an Elevation of Privilege (EoP) vulnerability. Like the CSRSS flaw above, by running a specially crafted program, an authenticated attacker could leverage this flaw to gain complete control of your Windows computers. However, like before, the attacker would first need to gain local access to your Windows computers using valid credentials, which somewhat reduces the risk of this flaw. This flaw does not affect the 64-bit or Itanium editions of Windows.

Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-087:

MS11-090:

* Server Core Installations NOT affected.

MS11-092:

MS11-093:

MS11-095:

Active Directory updates:

MS11-097:

MS11-098:
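To help with the "download, test, and deploy" step, here is an added PowerShell audit script (not part of the original alert, and not WatchGuard code) that reports which of the seven bulletins above are still missing on a host. The alert gives only bulletin IDs, so the KB numbers in the table are labelled placeholders to be filled in from each bulletin page; the IE version and OS architecture checks reflect the two caveats the alert states for MS11-090 and MS11-098.

```powershell
# Added example: audit a Windows host for the seven December 2011 bulletins.
# Get-HotFix lists installed Windows updates by KB number. The KB values below
# are PLACEHOLDERS (the alert lists only bulletin IDs); replace them with the
# KB number printed on each Microsoft bulletin page before use.
$bulletins = @{
    'MS11-087' = 'KB_PLACEHOLDER_087'   # win32k.sys TrueType parsing (Duqu)
    'MS11-090' = 'KB_PLACEHOLDER_090'   # Windows Time component, IE 6 and below
    'MS11-092' = 'KB_PLACEHOLDER_092'   # Media Player .dvr-ms handling
    'MS11-093' = 'KB_PLACEHOLDER_093'   # OLE object handling
    'MS11-095' = 'KB_PLACEHOLDER_095'   # Active Directory (server editions)
    'MS11-097' = 'KB_PLACEHOLDER_097'   # CSRSS elevation of privilege
    'MS11-098' = 'KB_PLACEHOLDER_098'   # Kernel elevation of privilege (32-bit only)
}

# Returns one object per bulletin with an Installed flag.
function Get-BulletinStatus {
    param([hashtable]$Map = $bulletins)
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($id in ($Map.Keys | Sort-Object)) {
        $kb = $Map[$id]
        New-Object PSObject -Property @{
            Bulletin  = $id
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

# Context the alert gives for two bulletins: MS11-090 is only reachable through
# IE 6 and below, and MS11-098 does not affect 64-bit or Itanium editions.
# Assumption: the IE version lives in the registry "Version" value; OS
# architecture comes from WMI (absent on XP, which then reads as 32-bit).
$ieVersion = [version](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer').Version
$is64 = (Get-WmiObject Win32_OperatingSystem).OSArchitecture -like '64*'

Get-BulletinStatus | ForEach-Object {
    $note = ''
    if ($_.Bulletin -eq 'MS11-090' -and $ieVersion.Major -gt 6) {
        $note = 'IE above 6: not exposed via IE, still patch the Time component'
    }
    if ($_.Bulletin -eq 'MS11-098' -and $is64) {
        $note = '64-bit OS: not affected'
    }
    $_ | Add-Member -MemberType NoteProperty -Name Note -Value $note -PassThru
} | Sort-Object Bulletin | Format-Table Bulletin, KB, Installed, Note -AutoSize
```

Run it on a representative test machine before and after deploying the updates; any row with Installed set to False and an empty Note is a host that still needs the patch.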

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. Furthermore, WatchGuard’s proxy policies can block some of the content necessary to exploit some of these flaws. That said, our appliances cannot protect you from local attacks, nor can they prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.
