Secplicity - Security Simplified

Powered by WatchGuard Technologies

Half a Dozen Windows Updates; One Critical

January 11, 2012 By Corey Nachreiner

Bulletins Affect Windows Media components, CSRSS, SSL/TLS, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to download and open malicious media, documents, or other files.
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released six security bulletins describing seven vulnerabilities affecting Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-004: Two Windows Media Code Execution Flaws

Windows ships with media rendering components, such as Windows Media Player and DirectShow, to allow users to play various types of multimedia. Unfortunately, these two Windows Media components suffer from code execution vulnerabilities. Though the flaws differ technically, and affect separate components, they share a similar scope and impact. By enticing one of your users to open a specially crafted media file, an attacker can exploit these flaws to execute code on that user’s computer, with that user’s privileges. Since typical Windows users tend to have local administrative privileges, attackers can often exploit these types of flaws to gain complete control of the machine.

Microsoft rating: Critical

  • MS12-001: Windows Kernel SafeSEH Bypass Vulnerability

Over the years, Microsoft has introduced various Data Execution Prevention (DEP) mechanisms into Windows, which are designed to make it more difficult for attackers to leverage memory corruption vulnerabilities, such as buffer overflows. Without going into too much technical depth, these DEP mechanisms generally make it more difficult for attackers to inject and execute shellcode from memory locations typically reserved for non-executable data. SafeSEH is just another DEP-related mechanism that tries to prevent attackers from hijacking Windows’ Structured Exception Handler (SEH) during a buffer overflow attack. Unfortunately, an external researcher discovered a way to bypass Windows’ SafeSEH security mechanism. In itself, this security bypass flaw is not a direct vulnerability in Windows. In other words, an attacker can’t directly leverage it to gain control of your computer. However, if an attacker were to discover a new buffer overflow vulnerability in Windows, this SafeSEH flaw would make it easier for the attacker to bypass Windows’ DEP protections and exploit the buffer overflow.

Microsoft rating: Important
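As an added illustration (not part of the original alert or Microsoft's bulletin), the Python sketch below shows how a defender can audit whether a 32-bit Windows binary opts in to SafeSEH at all, by reading the handler table recorded in its PE load configuration. The names `safeseh_status` and `build_sample` are hypothetical, and the sample images are constructed header-only skeletons rather than real binaries; the check reports opt-in status only and does not detect the bypass that MS12-001 patches.

```python
import struct

NO_SEH = 0x0400      # IMAGE_DLLCHARACTERISTICS_NO_SEH: image declares no handlers
LOAD_CONFIG = 10     # data directory index of the load configuration

def safeseh_status(pe: bytes) -> str:
    """Report whether a PE image registers a SafeSEH handler table."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                         # optional header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        return "not-applicable"   # PE32+ (64-bit) images do not use SafeSEH
    if struct.unpack_from("<H", pe, opt + 70)[0] & NO_SEH:
        return "no-seh"
    if struct.unpack_from("<I", pe, opt + 92)[0] <= LOAD_CONFIG:
        return "unprotected"      # no load-config directory slot at all
    rva = struct.unpack_from("<I", pe, opt + 96 + 8 * LOAD_CONFIG)[0]
    for i in range(nsect):                                # RVA -> file offset
        vsize, vaddr, rsize, raw = struct.unpack_from(
            "<IIII", pe, opt + opt_size + 40 * i + 8)
        if rva and vaddr <= rva < vaddr + max(vsize, rsize):
            cfg = raw + rva - vaddr
            if struct.unpack_from("<I", pe, cfg)[0] < 72:
                return "unprotected"  # structure too short to hold the table
            table, count = struct.unpack_from("<II", pe, cfg + 64)
            return "safeseh" if table and count else "unprotected"
    return "unprotected"

def build_sample(dll_chars: int, handlers: int) -> bytes:
    """Constructed header-only PE32 skeleton for the demo, not a real binary."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)            # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG, 0x1000, 72)
    cfg = bytearray(72)                                   # load config (32-bit)
    struct.pack_into("<I", cfg, 0, 72)                    # Size
    struct.pack_into("<II", cfg, 64, 0x401100 if handlers else 0, handlers)
    head = (b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
            + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + bytes(opt)
            + struct.pack("<8sIIII16x", b".rdata", 0x200, 0x1000, 0x200, 0x200))
    return head.ljust(0x200, b"\0") + bytes(cfg)

if __name__ == "__main__":
    for name, args in [("linked /SAFESEH", (0, 3)), ("no table", (0, 0)),
                       ("NO_SEH flag", (NO_SEH, 0))]:
        print(f"{name:16} -> {safeseh_status(build_sample(*args))}")
```

Modules reported as `unprotected` gain nothing from SafeSEH whether or not the patch is installed, so they are the first candidates for rebuilding or replacement.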

  • MS12-002: Code Execution Vulnerability in Windows Object Packager

According to Microsoft, the Windows Object Packager is “a tool that can be used to create a package that can be inserted into a file.” As that definition is quite vague, we prefer the one found in PC Magazine’s glossary, which relates the Object Packager to Object Linking and Embedding (OLE), a Microsoft technology that allows you to embed one Microsoft document within another. In any case, the Windows Object Packager suffers from an unspecified implementation flaw, which attackers can leverage to trick users into accidentally running potentially malicious executable files. By enticing you to open a seemingly legitimate file containing a specially packaged object from the same share or network location as a malicious executable file, an attacker can force you to run that executable file even though you didn’t specifically interact with it. This Object Packager flaw only affects Windows XP and Server 2003.

Microsoft rating: Important

  • MS12-003: CSRSS Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from a local privilege elevation issue. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important.

  • MS12-005: Microsoft ClickOnce Code Execution Flaw

Microsoft ClickOnce is a deployment technology that makes it easy for developers to create self-updating Windows applications that are easy to install. Unfortunately, it turns out ClickOnce applications are much too easy to install. Microsoft has not included ClickOnce files in the Windows Packager’s unsafe file type list. As a result, if you open a specially crafted Office document containing a ClickOnce application, the application runs automatically. Attackers can leverage this flaw to trick your users into accidentally installing malware by simply opening innocuous-looking documents.

Microsoft rating: Important.

  • MS12-006: SSL/TLS Protocol Vulnerability (BEAST Attack)

Last September, researchers at the Ekoparty Security Conference demonstrated the BEAST SSL/TLS attack. BEAST stands for Browser Exploit Against SSL/TLS and takes advantage of vulnerabilities in the SSL/TLS protocol to intercept and decrypt HTTPS requests. This article from The Register contains a fairly good high-level summary of the BEAST tool and this attack. Microsoft’s MS12-006 update mitigates this SSL/TLS protocol vulnerability.

Microsoft rating: Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

In the past, we’ve shared individual links for all the updates from Microsoft’s security bulletins in our own alert. However, Microsoft does an excellent job of providing and organizing these update links in their own bulletins. In the future, rather than providing these update links individually, we will refer you to the “Affected and Non-Affected Software” section of the individual Microsoft bulletins. Feel free to let us know if you don’t like this change in the comments section of this post.

The links below should take you directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links for the various updates:

  • MS12-004
  • MS12-001
  • MS12-002
  • MS12-003
  • MS12-005
  • MS12-006

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. Furthermore, WatchGuard’s proxy policies can block some of the content necessary to exploit some of these flaws. That said, our appliances cannot protect you from local attacks, nor can they prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS12-001
  • Microsoft Security Bulletin MS12-002
  • Microsoft Security Bulletin MS12-003
  • Microsoft Security Bulletin MS12-004
  • Microsoft Security Bulletin MS12-005
  • Microsoft Security Bulletin MS12-006

This alert was researched and written by Corey Nachreiner, CISSP.

Filed Under: Security Bytes Tagged With: DEP, Microsoft, SafeSEH, Updates and patches

Comments

  1. Francis says

    February 14, 2012 at 10:49 pm

    The Windows always have to be updated regularly; if not, then we can't run our Windows smoothly.
