
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Six Windows Updates Fix Nine Security Vulnerabilities

February 14, 2012 By Corey Nachreiner

Bulletins Affect .NET Framework, Kernel-Mode Drivers, Indeo Codec, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it. Also affects the .NET Framework and Silverlight
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web site or enticing them to open malicious media or files.
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released six security bulletins describing nine vulnerabilities affecting Windows and components that ship with it. One of the bulletins also describes flaws in the .NET Framework and Silverlight, two optional yet popular Windows development frameworks.

Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-008: Two Kernel-Mode Driver Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers from two vulnerabilities. The worst is a serious code execution flaw, stemming from the kernel-mode driver’s lack of input validation when handling inputs passed from the Windows GDI. By enticing one of your users to either visit a malicious web site, open a specially crafted email, or run an evil program, an attacker could exploit this flaw to gain complete control of your Windows computer. This is a very serious flaw, which you should patch as quickly as possible.

Microsoft rating: Critical

  • MS12-013: Msvcrt.dll Buffer Overflow Vulnerability

Msvcrt.dll is a Dynamic Link Library (DLL) that many of Windows’ system-level components call on to perform routine tasks. It suffers from an unspecified buffer overflow vulnerability. By enticing you to open a specially crafted media file (either via email or the web), an attacker can exploit this flaw to execute code on your computer with your privileges. If you are a local administrator, the attacker gains full control of your PC.

Microsoft rating: Critical

  • MS12-016: Two .NET Framework Code Execution Flaws

The .NET Framework is a software framework used by developers to create new Windows and web applications. The .NET Framework and Silverlight suffer from two code execution vulnerabilities. Though the two issues differ technically, they share the same scope and impact. If an attacker can entice a user who has installed the .NET Framework to a specially crafted web site, he can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As always, if your users have local administrator privileges, attackers can leverage this to gain full control of their computers. This flaw can also affect web servers and sites that use .NET Framework or Silverlight elements, as well as any custom .NET-based programs, which you might develop and run in house. In short, if you’ve installed the .NET Framework on your servers or clients, you should update them.

Microsoft rating: Critical

  • MS12-009: Two Ancillary Function Driver EoP Vulnerabilities

The Ancillary Function Driver (AFD) is a Windows component that helps manage Winsock TCP/IP communications. It suffers from two local elevation of privilege (EoP) issues. By running a specially crafted application, an attacker can leverage either flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important.

  • MS12-012: Color Control Panel Insecure Library Loading Vulnerability 

Windows 7 ships with various “Desktop Experience” features, including the Color Control Panel. Windows Server 2008 and Server 2008 R2 do not install these Desktop Experience features by default, but they do offer them as options. Unfortunately, the Server 2008 version of the Color Control Panel suffers from the Dynamic Link Library (DLL) loading class of vulnerability that we’ve described in many previous Microsoft alerts. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of booby-trapped file from the same location as a specially crafted, malicious DLL file. If you do open the booby-trapped file, it will execute code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. In this particular case, the vulnerability is triggered by file types associated with the Color Control Panel, specifically .ICM and .ICC files. This flaw only affects Windows Server 2008 and Server 2008 R2 users who have installed the optional Color Control Panel feature.

Microsoft rating: Important.

  • MS12-014: Windows XP Indeo Codec Insecure Library Loading Vulnerability 

The Indeo codec is a legacy video codec that Windows uses to play specifically compressed and formatted videos. The Indeo codec that ships with Windows XP suffers from an insecure library loading vulnerability exactly like the one described above. The only difference is that an attacker would have to entice you to download an .AVI file from the same location as a malicious DLL. This flaw only affects Windows XP.

Microsoft rating: Important.
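Both MS12-012 and MS12-014 depend on the same arrangement: a trigger file (.ICM or .ICC for the Color Control Panel, .AVI for the Indeo codec) sitting in the same folder as a DLL. The script below is an added example, not part of the original alert or of any WatchGuard tool; it walks a directory tree (a downloads folder or a writable share, for instance) and reports every trigger file that has a DLL beside it, which is the precondition a defender can review before anyone opens the file. The trigger-to-bulletin table and the sample directory layout are constructed for the illustration.

```python
"""Hunt for the DLL-planting precondition behind MS12-012 and MS12-014:
a trigger file (.icm/.icc for the Color Control Panel, .avi for the Indeo
codec) sitting in the same folder as a DLL. Added defender-side example;
the trigger table and the sample directory layout are constructed."""
import os
import tempfile

# Extensions the alert names as triggers, mapped to the bulletin they concern.
TRIGGER_EXTENSIONS = {
    ".icm": "MS12-012 (Color Control Panel)",
    ".icc": "MS12-012 (Color Control Panel)",
    ".avi": "MS12-014 (Indeo codec)",
}


def find_colocated_dlls(root):
    """Walk `root` and return (trigger_path, dll_path, bulletin) tuples for
    every trigger file that shares a directory with at least one .dll.
    A DLL beside a trigger file is not proof of an attack, but it is the
    arrangement the insecure-loading class of flaw needs, so it is worth
    reviewing on download folders and writable shares."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dlls = sorted(f for f in filenames if f.lower().endswith(".dll"))
        if not dlls:
            continue  # no DLL here, nothing for the loader to pick up
        for name in sorted(filenames):
            ext = os.path.splitext(name)[1].lower()
            bulletin = TRIGGER_EXTENSIONS.get(ext)
            if bulletin is None:
                continue
            for dll in dlls:
                findings.append((os.path.join(dirpath, name),
                                 os.path.join(dirpath, dll),
                                 bulletin))
    return findings


def build_sample_tree(base):
    """Constructed layout: 'downloads' holds a colour profile next to a
    DLL (suspicious); 'videos' holds a lone .avi (benign)."""
    downloads = os.path.join(base, "downloads")
    videos = os.path.join(base, "videos")
    os.makedirs(downloads)
    os.makedirs(videos)
    for name in ("profile.icm", "somelib.dll"):
        open(os.path.join(downloads, name), "wb").close()
    open(os.path.join(videos, "clip.avi"), "wb").close()


def scan_sample():
    """Build the sample tree in a temp dir, scan it, and return findings
    with paths reduced to basenames so the result is location-independent."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return [(os.path.basename(t), os.path.basename(d), b)
                for t, d, b in find_colocated_dlls(base)]


if __name__ == "__main__":
    for trigger, dll, bulletin in scan_sample():
        print(f"{bulletin}: {trigger} sits beside {dll}")
```

Point `find_colocated_dlls` at a real path to scan it; the lone .AVI in the sample tree produces no finding because the flaw needs the DLL in the same location as the file being opened, which is why the check is on co-location rather than on the file type alone.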

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below should take you directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links for the various updates:

  • MS12-008
  • MS12-013
  • MS12-016
  • MS12-009
  • MS12-012
  • MS12-014
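A patch you have deployed is only useful if it is actually present on each host, so the "download, test, and deploy" step usually ends with a compliance check. The script below is an added example, not from the original alert; it parses the hotfix list a Windows host reports and lists which of the six bulletins still lack their update. Because the alert names bulletin IDs rather than KB article numbers, the KB values are labelled placeholders to be replaced with the numbers from each bulletin's "Affected and Non-Affected Software" section, and the sample hotfix listing is constructed in the shape of `wmic qfe get HotFixID,InstalledOn /format:csv` output.

```python
"""Compare a host's installed hotfixes with the updates a bulletin set
requires. Added example. The alert lists bulletin IDs only, so the KB
values below are labelled placeholders to be replaced with the KB numbers
from each bulletin's "Affected Software" section; SAMPLE_QFE is constructed
in the shape of `wmic qfe get HotFixID,InstalledOn /format:csv` output."""
import csv
import io

# Placeholder mapping: bulletin -> KB article that delivers its fix.
REQUIRED_KBS = {
    "MS12-008": "KB-PLACEHOLDER-008",
    "MS12-009": "KB-PLACEHOLDER-009",
    "MS12-012": "KB-PLACEHOLDER-012",
    "MS12-013": "KB-PLACEHOLDER-013",
    "MS12-014": "KB-PLACEHOLDER-014",
    "MS12-016": "KB-PLACEHOLDER-016",
}

# Constructed sample: a host that has applied two of the six updates.
SAMPLE_QFE = """\
Node,HotFixID,InstalledOn
WORKSTATION01,KB-PLACEHOLDER-008,2/14/2012
WORKSTATION01,KB-PLACEHOLDER-013,2/14/2012
WORKSTATION01,KB-PLACEHOLDER-OLD,1/10/2012
"""


def parse_qfe_csv(text):
    """Return the set of HotFixID values from CSV-formatted QFE output.
    Leading blank lines and stray whitespace around IDs are ignored."""
    rows = csv.DictReader(io.StringIO(text.lstrip()))
    return {row["HotFixID"].strip() for row in rows if row.get("HotFixID")}


def missing_bulletins(installed, required=REQUIRED_KBS):
    """Sorted list of bulletin IDs whose KB is absent from `installed`."""
    return sorted(b for b, kb in required.items() if kb not in installed)


def check_sample():
    """Run the check over the constructed sample host."""
    return missing_bulletins(parse_qfe_csv(SAMPLE_QFE))


if __name__ == "__main__":
    for bulletin in check_sample():
        print(f"missing: {bulletin} ({REQUIRED_KBS[bulletin]})")
```

Feed `parse_qfe_csv` the saved output from each host and keep `REQUIRED_KBS` in step with the bulletins, noting that a bulletin can map to more than one KB depending on the Windows version, in which case the mapping should hold the KB that applies to the host being checked.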

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. Furthermore, WatchGuard’s proxy policies can block some of the content necessary to exploit some of these flaws. That said, our appliances cannot protect you from local attacks. You should install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS12-008
  • Microsoft Security Bulletin MS12-009
  • Microsoft Security Bulletin MS12-012
  • Microsoft Security Bulletin MS12-013
  • Microsoft Security Bulletin MS12-014
  • Microsoft Security Bulletin MS12-016

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


Filed Under: Security Bytes Tagged With: Microsoft, Remote code execution (RSE), Updates and patches

Comments

  1. Jenita says

    February 14, 2012 at 8:36 pm

    Patches need to fix those issues.

  2. Casandra says

    February 14, 2012 at 10:01 pm

    Patches can destroy vulnerabilities

  3. Francis says

    February 14, 2012 at 10:21 pm

    A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance. Though meant to fix problems, poorly designed patches can sometimes introduce new problems (see software regressions).

    • Corey Nachreiner says

      February 15, 2012 at 9:30 am

      I agree that poorly tested patches can, and have caused more problems. That is one of the reasons we always recommend you test patches before deploying them — especially when deploying to business critical production servers.

      That said, Microsoft has been doing pretty good with update QA lately (though there are a few outliers).
