• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Windows Updates Fix .NET Framework and Authenticode Flaws

April 10, 2012 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and its optional .NET Framework component
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into running specially crafted executable files or visiting web sites with malicious content
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing vulnerabilities that affect Windows and its optional .NET Framework component. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-024: Windows Authenticode Signature Verification Vulnerability

Windows contains Authenticode technology, which is a digital certificate-based code signing implementation designed to allow you and the operating system to verify the integrity and reputation of software. It works on the premise that if you download software signed by a vendor, say WatchGuard, and that software passes Windows’ Authenticode validation, then you can trust the software really comes from WatchGuard and hasn’t been modified in any way.

However, this bulletin describes a flaw in the way the Windows Authenticode Signature Validation function (WinVerifyTrust) checks Portable Executable (PE) files. In short, an attacker can create a specially crafted PE file that passes Windows’ Authenticode validation even after an attacker has maliciously modified the executable. If an attacker can get one of your users to download and run such an executable file, he could exploit this flaw to gain access to that user’s computer, with that user’s privileges. If the user had local administrator privileges, that attacker gains full control of the computer. The good news is, most users are very suspicious of unsolicited executable files they receive via email or the web. Hopefully, your users already know not to handle these sorts of unsolicited files. However, this flaw specifically bypasses a mechanisms Microsoft uses to help users validate the reputation of files. So smart attackers could leverage it to help convince users to run executables they otherwise wouldn’t have. We recommend you patch this vulnerability as quickly as possible.

Microsoft rating: Critical

  • MS12-025: .NET Framework Remote Code Execution Vulnerability

The .NET Framework is software framework used by developers to create new Windows and web applications. The .NET Framework suffers from a code execution vulnerability, due to its inability to properly validate certain parameters passed to a particular function. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As always, if your users have local administrator privileges, attackers can leverage this to gain full control of their computers. This flaw can also affect web servers and sites that use .NET Framework elements, as well as any custom .NET-based programs, which you might develop and run in house. In short, if you’ve installed the .NET framework on your servers or clients, you should update them.

Microsoft rating: Critical

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links for the various updates:

  • MS12-024
  • MS12-025

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run an executable file locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, many of WatchGuard’s proxy policies block executable files by default. This often prevents your users from accessing potentially malicious executable files found on the Internet. Using our proxy policies with these default settings will help mitigate the risk of your users gaining access to malicious executables that leverage these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS11-024
  • Microsoft Security Bulletin MS11-025

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at [email protected].
More alerts and articles: Log into the LiveSecurity Archive.

Share This:

Related

Filed Under: Security Bytes Tagged With: Direct Show, Microsoft, RDP, Updates and patches, windows media player

Comments

  1. Comodo says

    April 18, 2012 at 10:36 pm

    It can gain complete control.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • Here Come The Regulations
  • Cybersecurity’s Toll on Mental Health

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use