Windows Security Updates Also Fix Flaws in .NET Framework and Office

Severity: High

Summary:

• These vulnerabilities affect: All current versions of Windows and its optional .NET Framework component. One bulletin also affects Office and Silverlight
• How an attacker exploits them: Multiple vectors of attack, including enticing your users into running specially crafted documents or into visiting web sites with malicious content
• Impact: In the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing 15 vulnerabilities that primarily affect Windows and its optional .NET Framework component. However, one of the bulletins also affects Office and Silverlight. Each vulnerability affects different versions of these products to varying degrees. However, a remote attacker could exploit the worst of them to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates — especially the critical ones — as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS12-034: Various Vulnerabilities in Windows, Office, .NET Framework, and Silverlight

This unusual Microsoft bulletin fixes ten seemingly dissimilar vulnerabilities in four different Microsoft products; Windows, Office, the .NET Framework, and Silverlight. Microsoft combined them into one bulletin since the flaws affect related files found in all of these products.

The ten vulnerabilities differ quite widely, and include various code execution vulnerabilities, drive-by download type issues, local privilege elevation flaws, and even a Denial of Service (DoS) vulnerability. According to the bulletin, researchers or attackers have publicly disclosed three of these vulnerabilities before they were patched, and attackers have leveraged at least one in limited targeted attacks.

We suspect the font and image handling vulnerabilities pose the most risk to typical users. The components Windows uses to handle TrueType fonts and EMF images both suffer from multiple code execution flaws. If an attacker can lure one of your users into interacting with a specially crafted image or TrueType font, he can exploit these flaws to gain access to that user’s computer, with that user’s privileges. If your user has local administrator privileges, the attacker gains full control of the user’s computer. Attackers could embed these malicious fonts and images in web sites, documents, or emails, but some of these attack vectors require more user interaction than others to succeed. Since this bulletin fixes many serious vulnerabilities in many products — one of which attackers have already started exploiting in the wild — we recommend you download, test, deploy the updates as quickly as possible. Note, this update fixes flaws related to the advanced Duqu attack we’ve talked about in previous posts.

Microsoft rating: Critical

• MS12-035: Two .NET Framework Remote Code Execution Vulnerabilities

The .NET Framework is software framework used by developers to create new Windows and web applications. In computing, serialization is the process of converting a data structure or object to a state that allows for digital storage or transmission. Unfortunately, the .NET Framework suffers from two code execution vulnerabilities involving its serialization process. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit these flaws to execute code on that user’s computer, with that user’s privileges. As always, if your users have local administrator privileges, attackers can leverage these flaws to gain full control of their computers. This flaw can also affect custom .NET Framework-based programs, which you might develop and run in-house. If you use the .NET Framework in your network, you should apply this update as quickly as you can.

Microsoft rating: Critical

• MS12-032: TCP/IP Elevation of Privilege Flaw and Firewall Bypass

Two of Windows’ networking components suffer from security flaws. The Windows TCP/IP stack suffers from a local elevation of privilege flaw involving the way it binds IPv6 addresses to local network interfaces. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials.

Also, the Windows host-based Firewall suffers from a firewall bypass vulnerability. Apparently, the Windows firewall doesn’t properly apply outbound firewall policies to broadcast packets. Attackers with access to your Windows computers could exploit this issue to get past outbound firewall policies you may have applied to your Windows computer. While this flaw doesn’t allow external attackers to gain access to your system, it could make it easier for malware that infects your system to make its command and control (C&C) connection back to the attacker.

Microsoft rating: Important

• MS12-033: Partition Manager Elevation of Privilege Flaw

In computing, disk partitioning is the act of dividing your hard drive into more than one logical storage unit. Windows ships with the Partition Manager component to allow you to partition your hard drive. Unfortunately, the Partition Manager suffers from an elevation of privilege vulnerability having to do with how it interacts with another Windows component (specifically, the Plug and Play Configuration Manager). By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly lowers the severity of this issue.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

• MS12-034
• MS12-035
• MS12-032
• MS12-033

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run an executable file locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, WatchGuard’s firewalls and XTM security appliances can mitigate the risk of many of these flaws. For instance, though attackers may leverage the Windows Firewall flaw to bypass host-based firewall policies, that attack will not trick our gateway firewall. Furthermore, if you use our Gateway Antivirus our appliance may block the malware attackers try to deliver to your computer when leveraging these vulnerabilities.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS12-032
• Microsoft Security Bulletin MS12-033
• Microsoft Security Bulletin MS12-034
• Microsoft Security Bulletin MS12-035

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.