Four Windows Bulletins Fix RDP, .NET Framework, and Kernel Flaws

Severity: High

Summary:

• These vulnerabilities affect: All current versions of Windows and its optional .NET Framework component.
• How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets or enticing your users to web sites with malicious content
• Impact: In the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing nine vulnerabilities affecting Windows and components that ship with it, including its optional .NET Framework component. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates -especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS12-036: RDP Remote Code Execution Vulnerability

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network to directly control your desktop. Windows Terminal Servers also use the RDP protocol to allow many remote users to share one machine.

Unfortunately, the RDP component that ships with all versions of Windows suffers from a serious security vulnerability having to do with how  it handles specially crafted sequences of packets (similar to a flaw described in March). By sending a sequence of such packets to a computer running the RDP service, an attacker could exploit this flaw to gain complete control of that computer.

Luckily, the RDP service is not enabled by default on Windows systems. You are only vulnerable to this issue if you have specifically enabled RDP connections. That said, many companies manage Windows Terminal Servers, which do enable RDP services. Windows’ Remote Assistance and Remote Web Workplace features also expose RDP. If you manage such any workstations of servers using RDP, we highly recommend you apply the RDP patch immediately.

Microsoft rating: Critical

• MS12-038: .NET Framework Remote Code Execution Vulnerability

The .NET Framework is a software framework used by developers to create new Windows and web applications. The .NET Framework component suffers from a code execution flaw, which has to do with how it handles specially crafted XAML Browser Applications (XBAP). If an attacker can entice a user who’s installed the .NET Framework to a web site containing malicious XBAP, she can exploit this flaw to execute code on that user’s computer, with that user’s privileges. As always, if your users have local administrator privileges, attackers can leverage this flaw to gain full control of their computers. This flaw may also affect custom .NET Framework-based programs, which you might develop and run in-house.

Microsoft rating: Critical

• MS12-041 and MS12-042 : Kernel & Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level.

Microsoft released two bulletins today, describing seven local elevation of privilege flaws that affect either the kernel or the kernel-mode driver component. Though these seven flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage any of these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computer using valid credentials – even if only with “Guest” user access. The requirement for local access significantly lessens the severity of these flaws.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

• MS12-036
• MS12-038
• MS12-041
• MS12-042

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run executable files locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, WatchGuard’s firewalls and XTM security appliances can mitigate the risk of many of these flaws. For instance, our appliances mitigate the risk of the Windows RDP vulnerability by blocking external access to the RDP ports (TCP port 3389 and 4125). As long as you haven’t specifically allowed RDP, our default setting will prevent Internet-based attackers from exploiting the RDP vulnerability described above.

Furthermore, our XTM appliance’s security services, including Gateway Antivirus (GAV) and Intrusion Prevention Service, can also help protect you. For instance, our GAV service will block much of the malware attackers try do deliver when exploiting these sorts of software vulnerabilities.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS12-036
• Microsoft Security Bulletin MS12-038
• Microsoft Security Bulletin MS12-041
• Microsoft Security Bulletin MS12-042

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.