• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Five July Windows Bulletins: MSXML Fix Included

July 10, 2012 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows, as well as optional components like MSXML and MDAC.
  • How an attacker exploits them: Multiple vectors of attack, including  enticing your users to web sites with malicious content or getting them to run malicious executables
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released five security bulletins describing six vulnerabilities affecting Windows and optional components that sometimes ship with it (XML Core Services and Microsoft Data Access Components). Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-043: MSXML Code Execution Vulnerability

Microsoft XML Core Services (MSXML)  is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It ships with various versions of Windows, and other Microsoft products. If you have a Windows computer, you very likely have MSXML.

MSXML suffers from a memory corruption vulnerability, which attackers found before Microsoft. By luring your users to a web site with malicious code, an attacker could exploit this flaw to execute code on that user’s computer, with the user’s privileges. If you give your users local administrator privilege, the attacker gains full control of their computer.

As we mentioned in June, attackers have exploited this previously unpatched vulnerability in the wild for over a month. You should install Microsoft’s MSXML patch immediately!

Microsoft rating: Critical

  • MS12-045: MDAC Code Execution Vulnerability
The Microsoft Data Access Components (MDAC) are a collection of Windows components that allow other programs to easily access and manipulate databases. Unfortunately, MDAC suffers from a heap overflow vulnerability involving its mishandling of specially crafted XML code. By luring one of your users to a malicious web page, or to a legitimate page that has been hijacked, an attacker can leverage this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, attackers could leverage these flaws to gain complete control of their PCs. 

Microsoft rating: Critical

  • MS12-047 :  Kernel-Mode Driver Elevation of Privilege Flaw

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from two local elevation of privilege flaws. Though the flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage either of these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computer, which significantly lessens the severity of this vulnerability

Microsoft rating: Important

  • MS12-048 :  Windows Shell Command Injection Vulnerability

The Windows Shell is the primary GUI component for Windows. It suffers from a vulnerability having to do with the way it handles specially crafted file or directory names. If an attacker can entice you to interact with a maliciously crafted file or directory, she could exploit this flaw to gain full control of your computer. Attackers could deliver such files via email, web sites, or by placing them in local folders or shared files systems within your network.

Microsoft rating: Important

  • MS12-049 :  TLS Protocol Information Disclosure Flaw

The Transport Layer Security (TLS) protocol is an encryption standard for privately encoding network communications, including Web and email traffic. According to Microsoft’s bulletin, the TLS protocol suffers from an industry-wide design flaw when using TLs with the cipher-block chaining (CBC) mode of operation. If an attacker can monitor your encrypted TLS communications, they could leverage this complex vulnerability to decrypt your TLS traffic, and gain access to your confidential communications. Since web sites often use TLS to secure their communications, attackers could leverage this flaw to decrypt secure web traffic. That said, attackers would first need find a way to intercept your web communications in order to set up this sort of Man-in-the-Middle (MitM) attack.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

  • MS12-043
  • MS12-045
  • MS12-047
  • MS12-048
  • MS12-049

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run executable files locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, our XTM appliance’s security services, including Gateway Antivirus (GAV) and Intrusion Prevention Service, can often help protect you from these vulnerabilities. For instance, our GAV service will block much of the malware attackers try to deliver when exploiting these sorts of software vulnerabilities.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS12-043
  • Microsoft Security Bulletin MS12-045
  • Microsoft Security Bulletin MS12-047
  • Microsoft Security Bulletin MS12-048
  • Microsoft Security Bulletin MS12-049

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at [email protected].

Share This:

Related

Filed Under: Security Bytes Tagged With: Kernel-mode drivers, MDAC, Microsoft, TLS, Updates and patches, XML Core Services

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Scratching the Surface of Rhysida Ransomware
  • An Interview with ChatGPT
  • TikTok is Banned, Kind Of
  • How Not to Update Software

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • How Not to Update Software
  • Naming APTs
  • TikTok is Banned, Kind Of
  • Scratching the Surface of Rhysida Ransomware
  • An Interview with ChatGPT
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use