
August Windows Bulletins Fix RDP, JScript, and Kernel-Mode Drivers Flaws

Severity: High

Summary:

Exposure:

Today, Microsoft released four security bulletins describing seven vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

The Remote Desktop Protocol (RDP) is a Microsoft protocol that lets you connect to a computer over a network and control its desktop as if you were sitting at it. The RDP service listens on TCP port 3389 by default.

Unfortunately, the RDP component that ships with Windows XP suffers from a serious security vulnerability in how it handles specially crafted sequences of packets (similar to a flaw described in March). By sending such a packet sequence to a computer with the RDP service reachable, an unauthenticated remote attacker could exploit this flaw to gain complete control of that computer. No user interaction is required.

The good news is that RDP isn’t enabled by default on Windows, and this flaw only affects Windows XP. You’re only vulnerable if you specifically enabled RDP on XP systems. Keep in mind, however, that XP’s Remote Assistance feature and Remote Web Workplace (on Small Business Server) also rely on RDP, so enabling either of them exposes the vulnerable component as well.

Microsoft rating: Critical

Windows ships with various networking components, including the Print Spooler service, which manages print jobs, and the Remote Administration Protocol (RAP), an older SMB-based protocol used for printer and file share administration.

According to this bulletin, these two network components suffer from four vulnerabilities. Three of them have to do with how the components handle specially crafted network requests: by sending specially crafted RAP requests or print spooler responses, a remote attacker can leverage these three flaws to execute code on your Windows computers with full SYSTEM-level privileges.

RAP and Print Spooler communications travel over SMB, either directly on TCP port 445 or via NetBIOS (UDP 137 and 138, TCP 139). By default, most firewalls block external access to these ports, which mitigates the risk of this sort of attack from the Internet. Nonetheless, this update fixes very serious flaws, which worm-style malware could leverage to spread from one compromised host to others within your network, where these ports are usually open. We recommend you apply the updates as quickly as possible.

Microsoft rating: Critical
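The two bulletins above both hinge on exposure you can verify yourself: whether RDP or Remote Assistance is switched on, whether the Print Spooler is running, and which of the relevant ports actually have a listener. The following PowerShell audit script is an added example written for this page; it is not part of the original alert or a WatchGuard tool. It reads the standard Terminal Server and Remote Assistance registry values, checks the Spooler service, and parses `netstat -ano` rather than using `Get-NetTCPConnection` so it also works on older Windows versions. The `$Findings` layout and the optional firewall rule at the end are assumptions for illustration.

```powershell
# Added example (not from the original alert): audit a Windows host for the
# RDP / Remote Assistance / Print Spooler exposure discussed above.
# Run from an elevated PowerShell prompt. Output layout is an assumption.

$Findings = @()

# 1. Terminal Services: fDenyTSConnections = 1 means RDP is disabled (the default).
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
$rdpEnabled = ($ts -ne $null) -and ($ts.fDenyTSConnections -eq 0)
$Findings += [pscustomobject]@{ Check = 'RDP enabled'; Value = $rdpEnabled }

# 2. Remote Assistance also exposes the RDP component: fAllowToGetHelp = 1 means enabled.
$ra = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' `
        -Name fAllowToGetHelp -ErrorAction SilentlyContinue
$raEnabled = ($ra -ne $null) -and ($ra.fAllowToGetHelp -eq 1)
$Findings += [pscustomobject]@{ Check = 'Remote Assistance enabled'; Value = $raEnabled }

# 3. Print Spooler service state. A running Spooler is reachable over SMB from any
#    host that can talk to port 445/139; stopping it on servers that never print
#    removes that attack surface (but breaks printing, so test first).
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = ($spooler -ne $null) -and ($spooler.Status -eq 'Running')
$Findings += [pscustomobject]@{ Check = 'Print Spooler running'; Value = $spoolerRunning }

# 4. Which of the interesting ports actually have a TCP listener. netstat -ano is
#    parsed (instead of Get-NetTCPConnection) so this runs on XP/2003/Vista/7 too.
$watch = @{ 3389 = 'RDP'; 445 = 'SMB direct'; 139 = 'NetBIOS session' }
$listening = @{}
$pattern = '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING'
foreach ($line in (netstat -ano | Select-String -Pattern $pattern)) {
    $port = [int]$line.Matches[0].Groups[1].Value
    if ($watch.ContainsKey($port)) { $listening[$port] = $true }
}
foreach ($port in $watch.Keys) {
    $Findings += [pscustomobject]@{
        Check = "TCP $port ($($watch[$port])) listening"
        Value = [bool]$listening[$port]
    }
}

$Findings | Format-Table -AutoSize

# Optional hardening on Vista and later: block inbound SMB/NetBIOS session traffic
# on the Public profile, mirroring what a perimeter firewall does at the edge.
# Uncomment to apply (requires elevation); domain/private profiles are left alone
# so file and print sharing inside the LAN keeps working.
# netsh advfirewall firewall add rule name="Block inbound SMB (public)" dir=in action=block protocol=TCP localport=139,445 profile=public
```

A host where "RDP enabled" and "Remote Assistance enabled" are both False and TCP 3389 has no listener is not exposed to the RDP flaw regardless of patch state; the Spooler and port 445/139 results tell you whether the networking flaws are reachable from neighbouring machines, which is the scenario that matters for malware spreading inside your network.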

The kernel is the core component of any operating system. Windows also ships with a kernel-mode driver (win32k.sys) that implements the Windows GUI subsystem (the window manager and GDI) in kernel mode, so a bug in it is a bug in the kernel’s trust boundary. This driver suffers from a new local elevation of privilege flaw caused by improper handling of objects in memory. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computer. However, in order to run the malicious program, the attacker would first need local access to the computer or would have to trick you into running it yourself, which significantly lessens the severity of this vulnerability.

Microsoft rating: Important

VBScript and JScript are both scripting languages created by Microsoft and shipped with Windows. JScript suffers from an integer overflow vulnerability in how it handles maliciously crafted JavaScript. By enticing you to a specially crafted web page, or into opening any other content that can run JavaScript through the JScript engine, an attacker can leverage this flaw to execute code on your computer with your privileges. If you have admin rights, then it’s game over for your PC.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run executable files locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, our XTM security appliances can mitigate the risk of many of these flaws. By default, we block many of the network ports (SMB and NetBIOS) required for external attackers to exploit these flaws. Furthermore, our XTM appliance’s security services, including Gateway Antivirus (GAV) and Intrusion Prevention Service (IPS), can often protect you from these vulnerabilities, or from the malware they try to deliver.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
