Three Critical Windows and .NET Bulletins

Severity: High

Summary:

• These vulnerabilities affect: All current versions of Windows and the .NET Framework
• How an attacker exploits them: Multiple vectors of attack, including enticing users to view malicious fonts or to open specially crafted Briefcase folders
• Impact: In the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released three security bulletins describing ten vulnerabilities that affect Windows and components that often ship with it, such as the .NET Framework. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS12-072: Two Windows Briefcase Memory Corruption Flaws

Briefcase is a Windows feature that allows you to keep files on two computers in sync, by placing them in a special “briefcase” folder. Unfortunately, Briefcase suffers from two memory corruptions flaws; an integer overflow and underflow vulnerability. By enticing one of your users to a maliciously crafted Briefcase folder, an attacker could exploit this flaw to execute code on that user’s computer, with that user’s level of privilege. Since most Windows users have local administrative rights, this typically means the attacker gains complete control of the victim computer.

Microsoft rating: Critical

• MS12-074: Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create new Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers since it is essential to many applications.

The .NET Framework component suffers from five new security vulnerabilities.  The flaws differ greatly in scope and impact, and include an information disclosure issue, some elevation of privilege flaws, and a few remote code execution vulnerabilities. If an attacker has access to your local network, and can perform an ARP poisoning attack, he can exploit one of the worst vulnerabilities (in WPAD) to execute code on your Windows computers, with the local user’s privileges. If the user has local administrator privileges, the attacker gains full control of the computer. In short, if you install the .NET Framework on your Windows computers, you should update it as soon as possible.

Microsoft rating: Critical

• MS12-075 :  Kernel-Mode Driver Elevation of Privilege Flaw

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from two elevation of privilege flaws and a remote code execution flaw. By enticing one of your users to view a specially crafted font, perhaps hosted at a malicious web site, an attacker could leverage the worst of these flaws to gain complete, kernel-level, control of your computer.

Microsoft rating: Critical

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

• MS12-072
• MS12-074
• MS12-075

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed new signatures, which can detect and block many of these new Windows-related vulnerabilities:

• EXPLOIT Microsoft Web Proxy Auto-Discovery Vulnerability (CVE-2012-4776)
• EXPLOIT .NET Framework Insecure Library Loading -1 (CVE-2012-2519)
• EXPLOIT .NET Framework Insecure Library Loading -2 (CVE-2012-2519)
• EXPLOIT Windows Font Parsing Vulnerability (CVE-2012-2897)
• EXPLOIT Microsoft Windows Briefcase Integer Underflow Vulnerability (CVE-2012-1527)
• EXPLOIT Microsoft Windows Briefcase Integer Overflow Vulnerability (CVE-2012-1528)

Your appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS12-072
• Microsoft Security Bulletin MS12-074
• Microsoft Security Bulletin MS12-075

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.