• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Malformed Fonts and Filenames Mangle Windows

December 11, 2012 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: Multiple vectors of attack, including enticing users to view maliciously crafted fonts or to view directories with specially crafted files or folder names
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities that affect Windows. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS12-078: Two Windows Font Handling Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level, and plays a part in font handling. This kernel-mode driver suffers from two remote code execution vulnerabilities involving the way it handles TrueType (TTF) and OpenType (OTF) fonts. By enticing one of your users to view a specially crafted font, perhaps hosted at a malicious web site, an attacker could leverage either of these flaws to gain complete, kernel-level, control of your computer. These are extremely risky issues as you simply have to view something with an evil font to trigger them.

Microsoft rating: Critical

  • MS12-081: Windows Filename Parsing Flaw

Windows suffers from an unspecified vulnerability involving the way it parses specially malformed filenames or folders names. If an attacker can place a specially crafted file or folder onto your computer, or one of the shares you access, and she can lure you into viewing (not opening) that file or folder, she can exploit this flaw to execute code with your privileges. If you have local administrator privileges, the attacker would gain full control of Windows.

Microsoft rating: Critical

  • MS12-082 :  DirectPlay Buffer Overflow Vulnerability

DirectX is a multimedia development API, primarily used by programmers to make games for Windows and to handle multimedia. It includes DirectPlay, a DirectX networking protocol specifically used to create networked, multi-player games. DirectPlay suffers from a heap buffer overflow vulnerability involving its inability to properly handle specially formed office documents. By enticing you to open an office document with malicious embedded content, an attacker can exploit this flaw to execute code on your system, with your privileges. Like always, if you are a local administrator it’s game over. This attack requires some user interaction, which somewhat mitigates its severity.

Microsoft rating: Important

  • MS12-083 :  IP-HTTPS Certificate Bypass Vulnerability

DirectAccess is a Microsoft conceived, VPN-like feature that allows you to securely access your organization’s internal, private networks. It uses something called IP over HTTPS (IP-HTTPS)  to create these secure connections. IP-HTTPS doesn’t properly check the validity of certificates. Specifically, it doesn’t recognize revoked certificates. If an attacker has access to one of your revoked certificates, he can use it to bypass the security of DirectAccess.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

  • MS12-078
  • MS12-081
  • MS12-082
  • MS12-083

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed new signatures, which can detect and block many of these new Windows-related vulnerabilities:

  • EXPLOIT Microsoft Open Type Font Parsing Vulnerability (CVE-2012-2556)
  • EXPLOIT Microsoft Windows Filename Parsing Vulnerability (CVE-2012-4774)

Your appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways. We still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS12-078
  • Microsoft Security Bulletin MS12-081
  • Microsoft Security Bulletin MS12-082
  • Microsoft Security Bulletin MS12-083

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at [email protected].

Share This:

Related

Filed Under: Security Bytes Tagged With: IPS, Microsoft, RCE, Updates and patches

Comments

  1. Paul Tomaszewski says

    December 11, 2012 at 4:45 pm

    745

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • Here Come The Regulations
  • Cybersecurity’s Toll on Mental Health

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use