Malformed Fonts and Filenames Mangle Windows

Severity: High

Summary:

• These vulnerabilities affect: All current versions of Windows
• How an attacker exploits them: Multiple vectors of attack, including enticing users to view maliciously crafted fonts or to view directories with specially crafted files or folder names
• Impact: In the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities that affect Windows. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS12-078: Two Windows Font Handling Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level, and plays a part in font handling. This kernel-mode driver suffers from two remote code execution vulnerabilities involving the way it handles TrueType (TTF) and OpenType (OTF) fonts. By enticing one of your users to view a specially crafted font, perhaps hosted at a malicious web site, an attacker could leverage either of these flaws to gain complete, kernel-level, control of your computer. These are extremely risky issues as you simply have to view something with an evil font to trigger them.

Microsoft rating: Critical

• MS12-081: Windows Filename Parsing Flaw

Windows suffers from an unspecified vulnerability involving the way it parses specially malformed filenames or folders names. If an attacker can place a specially crafted file or folder onto your computer, or one of the shares you access, and she can lure you into viewing (not opening) that file or folder, she can exploit this flaw to execute code with your privileges. If you have local administrator privileges, the attacker would gain full control of Windows.

Microsoft rating: Critical

• MS12-082 :  DirectPlay Buffer Overflow Vulnerability

DirectX is a multimedia development API, primarily used by programmers to make games for Windows and to handle multimedia. It includes DirectPlay, a DirectX networking protocol specifically used to create networked, multi-player games. DirectPlay suffers from a heap buffer overflow vulnerability involving its inability to properly handle specially formed office documents. By enticing you to open an office document with malicious embedded content, an attacker can exploit this flaw to execute code on your system, with your privileges. Like always, if you are a local administrator it’s game over. This attack requires some user interaction, which somewhat mitigates its severity.

Microsoft rating: Important

• MS12-083 :  IP-HTTPS Certificate Bypass Vulnerability

DirectAccess is a Microsoft conceived, VPN-like feature that allows you to securely access your organization’s internal, private networks. It uses something called IP over HTTPS (IP-HTTPS)  to create these secure connections. IP-HTTPS doesn’t properly check the validity of certificates. Specifically, it doesn’t recognize revoked certificates. If an attacker has access to one of your revoked certificates, he can use it to bypass the security of DirectAccess.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

• MS12-078
• MS12-081
• MS12-082
• MS12-083

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed new signatures, which can detect and block many of these new Windows-related vulnerabilities:

• EXPLOIT Microsoft Open Type Font Parsing Vulnerability (CVE-2012-2556)
• EXPLOIT Microsoft Windows Filename Parsing Vulnerability (CVE-2012-4774)

Your appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways. We still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS12-078
• Microsoft Security Bulletin MS12-081
• Microsoft Security Bulletin MS12-082
• Microsoft Security Bulletin MS12-083

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.