Windows Updates Fix a Wide Range of Security Vulnerabilities

Severity: High

Summary:

• These vulnerabilities affect: All current versions of Windows and some of the components that ship with it (such as DirectShow and the .NET Framework)
• How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets, luring users to view malicious media or email, and so on
• Impact: In the worst case, an attacker can gain complete control of your Windows computer.
• What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released eight security bulletins that describe around 39 vulnerabilities affecting Windows or components related to it, such as the .NET Framework and DirectShow. Each of these vulnerabilities affects different versions of Windows to varying degrees.

A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS13-011: DirectShow Media Decompression Vulnerability

DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams and files. It suffers from an unspecified vulnerability having to do with how it handles specially crafted media. By getting your users to interact with malicious media, an attacker could leverage this flaw to execute code on that user’s computer, with the user’s privileges. Attackers might lure users to their booby-trapped media by linking it as a direct download, embedding it in a document, or by hosting it as a malicious media stream.

Microsoft rating: Critical

• MS13-020: Windows XP OLE Automation Vulnerability

Object Linking and Embedding (OLE) Automation is a Microsoft protocol which allows one application to share data with, or control, another application. It suffers from an unspecified remote code execution flaw having to do with how it parses maliciously crafted  RTF files. If an attacker can convince you to open or preview a specially crafted RTF file in Windows, he could exploit this flaw to execute code on your machine, with your privileges.  If you have administrative rights, the attacker would gain complete control of your computer. This flaw only affects Windows XP.

Microsoft rating: Critical

• MS13-014: NFS Server DoS Vulnerability

Network File System (NFS) is an industry-wide protocol for sharing files and directories over a network. Windows Server software ships with NFS support to share files in mixed, Unix and Windows environments.

Windows’ NFS service suffers from something called a null dereference vulnerability, which attackers can leverage to cause a Denial of Service (DoS) condition on Windows servers. By attempting to rename a file or folder on a read-only share, an attacker could exploit this flaw to cause the server to stop responding or crash. However, a few factors mitigate the severity of this issue. Specifically, the flaw only affects servers with the NFS role enabled; the attacker needs access to an NFS share and legitimate credentials; and finally, most administrators don’t allow NFS access through their firewall.

Microsoft rating: Important

• MS13-015: .NET Framework EoP Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers.

The .NET Framework suffers from a technically complex elevation of privilege (EoP) vulnerability, where it unnecessarily elevates the permissions of a callback function when a .NET application creates a particular object. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit this flaw to execute code on that user’s computer with full system privileges. This flaw also can affect non-web .NET applications, which an attacker runs directly on a system. The good news is most versions of IE will either block or warn you about the particular web content (XBAP) attackers use to leverage this flaw, which significantly mitigates its risk.

Microsoft rating: Important

• MS13-016: Multiple Kernel-Mode Driver Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers 30 race condition vulnerabilities. The vulnerabilities differ technically  but share the same scope and impact. By running a specially crafted program, a local attacker can leverage any of these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of these issues.

Microsoft rating: Important

• MS13-017 : Kernel Elevation of Privilege Vulnerability

As mentioned above, the kernel is the core component of any computer operating system. The Windows kernel suffers from three vulnerabilities (two race conditions), which attackers can leverage to  elevate their privilege. By running a specially crafted program, a local attacker could exploit this flaw to gain complete control of your PC. However, the attacker would first need to gain local access to your Windows computer using valid credentials.

Microsoft rating: Important

• MS13-018: Windows TCP/IP Stack  DoS Vulnerability

As you would expect, the Windows TCP/IP stack is a set of networking protocols that allows your computer to get on the Internet and participate in modern networking. Unfortunately, the Windows TCP/IP stack suffers from a DoS vulnerability involving the way it parses specially crafted packets.  In short, an attacker can lock or crash a Windows computer simply by sending it a sequence of specially crafted packets. Though Microsoft only rates this update as Important, attackers could repeatedly exploit it against your public Windows server, essentially knocking them offline. This could have serious implications for essential production servers. We recommend you test and apply this update immediately.

Microsoft rating: Important

• MS13-019: CSRSS Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from a local privilege elevation issue. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows, DirectShow (quartz.dll), and .NET Framework patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

• MS13-011
• MS13-014
• MS13-015
• MS13-016
• MS13-017
• MS13-018
• MS13-019
• MS13-020

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed new signatures that can detect and block the DirectShow Media Decompression and OLE Automation vulnerabilities. Your XTM appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS13-011
• Microsoft Security Bulletin MS13-014
• Microsoft Security Bulletin MS13-015
• Microsoft Security Bulletin MS13-016
• Microsoft Security Bulletin MS13-017
• Microsoft Security Bulletin MS13-018
• Microsoft Security Bulletin MS13-019
• Microsoft Security Bulletin MS13-020

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at [email protected].

Share This: