
Six Windows Bulletins Fix a Wide Variety of Flaws

Severity: High

Summary:

Exposure:

Today, Microsoft released six security bulletins describing nine vulnerabilities in Windows. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

The Unicode Script Processor (USP10.DLL), also called Uniscribe, is a group of Windows components that handle displaying complex Unicode scripts, such as Arabic, Japanese, and Thai. It suffers from an unspecified memory corruption vulnerability involving its inability to handle specially malformed fonts. By luring one of your users into viewing a malicious font, perhaps hosted on a web site, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer. This flaw only affects Windows XP and Server 2003.

Microsoft rating: Critical

The kernel is the core component of any computer operating system. It suffers from four vulnerabilities. Three of the flaws are unspecified memory corruption vulnerabilities, which allow a local attacker to elevate his privileges. If a local attacker can run a specially crafted application, he could leverage any of these three flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability. The fourth flaw is an Address Space Layout Randomization (ASLR) bypass vulnerability. ASLR is a memory obfuscation technique that some operating systems use to make it harder for attackers to exploit memory corruption flaws, and this update fixes a flaw that allows attackers to bypass that protection.

Microsoft rating: Important

Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to allow one computer on a network to execute a task on another computer and then receive the results of that task. The Windows RPC component suffers from an elevation of privilege vulnerability involving its inability to properly handle asynchronous RPC requests. By sending a specially crafted RPC request to a shared host, an attacker could exploit this vulnerability to execute code with another user’s privileges. That said, most administrators do not allow RPC traffic through their firewall. Therefore, this flaw primarily poses an internal threat.

Microsoft rating: Important

Network Address Translation (NAT) is a technology that allows you to let many devices access the Internet through a single publicly routable Internet Protocol (IP) address, and Windows Servers ship with a driver to provide this capability. The NAT driver that ships with Windows 2012 suffers from a Denial of Service (DoS) vulnerability involving its inability to handle specifically malformed ICMP messages (the protocol used for pinging other computers on a network). If you’ve enabled NAT on a Windows server, a remote unauthenticated attacker could leverage this flaw to crash that server simply by sending it a specially crafted packet.

Microsoft rating: Important

As mentioned above, the Internet Control Message Protocol (ICMP) is a standard used most commonly by the ping utility to send control and error messages over a network. ICMPv6 is the updated version of this protocol designed for IPv6. The Windows TCP/IP stack suffers from a vulnerability in the way it handles malformed ICMPv6 messages. The flaw is identical in scope and impact to the one described above. If a bad guy can send an ICMPv6 message to your Windows computer, he can crash it.

Microsoft rating: Important

Active Directory Federation Services (AD FS) is a service that allows you to share identity information between trusted business partners. In other words, it can extend Windows’ Active Directory authentication outside your organization. Microsoft doesn’t describe this flaw in much detail, only saying that it could reveal information about the service account AD FS uses. If the attacker had this information, he could use it to lock out the account, which would prevent all the services that leverage AD FS from logging in.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (like blocking ping or IPv6), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
