Severity: High
Summary:
- These vulnerabilities affect: All current versions of Windows
- How an attacker exploits them: Multiple vectors of attack, including luring users to open malicious files or to run specially crafted programs
- Impact: In the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you
Exposure:
Today, Microsoft released five security bulletins describing 11 vulnerabilities in Windows. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.
The summary below lists the vulnerabilities, in order from highest to lowest severity.
- MS13-070: OLE Code Execution Vulnerability
Object Linking and Embedding (OLE) is a protocol that allows Windows to handle special compound documents, which contain embedded links to content from other document types, in other formats. OLE suffers from an unspecified object handling vulnerability, involving its inability to properly handle specially crafted OLE objects within documents. By tricking one of your users into opening a specially crafted document, an attacker could exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains complete control of their machines. All Microsoft Office documents, as well as many third-party files, can contain OLE objects, which attackers can use to exploit this flaw. This flaw only affects Windows XP and Server 2003.
Microsoft rating: Critical
- MS13-071: Windows Theme Code Execution Vulnerability
Windows Themes are preconfigured sets of customized settings that provide a specific look, feel, and sound to your Windows desktop. Unfortunately, Windows doesn’t properly handle maliciously crafted theme files. By enticing you to load a specially crafted theme or screensaver file, an attacker can exploit this flaw to execute code on your computer with your privileges. If you’re a administrator, the attacker gains complete control of your computer. This flaw does not affect Windows 7 or 8 systems, nor Server 2012.
Microsoft rating: Important
- MS13-076: Multiple Kernel-Mode Driver Elevation of Privilege Vulnerabilities
The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers from several serious code execution flaws. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.
Microsoft rating: Important
- MS13-077: Service Control Manager Elevation of Privilege Vulnerabilities
The Service Control Manager (SCM) is a component Windows uses to start and stop various operating system services. It suffers from a specific memory corruption vulnerability called a double free condition, which local attacker could leverage to elevate their privileges. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly reduces the severity of this flaw. Also, the flaw only affects Windows 7 and Server 2008.
Microsoft rating: Important
- MS13-079: Active Directory DoS Flaw
Active Directory (AD) provides central authentication and authorization services for Windows computers and typically ships with server versions of Windows. AD suffers from a denial of service (DoS) vulnerability having to do with its inability to properly handle specially crafted LDAP queries. By sending a malicious LDAP query to an AD server, an attacker can exploit this flaw to force the server’s LDAP service to stop responding, putting it into a Denial of Service (DoS) state. However, administrators typically limit LDAP access to their local network, so this vulnerability primarily poses an internal threat. Note: this flaw also affects the AD Lightweight Directory Services (AD LDS), so it affects standard versions of Windows, not just the Server ones.
Microsoft rating: Important
Solution Path:
Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.
The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:
For All WatchGuard Users:
Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (like blocking access to your AD server, or preventing users from downloading theme or screensaver files), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.
Status:
Microsoft has released patches correcting these issues.
References:
- Microsoft Security Bulletin MS13-070
- Microsoft Security Bulletin MS13-071
- Microsoft Security Bulletin MS13-076
- Microsoft Security Bulletin MS13-077
- Microsoft Security Bulletin MS13-079
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.