- These vulnerabilities affect: All current versions of Windows, including related components like the .NET Framework and Silverlight
- How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites, or into running specially crafted programs
- Impact: In the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you
Today, Microsoft released four security bulletins describing 12 vulnerabilities that affect Windows, or related components like the .NET Framework and Silverlight. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.
The summary below lists the vulnerabilities, in order from highest to lowest severity.
- MS13-081: Multiple Kernel-Mode Driver Elevation of Privilege Vulnerabilities
The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers from seven serious code execution and elevation of privilege flaws, including one that attackers can execute remotely. Most of these flaws are local only; meaning an attacker would have to be able to log into your system, and run a specially crafted program to exploit them. However, one of these vulnerabilities has to do with how the kernel-mode driver handles OpenType fonts. If a remote attacker can trick one of your users into viewing anything that contains a specially crafted font, including a web page, she can exploit this flaw to gain full SYSTEM level privileges on that user’s computer (regardless of the user’s privileges). You should patch this one quickly.
Microsoft rating: Critical
- MS13-082: Multiple .NET Framework Vulnerabilities
The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers.
The .NET Framework component suffers from three new security vulnerabilities. The flaws differ in scope and impact, and include a remote code execution flaw and two denial of service (DoS) flaws. The remote code execution flaw has the worst impact and involves the way .NET parses OpenType fonts. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit this flaw to execute code on that user’s computer with that user’s privileged. As always, if your users have local administrator privileges, the attacker would gain complete control of their computer.
Microsoft rating: Critical
- MS13-083: Common Control Library Remote Code Execution Vulnerability
Windows ships with a library of functions called the Common Control Library (Comctl32.dll), which—among other things—helps it create the interactive windows it’s know for. This Common Control Library suffers from an unspecified memory corruption vulnerability having to do with a very specific function in the library (DSA_InsertItem). However, you’re only exposed to this flaw if you use this function in one of your web applications without using secure coding practices (validating and sanitizing user inputs). This means only web application servers are exposed to the flaw, and even then, your exposure heavily depends on your web application code. That said, if you do manage a vulnerable web application, a remote attacker could exploit this flaw to gain complete control of the system running it.
Microsoft rating: Critical
- MS13-087: Silverlight Information Disclosure Vulnerability
Silverlight is a cross-platform and cross-browser software framework used by developers to create rich media web applications (essentially, the replacement for the .NET framework). It suffers from a largely unspecified information disclosure vulnerability having to do with how it handles objects in memory. If an attacker can lure one of your Silverlight users to a malicious web site (or a legitimate site booby-trapped with malicious code), he can exploit this flaw to gain unauthorized access to some information on your user’s computer. Unfortunately, Microsoft’s bulletin doesn’t really say exactly what information the attacker gains access to. Based on the limited description of the flaw, we assume the attacker gains access to whatever information is currently stored in your computer’s memory.
Microsoft rating: Important
Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.
The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:
For All WatchGuard Users:
WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:
- EXPLOIT Microsoft OpenType Font Parsing Vulnerability (CVE-2013-3128)
- WEB-CLIENT Microsoft .NET Framework Entity Expansion Vulnerability (CVE-2013-3860)
Your XTM appliance should get this new IPS update shortly.
However, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.
Microsoft has released patches correcting these issues.
- Microsoft Security Bulletin MS13-081
- Microsoft Security Bulletin MS13-082
- Microsoft Security Bulletin MS13-083
- Microsoft Security Bulletin MS13-087
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
What did you think of this alert? Let us know at [email protected].
Leave a Reply