• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Windows Patches Fix Kernel-Mode Drivers, .NET, Silverlight, and More

October 8, 2013 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows, including related components like the .NET Framework and Silverlight
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites, or into running specially crafted programs
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing 12 vulnerabilities that affect Windows, or related components like the .NET Framework and Silverlight. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-081: Multiple Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers from seven serious code execution and elevation of privilege flaws, including one that attackers can execute remotely. Most of these flaws are local only; meaning an attacker would have to be able to log into your system, and run a specially crafted program to exploit them. However, one of these vulnerabilities has to do with how the kernel-mode driver handles OpenType fonts. If a remote attacker can trick one of your users into viewing anything that contains a specially crafted font, including a web page, she can exploit this flaw to gain full SYSTEM level privileges on that user’s computer (regardless of the user’s privileges). You should patch this one quickly.

Microsoft rating: Critical

  • MS13-082: Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers.

The .NET Framework component suffers from three new security vulnerabilities.  The flaws differ in scope and impact, and include a remote code execution flaw and two denial of service (DoS) flaws. The remote code execution flaw has the worst impact and involves the way .NET parses OpenType fonts. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit this flaw to execute code on that user’s computer with that user’s privileged. As always, if your users have local administrator privileges, the attacker would gain complete control of their computer.

Microsoft rating: Critical

  • MS13-083: Common Control Library Remote Code Execution Vulnerability

Windows ships with a library of functions called the Common Control Library (Comctl32.dll), which—among other things—helps it create the interactive windows it’s know for. This Common Control Library suffers from an unspecified memory corruption vulnerability having to do with a very specific function in the library (DSA_InsertItem). However, you’re only exposed to this flaw if you use this function in one of your web applications without using secure coding practices (validating and sanitizing user inputs). This means only web application servers are exposed to the flaw, and even then, your exposure heavily depends on your web application code. That said, if you do manage a vulnerable web application, a remote attacker could exploit this flaw to gain complete control of the system running it.

Microsoft rating: Critical

  • MS13-087:  Silverlight Information Disclosure Vulnerability

Silverlight is a cross-platform and cross-browser software framework used by developers to create rich media web applications (essentially, the replacement for the .NET framework). It suffers from a largely unspecified information disclosure vulnerability having to do with how it handles objects in memory. If an attacker can lure one of your Silverlight users to a malicious web site (or a legitimate site booby-trapped with malicious code), he can exploit this flaw to gain unauthorized access to some information on your user’s computer. Unfortunately, Microsoft’s bulletin doesn’t really say exactly what information the attacker gains access to. Based on the limited description of the flaw, we assume the attacker gains access to whatever information is currently stored in your computer’s memory.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

  • MS13-081
  • MS13-082
  • MS13-083
  • MS13-087

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:

  • EXPLOIT Microsoft OpenType Font Parsing Vulnerability (CVE-2013-3128)
  • WEB-CLIENT Microsoft .NET Framework Entity Expansion Vulnerability (CVE-2013-3860)

Your XTM appliance should get this new IPS update shortly.

However, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS13-081
  • Microsoft Security Bulletin MS13-082
  • Microsoft Security Bulletin MS13-083
  • Microsoft Security Bulletin MS13-087

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at [email protected].

Share This:

Related

Filed Under: Security Bytes Tagged With: elevation of Privilege, Kernel-mode drivers, Microsoft, OLE, Updates and patches

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • Here Come The Regulations
  • Cybersecurity’s Toll on Mental Health

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use