Severity: High
Summary:
- These vulnerabilities affect: All current versions of Windows
- How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites or into opening malicious files
- Impact: In the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you
Exposure:
Today, Microsoft released five security bulletins describing a like number of vulnerabilities in Windows and its components. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.
The summary below lists the vulnerabilities, in order from highest to lowest severity.
- MS13-090: ActivX Control Code Execution Vulnerability
ActiveX controls are essentially small programs, often shared between applications, that work behind the scenes performing minor tasks on Windows-based computers. They are kind of like Microsoft-only Java applets. Many Microsoft products, including Windows, ship with many different ActiveX controls for performing various tasks.
Unfortunately, a particular Windows ActiveX control (InformationCardSigninHelper) that Internet Explorer (IE) uses suffers from a remote code execution vulnerability. If an attacker can entice one of your users into visiting a maliciously crafted web page, he can exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.
Researchers first discovered attackers exploiting this flaw in the wild. They’re currently exploiting it in advanced, targeted attacks. For that reason, we recommend you apply this patch as quickly as you can.
Microsoft rating: Critical
- MS13-089: GDI Integer Overflow Vulnerability
The Graphics Device Interface (GDI) is one of the Windows components that helps applications output graphics to your display or printer. GDI suffers from an integer overflow vulnerability involving its inability to properly handle specially malformed Windows Write (.wri) files. By luring one of your users into opening a Write file in WordPad, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer.
Microsoft rating: Critical
- MS13-092: Hyper-V Elevation of Privilege Vulnerability
Hyper-V is Microsoft’s virtualization platform, which ships with the latest versions of Windows Server. It suffers from an elevation of privilege vulnerability having to do with how it handles specially crafted hypercalls. If an attacker has administrative privileges on a guest virtual machine (VM) running on your Windows Hyper-V server, she can exploit this flaw to either crash the Hyper-V host and all your VMs, or to execute arbitrary code on one of the other guest VMs running on the same physical server. This flaw only affects Windows 8 x64 Edition and Windows Server 2012.
Microsoft rating: Important
- MS13-093: AFD Information Disclosure Flaw
The Ancillary Function Driver (AFD) is a Windows component that helps manage Winsock TCP/IP communications. It suffers from a vulnerability involving the data it copies from kernel memory to user memory. In a nutshell, if a local attacker can log into one of your Windows computers and run a custom program, he could leverage this flaw to gain access to information in kernel space that he shouldn’t have access to. However, the attacker would need valid credentials on the target system, and could not leverage the flaw to elevate his privileges. This flaw only poses a minor risk.
Microsoft rating: Important
- MS13-095: Digital Signature Handling DoS Flaw
Windows ships with various components that allow it to handle the digital certificates and signatures used to establish secure communications. Unfortunately, Windows does not properly handle malformed X.509 certificates. By sending a specially crafted X.509 certificate to a Windows web server, an attacker could can a denial of service (DoS) condition, preventing the web server from responding future requests.
Microsoft rating: Important
Solution Path:
Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.
The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:
For All WatchGuard Users:
Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as allowing you to block .wri files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.
Status:
Microsoft has released patches correcting these issues.
References:
- Microsoft Security Bulletin MS13-090
- Microsoft Security Bulletin MS13-089
- Microsoft Security Bulletin MS13-092
- Microsoft Security Bulletin MS13-093
- Microsoft Security Bulletin MS13-095
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.