Secplicity - Security Simplified

Powered by WatchGuard Technologies

Quintuple of Windows Updates Patch Zero Day Flaw and More

December 10, 2013 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites or into viewing malicious images
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing a like number of vulnerabilities in Windows and its components. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-096: GDI+ Memory Corruption Vulnerability

The Graphics Device Interface (GDI+) is one of the Windows components that helps applications output graphics to your display or printer. GDI+ suffers from a memory corruption vulnerability involving its inability to properly handle specially malformed TIFF images (.tif). By enticing one of your users into viewing a malicious image, perhaps embedded in an email or web site, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer. This is the zero day vulnerability we warned you about in early November. Attackers are already exploiting it in the wild, so we recommend you patch immediately.

Microsoft rating: Critical

  • MS13-098: Windows Authenticode Signature Validation Vulnerability

Windows contains Authenticode technology, which is a digital certificate-based code signing implementation designed to allow you and the operating system to verify the integrity and reputation of software. It works on the premise that if you download software signed by a vendor, say WatchGuard, and that software passes Windows’ Authenticode validation, then you can trust the software really comes from WatchGuard and hasn’t been modified in any way.

However, this bulletin describes a flaw in the way the Windows Authenticode Signature Validation function (WinVerifyTrust) checks Portable Executable (PE) files. In short, an attacker can create a specially crafted PE file that passes Windows’ Authenticode validation even after the attacker has maliciously modified the executable. If an attacker can get one of your users to download and run such an executable file, he could exploit this flaw to gain access to that user’s computer, with that user’s privileges. If the user had local administrator privileges, the attacker gains full control of the computer. The good news is, most users are very suspicious of unsolicited executable files they receive via email or the web. Hopefully, your users already know not to handle these sorts of unsolicited files. However, this flaw specifically bypasses a mechanism Microsoft uses to help users validate the reputation of files, so smart attackers could leverage it to help convince users to run executables they otherwise wouldn’t have. We recommend you patch this vulnerability as quickly as possible.

Microsoft rating: Critical
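Since the MS13-098 flaw lives in the signature validation path itself, the practical defender's check is to audit which executables on a host carry signatures that do not validate, and to do so from a patched host. The script below is an added example, not code from the Secplicity post or from WatchGuard; it uses the built-in Get-AuthenticodeSignature cmdlet and assumes Windows PowerShell 3.0 or later, a folder of your choosing in $Path, and an optional, hypothetical allow-list of publisher subjects in $TrustedPublishers.

```powershell
# Added example (not from the original post): audit Authenticode signatures on
# PE files under a folder and report anything that does not validate.
param(
    # Folder to scan; Program Files is an assumption, change it to suit.
    [string]$Path = $env:ProgramFiles,
    # Optional allow-list of signer subjects (hypothetical values, e.g.
    # 'CN=Example Publisher, O=Example, L=Seattle, S=Washington, C=US').
    [string[]]$TrustedPublishers = @()
)

$results = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path       = $_.FullName
            # SignatureStatus values: Valid, NotSigned, HashMismatch, NotTrusted,
            # UnknownError, NotSupportedFileFormat, Incompatible
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        }
    }

# Anything other than 'Valid' deserves a look. HashMismatch in particular means the
# file's contents no longer match what the publisher signed.
Write-Host "Files whose Authenticode signature does not validate:"
$results | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Path |
    Format-Table Status, Path -AutoSize

# Optional: a valid signature only tells you the file is unmodified since signing,
# not that you trust the signer, so also flag validly signed files from unexpected publishers.
if ($TrustedPublishers.Count -gt 0) {
    Write-Host "Validly signed files from publishers not on the allow-list:"
    $results | Where-Object { $_.Status -eq 'Valid' -and $TrustedPublishers -notcontains $_.Signer } |
        Format-Table Signer, Path -AutoSize
}
```

One caveat worth stating plainly: Get-AuthenticodeSignature relies on the same Windows signature validation that this bulletin corrects, so an unpatched host would report a file crafted to abuse the flaw as Valid. Run the audit after deploying MS13-098, and treat the allow-list pass as the more useful signal in the meantime.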

  • MS13-099: Scripting Runtime Object Library Code Execution Vulnerability

Windows ships with a component called the Microsoft Scripting Runtime Object Library to help the operating system handle running VBA code and other scripts. This component suffers from a type of memory corruption vulnerability called a use-after-free flaw. By luring one of your users to a website containing some evil script, an attacker could exploit this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, then the attacker gains full control of their computer.

Microsoft rating: Critical

  • MS13-101: Multiple Kernel-Mode Driver Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers from five vulnerabilities, including two memory corruption vulnerabilities that local attackers can leverage to elevate their privileges. If a hacker can log in to your system with valid credentials and run a specially crafted program, she can exploit these memory corruption flaws to gain full SYSTEM level privileges on your computer (regardless of the attacker’s original privileges).

Microsoft rating: Important

  • MS13-102: LRPC Buffer Overflow Vulnerability

Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to allow one computer on a network to execute a task on another computer and then receive the results of that task. Windows uses something called Local RPC (LRPC) to send messages and tasks to a server running on the same computer as the client. There is a buffer overflow vulnerability in Windows’ implementation of LRPC. By running a malicious server on a victim computer, and having that server send a specially crafted LRPC message, an attacker could exploit this vulnerability to gain complete control of your Windows machine. That said, the attacker needs to have valid credentials to log into your Windows computer in order to run his malicious server locally.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, test your updates before deploying them, especially server-related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

  • MS13-096
  • MS13-098
  • MS13-099
  • MS13-101
  • MS13-102
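Once the updates have gone out, the step most teams skip is confirming they actually landed on each host. The script below is an added example, not code from the Secplicity post or from Microsoft; it maps each bulletin to the KB article that installs it and queries the local host with the built-in Get-HotFix cmdlet. The KB numbers shown are placeholders, because they differ by Windows version and are not listed on this page; take the real ones from the “Affected and Non-Affected Software” section of each bulletin linked above.

```powershell
# Added example (not from the original post): verify that the December 2013
# bulletins are installed on the local host and fail with a non-zero exit code if not.
# The KB values are PLACEHOLDERS; replace each with the KB number from the bulletin
# for the Windows version you are checking.
$bulletins = [ordered]@{
    'MS13-096' = 'KB<from-bulletin>'
    'MS13-098' = 'KB<from-bulletin>'
    'MS13-099' = 'KB<from-bulletin>'
    'MS13-101' = 'KB<from-bulletin>'
    'MS13-102' = 'KB<from-bulletin>'
}

# One query, then look up each KB in the result rather than calling Get-HotFix per bulletin.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }

$report = foreach ($entry in $bulletins.GetEnumerator()) {
    [pscustomobject]@{
        Bulletin  = $entry.Key
        KB        = $entry.Value
        Installed = $installed -contains $entry.Value
        Host      = $env:COMPUTERNAME
    }
}

$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ("{0} bulletin(s) not yet installed on {1}: {2}" -f
        $missing.Count, $env:COMPUTERNAME, ($missing.Bulletin -join ', '))
    exit 1
}
exit 0
```

For a fleet, run the same block through Invoke-Command against your server list and collect the objects rather than the table, so the result can be filtered centrally. Note that Get-HotFix only reports updates recorded in the local update history; a host that received the fix through a different package (a service pack or cumulative rollup, for instance) may need its KB mapping adjusted.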

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as allowing you to block .tif files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS13-096
  • Microsoft Security Bulletin MS13-098
  • Microsoft Security Bulletin MS13-099
  • Microsoft Security Bulletin MS13-101
  • Microsoft Security Bulletin MS13-102

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at [email protected].
