Flaws in Kernel and Kernel-mode Drivers
Severity: High
Summary:
- These vulnerabilities affect: Windows XP, 7, Server 2003, and Server 2008
- How an attacker exploits them: By running a malicious program locally or by tricking a user into running something they shouldn’t
- Impact: In the worst case, a local attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.
Exposure:
Today, Microsoft released two security bulletins describing the same number of vulnerabilities affecting many versions of Windows. Specifically, the flaws affect Windows XP, 7, Server 2003, and Server 2008. Microsoft has assigned both these vulnerabilities their medium severity rating of Important. However, attackers have already been found exploiting one of them in the wild, so we recommend you at least patch that one (MS14-002) as quickly as possible.
Quick note: Before diving into the bulletin details, we’d like to share a quick note for Windows XP users. Over the past few months, Microsoft has diligently been informing its customers that Windows XP will reach the “end-of-support” phase of its lifecycle on April 8th, 2014… which is in three short months. Among other things, this means that Windows XP will no longer receive security updates, even if attackers find new flaws in the popular OS. Microsoft has a great blog post discussing the risks of running unsupported software. XP was one of the better versions of Windows, and one we suspect some will be sad to see go (and in some cases it’s embedded in products that are hard to upgrade). That said, if you still use XP in your organization, you may want to consider a transition plan before time runs out. Now back to our regular programming…
The summary below lists the vulnerabilities, in order from highest to lowest severity.
- MS14-002: Kernel Elevation of Privilege Vulnerability
The kernel is the core component of any computer operating system. The NDProxy.sys kernel component that ships with Windows XP and Server 2003 suffers from an input validation vulnerability, which attackers can leverage to elevate their privilege. By running a specially crafted program, or by tricking a user into running something malicious, a local attacker could exploit this flaw to gain complete control of your PC. However, the attacker would first need to gain local access to your Windows computer using valid credentials. This factor significantly reduces the severity of the issue. However, researchers have already found attackers exploiting this vulnerability in the wild, to elevate their privileges as part other attacks. For this reason, we highly recommend you patch Windows XP and Server 2003 systems as quickly as possible.
Microsoft rating: Important
- MS14-003: Kernel-Mode Drivers Thread-owned Object Handling Vulnerability
As mentioned earlier, the kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. The kernel-mode driver suffers from a unspecified vulnerability involving how it handles “thread-owned objects”. By enticing one of your users to run an evil program, or by gaining local access and running it himself, an attacker could exploit this flaw to gain complete control of your Windows computer. Since this flaw requires local access or user interaction, it poses only a medium risk. The flaw also only affects Windows 7 and Server 2008. Nonetheless, we recommend you patch as quickly as you can.
Microsoft rating: Important
Solution Path:
Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible, especially the MS14-002 patch. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.
The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:
For All WatchGuard Users:
Both of these flaws require local access to exploit. While our XTM appliance’s gateway antivirus (GAV) service may sometimes find malware that may try and leverage these flaws, our network protection does not protect you from local exploits. Therefore, Microsoft’s updates are your best solution.
Status:
Microsoft has released patches correcting these issues.
References:
— This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)