Secplicity - Security Simplified

Powered by WatchGuard Technologies

Four Windows Updates: Hijack Windows with Malicious Images

March 11, 2014 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like Silverlight)
  • How an attacker exploits them: Multiple vectors of attack, including luring users into viewing malicious images
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as Silverlight. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-013: DirectShow JPEG Handling Vulnerability

DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams, images, and files. It suffers from an unspecified memory corruption vulnerability having to do with how it handles specially crafted JPEG (JPG) images. By getting your users to view such a malicious image, perhaps via a web site or email, an attacker could leverage this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, the attacker gains full control of the users’ machines.

Microsoft rating: Critical

  • MS14-015: Multiple Kernel-Mode Driver Code Execution Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from two security vulnerabilities. The worst is an elevation of privilege flaw having to do with how it handles memory. In a nutshell, if a local attacker can run a specially crafted application, he could leverage this flaw to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability. The second issue could allow attackers to gain access to information in restricted sections of your computer’s memory, but doesn’t pose as high a risk as the first.

Microsoft rating: Important

  • MS14-016: SAMR Lockout Bypass Vulnerability

The Security Account Manager or SAM file is a database file on Windows computers that contains all the hashed user credentials. The Security Account Manager Remote (SAMR) protocol is a client-to-server communication protocol Windows uses to check credentials against a SAM database. SAMR suffers from a flaw that allows attackers to bypass its user lockout feature. Windows allows you to lock out a user who has entered the wrong password a certain number of times. This makes it harder for attackers to launch “brute-force” password cracking attacks, since it limits the number of failed password attempts. However, by sending specially crafted SAMR messages, an attacker can bypass this lockout feature, and try unlimited passwords against your Windows system. While this doesn’t directly give the attacker access to your computer, it does allow attackers on your local network to try and brute-force your passwords.

Microsoft rating: Important
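The lockout feature described above is a counter of failed logons per account inside a time window; the bypass matters because an account keeps accepting guesses after that counter should have tripped. The following is an added example (not code from the original alert or from WatchGuard) that models the policy and, more usefully for a defender, flags the symptom of a bypass in logs: an account that accumulates at least the threshold of failed logons in the window without a corresponding lockout event. It assumes the real Windows Security log event IDs 4625 (an account failed to log on) and 4740 (a user account was locked out); the event records, the account names and the source addresses are constructed for the example, and the tuple layout is a simplification rather than a Windows log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # Windows Security log: an account failed to log on
ACCOUNT_LOCKED_OUT = 4740  # Windows Security log: a user account was locked out


class LockoutPolicy:
    """Counts failed logons per account; locks an account once `threshold`
    failures land inside `window`. This is what a correct SAMR path enforces."""

    def __init__(self, threshold=5, window=timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(list)
        self.locked = set()

    def failed_logon(self, account, when):
        """Record one failure; return True if the account is (now) locked out."""
        if account in self.locked:
            return True
        recent = [t for t in self._failures[account] if when - t <= self.window]
        recent.append(when)
        self._failures[account] = recent
        if len(recent) >= self.threshold:
            self.locked.add(account)
        return account in self.locked


def detect_lockout_bypass(events, threshold=5, window=timedelta(minutes=30)):
    """Detection logic: events are (timestamp, event_id, account, source) tuples.
    Returns {account: (max_failures_in_any_window, [sources])} for accounts that
    reached the lockout threshold but never produced a 4740 lockout event."""
    failures = defaultdict(list)
    locked = set()
    for when, event_id, account, source in sorted(events):
        if event_id == ACCOUNT_LOCKED_OUT:
            locked.add(account)
        elif event_id == FAILED_LOGON:
            failures[account].append((when, source))

    findings = {}
    for account, hits in failures.items():
        if account in locked:
            continue  # the policy did its job; nothing to flag
        times = [t for t, _ in hits]  # already chronological (events were sorted)
        best, j = 0, 0
        for i in range(len(times)):  # sliding window over the failure timestamps
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            findings[account] = (best, sorted({s for _, s in hits}))
    return findings


# Constructed sample events (not real log data).
_BASE = datetime(2014, 3, 11, 9, 0, 0)
SAMPLE_EVENTS = (
    # jdoe: 8 failures in 8 minutes from one host, and no lockout -> suspicious
    [(_BASE + timedelta(minutes=m), FAILED_LOGON, "jdoe", "10.0.0.5") for m in range(8)]
    # asmith: 6 failures followed by a lockout event -> policy worked
    + [(_BASE + timedelta(minutes=m), FAILED_LOGON, "asmith", "10.0.0.9") for m in range(6)]
    + [(_BASE + timedelta(minutes=6), ACCOUNT_LOCKED_OUT, "asmith", "10.0.0.9")]
    # bwong: two typos, well under the threshold -> benign
    + [(_BASE + timedelta(minutes=m), FAILED_LOGON, "bwong", "10.0.0.20") for m in (1, 40)]
)

if __name__ == "__main__":
    for account, (count, sources) in detect_lockout_bypass(SAMPLE_EVENTS).items():
        print(f"{account}: {count} failed logons without lockout, from {sources}")
```

Run on the constructed events, only jdoe is reported. The sliding window is the important part: an attacker who spreads guesses out slowly stays under a naive "failures per hour" count, so the detector measures the densest run of failures rather than a fixed bucket, using the same threshold and window the lockout policy itself uses.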

  • MS14-014: Silverlight DEP/ASLR Bypass Flaw

Silverlight is a cross-platform and cross-browser software framework used by developers to create rich media web applications. Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems (OS) use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Data Execution Prevention (DEP) is another such feature that makes it hard for attackers to execute code from memory. Unfortunately, Silverlight does not implement Windows’ DEP and ASLR protection properly. This means that it’s relatively easy for attackers to exploit any memory corruption flaws in Silverlight. By itself, this bypass flaw is worthless. It doesn’t give an attacker access to your computer. However, assuming attackers find memory corruption flaws in Silverlight, this bypass flaw would make it easier for them to exploit those flaws to execute code. You should apply this update simply to improve the general security of Silverlight.

Microsoft rating: Important
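On Windows, whether a module opts into DEP and ASLR is recorded in the PE optional header's DllCharacteristics field (NX_COMPAT = 0x0100 for DEP, DYNAMIC_BASE = 0x0040 for ASLR, HIGH_ENTROPY_VA = 0x0020 for 64-bit high-entropy ASLR), so a defender can audit the binaries on a system for exactly the weakness this bulletin describes. The example below is added here and is not code from the alert, from WatchGuard or from Microsoft; it parses those flags from a PE image and builds a minimal constructed header (not a loadable executable) to exercise the parser. Whether the Silverlight modules of the time were missing these flags or failed in some other way is not stated on the page; the check only reports what a given file opts into.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE optional header
DYNAMIC_BASE = 0x0040     # image can be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100        # image is compatible with DEP (no-execute data pages)
HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use a high-entropy address space

COFF_HEADER_SIZE = 20          # IMAGE_FILE_HEADER
DLLCHAR_OFFSET_IN_OPTIONAL = 70  # same offset in PE32 and PE32+ optional headers


def dll_characteristics(pe_bytes):
    """Return the DllCharacteristics field of a PE image, validating the
    MZ and PE signatures and the optional-header magic along the way."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", pe_bytes, opt + DLLCHAR_OFFSET_IN_OPTIONAL)[0]


def mitigation_report(pe_bytes):
    """Summarise the exploit mitigations a module opts into."""
    flags = dll_characteristics(pe_bytes)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
    }


def build_test_pe(flags, pe32plus=False):
    """Constructed minimal PE header for testing the parser only; it carries
    an MZ stub, a PE signature, a COFF header and an optional header with the
    requested DllCharacteristics. It is not a runnable image."""
    e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    buf = bytearray(e_lfanew + 4 + COFF_HEADER_SIZE + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<H", buf, coff + 16, opt_size)  # SizeOfOptionalHeader
    opt = coff + COFF_HEADER_SIZE
    struct.pack_into("<H", buf, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", buf, opt + DLLCHAR_OFFSET_IN_OPTIONAL, flags)
    return bytes(buf)


def audit_file(path):
    """Audit a real module on disk, e.g. audit_file(r'C:\\path\\to\\module.dll')."""
    with open(path, "rb") as f:
        return mitigation_report(f.read())


if __name__ == "__main__":
    hardened = build_test_pe(DYNAMIC_BASE | NX_COMPAT)
    weak = build_test_pe(0)
    print("hardened:", mitigation_report(hardened))
    print("weak:    ", mitigation_report(weak))
```

A module without DYNAMIC_BASE is loaded at its preferred base address every time, which hands an attacker fixed addresses for any memory corruption bug in it; one without NX_COMPAT can have DEP disabled for the process on some configurations. Running `audit_file` over the DLLs a browser plugin loads is a quick way to find modules that undo the protection the OS would otherwise give the process.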

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them, especially server-related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

  • MS14-013
  • MS14-015
  • MS14-016
  • MS14-014

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as allowing you to block .jpg files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS14-013
  • Microsoft Security Bulletin MS14-014
  • Microsoft Security Bulletin MS14-015
  • Microsoft Security Bulletin MS14-016

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at [email protected].


Filed Under: Security Bytes Tagged With: DirectShow, kernel-mode driver, Microsoft, RCE, Remote code execution (RSE), silverlight, Updates and patches

Comments

  1. rental car makassar says

    February 3, 2015 at 8:54 pm

    excellent publish, very informative. I’m wondering why
    the other experts of this sector don’t understand this.
    You should proceed your writing. I’m confident,
    you’ve a huge readers’ base already!

    Reply
  2. ahli kunci surabaya says

    May 24, 2015 at 6:39 pm

    I am no longer positive the place you’re getting your information, but
    great topic. I must spend a while learning much more or working out more.

    Thank you for wonderful info I used to be on the
    lookout for this information for my mission.

    Reply
  3. Handphone android murah says

    May 24, 2015 at 8:11 pm

    Appreciation to my father who informed me on the
    topic of this weblog, this blog is genuinely remarkable.

    Reply
  4. Gratis Download Lagu Mp3 Terbaru says

    June 1, 2015 at 10:15 pm

    I pay a visit day-to-day a few web sites and blogs to read content, except this website offers feature
    based content.

    Reply
  5. paket pulau pari says

    June 25, 2015 at 7:47 pm

    I simply couldn’t go away your web site before suggesting that I
    actually enjoyed the usual information an individual provide for your guests?
    Is going to be back often to inspect new posts

    Reply
  6. tours To Do in darwin says

    June 27, 2015 at 7:18 pm

    I am curious to find out what blog system you’re using?
    I’m experiencing some small security problems
    with my latest site and I’d like to find something more
    secure. Do you have any suggestions?

    Reply
  7. Hotel di Kuta Bali says

    July 8, 2015 at 6:31 pm

    Right away I am going away to do my breakfast, afterward having my breakfast coming again to read other
    news.

    Reply
  8. medali lari says

    July 8, 2015 at 6:51 pm

    Hi there mates, how is the whole thing, and what you want to
    say about this article, in my view its genuinely
    amazing for me.

    Reply
  9. tv kabel jogja says

    November 1, 2015 at 8:22 pm

    Excellent article. I will be experiencing many of these
    issues as well..

    Reply
