Secplicity - Security Simplified

Powered by WatchGuard Technologies

Windows File Handling Remote Code Execution Flaw

April 9, 2014 By Corey Nachreiner

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: By tricking your users into running a .bat or .cmd file from a network location
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

As part of Patch Day, Microsoft released a Windows security bulletin describing a code execution vulnerability involving the way it handles .bat and .cmd files, otherwise known as Windows batch files. Windows batch files allow you to write multiple scripted commands, which run together (as a batch) when you run the file. Windows suffers from a vulnerability in the way it processes these files, which attackers could exploit to execute arbitrary code. If an attacker can trick one of your users into running a .bat or .cmd file from a network location, they could exploit this issue to execute any code with that user’s privileges. In most Windows environments, users have local administrator privileges, so this attack could give hackers full control of your machine.

That said, this flaw takes significant user interaction to succeed, and most savvy Windows users know batch files could be dangerous, and don’t run them randomly. Nonetheless, we recommend you patch Windows as soon as you can.

Also note, this will be the last security update for Windows XP. If you haven’t figured out your Windows XP migration path yet, you really should start thinking about it. That said, security companies like WatchGuard will continue to develop IPS and anti-malware signatures to detect and block threats against Windows XP systems. If you absolutely cannot upgrade XP, be sure to at least implement IPS, AV, and UTM systems to protect your vulnerable computers.

Solution Path:

Microsoft has released updates that correct this vulnerability. You should download, test, and deploy the appropriate update throughout your network as soon as you can. If you choose, you can also let Windows Update automatically download and install it for you. As always, you should test your updates before deploying them, especially server-related updates.

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate some of the risk of this flaw (such as allowing you to block .bat and .cmd files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit it over the local network too. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.
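Because the gateway cannot see batch files launched from shares on the local network, a host-side check helps show where users actually run them. The following is an added example, not code from WatchGuard or Microsoft: it scans process-creation command lines (as exported from endpoint logging) for .bat or .cmd files run from a UNC path or a mapped network drive. The record fields, host names, and the `mapped_drives` set are assumptions constructed for illustration.

```python
import re

# Batch-file paths inside a command line: quoted (may contain spaces) or bare.
# A path starts with \\ (UNC) or a drive letter and ends in .bat or .cmd.
SCRIPT_RE = re.compile(
    r'"((?:\\\\|[A-Za-z]:\\)[^"]*?\.(?:bat|cmd))"'
    r'|((?:\\\\|[A-Za-z]:\\)[^\s"]*?\.(?:bat|cmd))(?=[\s"]|$)',
    re.IGNORECASE,
)

def is_network_path(path, mapped_drives=frozenset()):
    """True for UNC paths and for drive letters the caller lists as share mappings."""
    if path.startswith("\\\\?\\"):            # \\?\ extended-length prefix
        rest = path[4:]
        if rest[:4].upper() == "UNC\\":       # \\?\UNC\server\share\...
            return True
        path = rest                           # \\?\C:\dir\a.bat -> C:\dir\a.bat
    if path.startswith("\\\\"):
        return True                           # \\server\share\...
    return path[:1].upper() in mapped_drives  # letters given in upper case

def network_batch_scripts(command_line, mapped_drives=frozenset()):
    """Return batch-file paths in one command line that sit on a network location."""
    paths = (quoted or bare for quoted, bare in SCRIPT_RE.findall(command_line))
    return [p for p in paths if is_network_path(p, mapped_drives)]

def scan(events, mapped_drives=frozenset()):
    """Return (host, user, path) for every network-hosted batch file that was run."""
    return [(e["host"], e["user"], p)
            for e in events
            for p in network_batch_scripts(e["cmd"], mapped_drives)]

# Constructed sample records; field names and values are hypothetical.
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "alice",
     "cmd": r'C:\Windows\system32\cmd.exe /c "\\fs01\public\Quarterly Tools\setup.bat"'},
    {"host": "WS-014", "user": "alice", "cmd": r'cmd.exe /c C:\Scripts\backup.cmd'},
    {"host": "WS-022", "user": "bob", "cmd": r'cmd.exe /c Z:\installers\update.cmd /quiet'},
    {"host": "WS-031", "user": "carol", "cmd": r'notepad.exe \\fs01\public\readme.txt'},
]

if __name__ == "__main__":
    for host, user, path in scan(SAMPLE_EVENTS, mapped_drives={"Z"}):
        print(f"{host} {user} ran network batch file: {path}")
```

A hit here does not indicate exploitation; it identifies machines and users that run batch files from network locations and should therefore be prioritized for the update.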

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS14-019

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

