Severity: High
Summary:
- These vulnerabilities affect: All current versions of Windows (and related components like XML Core Services)
- How an attacker exploits them: Multiple vectors of attack, including enticing you to malicious web sites, or into interacting with malicious documents or images.
- Impact: In the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you
Exposure:
Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as XML Core Services. An attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.
The summary below lists the vulnerabilities, in order from highest to lowest severity.
- MS14-038: Journal Documents
Windows Journal is a basic note taking program that ships with Windows systems (though the server versions of Windows do not install it by default). It suffers from a vulnerability involving how it handles specially crafted Journal files (.JNT). If an attacker can trick you into opening a malicious Journal file, perhaps embedded in an email or web site, he can exploit this flaw to execute code on your computer, with your privileges. If you have local administrative privileges, the attacker gains full control of your computer.
Microsoft rating: Critical
- MS14-039: On-Screen Keyboard Privilege Elevation Vulnerability
Windows ships with an accessibility option called the On-Screen Keyboard (OSK), which displays a virtual keyboard on your display you can use for character entry. It suffers from a local elevation of privilege (EoP) vulnerability. Basically, low privileged processes can run the OSK and use it to run other programs with the logged in users privileges. However, to exploit this flaw an attacker would first have to exploit another vulnerability in a low integrity process, which lessens the severity of this issue.
Microsoft rating: Important
- MS14-040: AFD Privilege Elevation Vulnerability
The Ancillary Function Driver (AFD) is a Windows component that helps manage Winsock TCP/IP communications. It suffers from a local elevation of privilege (EoP) issue. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.
Microsoft rating: Important
- MS14-041: DirectShow Privilege Elevation Vulnerability
DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams, images, and files. It suffers from a local elevation of privilege (EoP) vulnerability. If an attacker can exploit another vulnerability to gain access to a low integrity process, she could then exploit this flaw this flaw to elevate her privileges to that of the currently logged in user.
Microsoft rating: Important
Microsoft’s Patch Day Video Summary:
Microsoft has recently started producing short videos to summarize each month’s Patch Day, which I’ve linked here for your convenience.
(Runtime: 2:24)
Direct YouTube Link: https://www.youtube.com/watch?v=3j-5-xIMgks
Solution Path:
Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them.
The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:
For All WatchGuard Users:
WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws; especially the Critical Windows Journal vulnerability. If you choose, you can leverage our proxies to prevent your users from receiving Journal files (.JNT) via email, web sites, or FTP sites. However, attackers can exploit some of the other flaws locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself.
Status:
Microsoft has released patches correcting these issues.
References:
- Microsoft Security Bulletin MS14-038
- Microsoft Security Bulletin MS14-039
- Microsoft Security Bulletin MS14-040
- Microsoft Security Bulletin MS14-041
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.