• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Windows Updates for Media Center, .NET, and LRPC

August 12, 2014 By Corey Nachreiner

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, such as enticing you into opening maliciously crafted Office file.
  • Impact: In the worst case, an remote attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing seven vulnerabilities in Windows and related components, such as the .NET Framework. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-043:  Windows Media Center Code Execution Flaw

Windows Media Center is the media player and Digital Video Recording (DVR) application that ships with the popular operating system. MCplayer.dll, a component Media Center uses for audio and video playback, suffers from a “use after free” vulnerability. By tricking you into running a specially crafted Office file, a remote attacker could leverage this flaw to execute code on your computer, with your privileges. If you’re a local adminstrator, the attacker could gain complete control of your machine. Note, this flaw mostly affects the latest versions of Windows.

Microsoft rating: Critical

  • MS14-045:  Multiple Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from three local code execution flaws. The flaws differ technically, but most have to do with the kernel-mode driver improperly handling certain objects, which can result in memory corruptions. Smart attackers can leverage memory corruption flaws to execute code. In a nutshell, if a local attacker can run a specially crafted application, he could leverage most of these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability.

Microsoft rating: Important

  • MS14-046:  .NET Framework ASLR Bypass Flaw

The .NET Framework is software framework used by developers to create new Windows and web applications. Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. In short, the .NET framework doesn’t use ASLR protection. This means attackers can leverage .NET to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

  • MS14-047:  LRPC ASLR Bypass Flaw

Local Remote Procedure Call (LRPC) is a protocol Microsoft Windows uses to allow processes to communicate with each other and execute tasks, whether on the same computer or another computer over the network. It suffers from a ASLR bypass vulnerability that has the same scope and impact as the .NET one described above.

Microsoft rating: Important

  • MS14-049:  Windows Installer Service Elevation of Privilege Flaw

As its name suggests, the Windows Installer services is a component that helps you install and configure stuff in Windows. It suffers from a privilege escalation vulnerability involving the way it improperly handles the repair of a previous application. If a local attacker can log into one of your Windows systems and run a specially crafted application, he could exploit this flaw to gain complete control of the system (even if he started out with only Guest privileges). Of course, the attacker would need valid login credentials, which significantly lowers the severity of this issue.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

  • MS14-043
  • MS14-045
  • MS14-046
  • MS14-047
  • MS14-049

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as blocking Office files), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS14-043
  • Microsoft Security Bulletin MS14-045
  • Microsoft Security Bulletin MS14-046
  • Microsoft Security Bulletin MS14-047
  • Microsoft Security Bulletin MS14-049

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at [email protected].

Share This:

Related

Filed Under: Security Bytes Tagged With: LRPC, Microsoft, Security Bulletins, Software vulnerabilities, Updates and patches, Windows Installer, Windows Media Center

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • Here Come The Regulations
  • Cybersecurity’s Toll on Mental Health

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use