Thirteen Windows Bulletins Patch 18 Security Holes

Critical SMB, DNS, and ActiveX Flaws Corrected

Severity: High

12 April, 2011

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic or enticing your users to view malicious images
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released thirteen security bulletins describing 18 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS11-019: SMB Client Remote Code Execution Vulnerability

Microsoft Server Message Block (SMB) is the protocol Windows uses for file and print sharing. According to Microsoft, the Windows SMB client suffers from two security vulnerabilities which attackers could leverage to execute malicious code. By enticing one of your users to connect to a malicious SMB server, or by sending a specially crafted SMB message, an attacker can exploit of either the flaws to gain complete control of a vulnerable Windows computer. However, firewalls like WatchGuard’s XTM appliances typically block SMB traffic from the Internet, making these vulnerabilities primarily an internal risk. That said, many types of malware leverage SMB vulnerabilities to self-propagate within networks, once they infect their first victim.
Microsoft rating: Critical

  • MS11-020: SMB Server Remote Code Execution Vulnerability

The Windows SMB Server also suffers from a code execution vulnerability. By sending a specially crafted SMB packet, an attacker can exploit this flaw to gain complete control of a vulnerable Windows computer. Again, this vulnerability primarily poses an internal risk since firewalls block SMB.
Microsoft rating: Critical

  • MS11-027: Cumulative ActiveX Kill Bit Update

Microsoft and external researchers have identified several Microsoft and third party ActiveX controls that suffer various security vulnerabilities. By enticing one of your users to a malicious website, an attacker could exploit any of these ActiveX controls to execute code on your user’s computer, with that user’s privileges. Like most Windows vulnerabilities, if your user has administrative privileges, the attacker would gain complete control of the user’s PC. This update sets the Kill Bit for all the vulnerable ActiveX controls, thereby disabling them in Windows. For more details about which ActiveX controls are disabled, see the Vulnerability Information section of Microsoft’s bulletin.
Microsoft rating: Critical.

  • MS11-028: .NET Framework Stack Corruption Vulnerability

The .NET Framework is software framework used by developers to create new Windows and web applications. Unfortunately, the x86 JIT compiler within the .NET Framework suffers from a complex vulnerability having to do with it incorrectly compiling certain types of function calls. The scope and impact of this vulnerability differs greatly depending on the Web or Windows .NET application you’ve designed. In the worst case, an attacker could exploit this flaw to gain complete control of a Windows computer. However, you are only vulnerable if you are hosting a custom web application creating in a certain way, allow others to upload custom .NET web applications, or created a special .NET Windows application. If you do create .NET application, see the Vulnerability Information section of Microsoft’s alert for more details about this issue. In any case, if you’ve installed .NET Framework, you should install this update even if you don’t create your own .NET applications.
Microsoft rating: Critical.

  • MS11-029: GDI+ Integer Overflow Vulnerability

The Graphics Device Interface (GDI+) is one of the Windows components that handles images, specifically 2D vector graphics. GDI+ suffers from an integer overflow vulnerability involving its inability to properly handle specially malformed EMF images. By luring one of your users into viewing a malicious image, perhaps hosted on a web site, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer.
Microsoft rating: Critical

  • MS11-030: Windows DNS Client Code Execution Vulnerability

The Windows DNS client suffers from an unspecified vulnerability having to do with its inability to handle specially crafted Link-local Multicast Name Resolution (LLMNR) DNS queries. There are two way an attacker could exploit this flaw, which depend on what version of Windows he targets. Against Windows XP and Server 2003 computers, an attacker needs to log in to your computer locally with valid credentials, and then run a special program which would exploit this flaw to elevate his privileges. Since this scenario requires the attacker have local access to your computers and valid credentials, it poses less risk. However, the flaws poses much greater risk to Windows Vista, 7, and Server 2008 computers. Against these versions of Windows, an attacker only has to send a specially crafted LLMNR broadcast message to leverage this flaw to execute code with the NetworkService accounts privileges, which would give him significant control of your computer.
Microsoft rating: Critical.

VBScript and JScript are both scripting languages created by Microsoft, and used by Windows and its applications. According to two Microsoft Bulletins, these scripting engines suffer from two code execution vulnerabilities. The lesser risk flaw is a recap of MS10-022, which we described in a previous alert. This is a code execution issue that only crops up when you press F1 in a very particular situation. However, the second vulnerability is an integer overflow flaw an attacker can easily trigger with a specially crafted script. By enticing you to a specially crafted web page, an attacker could leverage this flaw execute code on your computer with your privileges. If you have admin rights, then it’s game over for your PC.
Microsoft rating: Critical and Important.

  • MS11-032: OpenType Font CFF Driver Code Execution Vulnerability

Windows ships with many fonts, including the OpenType Compact Font Format (CFF) font. Unfortunately, the driver that helps Windows display the OpenType CFF font doesn’t properly validate certain parameter values. Attackers can exploit this flaw in one of two ways, depending on whether they are targeting newer or older versions of Windows. Against older versions of Windows (XP and 2003) an attacker would need to run a specially crafted program on one of your Windows computers in order to gain complete control of that system, regardless of the attacker’s original user privileges. The attacker needs to have local access to one of your computers in order to run his malicious program. However, newer versions of Windows (Vista, 2008, 7) have an auto preview feature that will automatically preview fonts in a directory. By luring one of your users into opening a file share that contains a maliciously crafted OpenType font, an attacker could leverage this flaw to gain complete control of newer Windows computers. As an aside, this flaw is almost identical in nature to MS11-007.
Microsoft rating: Critical

  • MS11-024: Fax Cover Page Editor Memory Corruption Vulnerability

The Windows Fax Cover Page Editor (fxscover.exe) is just what it sounds — a program that helps you create a cover page for faxes. It suffers from an unspecified memory corruption vulnerability due to its inability to handle specially crafted fax cover pages (.cov). By enticing one of your users to open a specially crafted .cov, an attacker could exploit this flaw to execute code on that user’s computer, with their privileges. As usual, if your users have administrative privileges, the attacker inherits them.
Microsoft rating: Important.

  • MS11-026: MHTML Information Disclosure Vulnerability

In our February advanced notification post, we mentioned a zero day MHTML vulnerability that was similar to a Cross-site Scripting (XSS) vulnerability.The flaw involves the Windows MHTML or MIME HTML component, which is used to handle special web pages that include both HTML and MIME (typically pictures, audio, or video) content contained in one file. If an attacker can entice you to visit a specially crafted web-page, or click a malicious link, he could exploit this flaw in much the same way he might exploit a Cross-Site Scripting (XSS) vulnerability; to steal your cookies, redirect your browser to malicious sites, or essentially take any action you could on a web site. This update finally fixes that February zero day flaw.
Microsoft rating: Important.

  • MS11-033 : WordPad Code Execution Vulnerability

WordPad is the free text editor that comes with Windows. It suffers from an unspecified vulnerability involving its text converters inability to parse specific fields in a specially crafted Word document. By enticing one of your users to open such a document, an attacker could exploit this flaw to execute code on that users computer. If the user is a local administrator, the attacker gains full control. This flaw only affects Windows XP and Server 2003.
Microsoft rating: Important

  • MS11-034 Windows Kernel-Mode Drivers Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. This kernel-mode driver suffers from two elevation of privilege vulnerabilities. Though these flaws differ technically, they share the same scope and impact. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws.
Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-019:

MS11-020:

MS11-027:

* Note: Server Core installations not affected.

MS11-028:

Due to the complicated, version-dependent nature of .NET Framework updates, we recommend you see the Affected & Non-Affected Software section of Microsoft’s Bulletin for patch details.

MS11-029:

* Note: Server Core installations not affected.

MS11-030:

MS11-031 & MS11–022

Due to the complicated, version-dependent nature of VBScript and JScript updates, we recommend you see the Affected & Non-Affected Software sections of Microsoft’s Bulletins for patch details:

MS11-032:

MS11-024:

This Fax Cover Editor update requires multiple patches. Please see the Affected & Non-Affected Software section of Microsoft’s Bulletin for more details.

MS11-026:

MS11-033:

MS11-034:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall could help mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

Trackbacks/Pingbacks

  1. Thirteen Windows Bulletins Patch 18 Security Holes | microreksa - April 12, 2011

    […] Thirteen Windows Bulletins Patch 18 Security Holes […]

  2. Eleven Windows Bulletins Patch Many Critical Vulnerabilities | WatchGuard Security Center - June 14, 2011

    […] redirect your browser to malicious sites, or essentially take any action you could on a web site. Last April, Microsoft supposedly fixed this flaw. However, their fix must not have been complete since this […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: