Six Windows Bulletins Fix Important and Moderate Flaws

Bulletins Affect TCP/IP Stack, Data Access Components, the Kernel, and More

Severity: Medium

Summary:

• These vulnerabilities affect: All current versions of Windows and components that ship with it
• How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, enticing your users to open malicious files, or running malicious applications locally
• Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Yesterday, Microsoft released six security bulletins describing seven vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS11-059: Data Access Components Code Execution Vulnerability

According to Microsoft, Windows Data Access Components (Windows DAC) help provide access to information across an enterprise. Unfortunately, Windows DAC allows unrestricted access to the loading of external libraries. By enticing one of your users to open a specially crafted Excel file residing in the same location as a malicious DLL file, an attacker could exploit this flaw to execute code on that user’s system, with that users privileges. If your users have local administrative privileges, the attacker gains complete control of their machine. This flaw only affects Windows 7 and later.
Microsoft rating: Important.

• MS11-061: Remote Desktop Web Access XSS Vulnerability

Windows Remote Desktop (RD) allows you to gain network access to your Windows desktop from anywhere. The Web Access component provides this capability through a web browser. Unfortunately, the RD Web Access component suffers from a Cross-Site Scripting (XSS)  vulnerability. By enticing one of your users into clicking a specially crafted link, an attacker could run script on that users computer under the context of the RD Web Access component, potentially giving the attacker access to your remote desktop. This flaw only affects Windows Server 2008 R2 x64.
Microsoft rating: Important.

• MS11-062: RAS NDISTAPI Driver Elevation of Privilege Vulnerability

Remote Access Service (RAS) is a component that allows you to access networks over phone lines, and the NDISTAPI driver is one of the RAS components that helps provide this functionality. The NDISTAPI driver doesn’t properly validate users input that it passes to the Windows kernel. By running a specially crafted application, an attacker can leverage this flaw to elevate his privilege, gaining complete control of your Windows machine. However, the attacker would first need to gain local access to your Windows computers using valid credentials, in order to run his special program. This factor significantly reduces the risk of this flaw. Finally, this flaw only affects XP and Server 2003.
Microsoft rating: Important.

• MS11-063: CSRSS Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from a Elevation of Privilege (EoP) vulnerability. Like the NDISTAPI driver flaw above, by running a specially crafted program, an authenticated attacker could leverage these flaws to gain complete, SYSTEM-level  control of your Windows computers. However, like before, the attacker would first need to gain local access to your Windows computers using valid credentials, which somewhat reduces the risk of these flaws.
Microsoft rating: Important.

• MS11-064: TCP/IP Stack DoS Vulnerabilities

The Windows TCP/IP stack provides IP-based network connectivity to your computer. It suffers from two Denial of Service (DoS) vulnerabilities. On of the flaws is a variant of the very old Ping of Death vulnerability. By sending a specially crafted ICMP message, an attacker can cause your system to stop responding or reboot. Most firewalls, including WatchGuard’s XTM appliances, prevent external exploit of this classic DoS flaw. The second flaw has to do with how the TCP/IP stack handles specially crafted URLs. By sending a specially crafted URL to one of your Windows Web servers, an attacker could exploit this flaw to cause the server to lock up or reboot. These flaws only affect Windows Vista and later.
Microsoft rating: Important.

• MS11-068: Windows Kernel DoS Vulnerability

The kernel is the core component of any computer operating system. The Windows kernel suffers from a Denial of Service (DoS) vulnerability, involving a flaw in the way it parses metadata in files. By running a specially crafted program, an attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws. This flaw only affect Windows Vista and later.
Microsoft rating:Moderate.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-059:

• For Windows 7 (w/SP1)
• For Windows 7 x64 (w/SP1)
• For Windows Server 2008 R2 x64 (w/SP1)
• For Windows Server 2008 R2 Itanium (w/SP1)

MS11-061:

• For Windows Server 2008 R2 x64

MS11-062:

• For Windows XP (w/SP3)
• For Windows XP x64 (w/SP2)
• For Windows Server 2003 (w/SP2)
• For Windows Server 2003 x64 (w/SP2)
• For Windows Server 2003 Itanium (w/SP2)

MS11-063:

• For Windows XP (w/SP3)
• For Windows XP x64 (w/SP2)
• For Windows Server 2003 (w/SP2)
• For Windows Server 2003 x64 (w/SP2)
• For Windows Server 2003 Itanium (w/SP2)
• For Windows Vista (w/SP2)
• For Windows Vista x64 (w/SP2)
• For Windows Server 2008 (w/SP2)
• For Windows Server 2008 x64 (w/SP2)
• For Windows Server 2008 Itanium (w/SP2)
• For Windows 7 (w/SP1)
• For Windows 7 x64 (w/SP1)
• For Windows Server 2008 R2 x64 (w/SP1)
• For Windows Server 2008 R2 Itanium (w/SP1)

MS11-064:

• For Windows Vista (w/SP2)
• For Windows Vista x64 (w/SP2)
• For Windows Server 2008 (w/SP2)
• For Windows Server 2008 x64 (w/SP2)
• For Windows Server 2008 Itanium (w/SP2)
• For Windows 7 (w/SP1)
• For Windows 7 x64 (w/SP1)
• For Windows Server 2008 R2 x64 (w/SP1)
• For Windows Server 2008 R2 Itanium (w/SP1)

MS11-068:

• For Windows Vista (w/SP2)
• For Windows Vista x64 (w/SP2)
• For Windows Server 2008 (w/SP2)
• For Windows Server 2008 x64 (w/SP2)
• For Windows Server 2008 Itanium (w/SP2)
• For Windows 7 (w/SP1)
• For Windows 7 x64 (w/SP1)
• For Windows Server 2008 R2 x64 (w/SP1)
• For Windows Server 2008 R2 Itanium (w/SP1)

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS11-059
• Microsoft Security Bulletin MS11-061
• Microsoft Security Bulletin MS11-062
• Microsoft Security Bulletin MS11-063
• Microsoft Security Bulletin MS11-064
• Microsoft Security Bulletin MS11-068
  

This alert was researched and written by Corey Nachreiner, CISSP.