Tag Archives: elevation of Privilege

Lenovo Security Fail – Daily Security Byte EP.78

A few months ago, some of Lenovo’s preinstalled adware got them into security hot water. Looks like their pre-installed software has struck again. Watch today’s video to learn about the latest Lenovo vulnerabilities and what you can do about them.

 

(Episode Runtime: 1:54)

Direct YouTube Link: https://www.youtube.com/watch?v=2jU2b42iVY4

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Windows 8.x and Server 2012 Suffer From Local EoP Vulnerability

Severity: Medium

Summary:

  • These vulnerabilities affect: Windows 8.x, Server 2012, and RT
  • How an attacker exploits it: By running a specially crafted application
  • Impact: A local low privileged attacker can gain SYSTEM privileges on your Windows computers
  • What to do: Deploy the appropriate update at your convenience, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released as part of Patch Day, Microsoft described an Elevation of Privilege (EoP) vulnerability that affects the latest versions of Windows—specifically, Windows 8.x, Server 2012, and RT.

The flaw lies in the Windows Task Scheduler, a service that allows you to automate the execution of tasks at certain times. Microsoft doesn’t describe the vulnerability in much detail, only saying the Task Scheduler does not properly check the integrity of tasks. By running a specially crafted application, an underprivileged local attacker could take advantage of this to execute programs with full SYSTEM privileges. Of course, the local attacker would have to log into a vulnerable system using valid credentials, which significantly lowers the impact of this flaw.

Solution Path:

You should download, test, and deploy the appropriate Windows update immediately, or let Windows Automatic Update do it for you. You can find links to the updates in the “Affected and Non-Affected Software” section of Microsoft’s Windows security bulletin.

For All WatchGuard Users:

This is a local vulnerability. We recommend you install Microsoft’s update to completely protect yourself from this flaw.

Status:

Microsoft has released patches to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Quintuple of Windows Updates Patch Zero Day Flaw and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites or into viewing malicious images
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing a like number of vulnerabilities in Windows and its components. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-096: GDI+ Memory Corruption Vulnerability

The Graphics Device Interface (GDI+) is one of the Windows components that helps applications output graphics to your display or printer. GDI+ suffers from a memory corruption vulnerability involving its inability to properly handle specially malformed TIFF images (.tif). By enticing one of your users into viewing a malicious image, perhaps embedded in an email or web site, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer. This is the zero day vulnerability we warned you about in early November. Attackers are already exploiting it in the wild, so we recommend you patch immediately.

Microsoft rating: Critical

  • MS13-098: Windows Authenticode Signature Validation Vulnerability

Windows contains Authenticode technology, which is a digital certificate-based code signing implementation designed to allow you and the operating system to verify the integrity and reputation of software. It works on the premise that if you download software signed by a vendor, say WatchGuard, and that software passes Windows’ Authenticode validation, then you can trust the software really comes from WatchGuard and hasn’t been modified in any way.

However, this bulletin describes a flaw in the way the Windows Authenticode Signature Validation function (WinVerifyTrust) checks Portable Executable (PE) files. In short, an attacker can create a specially crafted PE file that passes Windows’ Authenticode validation even after an attacker has maliciously modified the executable. If an attacker can get one of your users to download and run such an executable file, he could exploit this flaw to gain access to that user’s computer, with that user’s privileges. If the user had local administrator privileges, that attacker gains full control of the computer. The good news is, most users are very suspicious of unsolicited executable files they receive via email or the web. Hopefully, your users already know not to handle these sorts of unsolicited files. However, this flaw specifically bypasses a mechanism Microsoft uses to help users validate the reputation of files. So smart attackers could leverage it to help convince users to run executables they otherwise wouldn’t have. We recommend you patch this vulnerability as quickly as possible.

Microsoft rating: Critical
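As an added example (not code from this alert or from Microsoft), the following PowerShell checks a downloaded PE file’s Authenticode signature the way a defender would before trusting it, and reports whether the stricter signature verification that Microsoft shipped as an opt-in alongside MS13-098 (the EnableCertPaddingCheck registry value) is enabled on the host. The file path is a placeholder.

```powershell
# Added example, not Microsoft's code and not from this alert: report the
# Authenticode status of a PE file and whether the host enforces the stricter
# verification Microsoft made available as an opt-in with MS13-098.
# The file path used in the example run is a placeholder.

function Get-AuthenticodeReport {
    param([Parameter(Mandatory = $true)][string]$FilePath)

    # Get-AuthenticodeSignature calls WinVerifyTrust, so the result reflects
    # whatever verification policy this host currently enforces.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    New-Object PSObject -Property @{
        File       = $FilePath
        # 'Valid' means the hash matched and the chain built to a trusted root;
        # 'HashMismatch' means the file was altered after it was signed.
        Status     = $sig.Status
        Detail     = $sig.StatusMessage
        Signer     = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' })
        Thumbprint = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' })
    }
}

function Test-CertPaddingCheckEnabled {
    # Microsoft documented this value with MS13-098: when set to "1" under the
    # native Wintrust\Config key (and the WOW6432Node key on 64-bit Windows),
    # WinVerifyTrust rejects PE files whose signature block carries extra,
    # unsigned data instead of reporting them as validly signed.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    }
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue
        if ($null -eq $item -or "$($item.EnableCertPaddingCheck)" -ne '1') { return $false }
    }
    return $true
}

# Example run (placeholder path): show the signature report, then warn if the
# host has not opted in to the stricter check.
$report = Get-AuthenticodeReport -FilePath 'C:\Downloads\installer.exe'
$report | Format-List File, Status, Signer, Thumbprint, Detail
if (-not (Test-CertPaddingCheckEnabled)) {
    Write-Warning 'Strict Authenticode padding check is not enabled on this host.'
}
```

A Status other than Valid, or a signer subject you did not expect, is reason not to run the file regardless of what the padding check reports.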

  • MS13-099: Scripting Runtime Object Library Code Execution Vulnerability

Windows ships with a component called the Microsoft Scripting Runtime Object Library to help the operating system handle running VBA or scripts. This component suffers from a type of memory corruption vulnerability called a use-after-free flaw. By luring one of your users to a website containing some evil script, an attacker could exploit this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, then the attacker gains full control of their computer.

Microsoft rating: Critical

  • MS13-101: Multiple Kernel-Mode Driver Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers from five vulnerabilities, including two memory corruption vulnerabilities that local attackers can leverage to elevate their privileges. If a hacker can log in to your system with valid credentials, and can run a specially crafted program, she can exploit these memory corruption flaws to gain full SYSTEM level privileges on your computer (regardless of the attacker’s original privileges).

Microsoft rating: Important

  • MS13-102: LRPC Buffer Overflow Vulnerability

Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to allow one computer on a network to execute a task on another computer and then receive the results of that task. Windows uses something called Local RPC (LRPC) to send messages and tasks to a server running on the same computer as the client. There is a buffer overflow vulnerability in Windows’ implementation of LRPC. By running a malicious server on a victim computer, and having the server send a specially crafted LRPC message, an attacker could exploit this vulnerability to gain complete control of your Windows machines. That said, the attacker needs valid credentials to log into your Windows computer in order to run his malicious server locally.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them, especially server-related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as allowing you to block .tif files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

One of Windows’ Five Updates Fixes a Zero Day Flaw

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites or into opening malicious files
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing a like number of vulnerabilities in Windows and its components. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-090: ActiveX Control Code Execution Vulnerability

ActiveX controls are essentially small programs, often shared between applications, that work behind the scenes performing minor tasks on Windows-based computers. They are kind of like Microsoft-only Java applets. Many Microsoft products, including Windows, ship with many different ActiveX controls for performing various tasks.

Unfortunately, a particular Windows ActiveX control (InformationCardSigninHelper) that Internet Explorer (IE) uses suffers from a remote code execution vulnerability. If an attacker can entice one of your users into visiting a maliciously crafted web page, he can exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Researchers first discovered attackers exploiting this flaw in the wild. They’re currently exploiting it in advanced, targeted attacks. For that reason, we recommend you apply this patch as quickly as you can.

Microsoft rating: Critical

  • MS13-089: GDI Integer Overflow Vulnerability

The Graphics Device Interface (GDI) is one of the Windows components that helps applications output graphics to your display or printer. GDI suffers from an integer overflow vulnerability involving its inability to properly handle specially malformed Windows Write (.wri) files. By luring one of your users into opening a Write file in WordPad, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer.

Microsoft rating: Critical

  • MS13-092: Hyper-V Elevation of Privilege Vulnerability

Hyper-V is Microsoft’s virtualization platform, which ships with the latest versions of Windows Server. It suffers from an elevation of privilege vulnerability having to do with how it handles specially crafted hypercalls. If an attacker has administrative privileges on a guest virtual machine (VM) running on your Windows Hyper-V server, she can exploit this flaw to either crash the Hyper-V host and all your VMs, or to execute arbitrary code on one of the other guest VMs running on the same physical server. This flaw only affects Windows 8 x64 Edition and Windows Server 2012.

Microsoft rating: Important

  • MS13-093: AFD Information Disclosure Flaw

The Ancillary Function Driver (AFD) is a Windows component that helps manage Winsock TCP/IP communications. It suffers from a vulnerability involving the data it copies from kernel memory to user memory. In a nutshell, if a local attacker can log into one of your Windows computers and run a custom program, he could leverage this flaw to gain access to information in kernel space that he shouldn’t have access to. However, the attacker would need valid credentials on the target system, and could not leverage the flaw to elevate his privileges. This flaw only poses a minor risk.

Microsoft rating: Important

  • MS13-095: Digital Signature Handling DoS Flaw

Windows ships with various components that allow it to handle the digital certificates and signatures used to establish secure communications. Unfortunately, Windows does not properly handle malformed X.509 certificates. By sending a specially crafted X.509 certificate to a Windows web server, an attacker could cause a denial of service (DoS) condition, preventing the web server from responding to future requests.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them, especially server-related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as allowing you to block .wri files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).



Windows Patches Fix Kernel-Mode Drivers, .NET, Silverlight, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows, including related components like the .NET Framework and Silverlight
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites, or into running specially crafted programs
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing 12 vulnerabilities that affect Windows, or related components like the .NET Framework and Silverlight. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-081: Multiple Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers from seven serious code execution and elevation of privilege flaws, including one that attackers can execute remotely. Most of these flaws are local only; meaning an attacker would have to be able to log into your system, and run a specially crafted program to exploit them. However, one of these vulnerabilities has to do with how the kernel-mode driver handles OpenType fonts. If a remote attacker can trick one of your users into viewing anything that contains a specially crafted font, including a web page, she can exploit this flaw to gain full SYSTEM level privileges on that user’s computer (regardless of the user’s privileges). You should patch this one quickly.

Microsoft rating: Critical

  • MS13-082: Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers.

The .NET Framework component suffers from three new security vulnerabilities. The flaws differ in scope and impact, and include a remote code execution flaw and two denial of service (DoS) flaws. The remote code execution flaw has the worst impact and involves the way .NET parses OpenType fonts. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit this flaw to execute code on that user’s computer with that user’s privileges. As always, if your users have local administrator privileges, the attacker would gain complete control of their computer.

Microsoft rating: Critical

  • MS13-083: Common Control Library Remote Code Execution Vulnerability

Windows ships with a library of functions called the Common Control Library (Comctl32.dll), which—among other things—helps it create the interactive windows it’s known for. This Common Control Library suffers from an unspecified memory corruption vulnerability having to do with a very specific function in the library (DSA_InsertItem). However, you’re only exposed to this flaw if you use this function in one of your web applications without using secure coding practices (validating and sanitizing user inputs). This means only web application servers are exposed to the flaw, and even then, your exposure heavily depends on your web application code. That said, if you do manage a vulnerable web application, a remote attacker could exploit this flaw to gain complete control of the system running it.

Microsoft rating: Critical

  • MS13-087: Silverlight Information Disclosure Vulnerability

Silverlight is a cross-platform and cross-browser software framework used by developers to create rich media web applications (essentially, the replacement for the .NET framework). It suffers from a largely unspecified information disclosure vulnerability having to do with how it handles objects in memory. If an attacker can lure one of your Silverlight users to a malicious web site (or a legitimate site booby-trapped with malicious code), he can exploit this flaw to gain unauthorized access to some information on your user’s computer. Unfortunately, Microsoft’s bulletin doesn’t really say exactly what information the attacker gains access to. Based on the limited description of the flaw, we assume the attacker gains access to whatever information is currently stored in your computer’s memory.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them, especially server-related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:

  • EXPLOIT Microsoft OpenType Font Parsing Vulnerability (CVE-2013-3128)
  • WEB-CLIENT Microsoft .NET Framework Entity Expansion Vulnerability (CVE-2013-3860)

Your XTM appliance should get this new IPS update shortly.

However, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).



Minor Local Privilege Escalation Flaw in WSM Server Software

Severity: Low

Summary:

  • This vulnerability affects: WatchGuard System Manager (WSM) Server Software.
  • How an attacker exploits it: By placing a specially crafted DLL into a specific WatchGuard path
  • Impact: When you install WSM into a non-hardened, non-default directory, local users can execute code on your Windows computer with SYSTEM privileges (see mitigating factors below)
  • What to do: If you install WSM in a non-default location, or use XP, change the directory permissions of the WatchGuard folder

Exposure:

This week, Julien Ahrens of RCE Security disclosed a local elevation of privilege vulnerability that affects the Server Software portion of WatchGuard System Manager (WSM) 11.7.4 and below. Ahrens responsibly informed us of the flaw a month before his disclosure, and had our blessing to post his findings.

Specifically, the flaw is an insecure library loading vulnerability involving two services installed as part of our Server Software package: our Log Collector and WebBlocker services. These services run with SYSTEM privileges, and load certain libraries and DLLs found in WSM’s default install directory (typically %program files%/WatchGuard/wsm11). By placing a specially crafted version of a DLL file our services look for into one of WSM’s directories, a local, authenticated attacker could exploit this flaw to execute arbitrary code with SYSTEM privileges.

However, there are many mitigating factors that significantly lessen the severity of this vulnerability.

First, in order to exploit this flaw the attacking user must have the permissions necessary to access WatchGuard’s WSM directories. By default, our installer sets restrictive permissions to these folders, but the permissions differ depending on your version of Windows:

  • If you install WSM in the default location on Windows Vista, 7, 8, Server 2008 and 2012 computers, only users with administrative privileges can access the WSM directories, making this issue moot.
  • However, if you install WSM on Windows XP, Server 2000 and 2003 computers, we also allow the Windows Power User group to access the WatchGuard folders. That said, the Power User is already a fairly privileged user. Though still a vulnerability, a Power User => SYSTEM elevation of privilege is less severe.
  • Finally, there is one case of most concern. If you install WSM on Windows Vista, 7, 8, Server 2008 and 2012 computers in a non-default location, we do not change the permissions of the folder you choose. So if you install into a folder a guest could access, this becomes a guest => SYSTEM elevation of privilege.

In other words, if you install in default locations on Windows Vista and above, you are not vulnerable to this flaw. If you use older versions of Windows, this is only a slight elevation of privilege flaw. Only when you purposely decide to install the product into a non-hardened directory does this become a more significant issue.

Also, don’t forget the normal mitigating factors associated with local vulnerabilities. In order to exploit this issue, an attacker would already need local access to the Windows computer you use for management, and he’d need credentials to log into the machine. Normal security best practices suggest that you are already protecting the machine you use to manage your security appliance, and restricting access to it in many ways. If an attacker already has local access to your management computer, you already have a big problem.

Finally, remember that this flaw only allows the attacker to elevate his privilege on your Windows computer. It does not give him access to your WatchGuard management console, nor your XTM security appliance, both of which require separate authentication.

In short, though we take all vulnerabilities in our product seriously, and do plan on fixing this one, we think it poses a very low risk in the real world. Furthermore, the simple workaround below will totally alleviate the issue.

We’d like to thank Julien Ahrens and RCE Security for bringing this matter to our attention, and following a responsible disclosure path. If you’d like to learn more detail about this flaw, including Ahrens’ technical discussion, see this Full Disclosure post or his blog post.

Solution Path:

Though we have not patched this flaw yet, a simple workaround can protect you from this issue. If you are concerned with this issue, simply hardening the directory permissions of your WatchGuard WSM folders will protect you. Here’s how:

  • If you’re using a modern version of Windows, like Vista and above, and you’ve installed WSM in the default location, you’re already safe
  • If you’re using an older version of Windows, like XP, change the folder permissions of the %program files%/WatchGuard folder to reflect the users and groups you trust. To do so, right-click on the folder and choose Properties=>Security tab and remove the write permissions for any users or groups you don’t want to have access, such as the Power User group. We recommend you limit write access to administrator users.
  • Finally, if you are using a modern version of Windows, like Vista and above, and you’ve installed WSM in a non-default location, you should also change the folder permissions of the %install dir%/WatchGuard folder to reflect the users and groups you trust, using the same directions mentioned above.
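The workaround above comes down to making sure no untrusted user or group can write into the WSM folders. As an added example (not WatchGuard’s own tooling), the following PowerShell audits the install tree and lists every ACL entry that grants create, replace, delete or permission-change rights to an identity outside a trusted list. It assumes the page’s default install root (%ProgramFiles%\WatchGuard\wsm11) unless you pass -Path, and a default trusted list of SYSTEM, Administrators, TrustedInstaller and CREATOR OWNER that you can override with -TrustedIdentities.

```powershell
# Added example, not WatchGuard's own tooling: find ACL entries under the WSM
# install tree that would let a principal other than the ones you trust plant
# or replace a DLL. Assumptions: install root defaults to the page's default
# path; the trusted identity list is a default you can override.

# Rights that allow creating, replacing or deleting files, or rewriting the
# ACL itself. Any of these is enough for DLL planting in that folder.
$WriteLikeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Get-Acl sometimes reports generic access bits instead of specific rights.
$GENERIC_ALL   = 0x10000000
$GENERIC_WRITE = 0x40000000

function Test-WriteLikeRule {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    # Deny entries only restrict access; a write grant must be an Allow entry.
    if ($Rule.AccessControlType -ne 'Allow') { return $false }
    $bits = [int]$Rule.FileSystemRights
    return ((($bits -band [int]$WriteLikeRights) -ne 0) -or
            (($bits -band $GENERIC_ALL) -ne 0) -or
            (($bits -band $GENERIC_WRITE) -ne 0))
}

function Get-WsmUntrustedWriters {
    param(
        [string]$Path = (Join-Path $env:ProgramFiles 'WatchGuard\wsm11'),
        [string[]]$TrustedIdentities = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller',
            'CREATOR OWNER'   # only applies to objects a principal already created
        )
    )
    if (-not (Test-Path -Path $Path -PathType Container)) {
        throw "WSM install directory not found: $Path"
    }
    # The services load DLLs from more than one folder under the install root,
    # so check the root and every subdirectory.
    $folders = @(Get-Item -Path $Path) +
               @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($rule in $acl.Access) {
            $who = $rule.IdentityReference.Value
            if ($TrustedIdentities -contains $who) { continue }   # case-insensitive match
            if (-not (Test-WriteLikeRule -Rule $rule)) { continue }
            # Untrusted identity with write-like access: report the entry.
            New-Object PSObject -Property @{
                Folder    = $folder.FullName
                Identity  = $who
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Example run: a default install on Vista and later should report nothing; an
# XP-era install where Power Users still have write access reports
# 'BUILTIN\Power Users', and a non-default folder that inherited write access
# for Users or Everyone reports those identities.
$findings = @(Get-WsmUntrustedWriters)
if ($findings.Count -eq 0) {
    Write-Output 'No write-like access for untrusted identities found.'
} else {
    $findings | Format-Table Folder, Identity, Rights, Inherited -AutoSize
}
```

Each reported entry is one to remove through the folder’s Properties > Security tab as described above; entries marked Inherited come from the parent folder you chose at install time, which is the case the third bullet warns about.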

We plan on releasing a fix for the flaw in the version of WSM that immediately follows the one coming out shortly (the next release is currently in QA “code lock” status, so is not a candidate for the fix).

FAQ:

Are any of WatchGuard’s other products affected?

No. This only affects the Server Software that ships with WSM 11.7.4 and below.

What exactly is the vulnerability?

This is a local elevation of privilege vulnerability. If an attacker can gain physical (or remote desktop) access to your WatchGuard management computer, she may be able to exploit this flaw to execute code on the computer with SYSTEM privileges. However, whether or not the attacker can leverage the flaw depends on how you installed WSM, and what version of Windows you use. If you install using our defaults, you’re either not vulnerable to the issue, or the elevation is only from Power User to SYSTEM.

Does this give attackers access to my XTM security appliance?

No. This flaw only potentially allows a local user to elevate their Windows privileges. It does not give attackers any access to your management console or security appliance. That requires separate credentials.

How serious is the vulnerability?

In our opinion, this is a minor vulnerability, especially if you install WSM using our defaults. We believe most of our customers follow security best practices, and significantly restrict access to their WatchGuard management station.

Other than the workaround, when will you release an update to fix this?

We plan on fixing this issue in the release immediately following the next one. We are due to ship our latest version of WSM shortly, and it’s currently in a code lock status for QA, so we haven’t been able to work the fix into that release. Regardless, the simple workaround above—hardening your WatchGuard folder—will completely alleviate the issue.

How was this vulnerability discovered?

This flaw was discovered by Julien Ahrens of RCE Security, and confidentially reported to WatchGuard through a very responsible disclosure process. We thank Mr. Ahrens for working with us to keep our customers secure.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild, nor do we believe them likely to be in the future. In fact, we believe this flaw poses a very limited risk in the real world, due to its many mitigating factors.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Corey Nachreiner, CISSP.
Director of Security Strategy and Research
WatchGuard Technologies, Inc.
http://www.watchguard.com
corey.nachreiner@watchguard.com

One Critical and Four Important Windows Updates

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: Multiple vectors of attack, including luring users to open malicious files or to run specially crafted programs
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing 11 vulnerabilities in Windows. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-070: OLE Code Execution Vulnerability

Object Linking and Embedding (OLE) is a protocol that allows Windows to handle special compound documents, which contain embedded links to content from other document types, in other formats. OLE suffers from an unspecified object handling vulnerability, involving its inability to properly handle specially crafted OLE objects within documents. By tricking one of your users into opening a specially crafted document, an attacker could exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains complete control of their machines. All Microsoft Office documents, as well as many third-party files, can contain OLE objects, which attackers can use to exploit this flaw. This flaw only affects Windows XP and Server 2003.

Microsoft rating: Critical

  • MS13-071: Windows Theme Code Execution Vulnerability

Windows Themes are preconfigured sets of customized settings that provide a specific look, feel, and sound to your Windows desktop. Unfortunately, Windows doesn’t properly handle maliciously crafted theme files. By enticing you to load a specially crafted theme or screensaver file, an attacker can exploit this flaw to execute code on your computer with your privileges. If you’re an administrator, the attacker gains complete control of your computer. This flaw does not affect Windows 7 or 8 systems, nor Server 2012.

Microsoft rating: Important

  • MS13-076: Multiple Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The kernel-mode driver suffers from several serious code execution flaws. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

  • MS13-077: Service Control Manager Elevation of Privilege Vulnerabilities

The Service Control Manager (SCM) is the component Windows uses to start and stop operating system services. It suffers from a specific memory corruption vulnerability, a double free condition, which a local attacker could leverage to elevate their privileges. By running a specially crafted program, a local attacker could exploit this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly reduces the severity of this flaw. Also, the flaw only affects Windows 7 and Server 2008.

Microsoft rating: Important

Active Directory (AD) provides central authentication and authorization services for Windows computers and typically ships with server versions of Windows. AD suffers from a denial of service (DoS) vulnerability having to do with its inability to properly handle specially crafted LDAP queries. By sending a malicious LDAP query to an AD server, an attacker can exploit this flaw to force the server’s LDAP service to stop responding, putting it into a Denial of Service (DoS) state. However, administrators typically limit LDAP access to their local network, so this vulnerability primarily poses an internal threat. Note: this flaw also affects the AD Lightweight Directory Services (AD LDS), so it affects standard versions of Windows, not just the Server ones.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, test your updates before deploying them, especially server-related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (like blocking access to your AD server, or preventing users from downloading theme or screensaver files), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Six Windows Bulletins Fix a Wide Variety of Flaws

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Windows (including Windows RT)
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web content or running specially crafted programs
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released six security bulletins describing nine vulnerabilities in Windows. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-060: Uniscribe Code Execution Vulnerability

The Unicode Script Processor (USP10.DLL), also called Uniscribe, is a group of Windows components that handle displaying complex Unicode scripts, such as Arabic, Japanese, and Thai. It suffers from an unspecified memory corruption vulnerability involving its inability to handle specially malformed fonts. By luring one of your users into viewing a malicious font, perhaps hosted on a web site, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer. This flaw only affects Windows XP and Server 2003.

Microsoft rating: Critical

  • MS13-063: Multiple Kernel Elevation of Privilege Flaws

The kernel is the core component of any computer operating system. It suffers from four vulnerabilities. Three of the flaws are unspecified memory corruption vulnerabilities, which allow a local attacker to elevate his privileges. If a local attacker can run a specially crafted application, he could leverage any of these three flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability. The fourth flaw is an Address Space Layout Randomization (ASLR) bypass vulnerability. ASLR is a memory obfuscation technique that some operating systems use to make it harder for attackers to exploit memory corruption flaws; this fourth flaw allows attackers to bypass that security feature, and the update fixes it as well.

Microsoft rating: Important

  • MS13-062: RPC Elevation of Privilege Flaw

Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to allow one computer on a network to execute a task on another computer and then receive the results of that task. The Windows RPC component suffers from an elevation of privilege vulnerability involving its inability to properly handle asynchronous RPC requests. By sending a specially crafted RPC request to a shared host, an attacker could exploit this vulnerability to execute code with another user’s privileges. That said, most administrators do not allow RPC traffic through their firewall. Therefore, this flaw primarily poses an internal threat.

Microsoft rating: Important

  • MS13-064: Windows Server 2012 NAT Ping of Death

Network Address Translation (NAT) is a technology that lets many devices access the Internet through a single publicly routable Internet Protocol (IP) address, and Windows Servers ship with a driver to provide this capability. The NAT driver that ships with Windows Server 2012 suffers from a Denial of Service (DoS) vulnerability involving its inability to handle specially malformed ICMP messages (the protocol used for pinging other computers on a network). If you’ve enabled NAT on a Windows server, a remote unauthenticated attacker could leverage this flaw to crash that server simply by sending it a specially crafted packet.

Microsoft rating: Important

As mentioned above, the Internet Control Message Protocol (ICMP) is a standard used most commonly by the ping utility to send control and error messages over a network. ICMPv6 is the updated version of this protocol designed for IPv6. The Windows TCP/IP stack suffers from a vulnerability in the way it handles malformed ICMPv6 messages. The flaw is identical in scope and impact to the one described above. If a bad guy can send an ICMPv6 message to your Windows computer, he can crash it.

Microsoft rating: Important

  • MS13-066: AD FS Information Disclosure Vulnerability

Active Directory Federation Services (AD FS) is a service that allows you to share identity information between trusted business partners. In other words, it can extend Windows’ Active Directory authentication outside your organization. Microsoft doesn’t describe this flaw in much detail, only saying that it could reveal information about the service account AD FS uses. If the attacker had this information, he could use it to lock out the account, which would prevent all the services that rely on AD FS from logging in.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (like blocking ping or IPv6), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).



Windows Updates Fix Critical .NET and Kernel-mode Driver Flaws

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Windows (including 8 and RT), the .NET Framework, and Silverlight 5 (for PC and Mac). Some of these flaws also affect Office and Lync.
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web content or running specially crafted programs
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released five security bulletins that describe 18 vulnerabilities in Windows, the .NET Framework, Silverlight, and to some extent, Office and Lync. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-053: Various Kernel-Mode Driver Code Execution Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from eight local code execution flaws. The flaws differ technically, but most have to do with the kernel-mode driver improperly handling certain objects, which can result in memory corruption. Skilled attackers can leverage memory corruption flaws to execute code. In a nutshell, if a local attacker can run a specially crafted application, he could leverage most of these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability. That said, a Google researcher disclosed the details about one of these vulnerabilities to the public a while ago, and there have been reports of attackers already leveraging it in targeted attacks. Therefore, we highly recommend you apply this update immediately.

Microsoft rating: Critical

  • MS13-052: .NET Framework and Silverlight Code Execution Flaws

The .NET Framework and Silverlight are both software frameworks used by developers to create rich media web applications. The newer Silverlight framework is also known for being cross-platform and cross-browser. These frameworks suffer from seven security vulnerabilities. The flaws differ quite a bit technically, but all share the same impact: attackers could exploit them to gain full (SYSTEM-level) control of your computer. The attacker would only have to lure one of your Silverlight or .NET users to a malicious web site (or a legitimate site booby-trapped with malicious code) in order to trigger the flaws. Since two of these vulnerabilities were disclosed publicly before Microsoft released this patch, we recommend you install the .NET Framework and Silverlight updates as soon as possible.

Microsoft rating: Critical

  • MS13-054: GDI+ TrueType Font Handling Vulnerability

The Graphics Device Interface (GDI+) is one of the Windows components that handles images, specifically 2D vector graphics. GDI+ suffers from an unspecified remote code execution vulnerability involving its inability to properly handle specially malformed TrueType (TTF) fonts. By luring one of your users into viewing a malicious font, perhaps hosted on a web site, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer. GDI+ ships with Windows, but also with Office, Visual Studio, and Lync, so you need to patch all the affected products.

Microsoft rating: Critical

  • MS13-056: DirectShow Memory Overwrite Vulnerability

DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams, images, and files. It suffers from a memory overwrite vulnerability having to do with how it handles specially crafted graphics interchange format (GIF) images. By getting your users to view such a malicious image, perhaps via a web site or email, an attacker could leverage this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, the attacker gains full control of the users’ machines.

Microsoft rating: Critical

  • MS13-057: Windows WMV Remote Code Execution Vulnerability

Windows ships with various components, such as the Media Format Runtime, to help it process and play media files. The Windows Media Format Runtime suffers from an unspecified code execution vulnerability involving the way it handles Windows Media Video (WMV) media files. By enticing one of your users to download and play a specially crafted WMV file, or by luring them to a website containing such media, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.

Microsoft rating: Critical

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws, attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).



Three Windows Updates Fix Less Risky Vulnerabilities

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows or components often packaged with it (like the print spooler)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic or running malicious programs locally
  • Impact: Varies, ranging from a remote Denial of Service (DoS) attack to local attackers gaining complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins describing vulnerabilities affecting Windows or components related to it. They only rate these bulletins as Important or Moderate, due to limited impact or mitigating factors. Each of these vulnerabilities affects different versions of Windows to varying degrees. In the worst case, a local attacker could exploit one of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates at your earliest convenience.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-048: Windows Kernel Information Disclosure Flaw

The kernel is the core component of any computer operating system. The Windows kernel suffers from an information disclosure vulnerability, which attackers can leverage to gain unauthorized access to the contents of kernel memory. Though this flaw would not allow an attacker to gain elevated privileges on an affected system, the attacker could gain access to privileged information, which might help further their attack. In order to exploit the flaw, a local attacker would have to run a specially crafted program. However, the attacker would first need to gain local access to your Windows computer using valid credentials. This factor significantly reduces the severity of the issue.

Microsoft rating: Important

The TCP/IP driver is one of the kernel-mode drivers that help Windows handle TCP/IP networking traffic. It suffers from an unspecified Denial of Service (DoS) vulnerability having to do with its inability to handle certain TCP packets. By sending specially crafted packets to a vulnerable Windows computer, an attacker could cause the computer to stop responding. Though attackers couldn’t exploit this flaw to gain control of your computers, they can leverage it to cause downtime. Firewalls, like WatchGuard’s XTM appliances, can typically mitigate this type of attack by denying external attackers access to your internal Windows computers.

Microsoft rating: Moderate

  • MS13-050: Print Spooler Elevation of Privilege Flaw

The print spooler is a Windows service that manages printing. It suffers from an unspecified elevation of privilege vulnerability having to do with its inability to properly free memory when you delete a printer connection. If an attacker can gain enough local access to your computer to delete a printer connection, they can exploit this flaw to elevate their privileges and execute code with full system privileges. Of course, they’d need credentials on the targeted system, and local access to it, in order to carry out this attack. These requirements significantly mitigate the risk of this flaw.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.
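Each of the Solution Path sections on this page ends with the same step: deploy the updates and confirm they landed. The following PowerShell script is an added example, not part of any WatchGuard alert, of the verification step a deployment script can run on a Windows host after patching. It reads the installed-hotfix list and reports any expected update that is missing. The KB numbers in it are placeholders, since the bulletins on this page are referenced only by their MS13-xxx IDs; substitute the KB IDs from each bulletin’s “Affected and Non-Affected Software” section.

```powershell
# Added example (not from the WatchGuard alert): confirm that a set of Microsoft
# updates is installed before treating a Windows host as patched.
# The KB numbers used in the usage section are placeholders; replace them with
# the KB IDs listed in the relevant Microsoft security bulletin.

function Test-RequiredHotFix {
    [CmdletBinding()]
    param(
        # KB identifiers the host is expected to have, e.g. 'KB0000001' (placeholder form).
        [Parameter(Mandatory)]
        [string[]] $RequiredKB,

        # Host to query; defaults to the local machine.
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Get-HotFix reads the Win32_QuickFixEngineering class. Only updates that
    # register there are visible, so updates delivered through other package
    # types (e.g. some Office or Silverlight updates) must be verified by
    # checking the patched product's file or assembly version instead.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID

    # One result object per required KB, so the caller can filter or export it.
    foreach ($kb in $RequiredKB) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            HotFixID     = $kb
            Installed    = ($installed -contains $kb)   # -contains is case-insensitive
        }
    }
}

# Usage: list the result, then fail the script if anything is missing so a
# deployment job does not mark the host compliant.
$required = @('KB0000001', 'KB0000002')   # placeholders, not real KB numbers
$report   = Test-RequiredHotFix -RequiredKB $required
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("Missing {0} update(s): {1}" -f $missing.Count, ($missing.HotFixID -join ', '))
    exit 1
}
```

Run it after the reboot that most kernel and driver updates require, because an update that is downloaded but not yet fully installed may not appear in the hotfix list. For remote hosts, `-ComputerName` relies on the same DCOM/WMI access the `Get-HotFix` cmdlet always uses, so the account running the script needs local administrator rights on the target.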

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. However, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


