Eleven Windows Bulletins Patch Many Critical Vulnerabilities

Critical SMB, OLE, and .NET Flaws Corrected

Severity: High

14 June, 2011

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (as well as some optional components like .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic or enticing your users to view malicious images
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released eleven security bulletins describing a dozen vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity (according to Microsoft’s summary).

  • MS11-038: OLE Automation Code Execution Vulnerability

According to Microsoft, Object Linking and Embedding (OLE) Automation is a Windows protocol that allows an application to share data with or to control another application. Unfortunately, OLE Automation suffers from a vulnerability involving the way it parses specially crafted Windows MetaFile (WMF) images. By tricking a user into viewing a specially crafted image, perhaps hosted on a web site, an attacker could exploit this flaw to execute code with that user’s privileges. If your users have local administrative privileges, the attacker gains complete control of their machines.
Microsoft rating: Critical

The .NET Framework is software framework used by developers to create new Windows and web applications. The .NET Framework (and SilverLight) suffers from two complex vulnerabilities having to do with how it validates parameters passed to network function, or how its JIT compiler validates values within objects. The scope and impact of these complex vulnerabilities differs depending on the attack vector. There are three potential vectors of attack: An attacker can host a malicious .NET web site; attack your .NET web site, or leverage one of your custom .NET applications to potentially elevate his privilege. We believe the malicious .NET web site poses the most risk. If an attacker can entice you to a specially crafted site (or to a legitimate site that somehow links to his malicious site), he can exploit this flaw to execute code on your computer, with your privileges. If you are a  local administrator, the attacker has full control of your machine. If you’ve installed .NET Framework, you should patch, even if you do not run custom .NET applications or web sites.
Microsoft rating: Critical

  • MS11-041  Kernel-Mode Drivers Code Execution Vulnerability

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. This kernel-mode driver suffers from a code execution flaw involving the way it handles OpenType fonts on 64-bit systems. By enticing one of your users to view a specially crafted font, an attacker could exploit this flaw to gain full control of that user’s computer (regardless of the user’s privilege). However, the malicious font would have to reside on the local computer, or a network share in order for this attack to succeed. Again, the flaw only affects 64-bit versions of Windows.
Microsoft rating: Critical

  • MS11-042 DFS Memory Corruption Vulnerability

Microsoft’s Distributed File System (DFS) is a collection of client and server services that allows you to create what appears to be a single file share, but actually consists of shares on multiple hosts. The Windows DFS service suffers from two security vulnerabilities. The worst is a memory corruption flaw that has to do with how the DFS client handles specially crafted DFS responses. By hosting a malicious server on your network, which sends specially crafted DFS responses to requesting clients, an attacker could exploit this memory corruption flaw to gain complete control of a Windows computer (or in some cases, just crash your computer). That said, most adminstrators do not allow DFS traffic past their firewall. So these vulnerabilites primarily pose an internal risk.
Microsoft rating: Critical

  • MS11-043: SMB Client Code Execution Vulnerability

Microsoft Server Message Block (SMB) is the protocol Windows uses for file and print sharing. According to Microsoft, the Windows SMB client suffers from a security vulnerability which attackers could leverage to execute malicious code. By enticing one of your users to connect to a malicious SMB server, or by sending a specially crafted SMB message in response to a legitimate local request, an attacker can exploit this flaw to gain complete control of a vulnerable Windows computer. However, firewalls like WatchGuard’s XTM appliances typically block SMB traffic from the Internet, making these vulnerabilities primarily an internal risk. That said, many types of malware leverage SMB vulnerabilities to self-propagate within networks, once they infect their first victim.
Microsoft rating: Critical

  • MS11-037: MHTML Information Disclosure Vulnerability

In our February advanced notification post, we mentioned a zero day MHTML vulnerability that was similar to a Cross-site Scripting (XSS) vulnerability.The flaw involves the Windows MHTML or MIME HTML component, which is used to handle special web pages that include both HTML and MIME (typically pictures, audio, or video) content contained in one file. If an attacker can entice you to visit a specially crafted web-page, or click a malicious link, he could exploit this flaw in much the same way he might exploit a Cross-Site Scripting (XSS) vulnerability; to steal your cookies, redirect your browser to malicious sites, or essentially take any action you could on a web site. Last April, Microsoft supposedly fixed this flaw. However, their fix must not have been complete since this update fixes a new variant of essentially the same issue.
Microsoft rating: Important.

  • MS11-046 AFD Elevation of Privilege Vulnerability

The Ancillary Funtion Driver (AFD.sys) is driver that handles Winsock TCP/IP communications. This kernel-mode driver suffers from an elevation of privilege (EoP) vulnerability. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.
Microsoft rating: Important

  • MS11-047: Windows 2008 Hyper-V DoS Vulnerability

Hyper-V is the hypervisor technology that Windows 2008 uses for virtualization. Hyper-V suffers from a Denial of Service (DoS) vulnerability having to do with how it handles specially crafted communications between a guest OS and the host OS. By running a specially crafted program within a guest OS, an attacker can exploit this flaw to cause a 2008 server to stop responding until you reboot it. However, the attacker needs administrative access on the guest OS in order to exloit this flaw. The flaw only affects 2008 servers.
Microsoft rating: Important

  • MS11-048: SMB Server DoS Vulnerability

The Windows SMB Server suffers from a Denial of Service (DoS) vulnerability having to do with how it handles specially crafted SMB requests. By sending a specially crafted SMB packet, an attacker can exploit this flaw to cause a Windows computer to stop responding until you rebooted it. Like the SMB client vulnerabilit mentioned before, this vulnerability primarily poses an internal risk since firewalls block SMB.
Microsoft rating: Important

  • MS11-051 AD Certificate Services Web Enrollment EoP Vulnerability

The Active Directory (AD) Certificates Services Web Enrollment site suffers from a Cross-site Scripting (XSS) vulnerability. By enticing one of your users to click a specially crafted link, an attacker could exploit this flaw to steal your cookies, redirect your browser to malicious sites, or essentially take any action you could on the AD Web Enrollment site. This flaw only affects the non-Itanium, server versions of Windows.
Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-038:

* Note: Server Core installations not affected.

MS11-039MS11-044:

Due to the complicated, version-dependent nature of .NET Framework updates, we recommend you see the Affected & Non-Affected Software section of Microsoft’s Bulletins for patch details (or let Windows Automatic Updates handle the patch for you).

MS11-041:

MS11-042:

MS11-043:

MS11-037:

* Note: Server Core installations not affected.

MS11-046:

MS11-047:

MS11-048:

MS11-051:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall could help mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent all attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

No comments yet... Be the first to leave a reply!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 7,681 other followers

%d bloggers like this: