Tag Archives: TCP/IP

Four Windows Bulletins: Critical TCP/IP Vulnerability Allows Remote Root

Bulletins Affect TCP/IP, Active Directory,  Windows Mail, and More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it (though most only affect more recent versions of Windows)
  • How an attacker exploits them: Multiple vectors of attack including sending specially crafted packets, or enticing users into opening booby-trapped files
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing four vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees, with most of this month’s bulletins affecting Windows Vista, 7, and Server 2008. A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PCs. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS11-083: TCP/IP Remote Code Execution Vulnerability

As you would expect, the Windows TCP/IP stack is a set of networking protocols that allows your computer to get on the Internet and participate in modern networking. Unfortunately, the Windows TCP/IP stack suffers from an integer overflow flaw involving its inability to properly parse a continuous flow of specially crafted UDP packets. By sending such packets, an attacker could leverage this flaw to gain complete control of your Windows computer. This flaw only affects Windows Vista, 7, and the Server 2008 versions of Windows. That said, this is a seriously vulnerability, and we recommend you patch it immediately.
Microsoft rating: Critical

  • MS11-085: Windows Mail and Meeting Space Insecure Library Loading Vulnerability

Windows Mail is the default email client that ships with Windows and Meeting Space is a built in document and desktop sharing application.  Unfortunately, both these components suffers from the insecure Dynamic Link Library (DLL) loading class of vulnerability that we’ve described in many previous Microsoft alerts. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of booby-trapped file from the same location as a specially crafted, malicious DLL file. If you do open the booby-trapped file, it will execute code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. In this particular case, the vulnerability is triggered by files types associated with Mail and Meeting Space–specifically .EML and .WCINV files. 
Microsoft rating: Important.

  • MS11-086: Active Directory Elevation of Privilege Vulnerability

Active Directory (AD) provides central authentication and authorization services for Windows computers and ships with server versions of Windows. Among its many options, AD allows you to authentication using certificates. AD suffers from a certificate handling vulnerability when configured to use LDAP over SSL (LDAPS). In short, AD doesn’t properly recognize revoked SSL certificates, which means an attacker can use a revoked certificate to authenticate and possibly gain access to your systems. However, the attacker would first have to somehow gain access to the revoked certificate for a valid account on your domain to leverage this flaw, which significantly mitigates its severity. If an attacker has access to valid account certificates, revoked or not, you already have a serious problem on your hands.
Microsoft rating: Important.

  • MS11-084: Kernel-mode Driver Denial of  Service Vulnerability

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. The kernel-mode driver suffers from a Denial of Service (DoS) vulnerability involving the way it handles specially crafted TrueType font files. By enticing one of your users to open a specially crafted font file, or to browse to a share hosting such a file, an attacker could exploit this flaw to cause your system to stop responding, until you restart it. This flaw only affects Windows 7 and Server 2008 R2.
Microsoft rating: Moderate.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-083:

MS11-085:

* Server Core installations not affected: If you chose the “Server Core” installation option, Windows does not install unnecessary client applications, such as Mail or Meeting Space.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Black Tuesday: Windows Bulletins Primarily Affect Recent Versions

As expected, today’s Patch Day has a Windows theme, since all of Microsoft’s security bulletins affect Windows or components that ship with it. More importantly, most of the updates primarily affect modern versions of Windows, such as Windows Vista, 7, or Server 2008; only one of the Important bulletins affect older versions of Windows.

A remote code execution flaw in the Windows TCP/IP stack is, by far, the worst flaw this batch of security updates fixes. By sending a stream of specially crafted UDP packets, an attacker could exploit this flaw to gain complete control of a Windows Vista, 7, or Server 2008 computer. UDP packets on any port would work. If you allow any UDP packets through your firewall, attackers could leverage this flaw to pop your computer. I highly recommend you apply Microsoft’s Windows updates as soon as you can, especially if you run a more recent version of Windows.

You can learn more about today’s updates in Microsoft’s November summary bulletin. As is normally the case with Microsoft updates, you should probably test the patches before deploying them in your production network — especially the ones that affect server software.

I’ll post the more detail, consolidated Windows alert here, shortly. Stay tuned. – Corey Nachreiner, CISSP

Six Windows Bulletins Fix Important and Moderate Flaws

Bulletins Affect TCP/IP Stack, Data Access Components, the Kernel, and More

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network packets, enticing your users to open malicious files, or running malicious applications locally
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Yesterday, Microsoft released six security bulletins describing seven vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS11-059: Data Access Components Code Execution Vulnerability

According to Microsoft, Windows Data Access Components (Windows DAC) help provide access to information across an enterprise. Unfortunately, Windows DAC allows unrestricted access to the loading of external libraries. By enticing one of your users to open a specially crafted Excel file residing in the same location as a malicious DLL file, an attacker could exploit this flaw to execute code on that user’s system, with that users privileges. If your users have local administrative privileges, the attacker gains complete control of their machine. This flaw only affects Windows 7 and later.
Microsoft rating: Important.

  • MS11-061: Remote Desktop Web Access XSS Vulnerability

Windows Remote Desktop (RD) allows you to gain network access to your Windows desktop from anywhere. The Web Access component provides this capability through a web browser. Unfortunately, the RD Web Access component suffers from a Cross-Site Scripting (XSS)  vulnerability. By enticing one of your users into clicking a specially crafted link, an attacker could run script on that users computer under the context of the RD Web Access component, potentially giving the attacker access to your remote desktop. This flaw only affects Windows Server 2008 R2 x64.
Microsoft rating: Important.

  • MS11-062: RAS NDISTAPI Driver Elevation of Privilege Vulnerability

Remote Access Service (RAS) is a component that allows you to access networks over phone lines, and the NDISTAPI driver is one of the RAS components that helps provide this functionality. The NDISTAPI driver doesn’t properly validate users input that it passes to the Windows kernel. By running a specially crafted application, an attacker can leverage this flaw to elevate his privilege, gaining complete control of your Windows machine. However, the attacker would first need to gain local access to your Windows computers using valid credentials, in order to run his special program. This factor significantly reduces the risk of this flaw. Finally, this flaw only affects XP and Server 2003.
Microsoft rating: Important.

  • MS11-063: CSRSS Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from a Elevation of Privilege (EoP) vulnerability. Like the NDISTAPI driver flaw above, by running a specially crafted program, an authenticated attacker could leverage these flaws to gain complete, SYSTEM-level  control of your Windows computers. However, like before, the attacker would first need to gain local access to your Windows computers using valid credentials, which somewhat reduces the risk of these flaws.
Microsoft rating: Important.

  • MS11-064: TCP/IP Stack DoS Vulnerabilities

The Windows TCP/IP stack provides IP-based network connectivity to your computer. It suffers from two Denial of Service (DoS) vulnerabilities. On of the flaws is a variant of the very old Ping of Death vulnerability. By sending a specially crafted ICMP message, an attacker can cause your system to stop responding or reboot. Most firewalls, including WatchGuard’s XTM appliances, prevent external exploit of this classic DoS flaw. The second flaw has to do with how the TCP/IP stack handles specially crafted URLs. By sending a specially crafted URL to one of your Windows Web servers, an attacker could exploit this flaw to cause the server to lock up or reboot. These flaws only affect Windows Vista and later.
Microsoft rating: Important.

  • MS11-068: Windows Kernel DoS Vulnerability

The kernel is the core component of any computer operating system. The Windows kernel suffers from a Denial of Service (DoS) vulnerability, involving a flaw in the way it parses metadata in files. By running a specially crafted program, an attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of these flaws. This flaw only affect Windows Vista and later.
Microsoft rating:Moderate.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-059:

MS11-061:

MS11-063:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


Follow

Get every new post delivered to your Inbox.

Join 7,374 other followers

%d bloggers like this: