Watchguard Live Security: Six of Eleven Windows Vulnerabilities Rated Critical

Six of Eleven Windows Vulnerabilities Rated Critical
BULLETINS AFFECT SMB2, WINDOWS MEDIA PLAYER, IIS FTP, AND MORE
SEVERITY: HIGH
13 October, 2009
SUMMARY:

• These vulnerabilities affect: All current versions of Windows and components that ship with it – also the .NET Framework and Silverlight
• How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets or enticing your users to view malicious media
• Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches immediately, or use Windows’ automatic update features to download these patches automatically

EXPOSURE:
Today, Microsoft released eleven security bulletins describing 27 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. Some of the flaws also affect other Microsoft products, such as Silverlight, SQL Server, Office, and Microsoft’s Developer Tools. A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity. Six of Eleven Windows Vulnerabilities Rated Critical
BULLETINS AFFECT SMB2, WINDOWS MEDIA PLAYER, IIS FTP, AND MORE
SEVERITY: HIGH
13 October, 2009
SUMMARY:

• These vulnerabilities affect: All current versions of Windows and components that ship with it – also the .NET Framework and Silverlight
• How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets or enticing your users to view malicious media
• Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches immediately, or use Windows’ automatic update features to download these patches automatically

EXPOSURE:
Today, Microsoft released eleven security bulletins describing 27 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. Some of the flaws also affect other Microsoft products, such as Silverlight, SQL Server, Office, and Microsoft’s Developer Tools. A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS09-050: SMBv2 Code Execution Vulnerabilities

The SMB2 service is a newer version of Microsoft’s Server Message Block (SMB) protocol service that Windows uses to share files, printers, and other resources. SMBv2 only ships with Windows Vista, Windows 7, and Server 2008. Last Month, a researcher discovered a zero day vulnerability in the SMBv2 service. Other researchers confirmed this flaw, and verified that attackers could exploit it to execute code on Windows machines. By sending specially crafted SMBv2 requests, an attacker could exploit this flaw to gain complete control of your Windows users’ computers. That said, most administrators do not allow SMB traffic through their firewall. So this flaw primarily poses an internal threat. Microsoft’s bulletin finally fixes this SMBv2 flaw and two others like it. You can read our earlier Wire posts about this zero day SMBv2 flaw here and here. Finally, while SMBv2 does ship with Windows 7, this vulnerability only affects the Release Candidate (RC) version of Windows 7; not the Release To Manufacturing (RTM) build that is sold to the public. Windows 7 RTM users are not vulnerable to these SMBv2 flaws.

Microsoft rating: Critical.

• MS09-051: Two Windows Media Runtime Code Execution Vulnerabilities

Windows Media Runtime is a component that provides information and tools Windows and other applications need to play or view media content. This component suffers from two vulnerabilities: a memory corruption vulnerability involving how it handles certain compressed audio files, and a code execution vulnerability that has to do with how it handles ASF media files that make use of Window’s Media Speech codec. Both vulnerabilities share the same scope and impact. By enticing one of you users to view or play a specially crafted media file, an attacker could leverage either of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If you users have local administrator privileges, the attacker gains complete control of their computers.

Microsoft rating: Critical.

• MS09-052: Windows Media Player Buffer Overflow Vulnerability

Windows Media Player is the digital media player program that ships with Windows, and plays various audio and video files. It suffers from a buffer overflow vulnerability that has to do with how it processes ASF files. If an attacker can convince one of your users to play a specially crafted ASF file, he can leverage this flaw to execute code on your user’s computer, with that user’s privileges. As with most Windows vulnerabilities, if your user has local administrator privileges the attacker gains complete control of their machines.

Microsoft rating: Critical

• MS09-062: Multiple GDI+ Code Execution Vulnerabilities

Windows’ Graphic Device Interface (GDI+) is the core operating system component used to render graphical objects to output devices like your monitor or printer. GDI+ contains eight buffer overflow or memory corruption vulnerabilities that attackers could exploit to execute malicious code. The flaws all differ technically, but share the same scope and impact. If an attacker can entice one of you users to view a malicious image, open a malicious document, or visit a malicious web page, he could exploit one of these vulnerabilities to gain control of that user’s computer. Microsoft’s bulletin makes it difficult to know whether or not the attacker immediately gains complete control of the user’s system, or only the victim user’s level of control. In some parts of their bulletin they say, “complete control.” Yet, in other parts they mention the attacker’s level of privilege depends on the victim user. That said, since most Windows users have local administrative privileges anyway, we suspect most attacks leveraging these vulnerabilities would give attackers complete control of your Windows computers. Note: Besides affecting Windows, these flaws also affect:

• NET Framework
• Internet Explorer
• Microsoft Office and other Office software
• SQL Server
• Developer Tools
• and Forefront Client Security.

Be sure to patch all the affected Microsoft products.

Microsoft rating: Critical.

• MS09-055: Cumulative ActiveX Killbit Update

Microsoft’s Active Template Library (ATL) is a collection of programmatic templates that help developers create ActiveX controls. Windows ships with many different components that have ActiveX controls created with the ATL library. Unfortunately, Microsoft has found another vulnerability in one of the ActiveX controls created with the ATL library. If an attacker can entice one of your users to a malicious web page, he could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. As is the case with most Windows flaws, if your user has local administrative privileges, the attacker gains complete control of his machine. This bulletin sets the killbit for this vulnerable ActiveX control, and all past vulnerable ActiveX controls. This new ActiveX vulnerability is very similar to the ones we described in a past, out-of-cycle Microsoft LiveSecurity Alert. While some of these ATL vulnerabilities only affect Windows components, others could also affect third party ActiveX controls created with the vulnerable Microsoft ATLs.

Microsoft rating: Critical.

• MS09-061: Three .NET Framework Code Execution Flaws.

The .NET Framework is software framework developers can use to create new Windows applications. Unfortunately, the .NET Framework suffers from three complicated remote code execution vulnerabilities that allow attackers to gain inappropriate privileges on your Windows systems. Though the flaws differ technically, they share the same scope and impact. If an attacker can get you to run a maliciously crafted .NET application, he can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. If your users have local administrative access, the attacker gains full control of their PCs. The .NET application can run both locally, and over the web, so simply visiting a malicious website could trigger this vulnerability.

Microsoft rating: Critical

• MS09-053: IIS FTP Service Remote Code Execution and DoS Vulnerability.

Microsoft’s Internet Information Services (IIS) is one of the most popular web server services used on the Internet. IIS also provides an FTP service as well. All server versions of Windows come with IIS, though some of its services may not start by default. In a previous LiveSecurity alert, we described a zero day IIS FTP service vulnerability that attackers could leverage to either crash your IIS server, or gain complete control of it. The attacker only had to connect to your FTP server, and send it a specially crafted command to leverage this flaw. Today’s IIS FTP bulletin fixes that previously unpatched flaw.

Microsoft rating: Important.

• MS09-058: Three Windows Kernel Elevation of Privilege Vulnerabilities

The Windows kernel suffers from three elevation of privilege (EoP) vulnerabilities. All three of the EoP flaws differ technically, but share a similar scope. By running a specially crafted program on one of your Windows computers, an attacker can gain complete control of that system, regardless of his original user privileges. However, the attacker needs to have local access to one of your computers in order to run his malicious program. So these vulnerabilities primarily pose an internal risk.

Microsoft rating: Important.

• MS09-057: Indexing Service Memory Corruption Vulnerability

The Windows Indexing services catalogs content within your files and directories to speed up the searching process. An ActiveX control that ships with the Indexing services suffers from an unspecified memory corruption vulnerability involving the way it handles specially crafted web content. By luring one of your users to a web page with malicious code, an attacker can exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. As is the case with most Windows flaws, if your user has local administrative privileges, the attacker gains complete control of his machine.

Microsoft rating: Important

• MS09-059: LSASS Denial of Service (DoS) Vulnerability
  • The Local Security Authority Subsystem Service (LSASS) is a Windows component that handles authentication and enforces security policies. LSASS suffers from an integer underflow flaw that results in a Denial of Service (DoS) vulnerability. By sending maliciously crafted packets during the authentication process, an attacker could exploit this flaw to cause your Windows computer to reboot. However, most administrators don’t allow authentication traffic to pass beyond their local network. This flaw only poses a marginal internal risk.
    
    Microsoft rating: Important.
    • MS09-056: CryptoAPI Spoofing Vulnerabilities
      • CryptoAPI is the component that provides basic cryptographic services to Windows, such as encryption, authentication, and digital certificate handling. CryptoAPI suffers from two vulnerabilities which could allow an attacker to create a digital certificate that impersonates another user or system. For instance, the attacker could leverage this flaw to create a certificate that appeared to belong to http://www.paypal.com, when in reality it belongs to the attacker. By either enticing you to his malicious website, or leveraging some other DNS vulnerability that forwards you to his website, an attacker could leverage this certificate spoofing vulnerability to convince you that his malicious site really belongs to some trusted entity.
        
        Microsoft rating: Important.
        
        SOLUTION PATH:
        
        Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
        
        MS09-050:
        • Windows Vista
        • Windows Vista x64
        • Windows Server 2008
        • Windows Server 2008 x64
        • Windows Server 2008 Itanium
        MS09-051:
        • Microsoft Windows 2000
        • DirectShow WMA Voice Codec
        • Windows Media Audio Voice Decoder
        • Audio Compression Manager
        • Windows XP
        • DirectShow WMA Voice Codec
        • Windows Media Audio Voice Decoder for SP2
        • Windows Media Audio Voice Decoder for SP3
        • Audio Compression Manager
        • Windows XP Professional x64
        • DirectShow WMA Voice Codec
        • Windows Media Audio Voice Decoder
        • Windows Media Audio Voice Decoder in Windows Media Format SDK 9.5 x64 Edition
        • Windows Media Audio Voice Decoder in Windows Media Format SDK 11
        • Audio Compression Manager
        • Windows Server 2003
        • DirectShow WMA Voice Codec
        • Windows Media Audio Voice Decoder
        • Audio Compression Manager
        • Windows Server 2003 x64
        • DirectShow WMA Voice Codec
        • Windows Media Audio Voice Decoder
        • Windows Media Audio Voice Decoder in Windows Media Format SDK 9.5 x64 Edition
        • Audio Compression Manager
        • Windows Vista
        • Windows Media Audio Voice Decoder
        • Windows Vista x64
        • Windows Media Audio Voice Decoder
        • Windows Server 2008
        • Windows Media Audio Voice Decoder
        • Windows Server 2008 x64
        • Windows Media Audio Voice Decoder
        MS09-052:
        • Windows Server 2000
        • Microsoft Windows Media Player 6.4
        • Windows XP
        • Microsoft Windows Media Player 6.4
        • Windows XP x64
        • Microsoft Windows Media Player 6.4
        • Windows Server 2003
        • Microsoft Windows Media Player 6.4
        • Windows Server 2003 x64
        • Microsoft Windows Media Player 6.4
        Note: These vulnerabilities do not affect any other versions of Windows.
        
        MS09-062:
        • Windows XP
        • Windows XP x64
        • Windows Server 2003
        • Windows Server 2003 x64
        • Windows Server 2003 Itanium
        • Windows Vista
        • Windows Vista x64
        • Windows Server 2008*
        • Windows Server 2008 x64*
        • Windows Server 2008 Itanium
        
        As mentioned in the Exposure section above, these GDI+ vulnerabilities affect many other Microsoft products, including Office and SQL Server. We highly recommend you visit the “Affected and Non-Affected Software” section of Microsoft’s GDI+ bulletin to find and download any other relevant patches for your organization.
        
        MS09-055:
        • Windows 2000
        • Windows XP
        • Windows XP x64
        • Windows Server 2003
        • Windows Server 2003 x64
        • Windows Server 2003 Itanium
        • Windows Vista
        • Windows Vista x64
        • Windows Server 2008
        • Windows Server 2008 x64
        • Windows Server 2008 Itanium
        • Windows 7
        • Windows 7 x64
        • Windows Server 2008 R2 x64
        • Windows Server 2008 R2 Itanium
        MS09-061:
        We recommend you see the “Affected Software” section of this Microsoft bulletin to find all the potential .NET framework patches. With all the different versions of .NET Framework, combined with the different Windows and Framework Service Pack variants, there are actually many confusing possibilities for which patches to apply. If it fits your organization’s policy, we highly recommend you use Windows’ automatic update feature to download the right patch.
        
        MS09-053:
        • Windows 2000
        • IIS 5.0 (FTP Service 5.0)
        • Windows XP
        • IIS 5.1 (FTP Service 5.1)
        • Windows XP x64
        • IIS 5.1 (FTP Service 5.1)
        • Windows Server 2003
        • IIS 6.0 (FTP Service 6.0)
        • Windows Server 2003 x64
        • IIS 6.0 (FTP Service 6.0)
        • Windows Server 2003 Itanium
        • IIS 6.0 (FTP Service 6.0)
        • Windows Vista
        • IIS 7.0 (FTP Service 6.0)
        • Windows Vista x64
        • IIS 7.0 (FTP Service 6.0)
        • Windows Server 2008
        • IIS 7.0 (FTP Service 6.0)
        • Windows Server 2008 x64
        • IIS 7.0 (FTP Service 6.0)
        • Windows Server 2008 Itanium
        • IIS 7.0 (FTP Service 6.0)
        MS09-058:
        • Windows 2000
        • Windows XP
        • Windows XP x64
        • Windows Server 2003
        • Windows Server 2003 x64
        • Windows Server 2003 Itanium
        • Windows Vista
        • Windows Vista x64
        • Windows Server 2008
        • Windows Server 2008 x64
        • Windows Server 2008 Itanium
        MS09-057:
        • Windows 2000
        • Windows XP
        • Windows XP x64
        • Windows Server 2003
        • Windows Server 2003 x64
        • Windows Server 2003 Itanium
        MS09-059:
        • Windows XP
        • Windows XP x64
        • Windows Server 2003
        • Windows Server 2003 x64
        • Windows Server 2003 Itanium
        • Windows Vista
        • Windows Vista x64
        • Windows Server 2008
        • Windows Server 2008 x64
        • Windows Server 2008 Itanium
        • Windows 7
        • Windows 7 x64
        • Windows Server 2008 R2 x64
        • Windows Server 2008 R2 Itanium
        MS09-056:
        • Windows 2000
        • Windows XP
        • Windows XP x64
        • Windows Server 2003
        • Windows Server 2003 x64
        • Windows Server 2003 Itanium
        • Windows Vista
        • Windows Vista x64
        • Windows Server 2008
        • Windows Server 2008 x64
        • Windows Server 2008 Itanium
        • Windows 7
        • Windows 7 x64
        • Windows Server 2008 R2 x64
        • Windows Server 2008 R2 Itanium
        FOR ALL WATCHGUARD USERS:
        
        By default, your WatchGuard Firebox blocks the network traffic associated with many of these attacks. However, attackers leverage some of the attacks locally, or by sending normal-looking HTTP traffic. Therefore, the patches above are your best solution.
        
        STATUS:
        Microsoft has released patches correcting these issues.
        
        REFERENCES:
        • Microsoft Security Bulletin MS09-050
        • Microsoft Security Bulletin MS09-051
        • Microsoft Security Bulletin MS09-052
        • Microsoft Security Bulletin MS09-053
        • Microsoft Security Bulletin MS09-055
        • Microsoft Security Bulletin MS09-056
        • Microsoft Security Bulletin MS09-057
        • Microsoft Security Bulletin MS09-058
        • Microsoft Security Bulletin MS09-059
        • Microsoft Security Bulletin MS09-061
        • Microsoft Security Bulletin MS09-062