Severity: High
10 March, 2009
Summary:
- These vulnerabilities affect: All current versions of Windows
- How an attacker exploits them: Multiple vectors of attack, including enticing your users to a malicious web site
- Impact: Various results; in the worst case, attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches immediately
Exposure:
Today, Microsoft released three security bulletins describing eight vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.
Severity: High
10 March, 2009
Summary:
- These vulnerabilities affect: All current versions of Windows
- How an attacker exploits them: Multiple vectors of attack, including enticing your users to a malicious web site
- Impact: Various results; in the worst case, attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches immediately
Exposure:
Today, Microsoft released three security bulletins describing eight vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.
MS09-006: Three Windows Kernel Vulnerabilities
The kernel is the core component of any operating system (OS), and is responsible for managing communication between hardware and software. According to Microsoft’s security bulletin, the Windows kernel suffers from three vulnerabilities. The worst of these flaws involves the kernel component for the Windows Graphics Device Interface (GDI). This is a component Windows uses to output graphics to your monitor or printer. Unfortunately, the GDI kernel component doesn’t properly validate certain graphic input. By enticing one of your users to view a maliciously crafted image (either a .wmf or .emf image), possibly hosted on a malicious web site, a remote attacker can exploit this vulnerability to execute code on that user’s computer with full “SYSTEM” privileges. This means the attacker gains complete control of that user’s PC. The remaining two kernel flaws are both elevation of privilege vulnerabilities that require Windows credentials and local access to exploit.
Microsoft rating: Critical.
MS09-007: SChannel Certificate Authentication Spoofing Vulnerability
SChannel is the Windows component used to implement the Secure Sockets Layer (SSL) protocol, and its successor, the Transport Layer Security (TLS) protocol. Many network clients use these protocols to build secure connections over the Internet. For instance, your web browser commonly uses these protocols to establish connections to secure web sites. These protocols also support certificate-based authentication, where users have public and private keys they use to authenticate to secure servers (you can learn more about public key infrastructure (PKI) here).
Unfortunately, SChannel does not properly enforce the public/private key relationship. Typically, when your web browser authenticates to a secure web site using the public key component of your certificate, it should also validate that you have access to the correct private key corresponding to that public key. SChannel does not correctly validate this public/private key relationship. As a result, if an attacker can gain access to only your public key, he can use it to authenticate to secure servers, impersonating you. The attacker would not need access to your private key to carry out this attack. Granted, your public key doesn’t get as widely distributed as its name might suggest. An attacker would have to packet sniff on your network, or entice you to a specially crafted site in order to get your public key. However, it is still much more available than your private key. Not validating the private key completely defeats the security that public key cryptology offers.
Microsoft rating: Important.
MS09-008: Four Windows DNS and WINS Server Vulnerabilities.
The DNS and WINS servers that ship with the Server versions of Windows suffer from four security vulnerabilities. First, the DNS Server suffers from two DNS cache poisoning vulnerabilities due to programmatic flaws that allow attackers a better chance of predicting the next DNS transaction ID. These flaws are similar to the major DNS flaws Dan Kaminsky described last year. If you’d like to learn more about the flaws reported by Dan Kaminsky, and how greater predictability of DNS transaction IDs can lead to DNS cache poisoning attacks, you can read our previous DNS alerts [ 1 / 2 ], or listen to the July ’08 episode of Radio Free Security.
Next, both the DNS and WINS servers suffer from what Microsoft calls Web Proxy Auto-Discovery (WPAD) registration vulnerabilities. WPAD is a Microsoft-designed protocol that allows your web browser to automatically find proxy servers on your network by looking for host names or domain names that start with “wpad”. Unfortunately, if you are not using this feature, and haven’t registered the “wpad” domain or hostname on your WINS and DNS servers, any attacker on your network can register the “wpad” name for you. Once they do, any browsers that support WPAD (such as IE and Firefox) will redirect all your users web traffic through that attacker’s server, thus allowing the attacker to see all of your users web traffic (commonly referred to as a Man-in-the-Middle (MitM) attack).However, only a local attacker can leverage this vulnerability.
Microsoft rating: Important.
Solution Path:
Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
- For Windows 2000
- For Windows XP
- For Windows XP x64
- For Windows Server 2003
- For Windows Server 2003 x64
- For Windows Server 2003 Itanium
- For Windows Vista
- For Windows Vista x64
- For Windows Server 2008
- For Windows Server 2008 x64
- For Windows Server 2008 Itanium
- For Windows 2000
- For Windows XP
- For Windows XP x64
- For Windows Server 2003
- For Windows Server 2003 x64
- For Windows Server 2003 Itanium
- For Windows Vista
- For Windows Vista x64
- For Windows Server 2008
- For Windows Server 2008 x64
- For Windows Server 2008 Itanium
- For Windows 2000
- For Windows Server 2003
- For Windows Server 2003 x64
- For Windows Server 2003 Itanium
- For Windows Server 2008
- For Windows Server 2008 x64
Note: This vulnerability only affects the Server versions of Windows.
For All WatchGuard Users:
Attackers exploit most of these attacks locally, without passing traffic through your firewall. For that reason, we urge you to apply the patches above.
However, many of WatchGuard’s Firebox models allow you to prevent your users from accessing certain content based on file extensions. If you like, you can temporarily mitigate the risk of one of these vulnerabilities by blocking .WMF and .EMF image files using your Firebox’s proxy services. Keep in mind, doing this also blocks legitimate .WMF and .EMF images as well.
If you choose to block these image types, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .WMF and .EMF files by their file extensions:
- Firebox X Edge running 10.x
- Firebox X Core and X Peak running Fireware 10.x
Status:
Microsoft has released patches correcting these issues.