Severity: High
Summary:
These vulnerabilities affect: Most current versions of Windows (including 8 and RT), the .NET Framework, and Silverlight 5 (for PC and Mac). Some of these flaws also affect Office and Lync.
How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web content or running specially crafted programs
Impact: In the worst case, an attacker can gain complete control of your Windows computer.
What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.
Exposure:
Today, Microsoft released five security bulletins that describe 18 vulnerabilities in Windows, the .NET Framework, Silverlight, and to some extent, Office and Lync. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.
The summary below lists the vulnerabilities, in order from highest to lowest severity.
MS13-053: Various Kernel-Mode Driver Code Execution Flaws
The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at the kernel level. The Windows kernel-mode driver suffers from eight local code execution flaws. The flaws differ technically, but most have to do with the kernel-mode driver improperly handling certain objects, which can result in memory corruption. Smart attackers can leverage memory corruption flaws to execute code. In a nutshell, if a local attacker can run a specially crafted application, he could leverage most of these flaws to gain complete control of your Windows computer. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability. That said, a Google researcher disclosed the details of one of these vulnerabilities to the public a while ago, and there have been reports of attackers already leveraging it in targeted attacks. Therefore, we highly recommend you apply this update immediately.
Microsoft rating: Critical
MS13-052: .NET Framework and Silverlight Code Execution Flaws
The .NET Framework and Silverlight are both software frameworks used by developers to create rich media web applications. The newer Silverlight framework is also known for being cross-platform and cross-browser. These frameworks suffer from seven security vulnerabilities. The flaws differ quite a bit technically, but all share the same impact—attackers could exploit them to gain full (SYSTEM-level) control of your computer. The attacker would only have to lure one of your Silverlight or .NET users to a malicious web site (or a legitimate site booby-trapped with malicious code) in order to trigger the flaws. Since two of these vulnerabilities were disclosed publicly before Microsoft released this patch, we recommend you install the .NET Framework and Silverlight updates as soon as possible.
Microsoft rating: Critical
MS13-054: GDI+ TrueType Font Handling Vulnerability
The Graphics Device Interface (GDI+) is the Windows component that handles images, specifically 2D vector graphics. GDI+ suffers from an unspecified remote code execution vulnerability involving its inability to properly handle specially malformed TrueType (TTF) fonts. By luring one of your users into viewing a malicious font, perhaps hosted on a web site, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer. GDI+ ships with Windows, but also with Office, Visual Studio, and Lync, so you need to patch all the affected products.
Microsoft rating: Critical
MS13-056: DirectShow Memory Overwrite Vulnerability
DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams, images, and files. It suffers from a memory overwrite vulnerability having to do with how it handles specially crafted graphics interchange format (GIF) images. By getting your users to view such a malicious image, perhaps via a web site or email, an attacker could leverage this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, the attacker gains full control of the users’ machines.
Microsoft rating: Critical
MS13-057: Windows WMV Remote Code Execution Vulnerability
Windows ships with various components, such as the Media Format Runtime, to help it process and play media files. The Windows Media Format Runtime suffers from an unspecified code execution vulnerability involving the way it handles Windows Media Video (WMV) media files. By enticing one of your users to download and play a specially crafted WMV file, or by luring them to a website containing such media, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Critical
Solution Path:
Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.
The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:
MS13-052
MS13-053
MS13-054
MS13-056
MS13-057
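One way to verify the Solution Path above across your Windows hosts is to ask the Windows Update Agent which of the five bulletins still have uninstalled updates. The script below is an added example, not code from the WatchGuard alert or from Microsoft; it assumes the host can reach Windows Update, Microsoft Update, or its WSUS server, and that PowerShell 3.0 or later is available.

```powershell
# Added example (not part of the original alert): classify each July 2013 bulletin
# as Installed, Missing, or NotOffered on this host via the Windows Update Agent COM API.
$BulletinIds = 'MS13-052', 'MS13-053', 'MS13-054', 'MS13-056', 'MS13-057'

function Get-BulletinStatus {
    param([string[]]$Ids)

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Fetch both installed and pending updates so every bulletin can be classified.
    $result   = $searcher.Search('IsInstalled=1 or IsInstalled=0')

    foreach ($id in $Ids) {
        # IUpdate.SecurityBulletinIDs lists the MSyy-nnn bulletin(s) an update belongs to.
        $updates = @($result.Updates | Where-Object { @($_.SecurityBulletinIDs) -contains $id })

        if ($updates.Count -eq 0) {
            # Nothing offered: the affected product is not installed here, or this host
            # only talks to Windows Update and so never sees Office/Silverlight updates
            # (those require Microsoft Update or WSUS). Verify those products separately.
            $status = 'NotOffered'
        } elseif (@($updates | Where-Object { -not $_.IsInstalled }).Count -gt 0) {
            $status = 'Missing'
        } else {
            $status = 'Installed'
        }

        [pscustomobject]@{
            Bulletin = $id
            Status   = $status
            KBs      = (@($updates | ForEach-Object { @($_.KBArticleIDs) }) | Sort-Object -Unique) -join ','
            Titles   = ($updates | ForEach-Object { $_.Title }) -join '; '
        }
    }
}

$report = Get-BulletinStatus -Ids $BulletinIds
$report | Format-Table -AutoSize

# Non-zero exit so the script can gate a deployment or feed a compliance dashboard.
if (@($report | Where-Object { $_.Status -eq 'Missing' }).Count -gt 0) { exit 1 }
```

Run it with Invoke-Command against a list of hosts to get one row per bulletin per machine; a NotOffered result for MS13-052 or MS13-054 on a host that does have Silverlight or Office installed usually means the host is not opted in to Microsoft Update.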
For All WatchGuard Users:
Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws, attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.
Status:
Microsoft has released patches correcting these issues.
References:
Microsoft Security Bulletin MS13-052
Microsoft Security Bulletin MS13-053
Microsoft Security Bulletin MS13-054
Microsoft Security Bulletin MS13-056
Microsoft Security Bulletin MS13-057
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.