Multiple Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)

ITS Advisory Number: 
2013-063
Date(s) Issued: 
Tuesday, July 9, 2013
Subject: 
Multiple Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)
Overview: 

Eight vulnerabilities have been discovered in Microsoft Windows Kernel-Mode Drivers that could allow for remote code execution. These vulnerabilities are due to the way Windows handles specially crafted TrueType Font (TTF) files. Exploitation of these vulnerabilities could result in the execution of arbitrary code in kernel mode resulting in full control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.

Systems Affected: 
  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows 8
  • Windows Server 2012
  • Windows RT
Risk: 
Government:
  • Large and medium government entities: High
  • Small government entities: High
Business:
  • Large and medium business entities: High
  • Small business entities: High
Home Users: High
Description: 

Eight vulnerabilities have been discovered in Microsoft Windows Kernel-Mode Drivers that could allow for remote code execution. The security updates address these vulnerabilities by correcting the way Windows handles specially crafted TrueType Font (TTF) files and by correcting the way that Windows handles objects in memory. The details of the vulnerabilities are as follows:

  • An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
  • An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
  • An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory.
  • A remote code execution vulnerability exists in the way that affected components handle specially crafted TrueType font files. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
  • An information disclosure vulnerability that could lead to elevation of privilege exists in the way that the Windows kernel-mode driver improperly handles objects in memory.
  • A denial of service vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could cause the target system to stop responding.
  • An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
  • A remote code execution vulnerability exists; an attacker who successfully exploited it could execute arbitrary code in the security context of the Windows kernel.

Exploitation of these vulnerabilities could result in the execution of arbitrary code in kernel mode resulting in full control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.

Actions: 
  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Remind users not to open email attachments from unknown users or suspicious emails from trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
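The following PowerShell script is an added example for checking the first and last actions above; it is not part of the ITS advisory or of Microsoft's bulletin. It reports whether the MS13-053 update is present on the local host, using the KB number (2850851) given in the advisory title, and whether the current session is running elevated. It assumes the update is registered under that KB id in the host's installed-hotfix list (Win32_QuickFixEngineering), which is what Get-HotFix reads.

```powershell
# Added example (not from the advisory): verify the MS13-053 update and session privilege.
# Assumption: the update is listed under the KB id from the advisory title.
$KbId = 'KB2850851'

# Get-WmiObject rather than Get-CimInstance so the script also runs on the older
# PowerShell versions found on Windows XP / Server 2003 hosts named in the advisory.
$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host ("Host: {0}  OS: {1} ({2})" -f $env:COMPUTERNAME, $os.Caption, $os.Version)

# Get-HotFix writes an error when the requested id is absent; SilentlyContinue turns
# that into an empty result so the script can branch on it.
$fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

if ($fix) {
    Write-Host ("{0} is installed (installed on {1} by {2})." -f $KbId, $fix.InstalledOn, $fix.InstalledBy)
} else {
    Write-Warning ("{0} was not found; this host may still be exposed to the MS13-053 vulnerabilities." -f $KbId)
}

# The advisory recommends running software as a non-privileged user. Report whether this
# session holds the Administrator role so the operator can see how far a compromise would reach.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Current session elevated: {0}" -f $elevated)
```

To check a fleet rather than one machine, Get-HotFix accepts -ComputerName, so the same query can be run against a list of hosts from a management workstation; a host where the KB is missing should be prioritised for patching under the first action above.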
References: 
Microsoft:
https://technet.microsoft.com/en-us/security/bulletin/ms13-053
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3660