Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (MS13-081)

ITS Advisory Number: 2013-095
Date(s) Issued: Tuesday, October 8, 2013
Subject: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (MS13-081)
Overview:

Seven vulnerabilities have been discovered in Microsoft Windows Kernel-Mode Drivers that could allow for remote code execution. Exploitation of these vulnerabilities could result in the execution of arbitrary code in kernel mode resulting in full control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.

Systems Affected: 
  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows 8
  • Windows Server 2012
  • Windows RT
Risk:
  • Government - Large and medium government entities: High
  • Government - Small government entities: High
  • Business - Large and medium business entities: High
  • Business - Small business entities: High
  • Home Users: High
Description: 

Seven vulnerabilities have been discovered in Microsoft Windows Kernel-Mode Drivers that could allow for remote code execution. The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling. The details of the vulnerabilities are as follows:

A remote code execution vulnerability exists in the way that Windows parses specially crafted OpenType fonts (OTF). To exploit this vulnerability, an attacker could convince a user to visit a webpage that contains a specially crafted embedded font. When the user visits the specially crafted site, the vulnerability could result in remote code execution as the embedded font is parsed and displayed.

An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory.

An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory.

An elevation of privilege vulnerability exists in the Windows App Container. The App Container is a process isolation mechanism that offers more fine-grained security permissions than operating systems prior to Windows 8. This security feature can block write and read access to most of the system. An attacker could convince an authenticated user to execute a specially crafted application. The application could be used to disclose information from an App Container other than the one in which the malicious application is running on the affected system.

An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

An elevation of privilege vulnerability exists when the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) improperly handles objects in memory.

A remote code execution vulnerability exists in the way that Windows parses specially crafted TrueType fonts (TTF). The vulnerability is caused when the Windows kernel-mode driver does not properly parse the CMAP table when rendering a specially crafted TrueType font.

An attacker who successfully exploited these vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
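As an added illustration for the TrueType CMAP item above, the following is a defensively written parser for the TrueType/OpenType cmap table. It is not part of this advisory and is not Microsoft's code, and it does not reproduce the specific defect fixed by MS13-081, whose internals the advisory does not describe. The table layout (header, encoding records, format 0 and format 4 subtables, and the idRangeOffset-relative addressing) follows the public OpenType specification; the sample table bytes and the function names are constructed here. The point it demonstrates is the check a robust font parser must make: every offset taken from the file is validated against the real size of the table before it is dereferenced.

```python
import struct


class FontParseError(ValueError):
    """Raised when a cmap table is truncated or an offset points outside it."""


def parse_cmap(cmap: bytes) -> dict:
    """Parse a TrueType/OpenType cmap table into {codepoint: glyph_id}.

    Every offset read from the table is checked against the table's real size
    before it is used; a malformed table raises FontParseError instead of
    reading out of bounds.
    """
    if len(cmap) < 4:
        raise FontParseError("cmap header truncated")
    version, num_tables = struct.unpack_from(">HH", cmap, 0)
    if version != 0:
        raise FontParseError(f"unsupported cmap version {version}")
    if 4 + num_tables * 8 > len(cmap):
        raise FontParseError("encoding records run past end of cmap table")

    mapping = {}
    for i in range(num_tables):
        _platform, _encoding, offset = struct.unpack_from(">HHI", cmap, 4 + i * 8)
        if offset + 4 > len(cmap):
            raise FontParseError(f"encoding record {i} offset outside cmap table")
        fmt = struct.unpack_from(">H", cmap, offset)[0]
        if fmt == 0:
            _parse_format0(cmap, offset, mapping)
        elif fmt == 4:
            _parse_format4(cmap, offset, mapping)
        # Other subtable formats are skipped in this illustration.
    return mapping


def _parse_format0(cmap, off, mapping):
    # Format 0: 6-byte header followed by a fixed 256-entry byte array.
    if off + 262 > len(cmap):
        raise FontParseError("format 0 subtable truncated")
    for code, glyph in enumerate(struct.unpack_from(">256B", cmap, off + 6)):
        if glyph:
            mapping[code] = glyph


def _parse_format4(cmap, off, mapping):
    # Format 4: segmented mapping; a glyph id comes either from idDelta
    # arithmetic or from an idRangeOffset-relative read into glyphIdArray.
    if off + 14 > len(cmap):
        raise FontParseError("format 4 header truncated")
    _fmt, length, _lang, seg_x2 = struct.unpack_from(">HHHH", cmap, off)
    sub_end = off + length
    if sub_end > len(cmap):
        raise FontParseError("format 4 length exceeds cmap table")
    if seg_x2 == 0 or seg_x2 % 2:
        raise FontParseError("invalid segCountX2")
    seg_count = seg_x2 // 2
    if 16 + seg_count * 8 > length:  # endCode, pad, startCode, idDelta, idRangeOffset
        raise FontParseError("segment arrays exceed subtable length")

    end_codes = struct.unpack_from(f">{seg_count}H", cmap, off + 14)
    start_codes = struct.unpack_from(f">{seg_count}H", cmap, off + 16 + seg_count * 2)
    deltas = struct.unpack_from(f">{seg_count}h", cmap, off + 16 + seg_count * 4)
    range_off_pos = off + 16 + seg_count * 6
    range_offs = struct.unpack_from(f">{seg_count}H", cmap, range_off_pos)

    for i in range(seg_count):
        start, stop = start_codes[i], end_codes[i]
        if start > stop:
            raise FontParseError(f"segment {i} has startCode > endCode")
        for code in range(start, stop + 1):
            if code == 0xFFFF:  # sentinel segment, never a real mapping
                continue
            if range_offs[i] == 0:
                glyph = (code + deltas[i]) & 0xFFFF
            else:
                # Spec: address is relative to &idRangeOffset[i]. The value is
                # file-controlled, so it must stay inside the subtable.
                addr = range_off_pos + i * 2 + range_offs[i] + (code - start) * 2
                if addr + 2 > sub_end:
                    raise FontParseError(f"segment {i} idRangeOffset points outside subtable")
                glyph = struct.unpack_from(">H", cmap, addr)[0]
                if glyph:
                    glyph = (glyph + deltas[i]) & 0xFFFF
            if glyph:
                mapping[code] = glyph


def cmap_is_well_formed(cmap: bytes) -> bool:
    """True if the table parses without any bounds violation."""
    try:
        parse_cmap(cmap)
        return True
    except FontParseError:
        return False


def build_sample_cmap(corrupt_range_offset: bool = False) -> bytes:
    """Constructed sample (not from a real font): one format 4 subtable mapping
    'A'..'C' via idDelta and 'a','b' via glyphIdArray, plus the 0xFFFF sentinel."""
    #             start    end     idDelta    idRangeOffset
    segments = [(0x41,   0x43,   1 - 0x41,  0),
                (0x61,   0x62,   0,         4000 if corrupt_range_offset else 4),
                (0xFFFF, 0xFFFF, 1,         0)]
    glyph_id_array = [10, 11]
    body = b"".join(struct.pack(">H", s[1]) for s in segments)   # endCode[]
    body += struct.pack(">H", 0)                                  # reservedPad
    body += b"".join(struct.pack(">H", s[0]) for s in segments)  # startCode[]
    body += b"".join(struct.pack(">h", s[2]) for s in segments)  # idDelta[]
    body += b"".join(struct.pack(">H", s[3]) for s in segments)  # idRangeOffset[]
    body += b"".join(struct.pack(">H", g) for g in glyph_id_array)
    # searchRange/entrySelector/rangeShift left 0: this parser does not use them.
    subtable = struct.pack(">HHHHHHH", 4, 14 + len(body), 0, len(segments) * 2, 0, 0, 0) + body
    header = struct.pack(">HH", 0, 1) + struct.pack(">HHI", 3, 1, 12)  # one record at offset 12
    return header + subtable


if __name__ == "__main__":
    print(parse_cmap(build_sample_cmap()))
    print(cmap_is_well_formed(build_sample_cmap(corrupt_range_offset=True)))
```

The well-formed sample yields the expected five mappings; the copy whose idRangeOffset is pushed outside the subtable, and a copy truncated by two bytes, are both rejected before any out-of-bounds read. A kernel-mode font engine that performed the equivalent of these length checks before following file-supplied offsets would turn a crafted font into a parse failure rather than a memory-safety fault.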

Actions: 
  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to open email attachments from unknown users or suspicious emails from trusted sources.
References: 
Microsoft:
http://technet.microsoft.com/en-us/security/bulletin/ms13-081
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3128
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3200
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3879
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3880
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3881
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3888
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3894