Vulnerability in Direct2D Could Allow Remote Code Execution (2912390)

ITS Advisory Number: 2014-008
Date(s) Issued: Tuesday, February 11, 2014
Subject: Vulnerability in Direct2D Could Allow Remote Code Execution (2912390)
Overview: 

A vulnerability has been discovered in Microsoft Direct2D that could allow remote code execution. Direct2D is a 2D and vector graphics application programming interface designed by Microsoft. This vulnerability can be exploited when a user views a specially crafted image file. Successful exploitation could allow an attacker to gain the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Microsoft Windows 7
  • Microsoft Windows 8
  • Microsoft Windows RT
  • Microsoft Windows 2008 R2
  • Microsoft Server 2012
RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
Home Users: High
Description: 

A remote code execution vulnerability exists in the way that affected Windows components handle specially crafted 2D geometric figures. The vulnerability could allow remote code execution if a user views files containing such specially crafted figures using Internet Explorer. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

Actions: 
  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Remind users not to open email attachments from unknown users or suspicious emails from trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
References: 
  • Microsoft: https://technet.microsoft.com/en-us/security/bulletin/ms14-007
  • CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0263