Windows Updates Include .NET and MSXML Fixes

Windows Updates Include .NET and MSXML Fixes

Severity: High


  • These vulnerabilities affect: All current versions of Windows and components that often ship with it (like XML Core Services and the .NET Framework). Some vulnerable components also affect Office and Server Software products.
  • How an attacker exploits them: Multiple vectors of attack, including sending malicious print jobs to luring victims to malicious web pages.
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.


Today, Microsoft released six security bulletins that describe 11 vulnerabilities affecting Windows or components related to it,  such as the .NET Framework and XML Core Services (MSXML). Each of these vulnerabilities affects different versions of Windows to varying degrees. One of the component vulnerabilities (MSXML) also affects other Microsoft products, including Office, SharePoint Server, and Microsoft Expression.

A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones – as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-001: Print Spooler Remote Code Execution Vulnerability

The print spooler is a Windows service that manages printing. It suffers from an unspecified vulnerability having to do with its inability to handle specially crafted print jobs. By sending a specially crafted print request, an attacker can exploit this flaw to execute code on a Windows computer with full system privileges.  That said, most administrators do not allow the ports necessary for Windows printing through their firewall. By default, a WatchGuard XTM appliance will block Internet-based attackers from leveraging this flaw, so it primarily poses an internal threat.

Microsoft rating: Critical

  • MS13-002: Two MSXML Remote Code Execution Flaws

Microsoft XML Core Services (MSXML)  is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It often ships with various versions of Windows, and other Microsoft products like Office, SharePoint Server, Groove Server, and Expressions. If you have a Windows computer, you very likely have MSXML, and you need to update if you use any of the aforementioned products.

According to today’s bulletin, MSXML suffers from two vulnerabilities – likely memory corruption flaws, but Microsoft doesn’t specify – which remote attackers could leverage to execute code on vulnerable computers with the privileges of the currently logged-in user. An attacker would only have to lure you to a web site containing malicious XML content for his attack to succeed. Since most Windows users have local administrative privileges, this sort of attack often gives the attacker complete control of their computers.

Don’t forget, attackers often booby-trap legitimate web sites with drive-by download code. So it’s possible you could encounter attacks leveraging this sort of vulnerability when visiting perfectly legitimate web sites. We recommend you patch quickly to avoid these sorts of attacks.

Microsoft rating: Critical

  • MS13-004Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers.

The .NET Framework component suffers from four new security vulnerabilities.  The flaws differ in scope and impact, and include an information disclosure issue, and three elevation of privilege vulnerabilities; two due to buffer overflow flaws. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit the worst of these flaws to execute code on that user’s computer with full system privileges. This flaw also can affect non-web .NET applications, including custom ones you may have developed in-house. In short, if you’ve installed the .NET framework on any of your servers or clients, you should update them as quickly as possible.

Microsoft rating: Important

  • MS13-005Kernel-Mode Driver Elevation of Privilege Flaw

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from a new local elevation of privilege flaw having to do with how it improperly handles window broadcast messages. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker would first need to gain local access to your computer or trick you into running the program yourself, which significantly lessens the severity of this vulnerability.

Microsoft rating: Important

  • MS13-006: Windows SSLv3/TLS Degradation Attack

The Secure Socket Layer and Transport Layer Security (SSL/TLS) protocols are responsible for helping computers establish secure connection over networks. For instance, SSL/TLS is what you use when connecting to secure web sites. Like all operating systems, Windows ships with components necessary to handle SSL/TLS connections.

According to Microsoft’s bulletin, the SSL/TLS implementation that ships with most versions of Windows suffers from what they call a “Security Feature Bypass vulnerability.” Windows supports SSLv3, which includes the latest encryption ciphers. However, if an attacker can perform a Man-in-the-Middle attack on your SSL traffic, he can inject maliciously crafted traffic that forces Windows to downgrade to SSLv2. This doesn’t give the attacker immediate access to the SSL encrypted traffic, but it theoretically makes it easier to crack the SSL encryption, since SSLv2 supports weaker ciphers. Since this attack is relatively difficult to carry out, and doesn’t result in any true decryption of the SSL communication, we believe it poses a relatively low risk in the real world. Of course, we still recommend you patch it.

Microsoft rating: Important

At the highest level, the Open Data (OData) protocol is a standard that web applications can use to query and update data. In short, it’s like the many other protocols developers might use to get a web application to interact with a database. The OData component that ships with the .NET Framework suffers from a Denial of Service (DoS) vulnerability. By sending specially crafted HTTP requests, an attacker can leverage this flaw to disrupt your web server, preventing visitors from accessing it. Any IIS web server that includes the .NET Framework and has the Windows Communication Foundation (WCF) services installed is vulnerable to this DoS flaw, as is any Windows Server 2012 with IIS and the Management OData IIS Extension installed.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows, .NET Framework, and XML Core Services patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed a new signature that can detect and block the OData DoS vulnerability against IIS servers with the .NET Framework. Your XTM appliance should get this new IPS update shortly.

Nonetheless, attackers can exploit some of these flaws in other ways, including by convincing users to run executable files locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.


Microsoft has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at [email protected].

Published with permission from WatchguardWire. Source.

Leave a comment!

You must be logged in to post a comment.