
Microsoft Windows DirectPlay Invalid Free Memory Corruption Vulnerability

12.11.12

BACKGROUND

Microsoft Windows is an operating system produced by Microsoft. More information can be found at the following vendor's website:

http://windows.microsoft.com

DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Windows DirectPlay could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability is triggered when the DirectPlay ActiveX control is instantiated in order to determine whether it can be loaded in Office. An error during instantiation causes the control to release the wrong pointer: instead of the base address of the allocation, it passes an address 8 bytes into the block to the heap's free routine, i.e. free(pointer + 8). Freeing an interior pointer hands the heap an address that does not begin any block, so the allocator operates on bogus block metadata and its internal state is corrupted, which can lead to arbitrary code execution.
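The following C program is an added illustration of the bug class described above; it is not DirectPlay code and the object layout it uses (an 8-byte header followed by the payload the caller sees) is a constructed assumption chosen to mirror the "free(pointer + 8)" pattern. obj_release_buggy shows the invalid free, obj_release shows the corrected path that rewinds to the allocation base and refuses pointers that do not carry the header magic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout, constructed for this example (not DirectPlay's real
 * object): every allocation carries an 8-byte header and the caller is
 * handed a pointer to the payload that follows it (base + 8). */
#define HDR_SIZE 8u
#define OBJ_MAGIC 0x4F424A31u

typedef struct {
    uint32_t magic;       /* marks a genuine allocation base */
    uint32_t payload_len; /* bytes available after the header */
} obj_hdr;

/* Allocate header + payload and return the payload pointer (base + 8). */
void *obj_alloc(uint32_t len)
{
    unsigned char *base = malloc(HDR_SIZE + len);
    if (base == NULL)
        return NULL;
    obj_hdr *h = (obj_hdr *)base;
    h->magic = OBJ_MAGIC;
    h->payload_len = len;
    memset(base + HDR_SIZE, 0, len);
    return base + HDR_SIZE;
}

/* True only if p is the start of a block we allocated, i.e. the header
 * magic is in place. A payload pointer (base + 8) fails this check. */
int obj_is_valid_base(const void *p)
{
    obj_hdr h;
    if (p == NULL)
        return 0;
    memcpy(&h, p, sizeof h); /* memcpy: p may not be aligned for obj_hdr */
    return h.magic == OBJ_MAGIC;
}

/* VULNERABLE pattern: the payload pointer is passed straight to free().
 * The heap receives an address 8 bytes inside the block, reads garbage
 * where it expects its own chunk metadata and corrupts its bookkeeping.
 * Shown only for contrast; nothing below calls it. */
void obj_release_buggy(void *payload)
{
    free(payload); /* free(base + 8): the invalid free */
}

/* FIXED pattern: rewind to the allocation base before freeing, and refuse
 * to free anything that does not carry the header magic. Returns 1 when a
 * block was freed, 0 when the pointer was rejected. */
int obj_release(void *payload)
{
    if (payload == NULL)
        return 0;
    unsigned char *base = (unsigned char *)payload - HDR_SIZE;
    if (!obj_is_valid_base(base))
        return 0;
    free(base);
    return 1;
}

int main(void)
{
    void *p = obj_alloc(32);
    if (p == NULL)
        return 1;
    printf("payload pointer accepted as base? %d (expect 0)\n",
           obj_is_valid_base(p));
    printf("real base accepted?               %d (expect 1)\n",
           obj_is_valid_base((unsigned char *)p - HDR_SIZE));
    printf("release via fixed path:           %d (expect 1)\n",
           obj_release(p));
    return 0;
}
```

The magic check stands in for the validation a hardened heap performs on a freed block; on platforms where the allocator does not validate, an interior free like obj_release_buggy silently corrupts metadata, which is what makes the DirectPlay flaw exploitable rather than a mere crash.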

ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. To exploit this vulnerability, an attacker needs to convince a user to open a malicious file. Attackers typically accomplish this by e-mailing a targeted user the file or hosting the file on a Web page.

DETECTION

The following Microsoft products are vulnerable:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012

WORKAROUND

If Office is the attack vector, the Trust Center settings in Office 2007 and 2010 can be used to block all ActiveX controls from loading. This prevents exploitation of the vulnerability through Office documents; however, it may affect the viewing of files that rely on embedded controls.

VENDOR RESPONSE

Microsoft has released a fix which addresses this issue. For more information, consult their advisory at the following URL:

http://technet.microsoft.com/en-us/security/bulletin/ms12-082

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2012-1537 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

DISCLOSURE TIMELINE

08/01/2012 Initial Vendor Notification
08/01/2012 Initial Vendor Reply
12/11/2012 Coordinated Public Disclosure

CREDIT

This vulnerability was reported to iDefense by Aniway.Anyway@gmail.com.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

LEGAL NOTICES

Copyright © 2013 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense Verisign. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.