Microsoft Security Bulletin MS13-027 - Important

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• In a default configuration, an unauthenticated attacker could only exploit this vulnerability if they have physical access to the system.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Prevent users from connecting to a USB device that has already been installed on the system

  Use this workaround to block the attack vector through a USB device that has already been installed on the system. You can change the registry to make sure that the device does not work when the user connects to the computer.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  Impact of workaround. Users cannot install a USB RNDIS device on the computer.

  1. Create backups of the registry keys. Backup copies can be made using a managed deployment script with the following commands:

     Regedit.exe /e Usb_rndis_backup.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndis
Regedit.exe /e Usb_rndisx_backup.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndisx
Regedit.exe /e Usb_rndis6_backup.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndis6

  2. Create a text file named Disable_USB_RNDIS.reg with the following contents:

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndis]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndisx]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usbrndis6]
"Start"=dword:00000004

  3. Run the registry script you created in step 2 on the target system with the following command:

     Regedit /s Disable_USB_RNDIS.reg

  How to undo the workaround. 

  Restore the backup files you created in step 1 of the Prevent users from connecting to a USB device that has already been installed on the system Workaround, above, with the following commands:

  Regedit /s Usb_rndis_backup.reg
Regedit /s Usb_rndisx_backup.reg
Regedit /s Usb_rndis6_backup.reg

• Disable the USB driver for a USB device that is not already installed on the system

  Use this workaround to block the attack vector through a USB device that has not already been installed on the system. Run the following commands from a command prompt as an administrator:

  For Windows XP and Windows Server 2003:

  cacls "%SystemRoot%\Inf\Netrndis.pnf" /E /P everyone:N
cacls "%SystemRoot%\Inf\Netrndis.inf" /E /P everyone:N

  For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012:

  takeown /f "%SystemRoot%\Inf\Netrndis.pnf"
icacls "%SystemRoot%\Inf\Netrndis.pnf" /save %TEMP%\NETRNDIS_PNF_ACL.TXT
icacls "%SystemRoot%\Inf\Netrndis.pnf" /deny everyone(F)

takeown /f "%SystemRoot%\Inf\Netrndis.inf"
icacls "%SystemRoot%\Inf\Netrndis.inf" /save %TEMP%\NETRNDIS_INF_ACL.TXT
icacls "%SystemRoot%\Inf\Netrndis.inf" /deny everyone(F)

  Impact of workaround. Users cannot install a USB RNDIS device on the computer.

  How to undo the workaround:

  Run the following commands from a command prompt as an administrator:

  For Windows XP and Windows Server 2003:

  cacls "%SystemRoot%\Inf\Netrndis.pnf" /E /R everyone
cacls "%SystemRoot%\Inf\Netrndis.inf" /E /R everyone

  For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012:

  icacls "%SystemRoot%\Inf\" /restore %TEMP%\NETRNDIS_PNF_ACL.TXT
icacls "%SystemRoot%\Inf\" /restore %TEMP%\NETRNDIS_INF_ACL.TXT

What is the scope of the vulnerability? 
This is an elevation of privilege vulnerability.

What causes the vulnerability? 
The vulnerability is caused when the Windows kernel-mode driver improperly handles objects in memory.

What is the Windows kernel? 
The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

How could an attacker exploit the vulnerability? 
An attacker could exploit the vulnerability by inserting a malicious USB device into the system.

What systems are primarily at risk from the vulnerability? 
Workstations are primarily at risk.

What does the update do? 
The update addresses the vulnerability by correcting the way that the Windows kernel-mode driver handles objects in memory.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• In a default configuration, an unauthenticated attacker could only exploit this vulnerability if they have physical access to the system.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Prevent users from connecting to a USB device that has already been installed on the system

  Use this workaround to block the attack vector through a USB device that has already been installed on the system. You can change the registry to make sure that the device does not work when the user connects to the computer.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  Impact of workaround. Users cannot install a USB RNDIS device on the computer.

  1. Create backups of the registry keys. Backup copies can be made using a managed deployment script with the following commands:

     Regedit.exe /e Usb_rndis_backup.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndis
Regedit.exe /e Usb_rndisx_backup.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndisx
Regedit.exe /e Usb_rndis6_backup.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndis6

  2. Create a text file named Disable_USB_RNDIS.reg with the following contents:

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndis]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndisx]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usbrndis6]
"Start"=dword:00000004

  3. Run the registry script you created in step 2 on the target system with the following command:

     Regedit /s Disable_USB_RNDIS.reg

  How to undo the workaround. 

  Restore the backup files you created in step 1 of the Prevent users from connecting to a USB device that has already been installed on the system Workaround, above, with the following commands:

  Regedit /s Usb_rndis_backup.reg
Regedit /s Usb_rndisx_backup.reg
Regedit /s Usb_rndis6_backup.reg

• Disable the USB driver for a USB device that is not already installed on the system

  Use this workaround to block the attack vector through a USB device that has not already been installed on the system. Run the following commands from a command prompt as an administrator:

  For Windows XP and Windows Server 2003:

  cacls "%SystemRoot%\Inf\Netrndis.pnf" /E /P everyone:N
cacls "%SystemRoot%\Inf\Netrndis.inf" /E /P everyone:N

  For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012:

  takeown /f "%SystemRoot%\Inf\Netrndis.pnf"
icacls "%SystemRoot%\Inf\Netrndis.pnf" /save %TEMP%\NETRNDIS_PNF_ACL.TXT
icacls "%SystemRoot%\Inf\Netrndis.pnf" /deny everyone(F)

takeown /f "%SystemRoot%\Inf\Netrndis.inf"
icacls "%SystemRoot%\Inf\Netrndis.inf" /save %TEMP%\NETRNDIS_INF_ACL.TXT
icacls "%SystemRoot%\Inf\Netrndis.inf" /deny everyone(F)

  Impact of workaround. Users cannot install a USB RNDIS device on the computer.

  How to undo the workaround:

  Run the following commands from a command prompt as an administrator:

  For Windows XP and Windows Server 2003:

  cacls "%SystemRoot%\Inf\Netrndis.pnf" /E /R everyone
cacls "%SystemRoot%\Inf\Netrndis.inf" /E /R everyone

  For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012:

  icacls "%SystemRoot%\Inf\" /restore %TEMP%\NETRNDIS_PNF_ACL.TXT
icacls "%SystemRoot%\Inf\" /restore %TEMP%\NETRNDIS_INF_ACL.TXT

What is the scope of the vulnerability? 
This is an elevation of privilege vulnerability.

What causes the vulnerability? 
The vulnerability is caused when the Windows kernel-mode driver improperly handles objects in memory.

What is the Windows kernel? 
The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

How could an attacker exploit the vulnerability? 
An attacker could exploit the vulnerability by inserting a malicious USB device into the system.

What systems are primarily at risk from the vulnerability? 
Workstations are primarily at risk.

What does the update do? 
The update addresses the vulnerability by correcting the way that the Windows kernel-mode driver handles objects in memory.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• In a default configuration, an unauthenticated attacker could only exploit this vulnerability if they have physical access to the system.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Prevent users from connecting to a USB device that has already been installed on the system

  Use this workaround to block the attack vector through a USB device that has already been installed on the system. You can change the registry to make sure that the device does not work when the user connects to the computer.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  Impact of workaround. Users cannot install a USB RNDIS device on the computer.

  1. Create backups of the registry keys. Backup copies can be made using a managed deployment script with the following commands:

     Regedit.exe /e Usb_rndis_backup.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndis
Regedit.exe /e Usb_rndisx_backup.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndisx
Regedit.exe /e Usb_rndis6_backup.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndis6

  2. Create a text file named Disable_USB_RNDIS.reg with the following contents:

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndis]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usb_rndisx]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usbrndis6]
"Start"=dword:00000004

  3. Run the registry script you created in step 2 on the target system with the following command:

     Regedit /s Disable_USB_RNDIS.reg

  How to undo the workaround. 

  Restore the backup files you created in step 1 of the Prevent users from connecting to a USB device that has already been installed on the system Workaround, above, with the following commands:

  Regedit /s Usb_rndis_backup.reg
Regedit /s Usb_rndisx_backup.reg
Regedit /s Usb_rndis6_backup.reg

• Disable the USB driver for a USB device that is not already installed on the system

  Use this workaround to block the attack vector through a USB device that has not already been installed on the system. Run the following commands from a command prompt as an administrator:

  For Windows XP and Windows Server 2003:

  cacls "%SystemRoot%\Inf\Netrndis.pnf" /E /P everyone:N
cacls "%SystemRoot%\Inf\Netrndis.inf" /E /P everyone:N

  For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012:

  takeown /f "%SystemRoot%\Inf\Netrndis.pnf"
icacls "%SystemRoot%\Inf\Netrndis.pnf" /save %TEMP%\NETRNDIS_PNF_ACL.TXT
icacls "%SystemRoot%\Inf\Netrndis.pnf" /deny everyone(F)

takeown /f "%SystemRoot%\Inf\Netrndis.inf"
icacls "%SystemRoot%\Inf\Netrndis.inf" /save %TEMP%\NETRNDIS_INF_ACL.TXT
icacls "%SystemRoot%\Inf\Netrndis.inf" /deny everyone(F)

  Impact of workaround. Users cannot install a USB RNDIS device on the computer.

  How to undo the workaround:

  Run the following commands from a command prompt as an administrator:

  For Windows XP and Windows Server 2003:

  cacls "%SystemRoot%\Inf\Netrndis.pnf" /E /R everyone
cacls "%SystemRoot%\Inf\Netrndis.inf" /E /R everyone

  For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012:

  icacls "%SystemRoot%\Inf\" /restore %TEMP%\NETRNDIS_PNF_ACL.TXT
icacls "%SystemRoot%\Inf\" /restore %TEMP%\NETRNDIS_INF_ACL.TXT

What is the scope of the vulnerability? 
This is an elevation of privilege vulnerability.

What causes the vulnerability? 
The vulnerability is caused when the Windows kernel-mode driver improperly handles objects in memory.

What is the Windows kernel? 
The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

How could an attacker exploit the vulnerability? 
An attacker could exploit the vulnerability by inserting a malicious USB device into the system.

What systems are primarily at risk from the vulnerability? 
Workstations are primarily at risk.

What does the update do? 
The update addresses the vulnerability by correcting the way that the Windows kernel-mode driver handles objects in memory.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Reference Table

The following table contains the security update information for this software.

Note The update for supported versions of Windows XP Professional x64 Edition also applies to supported versions of Windows Server 2003 x64 Edition.

Reference Table

The following table contains the security update information for this software.

Note The update for supported versions of Windows Server 2003 x64 Edition also applies to supported versions of Windows XP Professional x64 Edition.

Reference Table

The following table contains the security update information for this software.

Reference Table

The following table contains the security update information for this software.

Reference Table

The following table contains the security update information for this software.

Reference Table

The following table contains the security update information for this software.

Reference Table

The following table contains the security update information for this software.

Reference Table

The following table contains the security update information for this software.