Volume 2, Number 1 -- January 5, 2005

More Windows Flaws Found


by Alex Woodie


Four new vulnerabilities were discovered in Microsoft Windows systems over the Christmas holiday, including flaws that could allow hackers to execute code remotely over the Internet on a victim's computer. The reports put the onus on Microsoft, which blasted the firm that revealed three of the problems just before Christmas, to come up with fixes quickly, before exploits can cause damage.

The first three vulnerabilities, having to do with the LoadImage API, the winhlp32.exe program, and the Windows kernel's parsing of .ani files, were discovered by a team of Chinese security researchers, XFocus and Venustech. The fourth vulnerability, an HTML help control exploit for which Trojan horse viruses have already been written, was discovered by a security researcher at Greyhats Security.

The LoadImage API integer buffer overflow vulnerability could enable an attacker to run arbitrary code on victims' computers if they open an HTML page or e-mail containing a specially crafted icon, cursor, or bitmap file. It affects Windows NT, Windows 2000, Windows XP, and Windows Server 2003, according to Venustech.

The winhlp32.exe heap overflow vulnerability exists as a result of decoding errors that manifest themselves in the parsing of a malicious help file, according to Symantec. Malicious help files encountered either through e-mail or malicious Web pages can be used to exploit this vulnerability. This vulnerability also affects Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

Just being on Windows XP Service Pack 2 (SP2) doesn't guarantee protection this time around. The virus written to exploit the HTML help control vulnerability, dubbed Trojan.Phel-A by Symantec, targets Windows XP SP2 systems, as do two of the three vulnerabilities described by XFocus and Venustech.

The one vulnerability to which Windows XP SP2 is immune, the so-called Windows Kernel ANI File Parsing Crash and DoS Vulnerability, actually covers two vulnerabilities in the way Windows parses Windows Animated Cursor (ANI) files. It can be used to cause a system to freeze or crash, and it affects Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

In addition to allowing attackers to take control of a victim's computer or to launch a denial-of-service attack, some of the vulnerabilities can be used as an avenue to load spyware onto a victim's computer. This is an area where Microsoft is looking to take the lead. By the end of January, Microsoft expects to launch a beta version of its new anti-spyware product, which is based on technology obtained in its acquisition of Giant Company in December.

Microsoft lashed out at XFocus for its handling of the new vulnerabilities. The Redmond, Washington, software giant reportedly claimed that the researchers did not notify the company of the security problems privately before posting them on the SecurityFocus public BugTraq mailing list.


The Greyhats Security researcher, who goes by the name of Paul, said he decided to post exploit code for the Windows help vulnerability because it has been known about for a while, and because Microsoft hadn't yet done anything about it. "Contrary to popular opinion, I do disclose my vulnerabilities to Microsoft before release. They do not res[p]ond to any of my e-mails, so I assumed they either 1) didn't care, or 2) were taking considerable action to patch these vulnerabilities," Paul wrote on his Web site. "The Microsoft statement that I do not disclose the vulnerabilities to them is untrue and is probably just an attempt by Microsoft to make me look bad because of their own incompetence."

Microsoft's next "Big Tuesday," the day it releases its monthly batch of security fixes and patches, is January 11. Microsoft holds a Big Tuesday on the second Tuesday of every month. In December, Microsoft started a new practice of providing a preview of the content of Big Tuesday on the Friday before the patches and their associated Microsoft Security Bulletins are to be released. Microsoft is reportedly looking into the newly disclosed vulnerabilities.

Microsoft has come under fire for the rigidity of its monthly patch cycle. Although the vendor says it considers breaking out of its cycle to address certain critical security flaws, it rarely does so in practice. And while the Big Tuesday events may help train users on the importance of keeping their systems up to date, they also give hackers and virus writers an advantage, since they can plan their activities around the security upgrade cycle.

Editor: Alex Woodie
Managing Editor: Shannon Pastore
Contributing Editors: Dan Burger, Joe Hertvik, Shannon O'Donnell,
Timothy Prickett Morgan, Victor Rozek, Kevin Vandever, Hesh Wiener
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034