Volume 5, Number 14 -- April 9, 2008

New Batch of Windows Flaws Gives Hackers a Roadmap to Riches

Published: April 9, 2008

by Alex Woodie

Microsoft yesterday issued eight patches for 10 flaws, including six critical vulnerabilities that hackers have already started to pore over. While there were no zero-day flaws, the new batch poses a very real danger to users, who can be unknowingly redirected to a malicious site, or infected by viewing a malicious ad inserted onto an otherwise trusted Web site. April's Patch Tuesday also takes the shine off Windows Server 2008 and Windows Vista SP1, which needed patching due to their extensive reuse of legacy Windows code.

The fun starts with Security Bulletin MS08-018, which addresses the newly discovered Project Memory Validation vulnerability in Microsoft Project versions 2000, 2002, and 2003. This flaw could allow a nefarious user to take complete control of a victim's computer by tricking him or her into opening a malformed Project file from a Web site or an e-mail attachment. Microsoft says this critical vulnerability has not been exploited on the Web, and was reported by the South Korean government's National Cyber Security Center.

Two critical vulnerabilities in Windows graphics device interface (GDI) were addressed with Security Bulletin MS08-021. These two vulnerabilities, which could allow a hacker to take total control, affect all versions of Windows going back to Windows 2000, and are the first flaws in the new Windows Server 2008 and Windows Vista Service Pack 1 (SP1) operating systems publicly disclosed by Microsoft. The flaws, which Microsoft says are not being exploited in the wild, were reported by a group of security experts, including Jun Mao of iDefense Labs, Sebastian Apelt of Zero Day Initiative, Thomas Garnier of SkyRecon, and Yamata Li of Palo Alto Networks.

A critical flaw in Windows' VBScript and JScript rendering engines was fixed with Security Bulletin MS08-022. The flaw, which could allow hackers to take total control of victims' computers when they visit a malformed Web page, affects most versions of Windows 2000, Windows XP, and Windows Server 2003; Vista and Windows Server 2008 are not affected. Microsoft credits Peter Ferrier of Symantec with pointing out the vulnerability, which Microsoft says is not being exploited (yet).

This patch, which was previously slated for February's Patch Tuesday, but was delayed two months, caught the eye of Sheldon Malm, director of security research and development for nCircle. "We've been very concerned about this one," he says. "It's another case where Web sites hosting third-party content can be used in multi-staged attacks. This is a particularly troubling trend for users because trusted sites can be used in an attack without compromising the site itself."

Moving on, Security Bulletin MS08-023 uses an ActiveX kill bit to address a memory corruption vulnerability in a control included in previous products, a flaw that could allow a hacker to launch a Web-based attack using ActiveX controls. The flaw is considered critical when certain combinations of Internet Explorer and Windows are in use, including IE 5 and IE 6 on Windows 2000 and Windows XP, but only important on Windows Vista, moderate on Windows Server 2003, and low on Windows Server 2008. The problem isn't being exploited in the wild, says Microsoft, which credits an anonymous researcher with iDefense Labs with reporting the bug.

These three patches--MS08-021, MS08-022, and MS08-023--are the most critical patches issued yesterday by Microsoft, says Amol Sarwate, manager of the vulnerability research lab at Qualys. "By Qualys' standards, these are especially important given that all versions of Windows from 2000-2008 are affected and do not require any special software such as Project or Visio to be exploited," Sarwate says. "The attack vector is simple--users are lured via a Web link to a Web site that contains malformed image files that only require viewing to infect a machine."

The final critical patch, Security Bulletin MS08-024, is a cumulative update for IE versions 5, 6, and 7. The update includes a patch for a recently discovered flaw, the Data Stream Handling Memory Corruption Vulnerability, that could give hackers complete control of computers that are directed to a malicious Web site. Carsten Eiram of Secunia gets credit for spotting this flaw, which Microsoft says in no way is currently being exploited.

Three Important Patches

Microsoft also issued three less-important patches that still rate as "important" on Microsoft's danger scale.

The first of these is Security Bulletin MS08-019, which fixes two remote code execution vulnerabilities in Visio versions 2002, 2003, and 2007. Normally, a remote code execution flaw would qualify for the "critical" rating. For some reason (probably because Visio is not as widely used), Microsoft gave this remote code execution flaw a less severe rating. But obviously, for users of Visio, this is a pretty important patch. Visio viewers were not affected. Check the security bulletin for known issues with this patch, which replaces a patch issued last year. Microsoft says there are no current attacks using these flaws, and it didn't name who reported them.

A spoofing flaw in Windows has been fixed with Security Bulletin MS08-020. Microsoft cited a lack of "entropy" in the DNS Client's random number generator potentially allowing hackers to redirect Web traffic from a legitimate address to a malicious Web site, without the user knowing it. The problem exists in Windows 2000, Windows XP, Windows Server 2003, and Windows Vista, but it doesn't affect Windows Vista SP1 nor Windows Server 2008. Amit Klein of Trusteer, Alla Berzroutchko of Scanit, and Roy Arends of Nominet UK get credit for reporting the flaw, which Microsoft says is not being exploited in the wild.
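As an added illustration, not part of the article, of what "lack of entropy" in the MS08-020 bulletin means in practice, here is a small check a defender could run over the 16-bit transaction IDs a DNS client emits (the assumption here is that those IDs are the random values at issue). All sample ID sequences below are constructed, not captured from a real resolver.

```python
"""Estimate how predictable a DNS client's transaction IDs are.

A forged DNS reply is only accepted if its transaction ID matches the
outstanding query, so an ID generator that is sequential or cycles
through few values makes off-path spoofing far easier. This check
scores a captured ID sequence on three signals: distinct-value ratio,
empirical Shannon entropy, and a constant stride between neighbours.
"""
import math
import random
from collections import Counter

ID_SPACE = 1 << 16  # DNS transaction IDs are 16 bits wide


def shannon_entropy_bits(ids):
    """Empirical entropy of the observed IDs, in bits."""
    n = len(ids)
    return -sum(c / n * math.log2(c / n) for c in Counter(ids).values())


def constant_stride(ids):
    """Return the fixed difference between consecutive IDs, or None."""
    if len(ids) < 3:
        return None
    deltas = {(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def assess(ids):
    """Summarise the sample; 'weak' if striding or well below achievable entropy."""
    max_bits = min(16.0, math.log2(len(ids)))  # best a sample this size can show
    entropy = shannon_entropy_bits(ids)
    stride = constant_stride(ids)
    weak = stride is not None or entropy < 0.9 * max_bits
    return {
        "distinct_ratio": len(set(ids)) / len(ids),
        "entropy_bits": entropy,
        "max_bits": max_bits,
        "stride": stride,
        "verdict": "weak" if weak else "ok",
    }


# Constructed samples: a counter-style generator, a generator stuck in a
# 32-value cycle, and a generator that draws uniformly from the ID space.
WEAK_SEQUENTIAL = [(1000 + i) % ID_SPACE for i in range(256)]
WEAK_SHORT_CYCLE = [4096 + 7 * (i % 32) for i in range(256)]
GOOD_IDS = random.Random(1).sample(range(ID_SPACE), 256)

if __name__ == "__main__":
    for name, sample in [("sequential", WEAK_SEQUENTIAL),
                         ("short cycle", WEAK_SHORT_CYCLE),
                         ("uniform", GOOD_IDS)]:
        print(name, assess(sample))
```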

The final fix, Security Bulletin MS08-025, addresses an elevation of privilege flaw in the Windows kernel. Microsoft says a problem with the way Windows validates input passed from user mode to the kernel could allow an attacker to run code with elevated privilege--and possibly execute arbitrary code, which is never a good thing. Luckily, none of the evildoers have started to exploit this flaw, according to Microsoft, which gives SkyRecon's Garnier credit with finding it.

While there were no zero-day vulnerabilities exposed with yesterday's patches, the fixes highlight another concerning trend: reuse of flawed code in Windows Vista and Windows Server 2008, according to Qualys' Sarwate.

"There is an alarming trend in that the majority of the patches, five out of the eight, address vulnerabilities contained in legacy Microsoft code," Sarwate says. "This means that code reuse from older Windows versions dating back to 2000 is rampant and therefore affects a very wide base of Microsoft users."

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.