Volume 5, Number 14 -- April 9, 2008

New Batch of Windows Flaws Give Hackers a Roadmap to Riches

Published: April 9, 2008

by Alex Woodie

Microsoft yesterday issued eight patches for 10 flaws, including six critical vulnerabilities that hackers have already started to pore over. While there were no zero-day flaws, the new batch poses a very real danger to users, who can be unknowingly redirected to a malicious site, or infected by viewing a malicious ad inserted onto an otherwise trusted Web site. April's Patch Tuesday also takes the shine off Windows Server 2008 and Windows Vista SP1, which needed patching due to their extensive reuse of legacy Windows code.

The fun starts with Security Bulletin MS08-018, which addresses the newly discovered Project Memory Validation vulnerability in Microsoft Project versions 2000, 2002, and 2003. This flaw could allow a nefarious user to take complete control of a victim's computer by tricking him or her into opening a malformed Project file from a Web site or an e-mail attachment. Microsoft says this critical vulnerability has not been exploited on the Web, and was reported by the South Korean government's National Cyber Security Center.

Two critical vulnerabilities in the Windows graphics device interface (GDI) were addressed with Security Bulletin MS08-021. These two vulnerabilities, which could allow a hacker to take total control, affect all versions of Windows going back to Windows 2000, and are the first flaws in the new Windows Server 2008 and Windows Vista Service Pack 1 (SP1) operating systems publicly disclosed by Microsoft. The flaws, which Microsoft says are not being exploited in the wild, were reported by a group of security experts, including Jun Mao of iDefense Labs, Sebastian Apelt of Zero Day Initiative, Thomas Garnier of SkyRecon, and Yamata Li of Palo Alto Networks.

A critical flaw in Windows' VBScript and JScript rendering engines was fixed with Security Bulletin MS08-022. The flaw, which could allow hackers to take total control of victims' computers when they visit a malformed Web page, affects most versions of Windows 2000, Windows XP, and Windows Server 2003; Vista and Windows Server 2008 are not affected. Microsoft credits Peter Ferrie of Symantec with pointing out the vulnerability, which Microsoft says is not being exploited (yet).

This patch, which was previously slated for February's Patch Tuesday, but was delayed two months, caught the eye of Sheldon Malm, director of security research and development for nCircle. "We've been very concerned about this one," he says. "It's another case where Web sites hosting third-party content can be used in multi-staged attacks. This is a particularly troubling trend for users because trusted sites can be used in an attack without compromising the site itself."

Moving on, Security Bulletin MS08-023 fixes a memory corruption vulnerability in an ActiveX control included in previous products, using an ActiveX kill bit to prevent a hacker from launching a Web-based attack through that control. The flaw is considered critical when certain combinations of Internet Explorer and Windows are in use, including IE 5 and IE 6 on Windows 2000 and Windows XP, but only important on Windows Vista, moderate on Windows Server 2003, and low on Windows Server 2008. The problem isn't being exploited in the wild, says Microsoft, which credits an anonymous researcher with iDefense Labs with reporting the bug.

These three patches--MS08-021, MS08-022, and MS08-023--are the most critical patches issued yesterday by Microsoft, says Amol Sarwate, manager of the vulnerability research lab at Qualys. "By Qualys' standards, these are especially important given that all versions of Windows from 2000-2008 are affected and do not require any special software such as Project or Visio to be exploited," Sarwate says. "The attack vector is simple--users are lured via a Web link to a Web site that contains malformed image files that only require viewing to infect a machine."

The final critical patch, Security Bulletin MS08-024, is a cumulative update for IE versions 5, 6, and 7. The update includes a patch for a recently discovered flaw, the Data Stream Handling Memory Corruption Vulnerability, that could give hackers complete control of computers that are directed to a malicious Web site. Carsten Eiram of Secunia gets credit for spotting this flaw, which Microsoft says is not currently being exploited.

Three Important Patches

Microsoft also issued three less-important patches that still rate as "important" on Microsoft's danger scale.

The first of these is Security Bulletin MS08-019, which fixes two remote code execution vulnerabilities in Visio versions 2002, 2003, and 2007. Normally, a remote code execution flaw would qualify for the "critical" rating. For some reason (probably because Visio isn't as widely used), Microsoft gave this remote code execution flaw a less severe rating. But obviously, for users of Visio, this is a pretty important patch. Visio viewers were not affected. Check the security bulletin for known issues with this patch, which replaces a patch issued last year. Microsoft says there are no current attacks using these flaws, and it didn't name who reported them.

A spoofing flaw in Windows has been fixed with Security Bulletin MS08-020. Microsoft cited a lack of "entropy" in the DNS client's random number generator, which could allow hackers to redirect Web traffic from a legitimate address to a malicious Web site without the user knowing it. The problem exists in Windows 2000, Windows XP, Windows Server 2003, and Windows Vista, but it doesn't affect Windows Vista SP1 or Windows Server 2008. Amit Klein of Trusteer, Alla Bezroutchko of Scanit, and Roy Arends of Nominet UK get credit for reporting the flaw, which Microsoft says is not being exploited in the wild.
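To make the "lack of entropy" risk concrete, here is an added example (not from the article, Microsoft, or the researchers credited above): a check that takes a captured sequence of 16-bit DNS transaction IDs, flags a generator whose next ID is predictable from the last one, and turns the ID entropy an attacker faces into the odds that a forged reply beats the real one. The counter generator, the CSPRNG comparison, and the 0.9 threshold are constructed assumptions.

```python
"""Transaction-ID predictability check for a DNS stub resolver (constructed example)."""
import secrets
from collections import Counter

ID_SPACE = 1 << 16  # DNS transaction IDs are a 16-bit field


def guessable_fraction(ids):
    """Fraction of IDs that follow the previous ID by the most common delta.
    Near 1.0 means one observed query is enough to predict the next ID."""
    deltas = [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]
    if not deltas:
        return 0.0
    _, count = Counter(deltas).most_common(1)[0]
    return count / len(deltas)


def effective_bits(ids, threshold=0.9):
    """Entropy budget an attacker must overcome: 0 bits if the sequence is
    predictable (constructed threshold), otherwise the full 16-bit field."""
    return 0 if guessable_fraction(ids) >= threshold else 16


def spoof_success_probability(bits, forged_replies):
    """Chance that one of `forged_replies` forged answers, each carrying a
    distinct guessed ID, matches the real ID of a single outstanding query."""
    return min(1.0, forged_replies / (1 << bits))


def weak_ids(n, start=0x1234, step=1):
    """Constructed low-entropy generator: a plain counter."""
    return [(start + i * step) % ID_SPACE for i in range(n)]


def strong_ids(n):
    """Comparison sequence drawn from the OS CSPRNG."""
    return [secrets.randbelow(ID_SPACE) for _ in range(n)]


if __name__ == "__main__":
    for label, ids in (("counter", weak_ids(256)), ("csprng", strong_ids(256))):
        bits = effective_bits(ids)
        print(f"{label}: guessable={guessable_fraction(ids):.2f} bits={bits} "
              f"p(spoof with 100 forged replies)={spoof_success_probability(bits, 100):.4f}")
```

Run against IDs pulled from a packet capture of the resolver under test, a guessable fraction near 1.0 is the signal that a patch like MS08-020 is overdue.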

The final fix, Security Bulletin MS08-025, addresses an elevation of privilege flaw in the Windows kernel. Microsoft says a problem with the way Windows validates input passed from user mode to the kernel could allow an attacker to run code with elevated privilege--and possibly execute arbitrary code, which is never a good thing. Luckily, none of the evildoers have started to exploit this flaw, according to Microsoft, which gives SkyRecon's Garnier credit for finding it.

While there were no zero-day vulnerabilities exposed with yesterday's patches, the fixes highlight another concerning trend: reuse of flawed code in Windows Vista and Windows Server 2008, according to Qualys' Sarwate.

"There is an alarming trend in that the majority of the patches, five out of the eight, address vulnerabilities contained in legacy Microsoft code," Sarwate says. "This means that code reuse from older Windows versions dating back to 2000 is rampant and therefore affects a very wide base of Microsoft users."








Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
