IT professionals have two Microsoft threats to worry about as they start the new week.
First, Microsoft is warning those who haven't deployed a patch for flaws in the Remote Access Connection Manager (RASMAN) to do so immediately. Detailed exploit code is circulating, and attackers could use it to target the flaws.
Second, Cupertino, Calif.-based antivirus giant Symantec Corp. is warning of new proof-of-concept code that targets a security hole in Microsoft Windows Live Messenger, the instant messaging client formerly called MSN Messenger.
Microsoft released an advisory for the first threat Friday night, saying it targets a pair of critical remote code-execution flaws affecting versions of Windows 2000, XP and Server 2003. The RASMAN flaws could enable someone with malicious intent to take control of an affected system. Microsoft issued a patch for this problem in its MS06-025 security bulletin June 13.
"Microsoft is aware that detailed exploit code has been published on the Internet for the vulnerability addressed by Microsoft security bulletin MS06-025," a Microsoft spokesman said by email. He said the company is not currently aware of any active attacks based on this exploit code, but it is monitoring the situation closely. "Our investigation of this exploit code has verified that it does not affect users who have installed the update detailed in MS06-025 on their computers."
Symantec sent an advisory on the Windows Live Messenger issue to customers of its DeepSight Threat Management System Monday morning, saying version 8.0 is reportedly prone to a heap overflow vulnerability when processing malformed contact lists.
"This issue arises because the application fails to perform boundary checks prior to copying user-supplied data into sensitive process buffers," Symantec said. "The vulnerability presents itself when the application processes a malicious contact list (.ctt) file."
An attacker could craft a malicious contact list that supplies excessive data to the application through a large string value, such as a contact name, thus triggering the overflow condition. "This issue may lead to memory corruption," Symantec said. "An attacker may also leverage this issue to execute arbitrary code on a computer with the privileges of an affected user. Exploitation attempts may result in crashing the application as well."
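As an added illustration (not code from Symantec, Microsoft or the original article), a mail-gateway or file-share script could screen .ctt files for oversized string values before they reach the client. It assumes .ctt files are XML in an ASCII-compatible encoding; the 256-character limit, the file-size cap and the function name `screen_ctt` are assumptions, since the advisory quotes no figures.

```python
import xml.etree.ElementTree as ET

MAX_VALUE_LEN = 256         # assumed policy limit; the advisory gives no number
MAX_FILE_BYTES = 1_000_000  # assumed cap on the whole contact list file


def screen_ctt(data: bytes, max_len: int = MAX_VALUE_LEN):
    """Return a list of (element, field, length) findings; empty means clean."""
    if len(data) > MAX_FILE_BYTES:
        return [("file", "size", len(data))]
    # Byte-level check (assumes an ASCII-compatible encoding such as UTF-8):
    # refuse DTDs and entity declarations rather than let the parser expand them.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return [("file", "dtd-or-entity", 0)]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # A file that does not parse is quarantined, not passed through.
        return [("file", "malformed-xml", 0)]
    findings = []
    for elem in root.iter():
        # Check every text node, not only contact names, because the advisory
        # speaks of "a large string value, such as a contact name".
        text = (elem.text or "").strip()
        if len(text) > max_len:
            findings.append((elem.tag, "text", len(text)))
        for attr, value in elem.attrib.items():
            if len(value) > max_len:
                findings.append((elem.tag, "@" + attr, len(value)))
    return findings


# Constructed sample inputs (not taken from any real contact list).
BENIGN = b"""<?xml version="1.0"?>
<messenger><service name=".NET Messenger Service"><contactlist>
<contact>alice@example.com</contact>
</contactlist></service></messenger>"""
OVERSIZED = BENIGN.replace(b"alice@example.com", b"A" * 5000)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        result = screen_ctt(sample)
        print(label, "->", "clean" if not result else result)
```

A non-empty result is a reason to quarantine the file; it does not replace updating the client once a fix is available.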
While Symantec is not aware of any active exploits targeting the flaw, it confirmed that a proof-of-concept .ctt file is available. To mitigate the threat, Symantec recommended IT professionals take some of the following measures: