Attackers could exploit a newly discovered security flaw in Microsoft Windows to run malicious code on targeted computers, several security firms warned Monday. The news comes a week after Microsoft released its monthly batch of security updates, and no fix is available in this case.
Jonathan Sarba of the GoodFellas Security Research Team discovered the flaw in the MFC42 and MFC71 libraries offered natively in Windows. "Any application that uses the API, allowing the user to manipulate its first argument, is vulnerable to this heap overflow," he wrote in an analysis. He said the flaw was discovered June 14 and reported to Microsoft June 21. Having received no official patching timetable from Microsoft by Sept. 5, Sarba decided to go public with the flaw details.
Microsoft did not immediately respond to an inquiry from SearchSecurity.com.
The French Security Incident Response Team (FrSIRT) described the problem in its FrSIRT/ADV-2007-3182 bulletin as a buffer overflow error in the "CFileFind::FindFile()" function within the "MFC42.dll" and "MFC42u.dll" libraries when processing an overly long argument.
According to the Symantec DeepSight threat management service, attackers who exploit this could execute arbitrary code in the context of applications that use the vulnerable method. Symantec noted that the MFC library included with Microsoft Windows XP SP2 is affected by the flaw. Danish vulnerability clearinghouse Secunia said in its SA26800 advisory that it was able to independently confirm the flaw on a fully-patched Windows XP SP2 machine with MFC42.dll version 6.2.4131.0 and MFC42u.dll version 6.2.8071.0.
Until a patch is available, Secunia recommends users restrict access to applications allowing user-controlled input to be passed to the vulnerable function. Also, Secunia said, IT shops should make sure that applications using the vulnerable library check the length of the user input before passing it to the affected function.
Secunia and FrSIRT both rated the flaw a moderate risk, typically reserved for remotely and locally exploitable flaws that could lead to a denial of service, privilege escalation, and for vulnerabilities that allow system compromises but require user interaction.
News of this latest flaw comes a week after Microsoft released security fixes that included an update to Windows 2000 that patches a critical flaw that could allow an attacker to gain remote access to a system. Also patched were flaws in MSN Messenger and Visual Studio.