Researchers warn of new Microsoft Windows security flaw

By Bill Brenner, Senior News Writer 18 Sep 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Attackers could exploit a newly discovered security flaw in Microsoft Windows to run malicious code on targeted computers, several security firms warned Monday. The news comes a week after Microsoft released its monthly batch of security updates, and no fix is available in this case.

Jonathan Sarba of the GoodFellas Security Research Team discovered the flaw in the MFC42 and MFC71 libraries offered natively in Windows. "Any application that uses the API, allowing the user to manipulate its first argument, is vulnerable to this heap overflow," he wrote in an analysis. He said the flaw was discovered June 14 and reported to Microsoft June 21. Having received no official patching timetable from Microsoft by Sept. 5, Sarba decided to go public with the flaw details.

Microsoft did not immediately respond to an inquiry from SearchSecurity.com.

Recent Microsoft updates: Microsoft issues Windows, MSN Messenger updates: Microsoft issued a critical update to Windows 2000 and plugged several other holes in MSN Messenger, Visual Studio and Windows Services for Unix 3.0. Inside MSRC: Visual Studio update affects multiple systems: Microsoft's Christopher Budd explains how the Visual Studio bulletin can affect multiple systems in Unix environments.

The French Security Incident Response Team (FrSIRT) described the problem in its FrSIRT/ADV-2007-3182 bulletin as a buffer overflow error in the "CFileFind::FindFile()" function within the "MFC42.dll" and "MFC42u.dll" libraries when processing an overly long argument.

According to the Symantec DeepSight threat management service, attackers who exploit this could execute arbitrary code in the context of applications that use the vulnerable method. Symantec noted that the MFC library included with Microsoft Windows XP SP2 is affected by the flaw. Danish vulnerability clearinghouse Secunia said in its SA26800 advisory that it was able to independently confirm the flaw on a fully-patched Windows XP SP2 machine with MFC42.dll version 6.2.4131.0 and MFC42u.dll version 6.2.8071.0.

Until a patch is available, Secunia recommends users restrict access to applications allowing user-controlled input to be passed to the vulnerable function. Also, Secunia said, IT shops should make sure that applications using the vulnerable library check the length of the user input before passing it to the affected function.

Secunia and FrSIRT both rated the flaw a moderate risk, typically reserved for remotely and locally exploitable flaws that could lead to a denial of service, privilege escalation, and for vulnerabilities that allow system compromises but require user interaction.

News of this latest flaw comes a week after Microsoft released security fixes that included an update to Windows 2000 that patches a critical flaw that could allow an attacker to gain remote access to a system. Also patched were flaws in MSN Messenger and Visual Studio.

Tags: Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows Security: Alerts, Updates and Best Practices Microsoft to address flaws in Windows, Office for Mac Microsoft fixes security update that breaks Internet Explorer What is the best database patch management process? Microsoft addresses critical SMBv2 flaw, fixes record number of flaws Microsoft to address SMB zero-day, IIS FTP Service vulnerabilities Microsoft releases temporary fix for SMB2 zero-day vulnerability Microsoft issues SMB vulnerability advisory, patch pending Attackers target Microsoft IIS; new SMB flaw discovered Microsoft repairs Windows media, TCP/IP vulnerabilities Microsoft five critical updates won't include IIS

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary BotHunter  (SearchSecurity.com) principle of least privilege (POLP)  (SearchSecurity.com) security identifier  (SearchSecurity.com) trusted computing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary