News Stay informed about the latest enterprise technology news and product updates.

Windows kernel, LSASS flaws fixed

Microsoft issued five "important" security patches for December, including one for a vulnerability that could give a malicious user administrator rights in Windows.

As anticipated, Microsoft today released five security bulletins rated "important." All five fix vulnerabilities in Windows that could have been exploited by attackers to run malicious code, to change or delete data or to cause a denial-of-service attack. Windows 2000 Server, XP, NT and Server 2003 are among the affected products.

Two of this month's bulletins apply to Windows XP Service Pack 2, but the severity rating is reduced to "moderate" for SP2 users.

Microsoft also reissued MS04-028, affecting JPEG parsing (GDI+) in Windows, to account for new updates for Microsoft Visual FoxPro 8.0 and the Windows .NET Framework 1.0 and 1.1 without Service Pack 1.

Eric Schultze, chief security architect with Shavlik Technologies LLC, in Roseville, Minn., said MS04-044, which addresses vulnerabilities in Windows kernel and LSASS, was the most critical of those issued.

"Microsoft has it labeled as important, but it would allow somebody to become administrator on their system," Schultze said. "If I have valid login credentials, I could then become administrator, but none of these are worm-style issues. They would require either you to already be a user or for you to incense somebody to run some malicious code on their system to exploit the vulnerabilities. They're not as critical as security bulletins from prior months."

The software company broke out of its normal cycle earlier this month to release a critical fix to an IFRAME vulnerability in Internet Explorer that attackers could have exploited to run malicious code on a user's computer.

This month's bulletins are:

MS04-041, which fixes several table and font conversion vulnerabilities in WordPad. According to the bulletin: "If a user is logged on with administrative privileges, an attacker who successfully exploited these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. However, user interaction is required to exploit this vulnerability."

For this vulnerability, Windows 2003 Server and XP Service Pack 2 are rated at "moderate" severity.

Michael Sutton, director of iDefense Inc.'s labs in Reston, Va., said these vulnerabilities are not likely targets, but are interesting because they involve text files. "It's not typically something that administrators are watching out for," he said. "They're not typically blocking those types of files. It's unique and I could see it being used to attack people."

MS04-042, which fixes vulnerabilities that could allow an attacker to take over a user's computer and potentially cause a denial of service of the Dynamic Host Configuration Protocol (DHCP) Server service.

"That one is usually just going to crash the system, it's not really going to result in owning the box," Schultze said. "You'd have to probably be on the internal network, something that's not available to the external hackers. It would be very difficult to try and get access. I'm not saying it can't be done, but it's less likely to be a real serious issue."

MS04-043, which fixes a Hyperterminal vulnerability that could allow an attacker to take control of a user's computer if that user were logged in with administrator privileges. The attacker would then have the ability to install programs, change or delete data or create new accounts with full privileges.

This vulnerability is rated "moderate" in severity for Windows Server 2003.

MS04-044, which fixes a Windows kernel and LSASS vulnerability that could allow an attacker to elevate a user's privilege level. Microsoft has issued a caveat on this bulletin, and has documented issues that may occur when the update is installed and recommended solutions in Microsoft Knowledge Base Article 885835.

MS04-045, which fixes a vulnerability in Windows Internet Naming Service (WINS) that could allow remote code execution in a similar fashion to the other bulletins.

Kostya Kortchinsky of France's CERT-Renater found these name validation and association context vulnerabilities during an audit of several network services. "Those two vulnerabilities as well as the two others in DHCP server in MS04-042 (and others that will be disclosed later) were found thanks to a disassembler, IDA Pro, and several scripts I developed to scan for various possible errors," Kortchinsky said in an e-mail.

Shavlik's Schultze said the impact of this vulnerability is somewhat limited.

"WINS is receiving a lot of attention because someone announced it about a month ago," he said. "This is important for those folks that are running a WINS environment, but this is on your internal network, so it's not a big target for external hackers."

Dig Deeper on Microsoft Windows security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.