Microsoft Corp. released a critical alert and patch Tuesday afternoon for a buffer overrun vulnerability in the way Windows converts HTML files during cut and paste operations. An attacker exploiting the flaw could run code on a vulnerable system.
Several versions of Windows are affected, including Windows 2000, XP, NT 4.0 and NT 4.0 Terminal Services Edition.
The HTML converter in Windows is primarily used by Internet Explorer. An attacker using a specially crafted Web page or HTML e-mail could therefore cause the converter to fail in a way that lets the attacker run code with the privileges of the logged-in user.
There are several conditions that must be present to allow an outsider to exploit the flaw. The attacker would first have to create the malicious Web page or HTML e-mail, then persuade a user to either visit the site or open the message.
The flaw is also present in the recently released Windows Server 2003, but that system runs in Enhanced Security Configuration, which blocks this type of attack by default. Administrators should verify that this configuration has not been disabled, Microsoft said.
"While this vulnerability is primarily a threat to desktop PCs running Internet Explorer or Outlook, compromising individual workstations can provide an effective back door route into a corporate network," said Oliver Lavery, an independent security consultant based in Canada. "So, while it may not be quite as important as a vulnerability in IIS or SQL Server, it is something that businesses must address."
The flaw was reported to NTBugtraq in late June by a Russian hacker known as Digital Scream. NTBugtraq editor Russ Cooper points out in a posting to the mailing list that Microsoft failed to mention that the Outlook E-mail Security Update and Outlook 2002 in default mode would mitigate attacks that involve HTML-based e-mail and scripting. Cooper wrote that these environments render e-mail in the Restricted Sites Zone with scripting disabled.
Cooper wondered whether Microsoft had simply forgotten to offer this as a mitigator or whether an exploit could bypass these security measures.
Digital Scream said in an e-mail interview this morning that enterprises need to be wary of this, despite the difficulties associated with an exploit.
"A competent [attacker] can get access to confidential information to establish [a] Trojan, [a] keyboard spy and other nocuous programs," Digital Scream said. "But I think [there is nothing] to be afraid [of], as [a] public exploit was not present, and only a few can write it."
Lavery agreed that the flaw is difficult to exploit, but said he had experimented with a proof-of-concept exploit posted to Bugtraq by a hacker. Lavery said the exploit is not effective, but that it demonstrates the attack is possible and that it could be only a matter of time before a more viable exploit appears.
"The vulnerability is a stack-based buffer overflow, which is generally considered trivial to exploit, but in this case the range of malicious input that an attacker can supply is limited," Lavery said. "This shouldn't prevent anyone from taking the issue seriously, however. Difficult exploits are only difficult until somebody comes up with an effective method for making them work."
Microsoft also issued two other security alerts and patches Tuesday, both rated "important," one notch below "critical."
A buffer overrun in the Server Message Block (SMB) protocol, which Windows uses to share files, printers and serial ports and to communicate among computers using named pipes and mail slots, could lead to data corruption or, in extreme cases, code execution. Windows 2000, XP Professional, NT 4.0 and NT 4.0 Terminal Services Edition are affected.
The flaw is in the way a Windows server validates the parameters of an SMB packet. These packets are client requests for server resources. Windows servers do not validate the buffer length declared in the packet, Microsoft said: if a client declares a buffer length shorter than what the requested data actually needs, the buffer can be overrun.
Specially crafted SMB packets could cause an overrun and corrupt data, crash a system or enable code execution if the attacker had a valid user account and was authenticated by the server, Microsoft said.
Microsoft said Windows Server 2003 is not affected by this vulnerability. Blocking ports 139 and 445 at the firewall will also prevent an attack from the Internet.
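As an added illustration of the length-validation failure just described (a constructed example, not Microsoft's SMB implementation; the resource data and the 64-byte server buffer are assumptions), the unchecked copy sizes itself by the data alone, while the hardened handler treats the client-declared buffer length as untrusted and refuses a request whose declared length is smaller than the data it asked for.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not Microsoft's SMB code: a client request names
 * a resource and declares the size of the buffer the reply should fill. */
#define RESOURCE_LEN 24
static const uint8_t resource[RESOURCE_LEN] = "constructed-share-data!";

enum fill_result { FILL_OK = 0, FILL_TOO_SMALL = 1, FILL_BAD_REQUEST = 2 };

/* Vulnerable pattern, shown for contrast and never called here with a short
 * buffer: the copy is sized by the data, not by the length the client
 * declared, so a declared length shorter than the data overruns the buffer. */
void fill_response_unchecked(uint8_t *buf)
{
    memcpy(buf, resource, RESOURCE_LEN);
}

/* Hardened handler: 'declared' is the untrusted client value, 'buf_cap' is the
 * real capacity of the server-side buffer. Copy only when the data fits within
 * both limits; report a too-small declared length instead of overrunning. */
enum fill_result fill_response(size_t declared, uint8_t *buf, size_t buf_cap,
                               size_t *written)
{
    *written = 0;
    if (buf == NULL || declared == 0 || declared > buf_cap)
        return FILL_BAD_REQUEST;      /* claim exceeds what really exists */
    if (RESOURCE_LEN > declared)
        return FILL_TOO_SMALL;        /* the case the advisory describes */
    memcpy(buf, resource, RESOURCE_LEN);
    *written = RESOURCE_LEN;
    return FILL_OK;
}

/* Three constructed requests against a 64-byte server buffer. */
enum fill_result demo_honest_client(void)   /* declares 64, data is 24 */
{
    uint8_t buf[64]; size_t n;
    return fill_response(64, buf, sizeof buf, &n);
}
enum fill_result demo_short_buffer(void)    /* declares 8, data is 24 */
{
    uint8_t buf[64]; size_t n;
    return fill_response(8, buf, sizeof buf, &n);
}
enum fill_result demo_inflated_claim(void)  /* declares 4096 for 64 bytes */
{
    uint8_t buf[64]; size_t n;
    return fill_response(4096, buf, sizeof buf, &n);
}
```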
The final warning concerns the accessibility features in Windows that enable disabled persons to use the operating system. The flaw is found in the way Utility Manager handles Windows messages, which enable interactive processes to react to keystrokes or mouse commands and communicate with other interactive processes. Utility Manager is a utility that allows users to check the status of accessibility programs.
Windows messages are not properly validated, which could let an attacker gain elevated privileges on a Windows 2000 machine. The flaw cannot be exploited remotely, however; an attacker would need valid credentials to log on to the machine.