11 December, 2007
Summary:
Today, Microsoft released four security bulletins describing vulnerabilities that affect Windows and components shipping with it. A remote attacker could exploit the worst of these flaws to execute code on your Windows PC, potentially gaining complete control of it. For a table briefly summarizing which vulnerabilities affect which versions of Windows, see Microsoft’s Security Bulletin Summary for December and expand the section, “Affected Software and Download Location.” If you manage a Windows network, you should download, test, and deploy the appropriate Windows patches throughout your network as soon as possible.
Exposure:
Microsoft’s four security bulletins detail vulnerabilities found in, or affecting, components of Windows. Each vulnerability affects different versions of Windows to a different extent. The summary below lists the vulnerabilities from highest to lowest severity.
MS07-063: Windows Vista SMBv2 Signing Vulnerability
11 December, 2007
Summary:
Today, Microsoft released four security bulletins describing vulnerabilities that affect Windows and components shipping with it. A remote attacker could exploit the worst of these flaws to execute code on your Windows PC, potentially gaining complete control of it. For a table briefly summarizing which vulnerabilities affect which versions of Windows, see Microsoft’s Security Bulletin Summary for December and expand the section, “Affected Software and Download Location.” If you manage a Windows network, you should download, test, and deploy the appropriate Windows patches throughout your network as soon as possible.
Exposure:
Microsoft’s four security bulletins detail vulnerabilities found in, or affecting, components of Windows. Each vulnerability affects different versions of Windows to a different extent. The summary below lists the vulnerabilities from highest to lowest severity.
MS07-063: Windows Vista SMBv2 Signing Vulnerability
Server Message Block (SMB) is the file and printer sharing protocol used by Windows. SMB version 2 (SMBv2) is an updated version of SMB, supported by Windows Vista and the upcoming Server 2008. SMBv2 allows for packet signing, which adds an extra layer of authentication and security to SMB communications. When your computer receives a properly signed SMBv2 packet, the packet’s signature should guarantee the authenticity of its sender. However, Microsoft’s alert warns of an unspecified flaw in the implementation of SMBv2 signing in Windows Vista. An attacker could exploit this flaw to modify SMBv2 packets even though they still retain seemingly authentic SMBv2 signatures. An attacker could then leverage this vulnerability to impersonate a trusted user on your network, which allows the attacker to execute code on your computers with the impersonated user’s privileges. The impact of this vulnerability is reduced by the fact that most administrators don’t allow SMB traffic through their firewalls. Furthermore, most administrators don’t use SMBv2 at all. This vulnerability poses primarily an internal threat.
Microsoft rating: Important.
MS07-065: Windows Message Queuing Buffer Overflow Vulnerability
Windows Message Queuing is a technology that allows Windows applications to communicate with one another, even when each application happens to run at different times (learn more about Message Queuing on Microsoft’s site). The Message Queuing component that ships with Windows 2000 and XP suffers from a buffer overflow vulnerability. By sending a specially-crafted message to a Windows computer that uses the Message Queuing component, an attacker can exploit this flaw to gain complete control of that machine. To exploit this flaw in Windows XP, that attacker would need valid login credentials. However, he doesn’t need credentials to exploit the flaw against Windows 2000 machines. Windows does not install the Message Queuing component by default, greatly mitigating the threat of an attack exploiting this flaw.
Microsoft rating: Important.
MS07-066: Windows Vista Kernel Privilege Elevation Vulnerability
According to Microsoft, a Windows Vista Kernel component called Windows Advanced Local Procedure Call (ALPC) doesn’t properly validate “certain conditions in legacy reply paths.” This flaw leads to a privilege elevation vulnerability. If an attacker has valid login credentials for one of your Vista machines (even as a guest), and he writes a special program that leverages this ALPC flaw, he can exploit this vulnerability to gain full control of that Vista system. Of course, the attacker needs valid login credentials and access to your Vista machines in order to exploit this flaw. For those reasons, it poses minimal risk.
Microsoft rating: Important.
MS07-067: Macrovision Driver Privilege Elevation Vulnerability
Some versions of Windows ship with a Macrovision SafeDisc driver used to validate the authenticity of certain games that use SafeDisc CD copy protection technology. The Macrovision SafeDisc driver suffers from an elevation of privilege vulnerability involving its mishandling of configuration parameters. Like the flaw above, if an attacker has valid login credentials on one of your Windows machines (even as a guest), and he writes a special program that leverages this Macrovision driver flaw, he can exploit this vulnerability to gain full control of that system. Again, the attacker needs local access and login credentials in order to exploit this flaw. If an attacker has this level of control over your computers, you have much bigger problems to worry about.
Microsoft rating: Important.
Solution Path
Microsoft has released patches for Windows to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
Note: Microsoft no longer officially supports Windows NT 4.0, 98, ME or XP with SP1. If you manage any of these operating systems, Microsoft suggests you migrate to supported versions to prevent potential exposure to vulnerabilities. You can learn more about Microsoft’s extended security update support at their Product Support Services Web site.
Doesn’t affect 64-bit versions of XP, nor any other versions of Windows
For All WatchGuard Users:
WatchGuard Fireboxes, by default, reduce the risks presented by some of these vulnerabilities. However, attackers would exploit most of them locally, without passing traffic through your firewall. For that reason, we urge you to apply the patches above.
Status:
Microsoft has released patches correcting these issues.
References:
- Microsoft Security Bulletin MS07-063
- Microsoft Security Bulletin MS07-065
- Microsoft Security Bulletin MS07-066
Microsoft Security Bulletin MS07-067