Severity: High
10 June, 2008
Summary:
- These vulnerabilities affect: All current versions of Windows
- How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets or enticing your users into downloading and playing media files
- Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches immediately
Exposure:
Today, Microsoft released six security bulletins describing vulnerabilities that affect Windows and components shipping with it. Each vulnerability affects different versions of Windows to a different extent. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PCs. The summary below lists the vulnerabilities in order from highest to lowest severity.
MS08-033: Two DirectX Remote Code Execution Vulnerabilities
DirectX is a collection of application programming interfaces (APIs) that ships with all versions of Windows; coders use it to create multimedia content. According to Microsoft, DirectX suffers from two security vulnerabilities involving the way it handles certain media content. Though they differ technically, both vulnerabilities share the same general characteristics: by luring one of your users into downloading and opening a maliciously crafted multimedia file, an attacker can exploit either of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker could gain complete control of the victim’s computer. The primary difference between these flaws involves which multimedia file the attacker can use to exploit them. The potentially dangerous files include Synchronized Accessible Media Interchange files (.sami) and MJPEG video files (.asf, .avi).
Microsoft rating: Critical.
MS08-030: Bluetooth Stack Code Execution Vulnerability
Windows ships with its own Bluetooth stack to support the Bluetooth wireless connectivity standard. According to Microsoft’s bulletin, the Windows Bluetooth stack suffers from a remote code execution vulnerability due to its inability to handle a large number of service description requests correctly. By sending a large number of such requests to one of your users, an attacker could exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, an attacker could then leverage this vulnerability to gain complete control of their PCs. (Of course, only Windows devices that have Bluetooth suffer from this vulnerability.)
Microsoft rating: Critical.
MS08-034: WINS Elevation of Privilege Vulnerability
Windows Internet Name Service (WINS) is a Windows service that translates NetBIOS names into addresses on a TCP/IP network. WINS suffers from an elevation of privilege vulnerability in which it is unable to correctly validate the data structures within specially crafted WINS network packets. By sending specially crafted packets to one of your Windows computers, an attacker could exploit this vulnerability to execute code on that computer with full system privileges. In other words, the attacker would gain complete control of that machine.
Microsoft rating: Important.
MS08-035: Active Directory Denial of Service Vulnerability
Active Directory is the Windows component that provides central authentication and authorization services for Windows computers. Active Directory runs on Windows servers, but it is also found on Windows clients as the Active Directory Application Mode (ADAM) service. Microsoft’s security bulletin warns of an unspecified Denial of Service (DoS) vulnerability involving the way Active Directory handles specially crafted LDAP packets. By sending a malicious LDAP request, a remote attacker could exploit this vulnerability to cause your Windows computer to lock up or to reboot. The attacker could repeatedly exploit this vulnerability to keep your Windows machines offline for as long as he could sustain this attack. However, most administrators don’t allow LDAP traffic (TCP ports 389 and 3268) through their perimeter firewall; therefore, this vulnerability primarily poses an internal threat. This vulnerability is nearly identical to MS08-003, which we reported in our February Windows alert, except that the new flaw affects Windows Server 2008 as well.
Microsoft rating: Important.
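An added example, not part of the original alert or of any vendor tooling: a Python check that scans an exported perimeter rule set for inbound allow rules that would let external sources reach the LDAP ports named above (TCP 389 and 3268). The rule format, the sample rules and the function names are constructed for illustration.

```python
from ipaddress import ip_network

LDAP_PORTS = (389, 3268)  # TCP ports the advisory names for LDAP traffic
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export in a hypothetical format:
# action direction protocol source destination-ports
SAMPLE_RULES = """\
allow in tcp any 80,443
allow in tcp 10.0.0.0/8 389
allow in tcp any 3000-4000
allow in udp any 389
allow in any 203.0.113.0/24 any
"""

def parse_ports(spec):
    """Expand 'any', '80,443' or '3000-4000' into (low, high) ranges."""
    if spec == "any":
        return [(1, 65535)]
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def is_external(source):
    """Treat a source as external unless it sits inside a private range."""
    if source == "any":
        return True
    net = ip_network(source, strict=False)
    return not any(net.subnet_of(private) for private in INTERNAL)

def ldap_exposures(rules_text):
    """List inbound TCP allow rules that let external sources reach LDAP.
    Rule order and shadowing are not modelled; review each finding."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5:
            continue
        action, direction, proto, source, ports = fields
        if (action, direction) != ("allow", "in") or proto not in ("tcp", "any"):
            continue
        hit = [p for p in LDAP_PORTS
               if any(lo <= p <= hi for lo, hi in parse_ports(ports))]
        if hit and is_external(source):
            findings.append((line_no, line, hit))
    return findings
```

On the sample, the port range in rule 3 and the any-port rule 5 are flagged, which is the kind of indirect exposure a search for the literal port numbers would miss.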
MS08-036: Pragmatic General Multicast (PGM) Denial of Service Vulnerabilities
According to Microsoft, Pragmatic General Multicast (PGM) is a reliable and scalable multicast protocol. According to a Wikipedia article, though, PGM is an IETF experimental protocol and is not yet a standard. Microsoft’s bulletin describes two DoS vulnerabilities in Microsoft’s implementation of PGM. By sending specially crafted PGM packets, a remote attacker could exploit either of these vulnerabilities to cause your Windows computer to lock up or reboot. The attacker could repeatedly exploit either vulnerability to keep your Windows machines offline for as long as he could sustain this attack. By default, however, PGM is not enabled on many Windows computers.
Microsoft rating: Important.
MS08-032: Speech Recognition Code Execution Vulnerability
Windows ships with a Speech Recognition component which allows you to issue voice commands to your Windows computer through a microphone. Researchers have pointed out that by enticing a user into playing back an audio file, an attacker could exploit the Speech Recognition feature to execute commands on that user’s computer, with that user’s privileges. Since you can embed audio into web pages, attackers could exploit this flaw simply by luring one of your users to a malicious web site. However, many mitigating factors greatly limit the severity of this flaw; one is that Speech Recognition is not enabled by default in Windows.
Microsoft rating: Moderate.
Solution Path:
Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
Note: Microsoft no longer officially supports Windows NT 4.0, 98, ME or XP with SP1. If you manage any of these operating systems, Microsoft suggests you migrate to supported versions in order to prevent potential exposure to vulnerabilities. You can learn more about Microsoft’s extended security update support at its Product Support Services Web site.
- DirectX 10.0
Doesn’t affect Windows 2000, Server 2003, or Server 2008
- For Windows 2000 Server
- For Windows Server 2003
- For Windows Server 2003 Itanium
- For Windows Server 2003 x64
Doesn’t affect the non-server versions of Windows, or Server 2008
- For Windows 2000
- For Windows XP
- For Windows XP x64
- For Windows Server 2003
- For Windows Server 2003 x64
- For Windows Server 2003 Itanium
- For Windows Server 2008
- For Windows Server 2008 x64
- For Windows XP
- For Windows XP x64
- For Windows Server 2003
- For Windows Server 2003 Itanium
- For Windows Server 2003 x64
- For Windows Vista
- For Windows Vista x64
- For Windows Server 2008
- For Windows Server 2008 Itanium
- For Windows Server 2008 x64
Doesn’t affect Windows 2000
- For Windows 2000
- For Windows XP
- For Windows XP x64
- For Windows Server 2003
- For Windows Server 2003 Itanium
- For Windows Server 2003 x64
- For Windows Vista
- For Windows Vista x64
- For Windows Server 2008
- For Windows Server 2008 Itanium
- For Windows Server 2008 x64
For All WatchGuard Users:
WatchGuard Fireboxes, by default, reduce the risks presented by some of these vulnerabilities. However, attackers could exploit many of them locally, without passing traffic through your firewall. For that reason, we urge you to apply the patches above.
Status:
Microsoft has released patches correcting these issues.