Severity: High
8 April, 2008
Summary:
- These vulnerabilities affect: All current versions of Windows (and in some cases, Internet Explorer)
- How an attacker exploits them: Multiple vectors of attack, including luring one of your users to a malicious Web page or enticing the user into opening a specially crafted image
- Impact: Various results; in the worst case, attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches immediately
Exposure:
Today, Microsoft released five security bulletins describing vulnerabilities which affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to a different extent; in the worst cases, a remote attacker could exploit these flaws to gain complete control of your Windows PCs. The summary below lists the vulnerabilities in order from highest to lowest severity.
MS08-021: Two GDI Buffer Overflow Vulnerabilities
The Windows Graphics Device Interface (GDI) is one of the Windows components that outputs graphics to your monitor or printer. According to Microsoft’s bulletin, GDI suffers from two buffer overflow vulnerabilities involving how it handles the Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats. By tricking one of your users into opening a specially crafted WMF or EMF image, an attacker could exploit either vulnerability to execute code on that user’s machine, with that user’s privileges. If your user has local administrative privileges, the attacker would gain total control of the user’s computer. These vulnerabilities affect all current versions of Windows, including Vista and Server 2008.
Microsoft rating: Critical.
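The bulletin does not say which fields GDI mishandles, but metafile overflows of this class come from trusting a length field inside the file. The following added example (not WatchGuard’s or Microsoft’s code, and not GDI’s actual parser) walks an EMF-style record stream and validates every record size against the bytes that actually remain before anything is sliced or copied. The record layout it assumes is the real EMF one: each record begins with a 4-byte type and a 4-byte size, records are 4-byte aligned, type 1 is EMR_HEADER and type 14 is EMR_EOF. The sample files are constructed inline; the header payload contents are placeholders, not a real ENHMETAHEADER.

```python
import struct

EMR_HEADER = 1    # type of the first record in an EMF file
EMR_EOF = 14      # type of the record that terminates the stream
RECORD_HDR = 8    # every record starts with DWORD iType, DWORD nSize


class MetafileError(ValueError):
    """Raised when a record header is inconsistent with the enclosing buffer."""


def walk_emf_records(data: bytes):
    """Yield (record_type, payload) for each record, checking every length.

    nSize is attacker-controlled, so it is compared against the bytes that
    really remain before any slice happens. A parser that skipped this
    check and copied nSize bytes would read or write past its buffer.
    """
    offset = 0
    first = True
    while offset < len(data):
        remaining = len(data) - offset
        if remaining < RECORD_HDR:
            raise MetafileError(f"truncated record header at offset {offset}")
        rtype, rsize = struct.unpack_from("<II", data, offset)
        if first and rtype != EMR_HEADER:
            raise MetafileError("first record is not EMR_HEADER")
        first = False
        if rsize < RECORD_HDR:
            raise MetafileError(f"record at {offset}: size {rsize} smaller than header")
        if rsize % 4 != 0:
            raise MetafileError(f"record at {offset}: size {rsize} not 4-byte aligned")
        if rsize > remaining:
            raise MetafileError(
                f"record at {offset}: claims {rsize} bytes, only {remaining} remain")
        yield rtype, data[offset + RECORD_HDR:offset + rsize]
        offset += rsize
        if rtype == EMR_EOF:
            return
    raise MetafileError("record stream ended without EMR_EOF")


def build_record(rtype: int, payload: bytes = b"") -> bytes:
    """Helper for constructing sample records with correct padding."""
    payload += b"\x00" * ((-len(payload)) % 4)
    return struct.pack("<II", rtype, RECORD_HDR + len(payload)) + payload


# Constructed well-formed sample: header record, one dummy record, EOF.
GOOD_EMF = (build_record(EMR_HEADER, b"\x01" * 80)
            + build_record(99, b"abc")
            + build_record(EMR_EOF))

# Constructed malformed sample: the second record's nSize overstates the
# buffer, the shape of input that triggers a length-trusting overflow.
BAD_EMF = (build_record(EMR_HEADER, b"\x01" * 80)
           + struct.pack("<II", 99, 0x10000) + b"abc")


def count_records(data: bytes) -> int:
    """Number of records in a stream, or MetafileError if it is malformed."""
    return sum(1 for _ in walk_emf_records(data))


def is_well_formed(data: bytes) -> bool:
    try:
        count_records(data)
        return True
    except MetafileError:
        return False


if __name__ == "__main__":
    print("good:", count_records(GOOD_EMF), "records")
    print("bad well-formed?", is_well_formed(BAD_EMF))
```

The same three checks (size at least the header, aligned, not larger than what remains) are what a hardened native parser has to perform before every copy; a file that fails any of them should be rejected outright rather than rendered.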
MS08-022: VBScript/JScript Code Execution Vulnerability
Visual Basic Script (VBScript) and JScript are both Microsoft scripting languages, often used to create dynamic web sites. Microsoft warns that the engine used to decode these scripting languages suffers from an unspecified vulnerability. By enticing one of your users to a malicious web site containing specially crafted scripts, an attacker could exploit this vulnerability to execute code on that user’s computer. The attacker’s code would run with the privileges of the victimized user; if the user has local administrative privileges, the attacker gains absolute control over that user’s PC.
Microsoft rating: Critical.
MS08-023: ActiveX Control Memory Corruption Vulnerability
An ActiveX control that ships with Windows (called hxvz.dll) suffers from an unspecified memory corruption vulnerability. By luring one of your users to a malicious web page, an attacker could exploit this flaw to execute code on that user’s computer, with the user’s privileges. Like most code execution flaws in Windows, if your user has local administrator privileges, an attacker could exploit this flaw to take over that user’s machine. Note: Microsoft’s patch also disables Yahoo’s Music Jukebox ActiveX control in order to fix a different vulnerability in that third party vendor’s ActiveX control.
Microsoft rating: Critical.
MS08-020: DNS Client Spoofing Vulnerability
According to Microsoft, “the Windows DNS Client service doesn’t provide enough entropy in its random choice of transaction values when performing DNS queries.” This is just a fancy way of saying that the DNS Client makes it too easy for bad guys to guess enough about a victim’s DNS query that they could send a properly formed, but spoofed, DNS reply. The Domain Name System controls how your computer finds things on the Internet; an attacker who could monitor your users’ DNS queries, and send spoofed replies, could redirect them from legitimate sites to malicious ones. The attacker could then leverage this vulnerability to force your users into a malicious drive-by download or phishing web site.
Microsoft rating: Important.
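The flaw described above is about how guessable the 16-bit transaction ID in an outgoing query is. The following added example (written for this page, not code from WatchGuard or Microsoft) extracts the ID from the first two bytes of a DNS header and scores a sequence of IDs for predictability, so a defender can run it over captured outbound queries from a patched host and confirm the IDs no longer step through a narrow range. The sample packets are constructed with a helper; the window of 16 and the 50% threshold are assumptions chosen for illustration, not values from the bulletin.

```python
import random
import struct

DNS_HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount


def dns_txid(packet: bytes) -> int:
    """Return the transaction ID, the first two bytes of a DNS header."""
    if len(packet) < DNS_HEADER_LEN:
        raise ValueError("DNS header is 12 bytes; packet is shorter")
    return struct.unpack_from("!H", packet, 0)[0]


def build_query(txid: int, name: str = "example.com") -> bytes:
    """Constructed minimal A-record query, used only to produce samples."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def assess_txid_randomness(txids, window=16, threshold=0.5, min_samples=16):
    """Score how guessable a sequence of transaction IDs is.

    A transition is 'near' when the next ID lies within +/- window of the
    previous one (mod 2^16). If most transitions are near, a forged reply
    only has to cover a tiny ID range to be accepted, which is the
    weakness the bulletin describes.
    """
    txids = list(txids)
    if len(txids) < min_samples:
        raise ValueError(f"need at least {min_samples} samples")
    steps = [(b - a) % 65536 for a, b in zip(txids, txids[1:])]
    near = sum(1 for s in steps if s <= window or s >= 65536 - window)
    ratio = near / len(steps)
    return {
        "distinct": len(set(txids)),
        "near_ratio": round(ratio, 3),
        "verdict": "predictable" if ratio > threshold else "ok",
    }


def audit_queries(packets):
    """Convenience wrapper: parse IDs out of raw query packets and score them."""
    return assess_txid_randomness(dns_txid(p) for p in packets)


# Constructed sample 1: an ID counter that simply increments per query.
SEQUENTIAL_QUERIES = [build_query(0x1000 + i) for i in range(32)]

# Constructed sample 2: IDs drawn from a seeded PRNG, standing in for a
# resolver that picks each ID uniformly from the full 16-bit space.
_rng = random.Random(7)
RANDOM_QUERIES = [build_query(_rng.randrange(65536)) for _ in range(32)]


if __name__ == "__main__":
    print("sequential:", audit_queries(SEQUENTIAL_QUERIES))
    print("random:    ", audit_queries(RANDOM_QUERIES))
```

Feed `audit_queries` the UDP payloads of queries captured on port 53 from the host under test; a resolver whose IDs keep tripping the "predictable" verdict after patching deserves a closer look.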
MS08-025: Windows Kernel Elevation of Privilege Vulnerability
The kernel is the core of any operating system and provides the lowest abstraction layer between hardware and software. The Windows kernel suffers from an unspecified elevation of privilege vulnerability involving its failure to validate certain input coming from the user level of the operating system. By running a specially crafted program, a local attacker could exploit this vulnerability to gain full SYSTEM level privileges on a Windows system — in other words, total control. However, the attacker would need valid login credentials and access to the Windows machine in order to carry out this attack.
Microsoft rating: Important.
Solution Path:
Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
Note: Microsoft no longer officially supports Windows NT 4.0, 98, ME or XP with SP1. If you manage any of these operating systems, Microsoft suggests you migrate to supported versions to prevent potential exposure to vulnerabilities. You can learn more about Microsoft’s extended security update support at its Product Support Services Web site.
- 2000 w/SP4
- XP w/SP2
- XP x64
- Server 2003
- Server 2003 x64
- Server 2003 Itanium-Edition
- Vista w/SP1
- Vista x64 w/SP1
- Server 2008
- Server 2008 x64
- Server 2008 Itanium-Edition
Doesn’t affect Vista or Server 2008
- 2000 w/SP4
- XP w/SP2
- XP x64
- Server 2003
- Server 2003 x64
- Server 2003 Itanium-Edition
- Vista w/SP1
- Vista x64 w/SP1
- Server 2008
- Server 2008 x64
- Server 2008 Itanium-Edition
Doesn’t affect Vista w/SP1 or Server 2008
- 2000 w/SP4
- XP w/SP2
- XP x64
- Server 2003
- Server 2003 x64
- Server 2003 Itanium-Edition
- Vista w/SP1
- Vista x64 w/SP1
- Server 2008
- Server 2008 x64
- Server 2008 Itanium-Edition
For All WatchGuard Users:
You can configure your WatchGuard Firebox’s HTTP and SMTP proxies to reduce the risks presented by some of these vulnerabilities; however, the remaining ones either travel as normal HTTP traffic (which you must allow for your users to browse the web) or get exploited locally. For these reasons, we urge you instead to apply the patches described above.
Status:
Microsoft has released patches correcting these issues.