Severity: High
12 August, 2008
Summary:
§ These vulnerabilities affect: All current versions of Windows
§ How an attacker exploits them: Multiple vectors of attack, including enticing your users into downloading and viewing malicious images or sending specially crafted packets
§ Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
§ What to do: Install the appropriate Microsoft patches immediately
Exposure:
Today, Microsoft released five security bulletins describing vulnerabilities that affect Windows and components shipping with it. Each vulnerability affects different versions of Windows to a different extent. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PCs. The summary below lists the vulnerabilities in order from highest to lowest severity.
MS08-046: Microsoft Image Color Management (ICM) Buffer Overflow vulnerability
Image Color Management (ICM) is a Windows component that uses data in ICC profiles to perform color translation operations. ICM suffers from a buffer overflow vulnerability. By tricking one of your users into opening a maliciously crafted image file, which could be hosted on a web site, an attacker might exploit this vulnerability to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker could gain complete control of the victim’s computer.
Microsoft rating: Critical.
MS08-049: Two Event System Code Execution Vulnerabilities
Event System is a Windows service that manages the event logs which different applications send to the Windows operating system (you can view these logs with Event Viewer). The Event System suffers from two vulnerabilities involving its inability to properly parse specially malformed event requests or subscriptions. By creating an application that sends such event requests to the Event System, an attacker could exploit either flaw to gain complete control of Windows PCs. However, the attacker would need valid login credentials and access to a victim’s machine in order to run his malicious program.
Microsoft rating: Important.
MS08-048: Outlook Express and Windows Mail Cross-Domain Information Disclosure Vulnerability
Outlook Express (OE) and Windows Mail are the email clients that ship with different versions of Windows. Both clients suffer from a Cross-Domain information disclosure vulnerability (similar to a Cross-Site Scripting attack) due to the way their protocol handlers interpret MHTML URL redirections. While the vulnerability lies within OE and Mail, an attacker triggers it via Internet Explorer (IE). By luring one of your users to a malicious web page, an attacker could exploit this vulnerability to read data from another Internet Explorer security domain, or even the local computer.
Microsoft rating: Important.
MS08-050: Windows Messenger Information Disclosure Vulnerability
Windows Messenger is the instant messaging (IM) client that ships with Windows. According to Microsoft, Messenger ships with an ActiveX control that is marked safe for scripting, which means web sites can run scripts using this control. Unfortunately, this leads to an information disclosure vulnerability. By enticing one of your users into visiting a malicious web page, an attacker could exploit this vulnerability to gain control of that user’s Messenger chat client. The attacker could capture your user’s Messenger login ID, gain access to all of his or her contacts, and even launch new audio and video chat sessions without your user’s knowledge. However, security features in both IE and Windows 2003 mitigate the risk of this sort of attack to some degree.
Microsoft rating: Important.
MS08-047: IPSec Information Disclosure Vulnerability
IPsec is a security encryption protocol that allows you to make Virtual Private Network (VPN) tunnels to secure your communications over a network. Windows ships with IPsec services. If an attacker could sniff your local network traffic, he might be able to modify an IPsec policy when it’s transmitted over your local network to other computers. For instance, he could modify the policy so that it doesn’t encrypt VPN traffic. However, the IPsec policy in question is typically transmitted over the network with encryption. The attacker could only exploit this issue if he had administrative access to your domain controller, or you unknowingly misconfigured your IPsec rule set to cause information to be transmitted in the clear. In short, many mitigating circumstances around this vulnerability significantly lower its risk.
Microsoft rating: Important.
Solution Path:
Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
§ For Windows Server 2003 Itanium
§ For Windows Server 2003 Itanium
§ For Windows Server 2008 Itanium
§ Outlook Express 5.5 for Windows 2000
§ Outlook Express 6.0 for:
§ For Windows Server 2003 Itanium
§ Windows Mail for:
§ For Windows Server 2008 Itanium
§ Windows Messenger 4.7 for:
§ For Windows Server 2003 Itanium
§ Windows Messenger 5.1 for all versions of Windows
§ For Windows Server 2008 Itanium
For All WatchGuard Users:
WatchGuard Fireboxes, by default, reduce the risks presented by some of these vulnerabilities. However, attackers could exploit many of them locally, without passing traffic through your firewall. For that reason, we urge you to apply the patches above.
Status:
Microsoft has released patches correcting these issues.
References:
§ Microsoft Security Bulletin MS08-046
§ Microsoft Security Bulletin MS08-047
§ Microsoft Security Bulletin MS08-048
§ Microsoft Security Bulletin MS08-049
§ Microsoft Security Bulletin MS08-050