TITLE:
Microsoft Windows 14 Vulnerabilities
SECUNIA ADVISORY ID:
SA11064
VERIFY ADVISORY:
http://secunia.com/advisories/11064/
CRITICAL:
Highly critical
IMPACT:
Privilege escalation, DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows NT 4.0 Workstation
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
SOFTWARE:
Windows NetMeeting 3.x
DESCRIPTION:
Microsoft has acknowledged 14 vulnerabilities in the Windows
operating system, where the most serious can be exploited by
malicious people to compromise a vulnerable system.
1) A boundary error within LSASS (Local Security Authority Subsystem
Service) can be exploited to cause a buffer overflow via a specially
crafted message. Successful exploitation allows execution of
arbitrary code with SYSTEM privileges.
The vulnerability can reportedly only be exploited remotely on
Windows 2000 and Windows XP systems.
2) An error within LSASS (Local Security Authority Subsystem Service)
when processing LDAP requests can be exploited by malicious people to
reboot a vulnerable domain controller via a specially crafted LDAP
message.
The vulnerability only affects Windows 2000 domain controllers.
3) A boundary error within the Microsoft Secure Sockets Layer (SSL)
library when checking message inputs can be exploited to cause a
buffer overflow via specially crafted PCT (Private Communications
Transport) messages. Successful exploitation allows execution of
arbitrary code.
4) A boundary error within the Windows logon process (Winlogon) can
be exploited by malicious users with permissions to modify domain
objects to cause a buffer overflow. Successful exploitation allows
execution of arbitrary code.
The vulnerability affects Windows NT 4.0, Windows 2000, and Windows
XP systems that are members of a domain.
5) A boundary error within the rendering of Metafiles can be
exploited to cause a buffer overflow via specially crafted files.
This may be related to:
SA10968
6) An input validation error within the "Help and Support Center"
when handling HCP URLs can be exploited to execute arbitrary code on
a vulnerable system via specially crafted HCP URLs.
7) An error within the Utility Manager when launching applications
can be exploited by malicious, local users to gain SYSTEM
privileges.
The vulnerability only affects Windows 2000 systems.
8) An error within the Windows task management may in certain
circumstances allow creation of tasks, which will be executed with
SYSTEM privileges. This can be exploited by malicious, local users to
gain escalated privileges on a vulnerable system.
The vulnerability only affects Windows XP systems.
9) An error within a programming interface used for creating entries
in the Local Descriptor Table (LDT) can be exploited to access
protected memory. This may allow malicious, local users to gain
escalated privileges on a vulnerable system.
10) Boundary errors within the H.323 protocol implementation can be
exploited to cause a buffer overflow via specially crafted H.323
requests. Successful exploitation allows execution of arbitrary
code.
This may be related to:
SA10611
11) An error within the operating system component handling the
Virtual DOS Machine (VDM) subsystem can be exploited to access
protected kernel memory. This may allow malicious, local users to
gain escalated privileges.
12) A boundary error within the Negotiate Security Software Provider
(SSP) interface can be exploited to cause a buffer overflow via a
specially crafted network message. Successful exploitation commonly
results in a Denial of Service but may also allow execution of
arbitrary code.
13) An error within the Microsoft Secure Sockets Layer (SSL) library
when handling SSL messages can be exploited to cause a vulnerable
system to stop accepting SSL connections or restart.
14) A "double free" error within the Microsoft ASN.1 Library can be
exploited to corrupt memory. Successful exploitation commonly results
in a Denial of Service but may also allow execution of arbitrary
code.
SOLUTION:
Apply patches manually or via Windows Update.
Microsoft Windows NT Workstation 4.0 (requires SP6a):
http://www.microsoft.com/downloads/...x?FamilyId1713FC-F95C-43E5-B825-3CF72C1A0A3E&displaylang=en
Microsoft Windows NT Server 4.0 (requires SP6a):
http://www.microsoft.com/downloads/...laylang=en
Microsoft Windows NT Server 4.0 Terminal Server Edition (requires
SP6):
http://www.microsoft.com/downloads/...laylang=en
Microsoft Windows 2000 (requires SP2, SP3, or SP4):
http://www.microsoft.com/downloads/...x?FamilyId92C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
Microsoft Windows XP:
http://www.microsoft.com/downloads/...laylang=en
Microsoft Windows XP 64-Bit Edition (requires SP1):
http://www.microsoft.com/downloads/...laylang=en
Microsoft Windows XP 64-Bit Edition Version 2003:
http://www.microsoft.com/downloads/...laylang=en
Microsoft Windows Server 2003:
http://www.microsoft.com/downloads/...laylang=en
Microsoft Windows Server 2003 64-Bit Edition:
http://downloads/details.aspx?Famil...laylang=en
PROVIDED AND/OR DISCOVERED BY:
1, 5, 9, 11) eEye Digital Security
2) Carlos Sarraute, Core Security Technologies.
3) ISS
4) Ondrej Sevecek
6) Jouko Pynnönen
7) Brett Moore of Security-Assessment.com, Cesar Cerrudo, and Ben
Pryor.
8) Erik Kamphuis, LogicaCMG.
12) NSFOCUS Security Team
13) John Lampe, Tenable Network Security.
14) Foundstone Labs and Qualys.
ORIGINAL ADVISORY:
http://www.microsoft.com/technet/se...4-011.mspx
OTHER REFERENCES:
SA10611:
http://secunia.com/advisories/10611/
SA10968:
http://secunia.com/advisories/10968/
-
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Regards!!!
Javier Inglés
MS-MVP
e-m@il:jjingles2000@NOSPAMhotmail.com
<<<REMOVE "NOSPAM" TO SEND MAIL>>>
This message is provided "as is" with no warranties of any kind, and confers no rights