Microsoft Issues Two Security Patches, One For 'Critical' Flaw - InformationWeek

Microsoft Issues Two Security Patches, One For 'Critical' Flaw

One flaw in the way Windows handles TCP/IP processing could let an attacker take control of a computer.

Microsoft on Tuesday released two security bulletins as part of its monthly patch schedule.

Microsoft Security Bulletin MS08-001, rated "Critical," fixes a flaw in the way that Windows handles Transmission Control Protocol/Internet Protocol (TCP/IP) processing.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft explains. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1 and SP2, and Windows Vista are affected. The vulnerability is only rated "Moderate" for Windows 2000 users and "Important" for Windows Server 2003 users.

"The vulnerability affecting Windows Kernel TCP/IP IGMP could be significant depending on the user's firewall settings," said Ben Greenbaum, senior research manager at Symantec Security Response, in an e-mailed statement. "This issue is compounded by the fact the user's computer may automatically reboot upon a failed exploit attempt, giving the attacker multiple opportunities to compromise the computer. Users should utilize firewall best practices, such as blocking IGMP packets, so their computers will not be at risk."

"This is definitely an interesting one," said Don Leatham, director of solutions and strategies for Lumension Security. "It's down in the TCP/IP kernel. That allows whoever exploits this to have control over the machine at the highest levels."

"This is the second month in a row that we have vulnerabilities that affect all [of Microsoft's supported] operating systems," said Amol Sarwate, manager of vulnerability research at Qualys. "The TCP/IP vulnerability is important not just because it affects every Windows OS, but because the attack does not require any login credentials or a user to click on a Web page. And the consequences are pretty high."

Leatham said that organizations that use IP broadcasting to stream media and to collaborate should pay particular attention to this patch. "IP broadcasting is becoming more and more prevalent in the Web 2.0 collaborative environment," he said. "It's definitely something that shouldn't be ignored."
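As an added example (not from the article or from any of the vendors quoted in it), here is a small Python audit that parses raw IPv4 headers and lists IGMP packets arriving from outside a trusted network, which is one way a defender could confirm on a capture that the "block IGMP packets" mitigation Greenbaum recommends is actually in effect. The packets and the trusted network range are constructed for the example.

```python
import ipaddress
import struct

IGMP_PROTOCOL = 2  # IANA protocol number for IGMP in the IPv4 header


def parse_ipv4_header(packet: bytes) -> dict:
    """Parse the fixed 20-byte part of an IPv4 header and return key fields."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20]
    )
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "payload": packet[ihl:],
    }


def igmp_packets(packets):
    """Yield (src, dst, igmp_type) for every IGMP packet in the sample."""
    for pkt in packets:
        hdr = parse_ipv4_header(pkt)
        if hdr["protocol"] != IGMP_PROTOCOL:
            continue
        igmp_type = hdr["payload"][0] if hdr["payload"] else None  # first IGMP byte is the type
        yield hdr["src"], hdr["dst"], igmp_type


def audit_untrusted_igmp(packets, trusted_net: str):
    """Return IGMP packets whose source lies outside trusted_net (these should be firewalled)."""
    net = ipaddress.ip_network(trusted_net)
    return [p for p in igmp_packets(packets) if ipaddress.ip_address(p[0]) not in net]


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet as constructed sample input (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


# Constructed sample capture: one TCP packet, one local IGMPv2 query, one IGMPv3 report from outside.
SAMPLE = [
    build_ipv4(6, "10.0.0.5", "10.0.0.9", b"\x00\x50\x00\x50"),
    build_ipv4(2, "10.0.0.7", "224.0.0.1", b"\x11\x64\x00\x00\x00\x00\x00\x00"),
    build_ipv4(2, "203.0.113.4", "224.0.0.22", b"\x22\x00\x00\x00"),
]
```

Any row returned by `audit_untrusted_igmp` means IGMP from an untrusted source reached the host, so the firewall rule is not doing its job.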

Microsoft Security Bulletin MS08-002, rated "Important," resolves a vulnerability in Microsoft Windows Local Security Authority Subsystem Service (LSASS). Windows 2000 SP4, Windows XP SP2, and Windows Server 2003 SP1 and SP2 are affected. Windows Vista is not affected by this flaw.

LSASS helps manage local security, domain authentication, and Active Directory service processes.

Microsoft is addressing the LSASS issue by validating parameters passed to LSASS APIs.

Sarwate said that because exploiting the LSASS flaw requires valid login credentials, "it is something to be worried about but not as much as the first one."

Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies, said both vulnerabilities are significant in their own way. The TCP/IP flaw could allow an attacker to execute code remotely or to conduct a denial of service attack, he said. However, he added, the attack surface is fairly small since the multicast protocol required to exploit this flaw is not enabled by default and is often blocked.

The LSASS vulnerability itself, Schultze said, isn't terribly dangerous, since it requires a user to execute exploit code locally rather than over a network. But combined with another unpatched vulnerability in Internet Explorer, for example, the LSASS flaw could be used to compromise a machine from afar.

Not addressed this month was the WPAD vulnerability that Microsoft acknowledged last November. "Its omission is a little puzzling since many people have described the resolution as simple and it's been known for quite a while," said Andrew Storms, director of security operations for nCircle, in an e-mailed statement. "It may be that this vulnerability has been out long enough so that Microsoft already has a good sense of the attack method and they feel comfortable delaying based on their assessment of its risk in the wild."

And there's a RealPlayer vulnerability, for which exploit code exists, that has yet to be patched.

Microsoft also issued a security advisory aimed at improving the security protection in Windows Vista for Windows Sidebar gadgets. The advisory points to a document about safe Windows Sidebar gadget use.
