[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Critical TCP/IP Worm Hole Dings Windows Vista


By Ryan Naraine
January 8, 2008

Microsoft has issued a high-priority security update to fix a pair of 
"critical" flaws that expose Windows users to remote code execution 

The Redmond, Wash. software giant's first batch of patches for 2008 
includes a fix for at least two vulnerabilities in TCP/IP (Transmission 
Control Protocol/Internet Protocol) processing.

The bugs, rated critical for all supported versions of Windows XP and 
Windows Vista, could be exploited by remote attackers to "take complete 
control of an affected system," Microsoft warned in its MS08-001 

In worst-case scenarios, Microsoft said attackers could hijack Windows 
XP and Vista systems to install programs; view, change, or delete data; 
or create new accounts with full user rights.

The TCP/IP bulletin affects Windows Server 2003 Windows 2000 but the 
severity rating is downgraded for those operating systems.

The most serious of the two bugs, discovered and reported by researchers 
at IBM's ISS X-Force, is a remote code execution vulnerability in the 
way the Windows kernel handles TCP/IP structures storing the state of 
IGMPv3 and MLDv2 queries.

"An anonymous attacker could exploit the vulnerability by sending 
specially crafted IGMPv3 and MLDv2 packets to a computer over the 
network," Microsoft warned. Although this makes the vulnerability 
wormable, several anti-exploitation mechansisms built into Windows Vista 
and the presence of a firewall turned on by default in Windows XP means 
there is little likelihood of a remote network worm affecting Windows 

The second vulnerability in the MS08-001 bulletin is described as a 
denial-of-service issue in the way the Windows Kernel processes 
fragmented router advertisement ICMP queries.

It's important to note that ICMP Router Discovery Protocol (RDP) is not 
enabled by default and is required in order to exploit this 

However, on Windows 2003 Server and on Windows XP, Microsoft warned that 
RDP can be turned on by a setting in DHCP or by a setting in the 
registry. Also, on Windows 2000, RDP can be turned on by a setting in 
the registry.

Microsoft said an anonymous attacker could exploit the vulnerability by 
sending specially crafted ICMP packets to a computer over the network, 
causing the computer to stop responding and automatically restart.

The company also shipped MS08-002, an "important" bulletin that patches 
a privilege elevation flaw in the in the Microsoft Windows Local 
Security Authority Subsystem Service (LSASS).

The LSASS bug, which was found by Thomas Garnier of SkyRecon, affects 
Windows 2000, Windows XP and Windows Server 2003. Windows Vista is not 

Visit InfoSec News