Microsoft Confirms 17-year-old Windows Vulnerability.

[Samsonite 196]

Just when you think mickeysoft can't sink any lower......

 

"January 21st, 2010

Microsoft confirms 17-year-old Windows vulnerability

Posted by Ryan Naraine @ 8:05 am

 

One day after a Google security researcher released code to expose a flaw that affects every release of the Windows NT kernel — from Windows NT 3.1 (1993) up to and including Windows 7 (2009) — Microsoft dropped a security advisory to acknowledge the issue and warn of the risk of privilege escalation attacks.

 

Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code in kernel mode. For an attack to be successful, the attacker must have valid logon credentials.

 

The flaw does not affect Windows operating systems for x64-based and Itanium-based computers, Microsoft said.

 

According to Tavis Ormandy, the Google researcher who released the flaw details, Microsoft was notified about the issue in June 2009. After waiting several months and not seeing a patch, he decided it was in the best interest of everyone to go public.

 

As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch. It should be noted that very few users rely on NT security, the primary audience of this advisory is expected to be domain administrators and security professionals.

 

Ormandy’s advisory includes instructions for temporarily disabling the MSDOS and WOWEXEC subsystems to prevent an attack from functioning. This can be done via Group Policy.

 

The mitigation in Microsoft’s advisory mirrors the advice from Ormandy.

 

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations."

 

http://blogs.zdnet.com/security/?p=5307

 

and...

 

"January 21st, 2010

Microsoft knew of IE zero-day flaw since last September

 

Posted by Ryan Naraine @ 12:34 pm

 

Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.

 

The flaw was in the Microsoft Security Response Center’s (MSRC) queue to be fixed in the the next batch of patches due in February but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.

 

The IE update applies to all versions of the browser on all Windows OS versions and patches at least eight documented vulnerabilities that could lead to remote code execution attacks.

 

The patches are included in the critical MS10-002 bulletin.

 

The vulnerability used in the attacks (CVE-2010-0249) was private reported to Microsoft last August by Meron Sellen, a white-hat hacker at BugSec, an Israeli security research company. Microsoft program manager Jerry Bryant said the company confirmed the severity of the flaw in September and planned to ship a fix in a cumulative IE update next month.

 

The vulnerability is described as a remote code execution issue in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted.

 

An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

Even if you don’t user Internet Explorer for regular Web browser, it’s important for Windows users to apply this update immediately. That’s because the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file.

 

“Customers would have to open a malicious file to be at risk of exploitation,” Microsoft’s Bryant said, urging users to disable ActiveX controls in Microsoft Office."

 

http://blogs.zdnet.com/security/?p=5324&tag=wrapper;col1

Edited January 23, 2010 by Samsonite