Tuesday 14 December 2004

MS Security Bulletins - 14 December

Five MS Security Bulletins were issued today. All are rated important. Four cover 'Remote Code Execution' vulnerabilities and one covers an 'Elevation of Privilege' vulnerability.

Microsoft Security Bulletin MS04-041

Vulnerability in WordPad Could Allow Code Execution (885836)

A remote code execution vulnerability exists in the Microsoft Word for Windows 6.0 Converter. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system.

The Word for Windows 6.0 Converter helps users convert documents from Word 6.0 formats to the WordPad file format and is included on all affected operating systems.

The vulnerability is due to boundary errors in the table and font conversion in the Word for Windows 6.0 Converter. It can be exploited, for example, via a malicious ".wri", ".rtf", or ".doc" document.


Microsoft Security Bulletin MS04-042

Vulnerability in DHCP Could Allow Remote Code Execution and Denial of Service (885249)

Kostya Kortchinsky has reported two vulnerabilities in Microsoft Windows NT, allowing malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

  1. The vulnerability is caused by an unchecked buffer during logging of a certain value from specific network packets. This can be exploited to cause the DHCP service to stop responding.
  2. The vulnerability is caused by an unchecked buffer in the handling of DHCP request traffic. This can be exploited to cause a buffer overflow and allow execution of arbitrary code.

Microsoft Security Bulletin MS04-043

Vulnerability in HyperTerminal Could Allow Code Execution (873339)

Brett Moore has reported a vulnerability in Microsoft HyperTerminal, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by boundary errors in the handling of HyperTerminal session files and telnet URLs. This can be exploited to cause a buffer overflow by tricking a user into opening a malicious HyperTerminal session file (.ht) or clicking a specially crafted telnet URL in a malicious e-mail or on a website.

Successful exploitation can lead to execution of arbitrary code.

NOTE: Exploitation via a telnet URL requires that HyperTerminal is set as the default telnet client (this is not the default setting).


Microsoft Security Bulletin MS04-044

Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835)

Cesar Cerrudo has reported two vulnerabilities in Microsoft Windows, allowing malicious local users to escalate their privileges.

  1. The vulnerability is caused by an unchecked buffer in the handling of data sent through an LPC (Local Procedure Call) port. This can be exploited to cause a buffer overflow and lead to execution of arbitrary code with elevated privileges.
  2. The vulnerability is caused by an error in the validation of identity tokens in LSASS (Local Security Authority Subsystem Service). This can be exploited to gain elevated privileges.

Microsoft Security Bulletin MS04-045

Vulnerability in WINS Could Allow Remote Code Execution (870763)

Kostya Kortchinsky has reported two vulnerabilities in Microsoft Windows, allowing malicious people to compromise a vulnerable system.

The vulnerability is caused by an unchecked buffer in the handling of the "Name" parameter from certain packets. This can be exploited to cause a buffer overflow and lead to execution of arbitrary code.
