Microsoft

Xfocus prematurely discloses three Windows flaws

A trio of dangerous new vulnerabilities have been uncovered and published by the Xfocus Team, a Chinese organization. Get a look at the flaws and the software they affect.

Several new Windows vulnerabilities are under investigation. A China-based group has published information about new vulnerabilities related to the Help function, the LoadImage API function, and the ANI format authentication.

Details

Apparently skipping the step of letting Microsoft know in advance so the company could take steps to protect users, Xfocus Team (xfocus.net) has published a number of high-risk vulnerabilities affecting Windows products.

Minimal details of the vulnerabilities are posted on the xfocus.net site, but "test" code (exploit examples) links are provided.

Confidence in the accuracy of the explanations may be eroded a bit by phrases such as, "warning:you host maybe restart!" but Microsoft is taking these reports seriously and is investigating.

The LoadImage API vulnerability is a buffer overflow problem that can allow remote code execution on the vulnerable system.

Applicability

  • AD_LAB-04004 (Xfocus designation) – The LoadImage API buffer overflow threat does not affect Windows XP SP2 but does occur in other versions of XP, Windows 2003, all versions of Windows 2000, and NT. You need IE 6.x to test for the vulnerability, but it isn't clear whether this means IE 6 needs to be installed on one of the operating system versions to make them vulnerable.
  • AD_LAB-04005 – The ANI file parsing vulnerability is related to CVE 2004-1305. It can be exploited remotely to trigger a system crash. The Windows versions affected are the same as for AD_LAB-04004.
  • AD_LAB-04006 – This is related to CVE 2004-1306 and is a heap overflow and integer buffer overflow error in winhlp32.exe due to poor boundary checking. The initial Xfocus report claims this affects the same versions as the other two bulletins above, with the exception that it also affects Windows XP SP2.

Details have not been independently verified or verified by Microsoft yet.

Risk level

The risk is moderate to high.

Mitigating factors

There are currently no known mitigating factors for avoiding damage from these flaws.

Fix

No fixes have been released at the time this article was published, and we can reasonably expect that it will take at least 30 days for patches to emerge.

Final word

As far as the problem posed by the Xfocus group publishing new Windows vulnerabilities without first notifying Microsoft, I fully support Microsoft on this one. This doesn't appear to be the result of some group growing frustrated over a vendor's failure to respond to earlier notices and finally publishing the exploits for everyone to see. As far as I can determine, the Xfocus investigators simply published the information without regard to whether it might be best to give the vendor a chance to do something about it before they let everyone (including malicious hackers) know about the vulnerabilities. The Mitre CVEs relating to two threats were assigned after Xfocus published the vulnerability details.

I understand the frustration when legitimate attempts to notify vendors don't result in any action, but certainly this sort of thing is irresponsible in the extreme, and there is simply no excuse for it.

I also caution others who discover vulnerabilities to remember that investigating and fixing threats can take some time, especially with vendors moving toward pre-scheduled patch release dates to ease the upgrade burden on harried administrators. Have a little patience, even with Microsoft.


Also watch for …

  • Microsoft has dropped the big one by announcing that it will introduce its own brand of antivirus software and other security tools. The beta version of the company's recently-purchased Giant AntiSpyware is scheduled to be available for download by the middle of this month. Details are vague but Neowin.net says some beta copies are already circulating among the cognoscenti.
  • Oracle 10g/9i contains multiple vulnerabilities. See Oracle for an upgrade via a new cumulative patch. The original advisories came from NGS Research.
  • According to Government Computer News, a new FDIC (Federal Deposit Insurance Corp.) study says ID theft resulting in bank account captures is still a small problem but it is growing, creating the need for stronger authentication methods.
  • In related news, several major vendors with a large Web presence have opted out of Microsoft Passport services, but the coup de gras was recently delivered by eBay, which announced that it will cease accepting Passport identification. It remains to be seen whether Microsoft can take advantage of the FDIC's new call for two-factor authentication and re-create Passport to use both smart card or biometric validation and the usual single-factor password.
  • According to a report on the Open Source Vulnerability Database, Mozilla versions 1.0 through 1.7.3 contain a denial of service vulnerability triggered by a specially-crafted "news://" URL. Upgrade to a newer version to fix the problem.
  • And, finally, remember to warn your users about vultures pushing e-mail scams in the name of tsunami victims. All such messages are probably bogus even if they appear legit, due to phishing techniques. But on the positive side, there is a special dispensation this year only for disaster donations to real charities – keep an eye on the news to see if it gets passed into law. If it does (which seems likely), then U.S. tax payers can deduct January 2005 donations in the 2004 tax year. When in doubt, just make your donations to The American Red Cross.

Editor's Picks

Free Newsletters, In your Inbox