Several new Windows vulnerabilities are under investigation.
A China-based group has published information about new vulnerabilities related
to the Help function, the LoadImage API function, and the ANI file format.
Apparently skipping the step of letting Microsoft know in
advance so the company could take steps to protect users, Xfocus Team
(xfocus.net) has published a number of high-risk vulnerabilities affecting Windows.
Minimal details of the vulnerabilities are posted on the xfocus.net site,
but links to “test” code (exploit examples) are provided.
Confidence in the accuracy of the explanations may be eroded
a bit by phrases such as “warning:you host maybe restart!”, but Microsoft is
taking these reports seriously and is investigating.
The LoadImage API vulnerability is a buffer overflow problem
that can allow remote code execution on the vulnerable system.
– AD_LAB-04004 (Xfocus designation) – The LoadImage API buffer overflow does not
affect Windows XP SP2 but does affect other versions of XP, Windows
2003, all versions of Windows 2000, and NT. Xfocus says IE 6.x is needed to test for
the vulnerability, but it isn’t clear whether this means IE 6 must be
installed on one of those operating system versions to make it vulnerable.
– The ANI file parsing vulnerability, related to CVE-2004-1305, can
be exploited remotely to trigger a system crash. The Windows versions
affected are the same as for AD_LAB-04004 (the LoadImage vulnerability).
– The Help vulnerability, related to CVE-2004-1306, is a heap overflow and
integer overflow error in winhlp32.exe due to poor boundary checking. The
initial Xfocus report claims this affects the same versions as the other two
bulletins above, with the exception that it also affects Windows XP SP2.
Details have not been independently verified or verified by
The risk is moderate to high.
There are currently no known mitigating factors for avoiding
damage from these flaws.
No fixes have been released at the time this article was
published, and we can reasonably expect that it will take at least 30 days for
patches to emerge.
As far as the problem posed by the Xfocus group publishing
new Windows vulnerabilities without first notifying Microsoft, I fully support
Microsoft on this one. This doesn’t appear to be the result of some group
growing frustrated over a vendor’s failure to respond to earlier notices and
finally publishing the exploits for everyone to see. As far as I can determine,
the Xfocus investigators simply published the information without regard to
whether it might be best to give the vendor a chance to do something about it
before they let everyone (including malicious hackers) know about the
vulnerabilities. The Mitre CVEs relating to two of the threats were assigned after Xfocus published the vulnerabilities.
I understand the frustration when legitimate attempts to
notify vendors don’t result in any action, but certainly this sort of thing is
irresponsible in the extreme, and there is simply no excuse for it.
I also caution others who discover vulnerabilities to
remember that investigating and fixing threats can take some time, especially
with vendors moving toward pre-scheduled patch release dates to ease the
upgrade burden on harried administrators. Have a little patience, even with
Also watch for …
Microsoft has dropped the big one by announcing that it will introduce its own brand
of antivirus software and other security tools. The beta version of the
company’s recently purchased Giant AntiSpyware is scheduled to be
available for download by the middle of this month. Details are vague, but Neowin.net says some beta copies are already
circulating among the cognoscenti.
Oracle 10g/9i contains multiple vulnerabilities. See Oracle for an upgrade via a
new cumulative patch. The original advisories came from NGS Research.
According to Computer News, a new FDIC (Federal Deposit Insurance Corp.) report
says ID theft resulting in bank account takeovers is still a small problem,
but it is growing, creating the need for stronger authentication methods.
- In related news,
several major vendors with a large Web presence have opted out of
Microsoft Passport services, but the coup de grâce was recently delivered
by eBay, which announced that it will cease accepting Passport
identification. It remains to be seen whether Microsoft can take advantage
of the FDIC’s new call for two-factor authentication and re-create
Passport to use both smart card or biometric validation and the usual
According to a report on the Open Source
Vulnerability Database, Mozilla versions 1.0 through 1.7.3 contain a
denial-of-service vulnerability triggered by a specially crafted “news://”
URL. Upgrade to a newer version to fix the problem.
Finally, remember to warn your users about vultures pushing e-mail scams
in the name of tsunami victims. Treat all such messages as bogus even
if they appear legitimate, since phishing techniques make sender addresses and links easy to forge. On the positive
side, there is a proposed special dispensation, for this year only, for disaster
donations to real charities – keep an eye on the news to see if it gets
passed into law. If it does (which seems likely), then U.S. taxpayers can
deduct January 2005 donations in the 2004 tax year. When in doubt, just
make your donations to The American Red Cross.