Several new Windows vulnerabilities are under investigation.
A China-based group has published information about new vulnerabilities related
to the Help function, the LoadImage API function, and ANI file parsing.

Details

Apparently skipping the step of letting Microsoft know in
advance so the company could take steps to protect users, Xfocus Team
(xfocus.net) has published a number of high-risk vulnerabilities affecting Windows
products.

Minimal details of the vulnerabilities are posted on the xfocus.net site,
but “test” code (exploit examples) links are provided.

Confidence in the accuracy of the explanations may be eroded
a bit by phrases such as, “warning:you host maybe restart!” but Microsoft is
taking these reports seriously and is investigating.

The LoadImage API vulnerability is a buffer overflow problem
that can allow remote code execution on the vulnerable system.

Applicability

  • AD_LAB-04004
    (Xfocus designation) – The LoadImage API buffer overflow threat does not
    affect Windows XP SP2 but does occur in other versions of XP, Windows
    2003, all versions of Windows 2000, and NT. You need IE 6.x to test for
    the vulnerability, but it isn’t clear whether this means IE 6 needs to be
    installed on one of the operating system versions to make them vulnerable.
  • AD_LAB-04005
    – The ANI file parsing vulnerability is related to CVE-2004-1305. It can
    be exploited remotely to trigger a system crash. The Windows versions
    affected are the same as for AD_LAB-04004.
  • AD_LAB-04006
    – This is related to CVE-2004-1306 and is a heap overflow and integer
    overflow error in winhlp32.exe due to poor boundary checking. The
    initial Xfocus report claims this affects the same versions as the other two
    bulletins above, with the exception that it also affects Windows XP SP2.

The details have not yet been verified independently or by Microsoft.

Risk level

The risk is moderate to high.

Mitigating factors

There are currently no known mitigating factors for avoiding
damage from these flaws.

Fix

No fixes have been released at the time this article was
published, and we can reasonably expect that it will take at least 30 days for
patches to emerge.

Final word

As far as the problem posed by the Xfocus group publishing
new Windows vulnerabilities without first notifying Microsoft, I fully support
Microsoft on this one. This doesn’t appear to be the result of some group
growing frustrated over a vendor’s failure to respond to earlier notices and
finally publishing the exploits for everyone to see. As far as I can determine,
the Xfocus investigators simply published the information without regard to
whether it might be best to give the vendor a chance to do something about it
before they let everyone (including malicious hackers) know about the
vulnerabilities. The MITRE CVE identifiers for two of the threats were assigned after Xfocus published the vulnerability
details.

I understand the frustration when legitimate attempts to
notify vendors don’t result in any action, but certainly this sort of thing is
irresponsible in the extreme, and there is simply no excuse for it.

I also caution others who discover vulnerabilities to
remember that investigating and fixing threats can take some time, especially
with vendors moving toward pre-scheduled patch release dates to ease the
upgrade burden on harried administrators. Have a little patience, even with
Microsoft.


Also watch for …

  • Microsoft
    has dropped the big one by announcing that it will introduce its own brand
    of antivirus software and other security tools. The beta version of the
    company’s recently-purchased Giant AntiSpyware is scheduled to be
    available for download by the middle of this month. Details are vague but Neowin.net says some beta copies are already
    circulating among the cognoscenti.
  • Oracle
    10g/9i contains multiple vulnerabilities. See Oracle for an upgrade via a
    new cumulative patch. The original advisories came from NGS Research.
  • According to Government Computer News, a new FDIC (Federal Deposit
    Insurance Corp.) study says ID theft resulting in bank account captures is
    still a small problem but it is growing, creating the need for stronger
    authentication methods.
  • In related news,
    several major vendors with a large Web presence have opted out of
    Microsoft Passport services, but the coup de grâce was recently delivered
    by eBay, which announced that it will cease accepting Passport
    identification. It remains to be seen whether Microsoft can take advantage
    of the FDIC’s new call for two-factor authentication and re-create
    Passport to use smart card or biometric validation in addition to the
    usual single-factor password.
  • According to a report on the Open Source Vulnerability Database, Mozilla
    versions 1.0 through 1.7.3 contain a denial of service vulnerability
    triggered by a specially-crafted “news://” URL. Upgrade to a newer version
    to fix the problem.
  • And,
    finally, remember to warn your users about vultures pushing e-mail scams
    in the name of tsunami victims. All such messages are probably bogus even
    if they appear legit, due to phishing techniques. But on the positive
    side, there is a special dispensation this year only for disaster
    donations to real charities – keep an eye on the news to see if it gets
    passed into law. If it does (which seems likely), then U.S. taxpayers can
    deduct January 2005 donations in the 2004 tax year. When in doubt, just
    make your donations to The American Red Cross.