
Inside MSRC: Critical Windows flaw affects XP, Vista


For January 2008, we are releasing two new security bulletins: one rated Critical and one rated Important. To help with your risk assessment and deployment planning, I will walk through the nature of these vulnerabilities and which systems should be updated.

MS08-001



MS08-001, which carries a maximum severity rating of Critical, addresses two vulnerabilities: the first is rated Critical and the second Important. The Critical one is a remote code execution vulnerability in the way the Windows TCP/IP stack processes Internet Group Management Protocol version 3 (IGMPv3) for IPv4 and Multicast Listener Discovery (MLD) for IPv6. A remote, unauthenticated attacker who sends specially crafted packets could run arbitrary code in the security context of SYSTEM; no user interaction is required for the attack to succeed. All supported versions of Windows are affected except Windows 2000 Service Pack 4, which supports only IGMPv2, and the vulnerability does not exist in IGMPv2. The systems most at risk are Windows XP Service Pack 2 and Windows Vista, because IGMP is listening by default on both. Windows Server 2003, in contrast, does not enable IGMP by default. A word of caution, however: an application installed on Windows Server 2003 that requires IGMP will expose IGMP to attack, and such applications range from video conferencing systems to IP telephony systems. If you are not using IGMP in your environment, it can be disabled. Please refer to the bulletin for additional information.

The second vulnerability covered in MS08-001, rated Important, is a denial of service vulnerability in the processing of ICMP Router Discovery Protocol (RDP) messages; this is the ICMP router discovery mechanism, not Remote Desktop, which shares the abbreviation. Router discovery is not enabled by default. A remote, unauthenticated attacker who sends specially crafted packets could render the target system unresponsive; again, no user interaction is required. All supported versions of Windows are affected by this vulnerability with the exception of Windows Vista. Router Discovery processing can be disabled if it is not used in your environment. Please refer to the bulletin for additional information.
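Both MS08-001 workarounds come down to "turn the protocol off if nothing uses it". The script below is an added example, not part of this column or of the bulletin, that audits both settings on Windows XP and Windows Server 2003 and, with -Disable, applies them. IGMPLevel and PerformRouterDiscovery are documented Windows TCP/IP registry parameters; the helper function, the -Disable switch and the output text are this example's own. Run it from an elevated PowerShell prompt and reboot afterwards for the change to take effect.

```powershell
# Added example (not from the MSRC column or the MS08-001 bulletin):
# audit the IGMP and ICMP Router Discovery settings behind the two
# MS08-001 workarounds and, with -Disable, apply them.
# Value names are the documented Windows TCP/IP registry parameters;
# the script layout and the -Disable switch are this example's own.
# Test on a non-production machine first: IGMPLevel=0 breaks any
# application that depends on multicast (video conferencing, IP telephony).
param([switch]$Disable)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DwordOrDefault($Path, $Name, $Default) {
    # An absent value means "Windows default", so report the default, not $null.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

# --- IGMP (first MS08-001 vulnerability) ---------------------------------
# IGMPLevel: 0 = no multicast, 1 = send only (no IGMP membership reports),
# 2 = full IGMP, which is the default when the value is absent.
# The bulletin workaround sets it to 0; anything else is treated as not applied.
$igmp = Get-DwordOrDefault $tcpip 'IGMPLevel' 2
if ($igmp -eq 0) {
    Write-Host "IGMPLevel = 0 : IGMP disabled (workaround applied)"
} else {
    Write-Host "IGMPLevel = $igmp : host processes IGMP packets (exposed)"
    if ($Disable) {
        Set-ItemProperty -Path $tcpip -Name 'IGMPLevel' -Value 0 -Type DWord
        Write-Host "  -> IGMPLevel set to 0 (reboot required)"
    }
}

# --- ICMP Router Discovery (second MS08-001 vulnerability) ---------------
# PerformRouterDiscovery is per interface: 0 = disabled, 1 = enabled,
# 2 = enabled only if DHCP option 31 turns it on (the default).
Get-ChildItem -Path "$tcpip\Interfaces" | ForEach-Object {
    $ifKey = $_.PSPath
    $guid  = $_.PSChildName
    $rd = Get-DwordOrDefault $ifKey 'PerformRouterDiscovery' 2
    switch ($rd) {
        0       { Write-Host "$guid : router discovery disabled" }
        1       { Write-Host "$guid : router discovery ENABLED" }
        default { Write-Host "$guid : router discovery follows DHCP option 31 (value $rd)" }
    }
    if ($Disable -and $rd -ne 0) {
        Set-ItemProperty -Path $ifKey -Name 'PerformRouterDiscovery' -Value 0 -Type DWord
        Write-Host "  -> PerformRouterDiscovery set to 0 (reboot required)"
    }
}

# Windows Vista's rewritten TCP/IP stack is configured with netsh instead, e.g.
#   netsh interface ipv4 set global mldlevel=none
# and the "ipv6" equivalent for MLD; confirm against the bulletin's workaround
# section before relying on it.
```

Run it without arguments to report, and with -Disable to apply. Before deciding that multicast is unused on a host, check what it has actually joined (on XP and Server 2003, `netsh interface ip show joins`); an IGMP-dependent application will show up there even on a server where IGMP is "off by default". If the host must keep IGMP, the remaining mitigations are the update itself and filtering IGMP and ICMP router advertisements at the network edge and host firewall.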

MS08-002
MS08-002, which is rated Important, addresses an elevation of privilege (EoP) vulnerability that a logged-on user can exploit locally to gain SYSTEM privileges. All supported versions of Windows are affected with the exception of Windows Vista; the bulletin goes into more detail on the vulnerability itself. The affected component is the Local Security Authority Subsystem Service (LSASS), which enforces the local security policy, handles local and domain authentication, and, on domain controllers, hosts Active Directory.

If you would like a deeper understanding of the intricacies of the vulnerabilities addressed by this month's security bulletin release, I encourage you to visit our Security Vulnerability Research & Defense blog. The information posted there goes a step further than the bulletins. How big a step, you might ask? The answer to that question is on the blog itself.

As I have noted in the past, testing the security updates on non-production machines first will help you identify issues that may arise from the security update process. While all of our security updates are rigorously tested prior to public release, we cannot duplicate the multitude of diverse computing environments that exist.

If you haven't already, I encourage you to become familiar with the next version of the Microsoft Baseline Security Analyzer (MBSA), slated for release soon, which will have full Windows Vista support as well as other enhancements.

Conclusion
I want to encourage you to take a moment and register for our regular monthly security bulletin webcast, which will be held on Wednesday, January 9, at 11:00 a.m., Pacific Standard Time.

Adrian Stone, lead security program manager, and Tim Rains, security response communications lead, (standing in for me this month) will review information about each bulletin to help you with your planning and deployment. After our review session, they will answer your questions – with information from our assembled panel of experts. If you can't make the live webcast, you can also access it on-demand.

Please take a moment and mark your calendars for the February 2008 monthly bulletin. The release is scheduled for Tuesday, February 12, 2008, and the advance notification is scheduled for Thursday, February 7, 2008. Look for the February edition of this column on release day with information to help you with your planning and deployment of the most recent security bulletins.