Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: iDefense Security Advisory 04.03.07: Microsoft Windows WMF TriggerableKernel Design Error DoS Vulnerability



> -----Original Message-----
> From: 
> idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefens
> e.com 
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Tuesday, April 03, 2007 10:06 PM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 04.03.07: Microsoft 
> Windows WMF TriggerableKernel Design Error DoS Vulnerability
> 
> Microsoft Windows WMF Triggerable Kernel Design Error DoS 
> Vulnerability
> 
> iDefense Security Advisory 04.03.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Apr 03, 2007
> 
> I. BACKGROUND
> 
> The Microsoft Windows kernel controls which processes are 
> allowed to run
> and is responsible for accessing hardware such as storage devices and
> video adapters, scheduling time for each process to execute, managing
> memory, and other system control tasks. For more information on on the
> Windows kernel visit MSDN at the URL shown below.
> 
> http://msdn.microsoft.com/
> 
> II. DESCRIPTION
> 
> Remote exploitation of a design error in certain kernel GDI 
> functions in
> multiple versions of Microsoft Corp.'s Windows operating system may
> allow an attacker to cause a denial of service condition.
> 
> During testing of the MS06-001 WMF (Windows Metafile) vulnerability, a
> flaw was found in the handling of WMF files. This flaw can cause the
> kernel to perform a bug check, also known as a "blue screen" or system
> crash, when it tries to parse the file. The cause of this bug check is
> an attempt by a function in a kernel system call to read a value
> obtained by dereferencing an offset into a kernel structure. 
> This value
> had been previously created and then reset by previous system 
> calls, and
> at the point it is accessed it does not contain a valid memory
> reference. This results in an access violation error, which in turn
> triggers the bug check.
> 
> This vulnerability is different from both the Microsoft MS06-001 WMF
> vulnerability and the MS05-053 WMF vulnerability and is not fixed by
> either of these patches.
> 
> III. ANALYSIS
> 
> Exploitation of this vulnerability would allow a remote attacker to
> perform a denial of service against an affected system.
> 
> Depending on where the file was saved and configuration details of the
> target, this could result in a persistent denial of service condition,
> causing an immediate reboot upon logging on after an attack. The
> results of testing this vulnerability suggest that in some 
> cases it may
> cause corruption of the system in a manner that prevents the 
> system from
> rebooting.
> 
> It is likely that Enhanced Windows Metafiles (EMF) are also affected,
> but this has not yet been confirmed.
> 
> Currently, due to the type of location being referenced by the kernel,
> it appears that the vulnerability may only be exploitable by a remote
> attacker to cause a DoS condition. The vectors that could be used to
> remotely exploit this vulnerability would most likely be similar to
> those that the MS06-001 vulnerability used.
> 
> IV. DETECTION
> 
> This vulnerability has been confirmed to affect the following 
> Microsoft
> Windows operating systems:
> 
>   * Windows XP with Service Pack 2
>   * Windows 2003 Server
> 
> Other Windows operating systems may also be affected.
> 
> V. WORKAROUND
> 
> Blocking .wmf files at all e-mail and Web gateways is strongly
> recommended. However, this is not effective if blocking is done based
> on file extensions (e.g., .wmf), as an attacker can simply rename the
> file to a new extension.
> 
> Reading e-mail in plain-text can prevent automatic exploitation via
> electronic mail.
> 
> VI. VENDOR RESPONSE
> 
> Microsoft has addressed this vulnerability within MS07-017. For more
> information, consult their bulletin at the following URL.
> 
> http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has 
> assigned the
> name CVE-2007-1211 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 01/10/2006  Initial vendor notification
> 01/10/2006  Initial vendor response
> 04/03/2007  Coordinated public disclosure
> 
> IX. CREDIT
> 
> This vulnerability was discovered by Greg MacManus of iDefense Labs.
> 
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
> 
> Free tools, research and upcoming events
> http://labs.idefense.com/
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2007 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available 
> information. Use
> of the information constitutes acceptance for use in an AS IS 
> condition.
>  There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> _______________________________________________
> To unsubscribe, go here:
> http://www.idefense.com/mailman/listinfo/idlabs-advisories
> 



 




Copyright © Lexa Software, 1996-2009.