Microsoft Patch Disclosure - December 2005 - PATCH INTERNET EXPLORER ASAP!


December 13, 2005 Microsoft Patch Disclosure - December 2005

Microsoft issued two patches today for December's updates: one correcting a kernel vulnerability and the other addressing multiple Internet Explorer vulnerabilities.

The kernel-level vulnerability, discovered by the eEye Research Team, is a local privilege escalation flaw that a malicious user could use, alone or in combination with other attacks, to gain full control of every level of a system. The Internet Explorer update addresses four separate issues, the most high-profile being the much-publicized Mismatched Document Object Model Objects Memory Corruption Vulnerability (also known as the window() onload exploit), which had been reported as being used in the wild to spread malware.

This Month's Bulletins

Critical - MS05-054 - Cumulative Security Update for Internet Explorer
Important - MS05-055 - Vulnerability in Windows Kernel Allows Elevation of Privilege

Bulletin Summary

MS05-054 Cumulative Security Update for Internet Explorer
Microsoft Severity Rating: Critical

Description

Microsoft has patched four separate Internet Explorer issues with this update. Of the four, two are considered critical and two are moderate. Listed from least to most serious, the issues are:

* HTTPS Proxy Vulnerability (CAN-2005-2830)
* File Download Dialog Box Manipulation Vulnerability (CAN-2005-2829)
* COM Object Instantiation Memory Corruption Vulnerability (CAN-2005-2831)
* Mismatched Document Object Model Objects Memory Corruption Vulnerability (CAN-2005-1790)

CAN-2005-2830 is the least serious of the four. It allows an attacker to read the web addresses (URLs) that Internet Explorer sends to an HTTPS proxy server, even though that traffic is supposed to be encrypted. Note that only the web address is exposed, not the actual page content.

CAN-2005-2829 allows remote code to run in the context of the logged-on user; it requires the attacker to trick the user into visiting a malicious web page or opening a malicious HTML file.

CAN-2005-2831 covers code execution vulnerabilities that arise from instantiating COM objects never intended to be instantiated inside Internet Explorer, along the same lines as the Javaprxy.dll and MS Design Tools flaws patched in the last few Internet Explorer hotfixes.

CAN-2005-1790 received substantial media coverage last month because it was actively being used to distribute malware. This flaw allows an attacker to execute code remotely on a target machine; however, like the other issues, it requires the user to be tricked into visiting a malicious website, and the attack code runs in the context of the logged-on user.

This cumulative update also sets the kill bit (the registry flag that stops Internet Explorer from instantiating a given control) for the First4Internet ActiveX control distributed by Sony BMG as part of the XCP uninstallation process. eEye finds it very interesting to see Microsoft fixing an issue with a third party's ActiveX control in a security rollup.
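A kill bit is applied by setting bit 0x400 in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The script below is an added example (not part of the eEye bulletin or any Microsoft tool) that verifies which controls are blocked by parsing a `reg export` of that key. The CLSIDs in the embedded sample are constructed placeholders, not the real First4Internet control's identifier; substitute the CLSID from the Microsoft bulletin when checking a live system.

```python
import re

# Documented by Microsoft: bit 0x400 in "Compatibility Flags" under the
# ActiveX Compatibility\{CLSID} key prevents IE from instantiating the control.
KILL_BIT = 0x400
ACTIVEX_COMPAT = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
)

# Constructed sample of `reg export` output for that key. The three CLSIDs are
# hypothetical placeholders chosen for this example, not real control identifiers.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-1111-2222-3333-444444444444}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{12345678-1234-1234-1234-123456789ABC}]
"Compatibility Flags"=dword:00000401
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DWORD_RE = re.compile(
    r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})\s*$', re.IGNORECASE
)


def parse_compat_flags(reg_text):
    """Return {CLSID: flags} for every CLSID subkey of ActiveX Compatibility.

    Only the "Compatibility Flags" DWORD is collected; other values are ignored.
    """
    flags = {}
    current = None
    prefix = ACTIVEX_COMPAT + "\\"
    for line in reg_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            # Registry key names are case-insensitive; normalise the CLSID.
            if key.lower().startswith(prefix.lower()):
                current = key[len(prefix):].upper()
            else:
                current = None
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            flags[current] = int(m.group(1), 16)
    return flags


def is_killed(flags, clsid):
    """True if the kill bit is set. A missing key means the control is NOT blocked."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)


def killed_controls(reg_text):
    """Sorted list of CLSIDs whose kill bit is set in the export."""
    flags = parse_compat_flags(reg_text)
    return sorted(c for c, f in flags.items() if f & KILL_BIT)


if __name__ == "__main__":
    for clsid in killed_controls(SAMPLE_REG_EXPORT):
        print("kill bit set:", clsid)
```

On a real machine, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg`; the file is written as UTF-16, so open it with `encoding="utf-16"` before passing the text in. The check treats an absent key as "not blocked", which is the correct conservative reading: only an explicit 0x400 bit stops IE from loading the control.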

Recommendations

Because one of the issues fixed in this patch has already been used in the wild to distribute malware, eEye Digital Security highly recommends testing and installing this patch as soon as possible.

MS05-055 Vulnerability in Windows Kernel Allows Elevation of Privilege
Microsoft Severity Rating: Important

Description

eEye Digital Security has discovered a local privilege escalation vulnerability in the Windows kernel that could allow any code executing on a Windows NT 4.0 or Windows 2000 system to elevate itself to the highest possible local privilege level (kernel). For example, a malicious user, network worm, or email virus could take advantage of this vulnerability to completely compromise the system on which the exploit code is executing, regardless of that code's original privilege level.

The vulnerability exists in the thread termination routine contained within NTOSKRNL.EXE. Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data. The result is a "data free" vulnerability (a free of memory that was never a heap allocation) that may be exploited to alter arbitrary kernel memory, or even to divert the flow of execution directly.

For more details, please see the eEye Research Advisory on this vulnerability: http://www.eeye.com/html/research/advisories/AD20051213.html

Recommendations

eEye recommends that this patch be tested and installed on affected systems as soon as possible, as the potential for using this vulnerability in a blended threat is high and could lead to a remote system compromise. For example, an attacker could pair one of the recent remote code execution vulnerabilities with this flaw, escalating from the compromised user's privileges to full kernel-level control of the system.

Submitted by cybernoggin on Wed, 12/14/2005 - 5:56am.