Security Alerts
April 10, 2007
Microsoft Releases April 2007 Security Bulletin for Multiple Vulnerabilities
Summary
On April 10, 2007 Microsoft released their monthly security bulletin (revision 2) with the latest security updates for workstations and servers. The Microsoft release lists six (6) security bulletins, with five (5) rated critical and one (1) rated important. All of these patches should be applied. The five critical ones are patches for GDI (Graphics Device Interface), Content Management Server, Universal Plug and Play (UPnP), Microsoft Agent, and the Client/Server Run-time Subsystem (CSRSS); each can lead to remote code execution on a system that is left unpatched. The GDI patch includes the ANI (animated cursor) vulnerability fix that was released last week. A vulnerability in the Windows Kernel that could allow elevation of privilege is rated important. The UPnP patch deserves particular attention: an attacker who successfully exploited this vulnerability could run arbitrary code in the context of a local service. The UPnP framework uses UDP port 1900 and TCP port 2869, and the Simple Service Discovery Protocol (SSDP) uses multicast searches over these two ports to discover UPnP devices on the network. The affected operating system platforms are:
* Windows Server 2003
* Windows XP
* Windows 2000 SP4
* Windows Vista
It is imperative that patches with critical and important designations be applied: remote code execution vulnerabilities of this kind can allow complete compromise and control of systems by attackers both within campus and on the Internet. All six patches will be delivered via BigFix. Details are in the Technical Details section of this post.
What to Do
Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. A customized update will be delivered to workstations and servers via BigFix if you subscribe to this service. The BigFix deliverable includes all six patches. Individual updates can be downloaded from the Summary section of the Microsoft bulletin page listed under References. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.
Technical Details
It is important that all patches designated as critical or important be applied. The patches for the vulnerabilities are listed as follows; those marked with an * are delivered via BigFix:
Critical (5)
*MS07-017 - Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
Impact: Remote Code Execution
GDI Local Elevation of Privilege Vulnerability - CVE-2006-5758:
A privilege elevation vulnerability exists in the Graphics Rendering Engine in the way that it starts applications. This vulnerability could allow a logged on user to take complete control of the system.
WMF Denial of Service Vulnerability - CVE-2007-1211:
A denial of service vulnerability exists in Windows when rendering Windows Metafile (WMF) image format files. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding and possibly restart.
EMF Elevation of Privilege Vulnerability - CVE-2007-1212:
An elevation of privilege vulnerability exists in the rendering of Enhanced Metafile (EMF) image format files. Any program that renders EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
GDI Invalid Window Size Elevation of Privilege Vulnerability - CVE-2006-5586:
A privilege elevation vulnerability exists in the Graphics Rendering Engine in the way that it renders layered application windows. This vulnerability could allow a logged on user to take complete control of the system.
Windows Animated Cursor Remote Code Execution Vulnerability - CVE-2007-0038:
A remote code execution vulnerability exists in the way that Windows handles cursor, animated cursor, and icon formats. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
GDI Incorrect Parameter Local Elevation of Privilege Vulnerability - CVE-2007-1215:
A local elevation of privilege vulnerability exists in the Graphics Device Interface due to the way it processes color-related parameters. This vulnerability could allow an attacker to take complete control of the system.
Font Rasterizer Local Elevation of Privilege Vulnerability - CVE-2007-1213:
A local elevation of privilege vulnerability exists in the TrueType Fonts rasterizer in the way that it handles defective or modified font types. This vulnerability could allow a logged-on user to take complete control of the system.
*MS07-018 - Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (925939)
Impact: Remote Code Execution
CMS Memory Corruption Vulnerability - CVE-2007-0938:
A remote code execution vulnerability exists in Content Management Server because of the way that it handles a specially crafted HTTP request.
Cross-site Scripting and Spoofing Vulnerability in CMS Vulnerability - CVE-2007-0939:
A cross-site scripting and spoofing vulnerability exists in Microsoft Content Management Server (MCMS) which could allow an attacker to convince a user to run a malicious script. If this malicious script is run, it would execute in the security context of the user. Attempts to exploit this vulnerability require user interaction. This vulnerability could allow an attacker access to any data on the affected systems that was accessible to the individual user.
*MS07-019 - Vulnerability in Universal Plug and Play Could Allow Remote Code Execution (931261)
Impact: Remote Code Execution
UPnP Memory Corruption Vulnerability - CVE-2007-1204:
A remote code execution vulnerability exists in the Universal Plug and Play service in the way that it handles specially crafted HTTP requests. An attacker who has successfully exploited this vulnerability could run arbitrary code in the context of local service.
*MS07-020 - Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168)
Impact: Remote Code Execution
Microsoft Agent URL Parsing Vulnerability Could Allow Remote Code Execution - CVE-2007-1205:
A remote code execution vulnerability exists in Microsoft Agent in the way that it handles certain specially crafted URLs.
*MS07-021 - Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)
Impact: Remote Code Execution
MsgBox (CSRSS) Remote Code Execution Vulnerability - CVE-2006-6696:
A remote code execution vulnerability exists in the Windows Client/Server Run-time Subsystem (CSRSS) process because of the way that it handles error messages. An attacker could exploit the vulnerability by constructing a specially crafted application that could potentially allow remote code execution.
CSRSS Local Elevation of Privilege Vulnerability - CVE-2007-1209:
A privilege elevation vulnerability exists in the way that the Windows 32 Client/Server Run-time Subsystem (CSRSS) handles its connections during the startup and stopping of processes.
CSRSS DoS Vulnerability - CVE-2006-6797:
A denial of service vulnerability exists in the Client/Server Run-time Subsystem (CSRSS) service because of the way it handles error messages. An attacker could exploit the vulnerability by running a specially crafted application causing the system to restart.
Important (1)
*MS07-022 - Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784)
Impact: Elevation of Privilege
Kernel Local Elevation of Privilege Vulnerability - CVE-2007-1206:
A privilege elevation vulnerability exists in Windows Kernel because of incorrect permissions on a mapped memory segment. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Affected Platforms and Applications:
Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003
Windows Server 2003 Service Pack 1
Windows Server 2003 Service Pack 2
Windows Server 2003 for Itanium-based Systems
Windows Server 2003 with SP1 for Itanium-based Systems
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition Service Pack 2
Windows Vista
Windows Vista x64 Edition
Content Management Server 2001 Service Pack 1
Content Management Server 2002 Service Pack 2
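As an added example (not the advisory's or BigFix's own tooling), the following Python script checks a Windows host's installed-update list against the six KB numbers from the bulletins above and reports which bulletins are still missing. The QFE output it parses is constructed sample data, and check_live_host() assumes the wmic command is available on the host.

```python
"""Report which April 2007 bulletin patches a Windows host is missing.
Added example (not part of the advisory or of BigFix): parses the HotFixID
column of `wmic qfe get HotFixID` (Win32_QuickFixEngineering) and compares
it with the KB numbers listed in this advisory.
"""
import re
import subprocess
from typing import Dict, List, Set

# Bulletin -> KB article, as listed in the Technical Details section.
APRIL_2007_BULLETINS: Dict[str, str] = {
    "MS07-017": "KB925902",  # GDI (includes the animated cursor fix)
    "MS07-018": "KB925939",  # Content Management Server (only where CMS is installed)
    "MS07-019": "KB931261",  # Universal Plug and Play
    "MS07-020": "KB932168",  # Microsoft Agent
    "MS07-021": "KB930178",  # CSRSS
    "MS07-022": "KB931784",  # Windows Kernel
}

# Constructed sample of `wmic qfe get HotFixID` output (not a real capture):
# four of the six patches present, MS07-018 and MS07-020 absent.
SAMPLE_QFE_OUTPUT = """HotFixID
KB912945
KB925902
KB930178
KB931261
KB931784
"""

def installed_kbs(qfe_output: str) -> Set[str]:
    """Extract every KBnnnnnn identifier from QFE text; other columns are ignored."""
    return {"KB" + n for n in re.findall(r"\bKB(\d{6,7})\b", qfe_output, re.IGNORECASE)}

def missing_bulletins(qfe_output: str,
                      required: Dict[str, str] = APRIL_2007_BULLETINS) -> List[str]:
    """Return bulletin IDs whose KB article is absent. QFE lists a patch as soon
    as it is installed, before the reboot the advisory asks for, so a clean
    result still assumes the host has been rebooted."""
    present = installed_kbs(qfe_output)
    return sorted(bid for bid, kb in required.items() if kb not in present)

def check_live_host() -> List[str]:
    """Run wmic on the local Windows host and report its missing bulletins."""
    proc = subprocess.run(["wmic", "qfe", "get", "HotFixID"],
                          capture_output=True, text=True, check=True)
    return missing_bulletins(proc.stdout)

if __name__ == "__main__":
    for bid in missing_bulletins(SAMPLE_QFE_OUTPUT):
        print(f"{bid} ({APRIL_2007_BULLETINS[bid]}) is not installed")
```

Pass a smaller `required` dictionary to skip MS07-018 on hosts that do not run Content Management Server.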
References
Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms07-apr.mspx