STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

January 23, 2008

Microsoft Releases January 2008 Security Bulletin for Multiple Vulnerabilities

Summary

On January 8, 2008, Microsoft released its monthly security bulletin with the latest security updates for workstations and servers. The bulletin lists two (2) security vulnerabilities, one critical and one important. The critical patch addresses a vulnerability in TCP/IP processing that can lead to remote code execution if unpatched. The other addresses a vulnerability in the Microsoft Windows Local Security Authority Subsystem Service (LSASS) that, when exploited, could lead to local elevation of privilege and complete system compromise. The affected operating system platforms are:

* Windows Server 2003
* Windows XP
* Windows 2000 SP4
* Windows Small Business Server 2003 Service Pack 2
* Windows Vista

It is imperative that patches with critical and important designations be applied, because remote code execution vulnerabilities are serious: they can allow complete compromise and control of systems by attacks originating from within campus and from the Internet. Stanford's BigFix will be delivering all of these patches. Details are in the Technical Details section of this post.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. A customized update will be delivered to workstations and servers via BigFix if you have subscribed to this service. Individual updates can be downloaded by going to the Summary section of this Microsoft site. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.
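
One way to confirm after patching that both updates are recorded and that no reboot is still outstanding (an added example, not part of the original alert and not Stanford's or Microsoft's tooling). It assumes Windows PowerShell is installed on the machine; the KB numbers are the ones in the bulletin titles under Technical Details.

```powershell
# Added example: report whether the two January 2008 updates are recorded
# on this machine and whether a reboot is still pending.
# KB numbers come from the bulletin titles on this page.
$required = @{
    'KB941644' = 'MS08-001 (Windows TCP/IP)'
    'KB943485' = 'MS08-002 (LSASS)'
}

# Win32_QuickFixEngineering lists installed updates. The same update can
# appear more than once, so normalise and de-duplicate the IDs.
$installed = @(Get-WmiObject -Class Win32_QuickFixEngineering |
    Where-Object { $_.HotFixID -match '^KB\d+$' } |
    ForEach-Object { $_.HotFixID.ToUpper() } |
    Sort-Object -Unique)

$missing = @()
foreach ($kb in ($required.Keys | Sort-Object)) {
    if ($installed -contains $kb) {
        Write-Output ("{0,-9} {1,-26} installed" -f $kb, $required[$kb])
    } else {
        # "Not recorded" also covers an update that does not apply to this
        # Windows version or that a later update has replaced; check the
        # bulletin's per-platform table before treating it as a gap.
        Write-Output ("{0,-9} {1,-26} NOT RECORDED" -f $kb, $required[$kb])
        $missing += $kb
    }
}

# Two common markers that a restart is still needed before patched files load.
$rebootPending = $false
$wuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $wuKey) { $rebootPending = $true }

$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$sm = Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue
if ($sm -and $sm.PendingFileRenameOperations) { $rebootPending = $true }

if ($rebootPending) {
    Write-Output 'Reboot pending: updates may not be in effect until the machine restarts.'
}

# Non-zero exit code lets a management tool flag the machine for follow-up.
if ($missing.Count -gt 0 -or $rebootPending) { exit 1 } else { exit 0 }
```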

Technical Details

It is important that all patches designated as critical or important be applied. The patches for the vulnerabilities are listed as follows; those marked with an * are delivered via BigFix:

Critical (1)

*MS08-001 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
Impact: Remote Code Execution

Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability - CVE-2007-0069
A remote code execution vulnerability exists in the Windows kernel due to the way that the Windows kernel handles TCP/IP structures storing the state of IGMPv3 and MLDv2 queries. Supported editions of Microsoft Windows XP, Windows Server 2003, and Windows Vista all support IGMPv3. In addition to IGMPv3, Windows Vista supports MLDv2, which adds multicast support for IPv6 networks. An anonymous attacker could exploit the vulnerability by sending specially crafted IGMPv3 and MLDv2 packets to a computer over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Important (1)

*MS08-002 Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485)
Impact: Local Elevation of Privilege

LSASS Bypass Vulnerability - CVE-2007-5352
An elevation of privilege vulnerability exists in the Microsoft Windows Local Security Authority Subsystem Service (LSASS) due to its improper handling of local procedure call (LPC) requests. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


Affected Platforms and Applications:

Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Small Business Server 2003 Service Pack 2
Windows Vista
Windows Vista x64 Edition

References

Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx


Last modified Wednesday, 20-Feb-2008 11:36:34 AM
