Microsoft patch day fixes critical bug in TCP/IP stack
Microsoft's implementation of the TCP/IP protocol stack for Windows contains a critical bug which can be remotely exploited to inject and execute code. This is something of a surprise given how closely the code has previously been scrutinised. Adding to the surprise, the bug was apparently discovered and reported by an outside agency that wishes to remain anonymous.
The bug, described in security bulletin MS11-083, is the result of an integer overflow in a UDP packet counter. The problem occurs when an attacker sends a continuous stream of packets to a UDP port which is not being used by a local service. The bulletin does not list the Windows firewall as a potential mitigating factor, strongly suggesting that the bug occurs despite – or even because of – the Windows firewall.
An unpatched system would be protected from exploitation of this vulnerability by an external firewall which does not forward such packets to the local network. Company networks and home computers which sit behind a hardware router with firewall functionality are therefore unlikely to be vulnerable to attack. Windows XP and Server 2003 are not affected by this vulnerability. In an atypical move, Microsoft has admitted that it was informed of the vulnerability "through a co-ordinated disclosure" but has not named the benefactor behind the disclosure. By contrast, Microsoft thanks the discoverers of each of the other three vulnerabilities fixed by today's patches by name in its Security Bulletin Summary for November 2011.
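A defender-side check for the trigger condition described above (a sustained stream of UDP packets to a port no local service listens on), useful where perimeter firewall logs are available. This is an added example, not code from the article or from Microsoft; it assumes logs in the Windows Firewall pfirewall.log W3C layout (field order as in the constructed sample), and the 10-second window and 50-packet threshold are illustrative values, not figures from the bulletin.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Windows Firewall pfirewall.log W3C layout (field order assumed).
TAIL = "64 - - - - - - - RECEIVE"   # size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
SAMPLE_LINES = (
    ["#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags "
     "tcpsyn tcpack tcpwin icmptype icmpcode info path"]
    # one source hammers a single unused UDP port at 5 packets/second for a minute
    + [f"2011-11-08 10:15:{s:02d} DROP UDP 203.0.113.7 192.0.2.10 40000 31337 {TAIL}"
       for s in range(60) for _ in range(5)]
    # ordinary traffic plus two stray probes from another host (not a flood)
    + ["2011-11-08 10:15:05 ALLOW TCP 198.51.100.5 192.0.2.10 51000 443 52 - - - - - - - RECEIVE",
       f"2011-11-08 10:15:07 DROP UDP 198.51.100.9 192.0.2.10 53 161 {TAIL}",
       f"2011-11-08 10:15:09 DROP UDP 198.51.100.9 192.0.2.10 53 162 {TAIL}"]
)

def parse(line):
    """Return (timestamp, action, proto, src, dst, dport), or None for comment/short lines."""
    if line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8:
        return None
    ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
    return ts, f[2], f[3], f[4], f[5], f[7]

def find_udp_floods(lines, window_s=10, threshold=50):
    """Map (src, dst, dport) -> peak count of dropped UDP packets inside any
    window_s-second window, for flows whose peak reaches threshold."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, action, proto, src, dst, dport = rec
        if action == "DROP" and proto == "UDP":
            stamps_by_key[(src, dst, dport)].append(ts)
    hits = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()                      # log lines need not be in time order
        start = peak = 0
        for end, t in enumerate(stamps):   # two-pointer sliding window
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits
```

Run `find_udp_floods(SAMPLE_LINES)` on the constructed sample and only the flooding source is reported; the two isolated probes from the other host stay below the threshold.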
The second vulnerability is in Windows Mail and Windows Meeting. Its severity is classified merely as high, because it requires the user to open an EML or WCINV file in an external directory. Should the user do so, the Windows program used to open the file may load a malicious DLL placed in the same directory. The third bug only occurs if Active Directory is deployed with SSL-encrypted LDAP, which is not the default configuration. Finally, Microsoft has also released an update for a kernel driver bug triggered by TrueType fonts which can crash Windows 7 and Server 2008.
Although the zero-day vulnerability exploited by Duqu also involves handling TrueType fonts in the Windows kernel, it does not appear to be the same bug. The Duqu vulnerability can enable an attacker to escalate their privileges and is designated CVE-2011-3402, while the vulnerability fixed by today's patch is filed under CVE-2011-2004. The advice to install Microsoft's "fix-it" therefore remains in place.