Microsoft patches follow on
Following on from the recently fixed animated cursor file bug, the critical vulnerability in the Client/Server Run-time Subsystem (CSRSS) fixed today affects not only classic Windows versions, but also Vista, touted as the latest, most secure version of Windows. Further bugs in Universal Plug and Play (UPnP), Content Management Server (CMS) and Microsoft Agent are also classed as critical, as they allow remote code execution. By contrast, a vulnerability in the Windows kernel merely allows local users to escalate their privileges. The associated patch is classified as important.
The CSRSS bug, related to error messages, was reported back in December. At the time, the Microsoft Security Response Center spoke only of the possibility of logged-on users being able to escalate their privileges. The operating system vendor has now admitted that the bug can be triggered from a website and has classified it as critical for Windows 2000, XP, Server 2003 and Vista. The relevant bulletin, MS07-021, describes two further bugs, one of which affects Vista only.
It is not clear from MS07-019 why only Windows XP is affected by the Universal Plug and Play bug, in which specially crafted HTTP requests corrupt memory to the extent that code can be injected and executed. The HTTP requests in question are restricted to the local network, which reduces the risk.
By contrast, the bug in Windows Agent can, according to MS07-020, be exploited via the internet, although not under Vista, nor under XP when IE 7 is used, nor on Windows Server 2003 with the Enhanced Security Configuration for IE enabled. The two vulnerabilities in MS07-018 affect only Microsoft's Content Management Server, but in the worst case could allow remote intrusion.
Because the Windows kernel fails to enforce correct permissions when mapping memory segments into a process's address space, local attackers can gain control of a Windows system; according to MS07-022, however, Windows Vista is not affected.
The CSRSS bug in particular is already public, and at least local exploits already exist. It must be feared that the technique required to exploit this bug remotely will not remain a black art for long. Rapid installation of the patches is therefore recommended, as it was for last week's ANI update. The problems with the latter, which produced an "Illegal System DLL Relocation" error message in combination with, among others, the Realtek HD Audio Control Panel, can be resolved with a further update from Microsoft. With the other bugs, administrators can afford, depending on their system and configuration, to spend a little more time testing. End users should install the updates using Windows' automatic update function.
- Microsoft Security Bulletin Summary for April 2007, summary from Microsoft