Two Microsoft security advisories on January's Patch Tuesday
As announced, Microsoft has released two security advisories and related patches on January's Patch Tuesday. In the advisories, Microsoft describes two extremely critical vulnerabilities in Windows' TCP/IP network stack (MS08-001) and a vulnerability in the Windows Local Security Authority Subsystem Service (LSASS) (MS08-002).
The TCP/IP flaws concern all versions of Windows. On Windows 2000 SP4, attackers can only exploit the flaw to take systems down, but on all later Windows versions attackers would be able to get complete control of vulnerable systems remotely by means of arbitrary malicious code.
However, to do so they need to send manipulated IGMPv3- or MLDv2 packets or fragmented RDP routing packets to an unpatched Windows computer, which is not necessarily possible without further ado for systems behind a corporate firewall or a DSL router. Furthermore, the ICMP Router Discovery Protocol required for the second vulnerability is not enabled by default. More details are available from Microsofts Security Vulnerability Research & Defense blog.
In contrast, the LSASS can only be exploited via local procedure calls to inject and execute arbitrary malicious code. Attackers with limited access to a vulnerable system would then be able to escalate their access privileges and get complete control. Vista installations are not affected by the problem.
In light of the severity of these vulnerabilities, users and administrators of Windows systems should install the new patches immediately or at least restrict access to vulnerable systems.
- Microsoft Security Bulletin Summary for January 2008, Microsoft's summary
- Microsoft Security Bulletin MS08-001 – Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644), Microsoft's advisory
- Microsoft Security Bulletin MS08-002 – Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485), Microsoft's advisory