News

Microsoft Patches 4 Critical Windows Vulnerabilities

As expected, Microsoft Corp. today published five new security bulletins that patch vulnerabilities in its Windows and Microsoft Content Management Server products.

• By Stephen Swoyer
• April 10, 2007

Microsoft's Tuesday patch haul includes fixes for four "critical" and one "important" vulnerability -- on top of the critical GDI patch Redmond released just last week.

All four of the "critical" security bulletins patch flaws that, if exploited, could result in Remote Code Execution attacks. They include fixes for vulnerabilities in:

• Microsoft's Windows Content Management Server
• Windows' Universal Plug and Play
• Microsoft Agent
• Microsoft's Client Server Runtime Subsystem

This month's sole "important" update fixes a flaw in the Windows kernel that could result in an Elevation of Privilege attack.

The Windows CMS bulletin linked above actually addresses two vulnerabilities: a Memory Corruption vulnerability and a Cross-Site Scripting and Spoofing vulnerability, the latter of which can result in information disclosure or spoofing, Microsoft confirmed. The former flaw -- which can be exploited by means of a malicious HTTP request -- is the more serious of the two; it's the one that, if exploited, could result in a Remote Code Execution attack. This vulnerability had not previously been disclosed, and no known exploit or proof-of-concept code exists.

The Universal Plug and Play (UPnP) vulnerability affects only Windows XP systems (including SP2 and x64 versions), Microsoft said. Windows 2000 SP4, as well as any of the available flavors of Windows Server 2003 and Windows Vista, are not affected. This vulnerability had not previously been disclosed, and no known exploit or proof-of-concept code exists.

The Microsoft Agent flaw takes the form of an URL Parsing vulnerability. Microsoft gives it a "critical" rating on Windows 2000 SP4 and Windows XP SP2 (x86 versions only) and a "moderate" rating on Windows XP Professional x64, Windows Server 2003 (all versions). Windows Vista is not affected by the vulnerability, Microsoft says.

The CSRSS bulletin also addresses multiple vulnerabilities, including a MsgBox Remote Code Execution vulnerability (the most serious of the three), a CSRSS Local Elevation of Privilege vulnerability and a CSRSS DoS vulnerability.

This critical bulletin affects all supported versions of Windows, including Windows Vista. The CSRSS MsgBox vulnerability stems from a flaw in the way in which Microsoft's CSRSS implementation processes error messages. An attacker would have to craft a malicious Web page or application in order to exploit the vulnerability, according to Microsoft. This vulnerability had been publicly disclosed, according to Microsoft; the security community at large dubs it "Vista Memory Corruption Zero-Day" -- although, to date, to there's no evidence of any exploit activity. Microsoft's Patch Tuesday release addresses this flaw as well as the other aforementioned vulnerabilities.

The "important" Kernel Elevation of Privilege vulnerability affects all versions of Windows except Vista. Today's patch for this flaw -- resulting from incorrect permissions on a mapped memory segment -- replaces a prior update for Windows 2000 Server SP4, Microsoft said.

Microsoft also released several non-security updates for its Windows Malicious Software Removal Tool, Windows Server Update Services (WSUS), Microsoft Update and Software Update Service.