Severity: High
13 February, 2007
Summary:
Today, Microsoft released six security bulletins describing vulnerabilities that affect Windows and components that ship with it. A remote attacker could exploit the worst of these flaws to execute code and potentially gain complete control of your Windows PCs. For a table briefly summarizing which vulnerabilities affect which versions of Windows, see Microsoft’s Security Bulletin Summary for February and expand the section, “Affected Software and Download Location.” If you manage a Windows network, you should download, test, and deploy the appropriate Windows patches throughout your network as soon as possible.
Exposure:
Microsoft’s six security bulletins detail vulnerabilities found in, or affecting, components of Windows. Each vulnerability affects different versions of Windows to a different extent. Two of the vulnerabilities also affect Microsoft Office and Visual Studio to some degree. We summarize these vulnerabilities below, listed from highest to lowest severity.
MS07-008: HTML Help ActiveX Control Vulnerability
HTML Help is the standard help system that ships with Windows. It includes various ActiveX controls that Internet Explorer uses to display HTML Help pages. Unfortunately, some of HTML Help’s ActiveX controls don’t properly validate input. By enticing one of your users to a specially crafted Web page, an attacker can exploit this flaw to execute code on your user’s computer, with that user’s privileges. If you grant your users local administrative privileges, the attacker could exploit this flaw to gain complete control of the victim’s computer.
Microsoft rating: Critical.
MS07-011, MS07-012, MS07-013: Three Vulnerabilities Involving OLE objects embedded in RTF Documents
Microsoft Security Bulletins MS07-011 through MS07-013 cover three very different Windows components: the OLE Dialog, the MFC component, and RichEdit. However, all three of these components suffer from vulnerabilities that have the exact same scope and impact.
Specifically, none of the three affected Windows components properly handles specially crafted Rich Text Format (RTF) documents that contain Object Linking and Embedding (OLE) objects. In all three cases, if an attacker can trick one of your users into downloading, opening, and interacting with an RTF document embedded with a maliciously crafted OLE object, he can exploit these flaws to execute code on that user’s computer, with that user’s privileges. As with most Windows code execution flaws, if the victim has administrative privileges, the attacker could exploit these vulnerabilities to gain complete control of their computer. While the three affected components come with Windows, two of the components also come with Visual Studio, Office, and other Microsoft productivity packages. Make sure to install the patches for all the software packages you use.
Microsoft rating: Important.
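While patches are being tested, it can help to know which RTF files in a mail quarantine or file share carry OLE objects at all. The following is an added example, not part of the original advisory or any Microsoft tool: it counts the object-related control words defined in the RTF specification, and the function names and sample documents are constructed for illustration. A hit only means the document belongs to the class these bulletins describe, not that it is malicious.

```python
import re

# Control words from the RTF specification's object group.
OLE_WORDS = {"object", "objemb", "objlink", "objautlink", "objocx",
             "objclass", "objdata"}

# One token: a control word with optional numeric parameter and delimiter
# space, or a control symbol (backslash plus one byte, e.g. an escaped
# backslash or brace).
TOKEN = re.compile(rb"\\(?:([a-zA-Z]+)(-?\d+)? ?|.)", re.DOTALL)


def ole_control_words(data: bytes) -> dict:
    """Count OLE-related control words, skipping escaped text and \\bin data."""
    found = {}
    pos = 0
    while (m := TOKEN.search(data, pos)) is not None:
        pos = m.end()
        if m.group(1) is None:
            continue  # control symbol: an escaped backslash is text, not markup
        word = m.group(1).decode("ascii")
        if word == "bin" and m.group(2):
            # \binN is followed by N raw bytes that must not be parsed as RTF.
            pos += max(int(m.group(2)), 0)
        elif word in OLE_WORDS:
            found[word] = found.get(word, 0) + 1
    return found


def triage(data: bytes) -> str:
    """Return 'not-rtf', 'no-ole' or 'ole-object' for one file's bytes."""
    if not data.lstrip().startswith(b"{\\rt"):
        return "not-rtf"
    return "ole-object" if ole_control_words(data) else "no-ole"


# Constructed samples (not taken from any real document).
PLAIN = rb"{\rtf1\ansi The text \\object is escaped, not a control word.\par}"
WITH_OLE = (rb"{\rtf1\ansi{\object\objemb{\*\objclass Package}"
            rb"{\*\objdata 0105000002000000}}}")
BIN_TEXT = rb"{\rtf1 \bin8 \objdata}"  # the 8 bytes after \bin8 are raw data

if __name__ == "__main__":
    for name, sample in (("PLAIN", PLAIN), ("WITH_OLE", WITH_OLE),
                         ("BIN_TEXT", BIN_TEXT)):
        print(name, triage(sample), ole_control_words(sample))
```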
MS07-006: Windows Shell Hardware Detection Elevation of Privilege Vulnerability
According to Microsoft, the Shell Hardware Detection Service provides notification for Autoplay hardware events. If you’ve ever plugged in a USB storage device, a digital camera, or any piece of hardware and seen the Autoplay dialog pop up and ask what you want to do with the device, the Shell Hardware Detection Service is the component responsible for spawning that pop-up. The Shell Hardware Detection Service suffers from an elevation of privilege vulnerability because it does not validate input properly. By running a specially crafted application, an attacker can exploit this vulnerability to gain complete control of vulnerable Windows machines. However, the attacker needs valid user credentials on the targeted machine in order to log in and run his malicious application. This mitigating factor limits the flaw primarily to an insider threat.
Microsoft rating: Important.
MS07-007: Windows Image Acquisition Service Elevation of Privilege Vulnerability
The Windows Image Acquisition Service enables imaging programs to communicate with your digital camera or scanner. This service suffers from a buffer overflow vulnerability similar in scope and impact to the Shell Hardware Detection flaw described above. Like the flaw above, if an attacker can run a specially crafted program on a vulnerable Windows computer, he can gain complete control of that machine. However, the attacker needs to log in to the targeted machine with valid user credentials in order to carry out this attack. Thus, this flaw primarily poses an insider threat. Furthermore, this flaw affects Windows XP only.
Microsoft rating: Important.
Solution Path
Microsoft has released patches for Windows to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
Note: Microsoft no longer officially supports Windows NT 4.0, 98, ME or XP with SP1. If you manage any of these operating systems, Microsoft suggests you migrate to supported versions to prevent potential exposure to vulnerabilities. You can learn more about Microsoft’s extended security update support at their Product Support Services Web site.
Doesn’t affect Vista.
Doesn’t affect Windows Vista.
Doesn’t affect Windows Vista.
- Visual Studio .NET 2002
- Visual Studio .NET 2002 w/SP1
- Visual Studio .NET 2003
- Visual Studio .NET 2003 w/SP1
Doesn’t affect Vista.
- Office 2000
- Office XP
- Office 2003
- Office 2004 for Mac
- Project 2000
- Project 2002
- Office 2000 Multilanguage Packs
- Visio 2002
- Learning Essentials for Office
- Global Input Method Editor for Office
Doesn’t affect Windows 2000 or Vista.
Status:
Microsoft has released patches correcting these issues.