
PLEASE BE VERY CAREFUL WITH ALL WEB SITES AND EMAIL. Proof-of-Concept (POC) exploits are already circulating in the wild for brand new unpatched flaws in Microsoft Windows. Publicly circulating POC code gives the "bad guys" tools to quickly build viruses, phishing attacks, and spyware around these Windows security holes.
This is called a "Zero Day Attack", where the vendor has yet to patch the security hole and there are exploits circulating in the wild. Do not install HELP FILES, and follow further breaking news on what to avoid. Finally, some AV vendors are offering protection, as noted in the McAfee examples below. Please update and protect your PC environment.
QUOTE: Because the flaws are in a library used by Windows programs, almost all browsers and e-mail clients are likely affected by the flaws, said Alfred Huger, senior director of engineering at Symantec.
New Windows Security LoadImage & Help Vulnerabilities
http://isc.sans.org//diary.php?date=2004-12-23
The holiday news continues to be bleak, with a pair of critical vulnerabilities for Windows NT/2000/2003/XP. First, unless you're running XP SP2, there is a buffer overflow in the LoadImage API, resulting in bitmaps, icons, and animated cursor data files (.bmp, .cur, .ico, and .ani) that can be exploited via HTML delivered either via email or a website. This vulnerability can be used to execute code. Secondly, there is a heap overflow in winhlp32.exe while processing help files on Windows, including XP SP2, apparently. Try not to install help files until some Tuesday in, we hope, January.
Exploits released for new Windows flaws
http://www.dozleng.com/updates/index.php?showtopic=3383
LoadImage API Integer Buffer overflow
http://vil.nai.com/vil/content/v_130605.htm
This detection covers code attempting to exploit a Microsoft Windows LoadImage API Integer Buffer overflow vulnerability that was announced on December 23, 2004. Reportedly, the vulnerability exists on the following operating systems:
* Windows NT4
* Windows 2000
* Windows XP (SP2 is not vulnerable)
* Windows 2003
Kernel ANI File Parsing Crash Vulnerability
http://vil.nai.com/vil/content/v_130604.htm
This detection covers code attempting to exploit a Microsoft Windows Kernel ANI File Parsing Crash Vulnerability that was announced on December 23, 2004. Reportedly, the vulnerability exists on the following operating systems:
* Windows NT4
* Windows 2000
* Windows XP (SP2 is not vulnerable)
* Windows 2003
PROOF-OF-CONCEPT TESTS & MORE DETAILED INFORMATION
I would encourage everyone to be VERY CAREFUL in selecting links to install or test their PCs, as these POC tests may crash your PC, requiring a reboot, and you might even lose information you were working on at the time. Please just read the comments only.
Windows Issues, original notification
http://www.xfocus.net/flashsky/icoExp/index.html
Bugtraq Discussion
http://www.securityfocus.com/archive/1/385...21/2004-12-27/0