Slashdot Mirror

← Back to Stories (view on slashdot.org)

Four New Unpatched Windows Vulnerabilities

Posted by CowboyNeal on from the most-wonderful-time-of-the-year dept.

peeon writes "Right before Christmas, four new Windows NT/2k/XP vulnerabilities were posted to the Bugtraq list. This story discusses two of the vulnerabilities in the LoadImage function (buffer overflow) and Windows Help program (heap overflow), but the Chinese company discovered two more exploits in the parsing of a specially crafted ANI file (causes DoS). A Bugtraq posting has more details."

6 of 273 comments (clear)

  1. YAWN by tarunthegreat2 · · Score: 5, Funny

    Hmmm, so windows has bugs in it. Surprise surprise. Merry Christmas everyone. In Soviet Russia, Windows Exploits you...oh wait...

    --
    My Favourite Meme
  2. Forced Upgrade. by datadriven · · Score: 5, Interesting

    Vulnerable:
    Windows NT
    Windows 2000 SP0
    Windows 2000 SP1
    Windows 2000 SP2
    Windows 2000 SP3
    Windows 2000 SP4
    Windows XP SP0
    Windows XP SP1
    Windows 2003
    Not vulnerable:
    Windows XP SP2

    They'll do anything to get you to upgrade.

    --
    GETPKG - Package Management for Slackware
  3. bugtraq links for the vulnerabilities / demo by tsager · · Score: 5, Informative

    Demonstration of exploits:
    http://www.xfocus.net/flashsky/icoExp/index.html

    http://www.derkeiler.com/Mailing-Lists/securityfoc us/bugtraq/2004-12/0387.html
    http://www.derkeiler.com/Mailing-Lists/securityfoc us/bugtraq/2004-12/0360.html
    http://www.derkeiler.com/Mailing-Lists/securityfoc us/bugtraq/2004-12/0359.html

    (Source: http://www.heise.de/newsticker/meldung/54610 [German])

  4. Bah! by rubberband · · Score: 5, Insightful

    Hi, you've missed the point. I hope you're not trolling, because I'm going to bite.

    Every box at my workplace is patched with SP2. In this case, it doesn't matter - one of the exploits is still useable.

    The problem is not (this time, thankfully) the corporate enterprise deployment of windows. It's friends and family. Every time a new windows exploit like this comes out, jerk spyware/worm/virus writers are on it within 24 hours, populating their zombie networks with your mom's, friends' and families' computers. Manditory regular patching at work is easy. The same for people you see occaisionally who are not computer literate is not. These are the people who it really screws with - for example, all one of my buddies wants to do with his dell is play games, send email and surf. He knows nothing beyond that, and is certainly not going to run down to the basement on christmas eve to make sure his operating system is secure RIGHT NOW.

    This business of "patch or you deserve it" is utter BS. I maintain that virus writers should be dragged into the street and beaten with keyboards, followed shortly by geeks who empower them by putting any of the blame on the end user. If I paid thousands for an OS site license, I should not be spending my holidays fixing it. If I spend hundreds for an oem copy at home, the same applies. The only ones who deserve ANYTHING bad here are the exploiters and the providers of the crappy OS in question.

    1. Re:Bah! by rubberband · · Score: 5, Insightful

      I still think the point is valid. Consider that a) That means that the vendor has had 7 years to secure their product. I any other industry they would have litigated into oblivion by now. It is *NOT* the end user's fault that the current world standard for personal computer operating systems is frequently bugged.

      Sure, carrying $1000 in cash is dumb, but there are easily accessible alternatives. Credit cards, debit cards, traveller's cheques, travel wallets, etc are all viable alternatives. Carrying cash is like opening attachments from unknown senders. Getting your windows box 0wned without your action because a new exploit came out 8 hours ago is like the jacket manufacturer attaching a big red "steal from me!" sign to the back and cutting a pickpockt access hole out, too. (Except then they take over the world jacket manufacturing business and force you to wear one unless you want to freeze or learn to sew).

      To use the token comparison to a vehicle - yes, when you buy a car you should be responsible enough to get it serviced from time to time, and act on any critical recall issues that might arise. You shouldn't however have to open the hood and check the internals 3 times per day to ensuire it doesn't explode and require expensive maintenance the next time you turn the key in the ignition.

      Don't get me wrong - I'm not saying sysadmins should have no responsability whatsoever. They are after all paid to deal with systems. But when was the last time you head of a dell salesperson telling an unexperienced buyer that if they wish to have their computer on regularly they'll need to spend 5 minutes every single day, and an hour of two each week making sure they're machine doesn't get destroyed?

  5. Re:I don't get it.... by cnettel · · Score: 5, Informative

    This doesn't have to apply to kernel stuff. A lot of Windows apps rely on for example the "common controls" API. It handles toolbars, tooltips, listviews and so on. Quite a lot of UI goodies. Most of those are implemented without any kernel side, they're normal user mode controls/"windows" with their own drawing.

    Now to the point: This DLL was updated quite a few times with Internet Explorer 3, 4 and 5. The versions in Windows 98, 2000 and XP are/were directly related to the matching (sub-)version of Internet Explorer. If you wrote an app for Win-95 and wanted to use one of those common controls, the recommended redistribution scenario was redistributing IE.

    If they simply ripped out anything that is officially part of the "IE codebase", it's completely true that quite a few apps would fail.

    This is of course even more true of some of other APIs with a more apparent connection to Internet Explorer, like WinInet for interacting with HTTP/FTP without doing sockets yourself (and using the IE cache and other stuff) or employing the IE HTML/XML parsing and possibly rendering hosted in another application. I chose common controls because they're very frequently used, and some quite significant updates were introduced through IE. These updates are still there in "Win98 lite" and whatever you would do to a Windows system to rip out IE, but retain a reasonable level of compatibility. Just because it's part of the OS and a frequently used API doesn't mean it's kernel mode. And very little IE related code is *in the kernel*.

    Now to the point: LoadImage is quite a low level function. Display drivers are allowed to use it on their own and modify its functionality. That makes it belong in kernel mode. Even if they moved back some more UI stuff from the kernel, stuff like this probably belongs there, if you buy the concept of placing display drivers in kernel mode at all.