3 New Windows Security Problems Found

DotNM writes "USA Today is running a story that outlines three security issues in Microsoft Corporation's popular Windows desktop operating system product. It describes the issues and urges users not to download .hlp files from email attachments. Apparently there are issues, even for a Windows XP system patched with Service Pack Two."

ANI...

[Stile+65]

According to a report on eWeek.com, one of the three vulnerabilities involves image handling, which has posed problems for Windows and Unix systems in the past. The other two vulnerabilities involve Windows' Help system and its .hlp files, and Windows' ANI (Automatic Number Identification) authentication capabilities.

That's what ANI is in the context of telephone networks. In the context of a Windows system, it's an animated mouse cursor.

Besides, these vulnerabilities were announced yesterday morning on Slashdot!

Re:ANI...

[the+unbeliever]

When in the case of Windows NT/2k/2k3 server, ANI authentication also means the number(s) that people are allowed to dial in remotely from, so the article text is correct.

Re:ANI...

The actual vulnerability is in the ANImated cursor file parser. so the article text is not correct.

dupe

dupe.

NX != security

[generationxyu]

SP2 adds NX "protection." While this adds protection against buffer overflows on the stack, it does nothing for overflows on the heap, which can be just as bad. Also, if the return address is simply changed to an address on the heap, code in the heap can be executed. The heap has the executable bit, because of dynamic libraries loaded into the heap.

Re:NX != security

[hobo2k]

Two things: SP2 supports NX only where available. Not many people have hardware that supports it.

Secondly, dlls are not loaded into "The Heap". In fact, the entire dll is not even executable. The PE header of a dll or exe specifies which segments are executable and which are not.

www.prcview.com has a program which will show you the layout permissions for a process's memory.

You are certainly correct that no one thing will solve all security problems. But everything else in your post is plain wrong.

Re:NX != security

[btg]

Sorry, you have no idea what you are talking about. First of all, NX doesn't really have much to do with stack buffer overflows in particular - you'd normally mark the heap as NX too - you are thinking (and here I give you the benefit of the doubt) of the Stackguard-like protection (stack canary) with which all SP2+ apps are compiled. Anyway, NX is only relevent with processors that support that flag.

Secondly, SP2 contains a BUNCH of useful technologies which are actually specifically designed to make heap overflow exploitation more difficult. These include PEB randomisation (make PEB overwrites harder), safe unlinking (no more unlinking pointer copies -> arbirary overwrite -> root) and chunk header cookies (like stack cookies).

Oh, yeah, and DLLs aren't loaded into the heap. They're loaded at their preferred address and reloated by the loader if required.

Apart from that, good post. Well done.

Re:NX != security

[kasperd]

SP2 adds NX "protection." While this adds protection against buffer overflows on the stack, it does nothing for overflows on the heap,
In Linux it is easier to use NX to protect the heap than to use NX to protect the stack. That is because on the heap, every allocation is explicitly marked executable or not executable. On the stack OTOH you don't have any way to know, if a particular page needs to be executable or not. Not all applications needs an executable stack, but gcc used to use the stack for trampolines, when you had a pointer to a nested function. Unless you can document, why it should be the other way arround in Windows, I don't believe it.

which can be just as bad.
It usually takes more work to exploit an overflow in the heap than in the stack, but as soon as working exploit code have been written, they are equally bad.

Also, if the return address is simply changed to an address on the heap, code in the heap can be executed.
Only if the heap is executable. You might find a usable function in the executable or a library, but you still need to pass arguments to really exploit it.

The heap has the executable bit, because of dynamic libraries loaded into the heap.
This is just plain wrong. The NX bit is about per page protection. Protecting an entire segment was always possible, it is just not usable in most cases.

Open Source Christmas present

[DrunkenPenguin]

Yeah! Tell me about it. Nice present from Redmond guys. But let me tell you a happy story! Open Source world gave me the nicest Christmas present I could ever imagine! (well.. I had to download some software and compile a few libraries to make it work, but..)

Linux audio community gave me Yamaha DX-7 synthesizer! This is my dream come true, I can now play some great tunes that made this synthesizer one of the most well known synthesizers. This synthesizer was used on U2's Unforgettable Fire and The Joshua Tree albums. This synthesizer was used by these artists: the Crystal Method, Kraftwerk, Underworld, Orbital, BT, Talking Heads, Brian Eno, Tony Banks, Mike Lindup of Level 42, Jan Hammer, Roger Hodgson, Teddy Riley, Brian Eno, T Lavitz of the Dregs, Sir George Martin, Supertramp, Phil Collins, Stevie Wonder, Daryl Hall, Steve Winwood, Scritti Politti, Babyface, Peter-John Vettese, Depeche Mode, D:Ream, Front 242, U2, A-Ha, Enya, The Cure, Astral Projection, Fluke, Kitaro, Vangelis, Elton John, James Horner, Toto, Donald Fagen, Michael McDonald, Chick Corea, Level 42, Queen, Yes, Michael Boddicker, Julian Lennon, Jean-Michel Jarre, Sneaker Pimps, Greg Phillanganes, Stabbing Westward and Herbie Hancock to name a few.

Can you imagine that? And all this for FREE! Thanks to you guys who made that software synthesizer for Linux!

Wanna have it? Here's where to start.

You see, sometimes the best Christmas presents can be free! Happy Christmas and thank you very much, Open Source world!

Re:Linux Flaws

[m50d]

hlp files (or rather the engine which handles them) are part of windows. Microsoft has said as much in statements in court under oath. Subversion has never been installed on my (linux) computer, so you can't count it as part of linux. If a program is installed by default on most of the "big seven" distros, or just the majority of linux installs (but how would you ever check?) I suppose you could count it as part of linux, but that's probably rather unfair since those distros are far more functional by default than windows is. Finally, slashdot does tend to post flaws in major OSS. Whenever I've had to do a security upgrade, I've always found the story on /..

The SP2 HLP file flaw cannot be remotely exploited

[WhoDaresWins]

The one vulnerability that does affect SP2 cannot be remotely exploited. So clicking on a link to a .hlp file on web page or email does nothing much. You have to explicitly save the file and then execute it. Check it out yourself here -
http://www.xfocus.net/flashsky/icoExp/ (Do it at your own risk)

That's so much user interaction that its a low risk issue. If you can convince the user to do that then you might as well send him an exe file and tell him to save and execute that. How about sending a gun with instructions - "point at foot and press trigger" ... Not everyone knows or has tools to make .HLP files. So yes that one exploit is worrysome but not much. Just block .HLP files on the mail server for the dumb users who will shoot themselves in the foot no matter what. Also its not like there are tons of sites out there having .HLP files linked in web pages. And even if they are, the user needs to make significant interaction to get exploited. So end result, you are pretty okay on SP2 with sensible users.

Re:here's a comment/question to blow ya all away

[lachlan76]

It can't affect the OSX system, if that's what you mean, unless you have a setup for sharing files between them and are running as root on OSX. Which you shouldn't be doing anyway.

As for Windows inside the sandbox, that's as unsecure as Windows on a real PC.