MA-259.112010 : MyCERT Alert – Two Critical Vulnerabilities in Microsoft Windows
Date of publication: 2010-11-26
Two critical vulnerabilities have been identified in the Microsoft Windows that can be exploited by malicious local users, to gain escalated privileges as SYSTEM-level.
The vulnerabilities exist because of:
- Buffer overflow in win32k.sys
- There is buffer overflow vulnerability in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.
- Insufficient integrity checks of the Task Scheduler jobs.
- Access validation error in the Task Scheduler service that fails to prevent users from manipulating certain fields in schema XML files via the Component Object Model (COM) interface, which could allow malicious users to manipulate a valid XML file and bypass the CRC32 integrity checks to execute arbitrary code with SYSTEM privileges.
MyCERT is aware that '0-day' exploits are available in the wild at the time of the publication of this advisory.
An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts may cause a denial-of-service condition.
3.0 Affected Products
The detail list of the vulnerable products and versions are as below:
- Windows Vista SP1 / SP2
- Windows Vista x64 Edition SP1 / SP2
- Windows Server 2008 for 32-bit Systems SP1 / SP2
- Windows Server 2008 x64 Edition SP1 / SP2
- Windows Server 2008 for x64-based Systems (optionally with SP2)
- Windows Server 2008 for Itanium-based Systems (optionally with SP2)
- Windows Server 2008 R2
- Windows 7
As of the writing of this advisory, Microsoft has not released any security patches for this vulnerability. However, users can use the following steps as a temporary workaround:
- Grant only trusted users access to affected systems.
- Change the Permission Entry for EUDC
- As an Administrator open Regedit and browse to HKEY_USERS\[SID of each user account]\EUDC
- Right-click EUDC and choose permissions
- Choose the user whose account you are modifying and select Advanced
- Select Add and then type in the user's name and click OK
- Click the Deny checkbox for Delete and Create Subkey
- Click all the OKs and Apply buttons to exit
* The registry keys being changed by this mitigation should not impact a user's ability to use the system, but changing permissions related to Windows code page settings may cause problems with multilingual installations.
MyCERT would like to advise the users of Microsoft Windows to be vigilant of the latest security announcements by Microsoft and ensure that their operating systems are automatically updated. The article on how to enable the auto update feature in Microsoft is available at the following URL:
Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:
MyCERT can be reached through the following channels for further assistance:
E-mail : email@example.com
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT