MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2011

MA-293.112011 : MyCERT Alert - Critical Vulnerability in Microsoft Windows

Date of publication: 2011-11-09

1.0 Introduction

A critical vulnerability (CVE-2011-2013) has been identified in the Windows TCP/IP stack. If successfully exploited, this vulnerability (MS11-083) could allow an attacker to run arbitrary code in kernel mode and take control of the affected system.

The vulnerability exists because the TCP/IP stack, which processes network packets for the operating system, mishandles a continuous flow of specially crafted UDP packets, resulting in an integer overflow. [1]

2.0 Impact

If successfully exploited, the vulnerability in the TCP/IP stack could allow an attacker to run arbitrary code in kernel mode and take control of the affected system. [2]

3.0 Affected Products 

The detailed list of vulnerable products and versions is as follows:

  • Windows Vista Service Pack 2

  • Windows Vista x64 Edition Service Pack 2

  • Windows Server 2008 for 32-bit Systems Service Pack 2*

  • Windows Server 2008 for x64-based Systems Service Pack 2*

  • Windows Server 2008 for Itanium-based Systems Service Pack 2

  • Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1

  • Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1

  • Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1*

  • Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
*Server Core installation affected

4.0 Recommendation

4.1 Microsoft has released an update to patch this vulnerability. Users of the affected products can run Windows Update to get the patch from the vendor. An article on how to enable the automatic update feature in Microsoft Windows is available at the following URL:

http://www.mycert.org.my/en/resources/os/main/main/detail/707/index.html

4.2 Microsoft states that blocking unused (closed) UDP ports at the perimeter firewall helps protect systems behind that firewall from attempts to exploit this vulnerability. Microsoft has additional information on TCP and UDP port assignments on its website: http://technet.microsoft.com/en-us/library/cc977599.aspx
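One way to find the unused (closed) UDP ports that a perimeter rule set still lets through to a host, as an added example that is not part of the original advisory. The netstat sample, the allow list and the function names are constructed for illustration, and the check assumes a single host behind the firewall.

```python
import re

# Constructed sample of `netstat -an -p udp` output from one Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:500            *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.0.2.10:137         *:*
  UDP    [::]:500               *:*
  UDP    [::1]:1900             *:*
"""

# Constructed perimeter rule set: inclusive inbound UDP port ranges allowed.
SAMPLE_ALLOWED = [(53, 53), (123, 123), (500, 500), (4500, 4500), (33434, 33534)]

# Greedy \S+ keeps the split on the last colon, so "[::]:500" parses correctly.
LINE = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s")
LOOPBACK = ("127.", "[::1]")  # loopback-only sockets are not reachable from outside


def listening_udp_ports(netstat_text):
    """Return the UDP ports bound on a non-loopback address."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m and not m.group(1).startswith(LOOPBACK):
            ports.add(int(m.group(2)))
    return ports


def closed_but_allowed(netstat_text, allowed_ranges):
    """Return allowed ranges minus listening ports: closed ports still exposed."""
    open_ports = listening_udp_ports(netstat_text)
    gaps = []
    for lo, hi in sorted(allowed_ranges):
        start = lo
        for p in sorted(q for q in open_ports if lo <= q <= hi):
            if p > start:
                gaps.append((start, p - 1))
            start = p + 1
        if start <= hi:
            gaps.append((start, hi))
    return gaps


if __name__ == "__main__":
    for lo, hi in closed_but_allowed(SAMPLE_NETSTAT, SAMPLE_ALLOWED):
        print(f"candidate to block at the perimeter: UDP {lo}-{hi}")
```

With several hosts behind the same firewall, take the union of their listening ports before comparing against the allow list.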

MyCERT would like to advise users of Microsoft Windows to stay alert to the latest security announcements from Microsoft and to ensure that their operating systems are updated automatically.

MyCERT can be reached through the following channels for further assistance:

E-mail : cyber999@cybersecurity.my or mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web: http://www.mycert.org.my

5.0 References