12.14.05

New Microsoft Update Resolves Takeover Vulnerabilities

Posted in security, software, microsoft at 11:45 am by HowardG

Microsoft issued two security bulletins on December 13. Microsoft Security Bulletins MS05-054 and MS05-055 resolve several newly discovered vulnerabilities that could, in a worst-case scenario, allow an attacker to take complete control of a user’s system. The extent of the damage depends on the administrative rights of the user. If a user with administrative privileges were logged on, an attacker would gain the same privileges and would be able to install programs, alter data, or create new accounts. A user with fewer privileges would be less affected by the vulnerabilities.

The first bulletin, MS05-054, resolves four separate vulnerabilities rated moderate and critical. The first item is a file download dialog box manipulation vulnerability in the way IE displays download dialog boxes and takes user input. By exploiting this vulnerability, an attacker could create a custom dialog box to be placed in front of another dialog box. An attacker could create a “phishing” attack to lure users to a malicious Web site, through which the attack could be executed. As such, the attack depends largely on social engineering. Ultimately, the attacker could gain the same user privileges as the victim. One of the best precautions against social engineering attacks of this nature is educating users to recognize them when they see them. Beyond that, changing settings to issue a prompt before any active code is run will help users be aware of potential attacks.

The second item details a moderate HTTP proxy vulnerability that would allow an attacker to read Web addresses in clear text when they are sent from IE to a proxy server, even when there is a secure HTTPS connection. This attack cannot be targeted at a specific user, and it requires an attacker to be on the same network as the victim. The client system must be configured to use an authenticating proxy server that is using Basic HTTPS authentication. An immediate workaround is to not use Basic authentication. Basic authentication sends credentials to the proxy server using simple Base64 encoding, which is functionally equivalent to clear text in terms of security.
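To show why Base64 gives Basic authentication no confidentiality, this added Python example (not from the original post or from Microsoft's bulletin) audits proxy request headers and flags any that use the Basic scheme. The sample requests, host names, credentials and the function name `audit_proxy_auth` are constructed for illustration.

```python
import base64
import binascii

# Constructed sample requests, as a client might send them to an authenticating proxy.
SAMPLE_REQUESTS = [
    "CONNECT mail.example.com:443 HTTP/1.1\r\n"
    "Host: mail.example.com:443\r\n"
    "Proxy-Authorization: Basic YWxpY2U6czNjcmV0IQ==\r\n\r\n",
    "CONNECT intranet.example.com:443 HTTP/1.1\r\n"
    "Host: intranet.example.com:443\r\n"
    "Proxy-Authorization: Negotiate Y29uc3RydWN0ZWQ=\r\n\r\n",
    "CONNECT shop.example.com:443 HTTP/1.1\r\n"
    "Host: shop.example.com:443\r\n"
    "proxy-authorization: basic !!!not-base64!!!\r\n\r\n",
]


def audit_proxy_auth(raw_request):
    """Report the Proxy-Authorization scheme of one raw HTTP request.

    Basic is flagged as clear-text equivalent: the token decodes with no key.
    Only the user name and password length are reported, never the password.
    """
    lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    finding = {"target": parts[1] if len(parts) > 1 else None,
               "scheme": None, "cleartext_equivalent": False}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authorization":
            continue  # header names are case-insensitive
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            finding["scheme"] = scheme
            return finding
        finding.update(scheme="Basic", cleartext_equivalent=True, user=None)
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            finding["note"] = "malformed Basic token"
            return finding
        user, _, password = decoded.partition(":")
        finding.update(user=user, password_len=len(password))
        return finding
    return finding


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(audit_proxy_auth(request))
```
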

The third item in the bulletin addresses a critical remote code execution vulnerability that involves how IE instantiates COM objects that are not meant to be instantiated. An attacker could potentially create a malicious Web page that would allow remote code execution to take control of a system. Like the first vulnerability, this one depends largely on social engineering to be successful, but it could allow an attacker to gain the same rights as the local user. Changing settings to prompt for active code, or setting the security zone higher, will mitigate the possibility of the attack occurring. The fourth item is also a critical remote code execution vulnerability, involving IE mismatching Document Object Model (DOM) objects. Like the previous vulnerability, it requires social engineering and an attacker to create a malicious Web page to allow remote code execution to gain control over a target system.

Microsoft Bulletin MS05-055 details a newly discovered vulnerability which, like the previous ones, allows an attacker to take over a target system. This is a Windows kernel vulnerability that could jeopardize authorization procedures by allowing an authorized user to gain additional privileges. This bulletin especially highlights the risks posed by internal users. The attack, which cannot be exploited anonymously or remotely, requires an attacker to have a valid logon. It takes advantage of how Windows processes items in the asynchronous procedure call (APC) queue list.

In addition to educating users about social engineering attacks and best practices, and setting systems to issue prompts before running active code, users should apply Microsoft’s updates to close the vulnerabilities. The MS05-054 update is available at http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx; the MS05-055 update at http://www.microsoft.com/technet/security/Bulletin/MS05-055.mspx.
