Four New Unpatched Windows Vulnerabilities

peeon writes "Right before Christmas, four new Windows NT/2k/XP vulnerabilities were posted to the Bugtraq list. This story discusses two of the vulnerabilities in the LoadImage function (buffer overflow) and Windows Help program (heap overflow), but the Chinese company discovered two more exploits in the parsing of a specially crafted ANI file (causes DoS). A Bugtraq posting has more details."
  • by MarkByers ( 770551 ) on Friday December 24, 2004 @09:29AM (#11175982) Homepage Journal
    XP SP2 is also vulnerable to at least one of the exploits. See:

    Advisory: [AD_LAB-04006]Microsoft Windows winhlp32.exe Heap Overflow Vulnerability
  • Patch available... (Score:0, Informative)

    by Anonymous Coward on Friday December 24, 2004 @09:35AM (#11176000)
    ...at least for the color scheme here:

    http://shit.slashdot.org/article.pl?sid=04/12/24/0356204 [slashdot.org]
  • by Skalek ( 843223 ) on Friday December 24, 2004 @09:40AM (#11176016)
    Nothing is more annoying about the holidays than going to visit family and friends and then being sucked into fixing their damn computers. While everyone is drinking and having a good time, we are the schmucks trying to figure out how to remove that damn process from Windows 98!

    This year I wash my hands of it and am giving them a printout of a tutorial I found that has helped some friends. It is basic, but they do not bother me as much anymore:

    Simple and easy ways to keep your computer safe and secure on the Internet [bleepingcomputer.com]
  • by Lord Bitman ( 95493 ) on Friday December 24, 2004 @09:50AM (#11176047)
    Remember that test someone did where garbage code was thrown at IE and Firefox in order to see how they held up and find things like buffer overflows which could be potentially exploited?
    Whatever happened with that? Were the bugs in Firefox fixed? I remember that IE did well in that test, but I don't remember any specifics.
    Anyone know?
  • by EqualSlash ( 690076 ) on Friday December 24, 2004 @10:28AM (#11176187)

    Warning: If you are on Windows, don't download
    www.xfocus.net/flashsky/icoExp/KERNELBLUE.ani

    Instant Reboot. This is a very critical vulnerability. Reminds me of the old exploits that referenced "CON" [microsoft.com] in the file path inside a webpage to trigger a BSOD.

  • by YU Nicks NE Way ( 129084 ) on Friday December 24, 2004 @11:08AM (#11176355)
    The parent [slashdot.org] is so wrong it is sickening.

    The fuzz tester wasn't written by a lab close to Microsoft.

    It isn't a "tiny" area: Browsers read files that contain HTML. No matter what, corrupt files should not crash a browser.

    The Linux kernel was rewritten after Mindcraft. There was a serious problem in the way signals were handled under high load.

    Mozilla has fixed the three bugs that Zalewski's original posting described. There are still issues in Firefox 1.0 that the tool discloses.
  • Re:Forced Upgrade. (Score:2, Informative)

    by Mystic0 ( 807930 ) on Friday December 24, 2004 @12:34PM (#11176743)
    Okay, so Service Pack 2 has some nice security enhancements. But it also has a lot of other stuff that some people may not want. Why do you think they decided to release such a large update in a large batch? Because it allows them to quietly force extra features on you. These tag-alongs are allowed to slip by unnoticed in the midst of more important security updates. I would appreciate it if MS would take a more modular approach. For example, they could say, "Click here to download a security update for bug #58273", and, "Click here to download the Windows Firewall". But no, they just slap it into one big package, and you get the good and the bad.
  • by CTho9305 ( 264265 ) on Friday December 24, 2004 @12:51PM (#11176831) Homepage
    A quick search of the source code [mozilla.org] seems to show that the native OS LoadImage function is only used to set Mozilla icons (system tray, window icons, etc) and the splash screen (and the cck [mozilla.org]). Since none of these images come from untrusted sources*, it seems that the LoadImage hole is not exploitable via Mozilla.

    *without major user intervention, like installing an XPI or messing with the JAR files that make up Mozilla
  • by cnettel ( 836611 ) on Friday December 24, 2004 @01:25PM (#11177007)
    This doesn't have to apply to kernel stuff. A lot of Windows apps rely on, for example, the "common controls" API. It handles toolbars, tooltips, listviews and so on. Quite a lot of UI goodies. Most of those are implemented without any kernel side; they're normal user mode controls/"windows" with their own drawing.

    Now to the point: This DLL was updated quite a few times with Internet Explorer 3, 4 and 5. The versions in Windows 98, 2000 and XP are/were directly related to the matching (sub-)version of Internet Explorer. If you wrote an app for Win-95 and wanted to use one of those common controls, the recommended redistribution scenario was redistributing IE.

    If they simply ripped out anything that is officially part of the "IE codebase", it's completely true that quite a few apps would fail.

    This is of course even more true of some other APIs with a more apparent connection to Internet Explorer, like WinInet for interacting with HTTP/FTP without doing sockets yourself (and using the IE cache and other stuff) or employing the IE HTML/XML parsing and possibly rendering hosted in another application. I chose common controls because they're very frequently used, and some quite significant updates were introduced through IE. These updates are still there in "Win98 lite" and whatever you would do to a Windows system to rip out IE but retain a reasonable level of compatibility. Just because it's part of the OS and a frequently used API doesn't mean it's kernel mode. And very little IE related code is *in the kernel*.

    Now to the point: LoadImage is quite a low level function. Display drivers are allowed to use it on their own and modify its functionality. That makes it belong in kernel mode. Even if they moved back some more UI stuff from the kernel, stuff like this probably belongs there, if you buy the concept of placing display drivers in kernel mode at all.
  • Re:Unpatched? (Score:2, Informative)

    by peeon ( 743159 ) on Friday December 24, 2004 @01:30PM (#11177032)
    SP2 is vulnerable to the winhlp32.exe Heap Overflow Vulnerability, according to xfocus. Bugtraq posting [securityfocus.com] They don't know if LoadImage is vulnerable in SP2.
  • Apparently.... (Score:3, Informative)

    by Duhavid ( 677874 ) on Friday December 24, 2004 @01:52PM (#11177179)
    For calloc() and malloc(), the value returned is a pointer
    to the allocated memory, which is suitably aligned for any
    kind of variable, or NULL if the request fails.
  • by Anonymous Coward on Friday December 24, 2004 @02:07PM (#11177272)
    Apparently. The demo exploit they've posted doesn't work on non-Chinese language installations of XP SP2.
  • by Krunch ( 704330 ) on Friday December 24, 2004 @02:09PM (#11177283) Homepage
    Nice try, but if malloc(3) [ucsd.edu] is not too buggy (if it is, you have other problems) it will only return NULL or a valid pointer. It is never supposed to return -1 (unless -1 is a valid pointer) or some value larger than MAX_MEMORY_ADDRESS (from where does this macro come anyway?).
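The point made in the two comments above (calloc()/malloc() signal failure only by returning NULL, so any "-1" or "too large an address" test is meaningless) is easiest to see in code. The following is an added example, not code from any poster or from Windows: a pixel-buffer allocator for an image header, with the size sanity checks placed before the allocation and a plain NULL check after it. The function names and the width/height/bytes-per-pixel header fields are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Added example: allocate a zero-filled pixel buffer for a width x height
 * image with bytes_per_pixel bytes per pixel. All arithmetic is checked
 * for wrap-around BEFORE calloc(); afterwards the only failure signal the
 * allocator gives is NULL. Returns NULL on a bad header, a size that would
 * overflow size_t, or an allocation failure; *out_len receives the byte count. */
void *alloc_pixel_buffer(uint32_t width, uint32_t height,
                         uint32_t bytes_per_pixel, size_t *out_len)
{
    if (out_len) *out_len = 0;
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return NULL;
    /* width * height must not wrap; test by division, not by multiplying */
    if ((size_t)width > SIZE_MAX / height)
        return NULL;
    size_t pixels = (size_t)width * height;
    /* pixels * bytes_per_pixel must not wrap either */
    if (pixels > SIZE_MAX / bytes_per_pixel)
        return NULL;
    /* calloc() zero-fills, so a buffer the parser under-fills never exposes stale heap */
    void *buf = calloc(pixels, bytes_per_pixel);
    if (buf == NULL)        /* the one and only failure indicator */
        return NULL;
    if (out_len) *out_len = pixels * bytes_per_pixel;
    return buf;
}

/* Convenience check for a header: 1 if a buffer could be allocated, else 0 */
int header_is_sane(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    size_t len;
    void *p = alloc_pixel_buffer(width, height, bytes_per_pixel, &len);
    if (p == NULL) return 0;
    free(p);
    return 1;
}

int main(void)
{
    size_t len;
    void *p = alloc_pixel_buffer(640, 480, 4, &len);
    printf("640x480x4: %s (%zu bytes)\n", p ? "ok" : "rejected", len);
    free(p);
    /* constructed hostile header: both dimensions 0xFFFFFFFF */
    printf("0xFFFFFFFF x 0xFFFFFFFF x 4: %s\n",
           header_is_sane(0xFFFFFFFFu, 0xFFFFFFFFu, 4) ? "ok" : "rejected");
    return 0;
}
```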
  • Re:Forced Upgrade. (Score:2, Informative)

    by Foolhardy ( 664051 ) on Friday December 24, 2004 @02:58PM (#11177567)
    If you put it that way, Windows 2003 (NT5.2) is an upgraded version of XP (NT5.1) which is an upgraded version of 2000 (NT5.0) and 2000 is an upgraded version of NT4->NT3.51->NT3.5->NT3.1 and NT3.1 was written from scratch using ideas and a team from VMS.
    The only other base OS series from Microsoft is the 9x line, based on Win3.1.

    Many of the divisions between those OSes were manufactured by the marketing department; 2000 Server has exactly the same files as 2000 Professional, plus a couple of registry entries and extra server-side applications.
  • Re:Forced Upgrade. (Score:2, Informative)

    by Evangelion ( 2145 ) on Friday December 24, 2004 @04:10PM (#11177957) Homepage

    Umm, yeah it did. Before the OpenSSH hole, it was at zero.

    (Speaking as someone who was rooted while trying to install the patches to that version...)
