eEye spies new Windows code-execution hole

Summary: The flaw "allows for remote execution of arbitrary code with minimal user interaction" and affects Windows 2000, Windows XP and Windows 2003.


Researchers at eEye Digital Security have flagged a remote code-execution vulnerability in Microsoft's dominant Windows operating system.

The flaw "allows for remote execution of arbitrary code with minimal user interaction," eEye said in a barebones advisory.

The bug carries a "high severity" rating and affects Windows 2000, Windows XP and Windows 2003.

According to the company's upcoming advisories page, there are four unpatched issues in Microsoft software products. eEye's zero day tracker page lists another four unfixed flaws that have already been used in hacker attacks.

eEye's latest warning comes less than 24 hours after Microsoft shipped an emergency fix for the under-attack animated cursor (.ani) flaw and a week before Redmond is due to release its scheduled batch of Patch Tuesday fixes. 

Later today, Microsoft will announce the number of bulletins on tap for next Tuesday and the severity rating attached to each advisory. 

So far this year, Microsoft has released 17 advisories with patches for a total of 37 different vulnerabilities. Microsoft's updates usually also include silent fixes for bugs discovered internally, and these are never publicly announced.

This means that the actual patch count for the first four months of 2007 could be much higher.

[UPDATE: April 5, 2007 at 2:28 PM Eastern] Microsoft has confirmed receipt of eEye's discovery through a spokesman who issued the following statement:

I can tell you that Microsoft is aware of a public report of a responsibly disclosed possible vulnerability in Microsoft Windows. The company is not aware of any public discussion of the report itself. The company is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time, and will continue to investigate the public reports to help provide additional guidance for customers as necessary.

This issue is still under investigation. Once completed, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs.


Talkback

11 comments
  • YOWB - Year of Windows Bugs?

    NT
    WiredGuy
    • Year, it never stops does it? (NT)

      ...
      Scrat
  • Ryan, don't forget these

    How come you managed to miss these high risk vulnerabilities?

    [url=http://www.securityfocus.com/archive/1/464719/30/0/threaded]Mozilla Firefox Insecure Element Stealth Injection Vulnerability[/url]

    and

    [url=http://www.securityfocus.com/archive/1/464740/30/0/threaded]Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug[/url]

    and

    [url=http://www.securityfocus.com/archive/1/464724/30/0/threaded]High Risk Vulnerability in OpenOffice[/url]

    I'm sure it was just an oversight...
    Scrat
    • Thanks for the heads up

      The Mozilla Stealth Injection Vulnerability is important.

      The firebug flaw.
      [i]Theoretically everything is possible, from modifying
      the user file system to launching processes, installing ROOTKITs, you name it.[/i]

      Theories are great but the only demonstration is for Windows systems. Will this affect VISTA with UAC or any OS with privileges (specifically the installing rootkits, you name it)?

      Definitely make sure your user data is backed up.

      OpenOffice:
      This flaw was already patched.
      OpenOffice 2.2 and 1.1.5 are immune.
      dragosani
      • Re: The firebug flaw

        [i]"...In this post I am going to disclose a vulnerability for Firebug which can be used by attackers to gain control of [b]every system where the extension is installed[/b]. Of course, the user needs to visit a malicious page first, which means that the attack surface is greatly reduced. However, given the fact that the largest user base of the Firefox browser are geeks and Firebug is a top extension at http://addons.mozilla.org, attackers can cause quite a lot of trouble.

        The vulnerability is of a type Cross-zone or Cross-context scripting, where a script from a web page is injected inside the zone of the browser, also known as the chrome, or in the zone of the file: protocol. In both cases the result is quite devastating, although the second is a bit less critical than the first. Remote scripts in the browser are restricted by a sandbox. This means that everything that is prefixed with http: or https: is secure. Browser extensions make use of the chrome: protocol. This protocol is not restricted at all and everything is allowed. Therefore browser extensions are trusted. However, if a remote script tricks the browser into executing JavaScript expressions on chrome: then [b]this script can take control of the entire chrome and also the underlying operating system because then command execution and read/write file access are allowed[/b]..."[/i] (my emphasis added)

        Excerpt taken from http://www.gnucitizen.org/blog/firebug-goes-evil

        This would worry me if I didn't use Opera, which avoids the insecure nature of extensions.
        Scrat
        • Re: Re: The firebug flaw - seems to be fixed!

          [b]Re: [WEB SECURITY] Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug[/b]

          [i]pdp (architect) wrote:
          > http://www.gnucitizen.org/blog/firebug-goes-evil
          >
          > There is critical vulnerability in Firefox/Firebug which allows
          > attackers to inject code inside the browser chrome.

          Good find.

          > I recommend to disable Firebug for now until the issue is fixed.

          Firebug 1.03 is now available and fixes this vulnerability.
          https://addons.mozilla.org/en-US/firefox/addon/1843

          Firebug is disabled by default and is probably best left that way. It can
          be easily enabled per-site when you're actively developing or hacking.

          -Dan Veditz[/i]

          -------------------------------------------------------------

          Nice work.

          Found [url=http://www.securityfocus.com/archive/1/464786/30/0/threaded]here[/url]
          Scrat
  • Silent fixes -- real or FUD?

    "Microsoft usually includes silent fixes that are discovered internally and these are never publicly announced. This means that the actual patch count for the first four months of 2007 could be much higher."

    Not that it wouldn't surprise me, but do you have any evidence of these "silent fixes"? Without evidence, it just sounds like FUD to me.
    PB_z
    • Silent fixes -- very real

      I wrote about this in 2006, including confirmation from Microsoft that official policy calls for undocumented (silent) fixes.

      See: http://www.eweek.com/article2/0,1895,1951186,00.asp
      Ryan Naraine
    • More documentation of silent fixes

      A Black Hat presentation (ppt):
      http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Manzuik.pdf
      Ryan Naraine
  • Details

    I see that the advisory is pretty vague as to what is being exploited. I haven't gotten a chance to search around too much; anyone got any more information on what is vulnerable and if it's covered by Patch Tuesday?
    Brandon Dixon
    • hardly

      Since they just learned of this potential flaw - it is highly unlikely that it will be covered with this month's round of patches. That's just my opinion - I could be wrong. Recall that Microsoft was made aware of the .ANI flaw in December of '06 though.

      -Mike
      SpikeyMike