Hello everyone and welcome to this month’s blog on the Microsoft patch releases. This is a very light month; Microsoft is releasing only two bulletins that cover a total of three vulnerabilities affecting multiple flavors of Windows.

The most severe of the three issues involves the handling of TCP/IP multicast packets. An attacker may be able to exploit this issue to remotely compromise a vulnerable computer. The remaining issues include a denial-of-service vulnerability involving ICMP and a local privilege-escalation vulnerability affecting LSASS.

Microsoft’s summary of the January releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx

1. MS08-001 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (KB941644)

CVE-2007-0069 (BID 27100) Microsoft Windows TCP/IP IGMP MLD Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.2/10)

This is a remote code-execution vulnerability affecting Windows kernel TCP/IP and is due to the way it stores the state of Internet Group Management Protocol (IGMPv3) and Multicast Listener Discovery (MLDv2) queries. A remote attacker can exploit this issue by sending specially crafted packets to the vulnerable computer. A successful attack will result in the execution of the attacker-supplied code, potentially facilitating a remote compromise of the affected computer.



Affects: Windows XP, Windows Server 2003, and Windows Vista

Windows Server 2003 does not have any multicast addresses active by default. However, installing an application that uses multicast addresses may make the system vulnerable.

Non-Affected: Windows 2000

CVE-2007-0066 (BID 27139) Microsoft Windows TCP/IP ICMP Remote Denial Of Service Vulnerability (MS Rating: Moderate / Symantec Urgency Rating 5.7/10)

This is a remote denial of service vulnerability in Windows TCP/IP and is due to the way it handles fragmented router advertisement Internet Control Message Protocol (ICMP) queries. This issue affects systems with Router Discovery Protocol (RDP) enabled; it is disabled by default. By sending a malicious packet to a vulnerable computer, an attacker can exploit this issue to cause that computer to stop responding and potentially crash.

Affects: Windows 2000, Windows XP, and Windows Server 2003

Non-Affected: Windows Vista



2. MS08-002 Vulnerability in LSASS Could Allow Local Elevation of Privilege (KB943485)

CVE-2007-5352 (BID 27099) Microsoft Windows LSASS LPC Request Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency Rating 6.6/10)

This is a local privilege-escalation vulnerability affecting Microsoft Windows Local Security Authority Subsystem Service (LSASS). A local attacker can exploit this issue by sending a malicious LPC message to the affected service and potentially gain complete control of the affected computer.

Affects: Windows 2000, Windows XP, and Windows Server 2003

Non-Affected: Windows Vista

More information on this and other vulnerabilities is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.