Microsoft has issued a high-priority security update to fix a pair of “critical” flaws that expose Windows users to remote code execution attacks.
The software giant’s first batch of patches for 2008 includes a fix for at least two vulnerabilities in TCP/IP processing.
The bugs, rated critical for all supported versions of Windows XP and Windows Vista, could be exploited by remote attackers to “take complete control of an affected system,” Microsoft warned in its MS08-001 bulletin.
In worst-case scenarios, Microsoft said attackers could hijack Windows XP and Vista systems to install programs; view, change, or delete data; or create new accounts with full user rights.
The TCP/IP bulletin affects Windows Server 2003 and Windows 2000, but the severity rating is downgraded for those operating systems.
The more serious of the two bugs, discovered and reported by researchers at IBM’s ISS X-Force, is a remote code execution vulnerability in the way the Windows kernel handles TCP/IP structures storing the state of IGMPv3 and MLDv2 queries.
“An anonymous attacker could exploit the vulnerability by sending specially crafted IGMPv3 and MLDv2 packets to a computer over the network,” Microsoft warned. Although this makes the vulnerability wormable, several anti-exploitation mechanisms built into Windows Vista and the presence of a firewall turned on by default in Windows XP mean there is little likelihood of a remote network worm affecting Windows users.
The second vulnerability in the MS08-001 bulletin is described as a denial-of-service issue in the way the Windows Kernel processes fragmented router advertisement ICMP queries.
It’s important to note that ICMP Router Discovery Protocol (RDP) is not enabled by default, and it must be enabled for this vulnerability to be exploited.
However, on Windows 2003 Server and on Windows XP, Microsoft warned that RDP can be turned on by a setting in DHCP (Dynamic Host Configuration Protocol) or by a setting in the registry. Also, on Windows 2000, RDP can be turned on by a setting in the registry.
Microsoft said an anonymous attacker could exploit the vulnerability by sending specially crafted ICMP packets to a computer over the network, causing the computer to stop responding and automatically restart.
The company also shipped MS08-002, an “important” bulletin that patches a privilege elevation flaw in the Microsoft Windows Local Security Authority Subsystem Service (LSASS).
The LSASS bug, which was found by Thomas Garnier of SkyRecon, affects Windows 2000, Windows XP and Windows Server 2003. Windows Vista is not affected.