Late on Feb. 7, Microsoft issued two separate advisories, each with pre-patch workarounds: one for a privilege escalation vulnerability in Windows and one for a new code execution hole in older versions of the Internet Explorer browser.
The IE flaw could allow an attacker to use a rigged WMF (Windows Metafile) image to take complete control of an affected Windows machine, but Microsoft says the issue only affects IE 5.0 on Microsoft Windows 2000 Service Pack 4 and IE 5.5 on Windows Millennium.
The Redmond, Wash., company made it clear that the WMF issue is different from the vulnerability addressed in the MS06-001 bulletin released earlier this year to thwart a series of zero-day attacks.
“Based on our investigation, this [new] vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user,” the company said in the advisory.
Microsoft also warned that an attacker could launch attacks by convincing a user to open a specially crafted e-mail attachment or click a link in an e-mail message that takes the user to a malicious Web site. A malicious e-mail message targeting Outlook Express users could also launch a successful exploit, the company said.
In the absence of a patch, Microsoft urged users to download and install Internet Explorer 6 Service Pack 1, which is not vulnerable to the attack scenario.
A separate security advisory from Microsoft acknowledged a warning from a pair of Princeton University researchers that it is easy to pinpoint privilege escalation vulnerabilities in third-party applications running on Windows.
The researchers released proof-of-concept code to show how ACLs (access control lists) used in Windows applications could be exploited. Microsoft said the code attempts to exploit overly permissive access controls on third-party application services and could also be used to exploit default services of Windows XP Service Pack 1 and Windows Server 2003.
An ACL is a table that tells the operating system which access rights each user or group has to a particular object, such as a service. The researchers found that because some services are installed with overly permissive ACLs, an ordinary logged-on user can bypass basic Windows security boundaries, and the same weakness can be used in malicious hacker attacks.
“These vulnerabilities could allow a malicious authenticated user to launch a privilege escalation attack. An attacker could change the default binary that is associated with the affected services. Then an attacker could stop and restart the services to run a malicious program or binary,” Microsoft's advisory said.
In its advisory, Microsoft said customers running Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 are not vulnerable to these issues because of defense-in-depth security-related changes that were made to these service packs.
“Users who run Windows XP Service Pack 1 and Windows Server 2003 Gold may be at risk, but the risk to Windows Server 2003 users is reduced,” the company said.
In the absence of a comprehensive fix, the company has posted workarounds to change the default ACLs in the vulnerable versions of the operating system.
These include using the “sc.exe” command to set modified access controls for the identified services; using Group Policy to deploy modified access controls for the identified services; and modifying the Windows registry to change access controls for each of the identified services.
Detailed instructions for applying the workarounds are included in the advisory.
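As an added example (not code from Microsoft's advisory or from the Princeton researchers' proof of concept), the following Python script reads a service security descriptor in the SDDL form that `sc sdshow <service>` prints, flags every access-allowed entry that hands a low-privilege principal a right sufficient to replace the service binary or rewrite the ACL (the escalation path quoted above), and produces the `sc sdset` command for the advisory's first workaround. The service name ExampleSvc and the descriptor are constructed for the example, and the read-only right set kept for users (CCLCSWLOCRRC) is an assumed safe baseline, not a value taken from the advisory.

```python
"""Check a Windows service security descriptor (SDDL, as printed by `sc sdshow`)
for ACEs that let ordinary users hijack the service, and build the `sc sdset`
command that removes them. Added example, not Microsoft's advisory code."""
import re

# Rights that an authenticated user must not hold on a service: each one lets
# the holder swap the service binary (via binPath) or rewrite the ACL so that
# the binary can be swapped afterwards.
DANGEROUS_RIGHTS = {
    "DC": "SERVICE_CHANGE_CONFIG (can rewrite binPath)",
    "WD": "WRITE_DAC (can rewrite this ACL)",
    "WO": "WRITE_OWNER (can take ownership, then rewrite the ACL)",
    "GA": "GENERIC_ALL",
    "GW": "GENERIC_WRITE (maps to SERVICE_CHANGE_CONFIG)",
}
# Bit values of the same rights, for ACEs whose access mask is written in hex.
RIGHT_BITS = {"DC": 0x0002, "WD": 0x00040000, "WO": 0x00080000,
              "GA": 0x10000000, "GW": 0x40000000}
# Well-known SID abbreviations that any logged-on, non-admin user satisfies.
# Raw S-1-... SIDs are not resolved here; check group membership separately.
LOW_PRIV_SIDS = {"AU", "BU", "WD", "IU", "AN", "BG"}
# What to leave such users with: query config/status, enumerate dependents,
# interrogate, READ_CONTROL. Assumed safe baseline; adjust per service.
SAFE_USER_RIGHTS = "CCLCSWLOCRRC"

SECTION_RE = re.compile(r"([OGDS]):")
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sections(sddl):
    """Return [(section, body), ...] for the O:, G:, D: and S: parts, in order."""
    marks = list(SECTION_RE.finditer(sddl))
    sections = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        sections.append((m.group(1), sddl[m.end():end]))
    return sections


def rights_tokens(rights):
    """Normalise an ACE access string to a set of two-letter right codes."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def ace_fields(ace):
    """Split 'type;flags;rights;object;inherit;sid' into fields, or None if malformed."""
    fields = ace.split(";")
    return fields if len(fields) >= 6 else None


def is_weak_ace(fields):
    """True for an access-allowed ACE giving a low-privilege SID a dangerous right."""
    return (fields[0] == "A" and fields[5] in LOW_PRIV_SIDS
            and bool(rights_tokens(fields[2]) & set(DANGEROUS_RIGHTS)))


def find_weak_aces(sddl):
    """Return [(sid, [dangerous right codes]), ...] for weak ACEs in the DACL."""
    dacl = dict(split_sections(sddl)).get("D", "")
    weak = []
    for ace in ACE_RE.findall(dacl):
        fields = ace_fields(ace)
        if fields and is_weak_ace(fields):
            weak.append((fields[5], sorted(rights_tokens(fields[2]) & set(DANGEROUS_RIGHTS))))
    return weak


def harden_sddl(sddl):
    """Rewrite each weak DACL ACE to SAFE_USER_RIGHTS; owner, group, DACL flags and SACL are kept."""
    def fix(match):
        fields = ace_fields(match.group(1))
        if fields is None:
            return match.group(0)
        if is_weak_ace(fields):
            fields[2] = SAFE_USER_RIGHTS
        return "(" + ";".join(fields) + ")"
    return "".join(key + ":" + (ACE_RE.sub(fix, body) if key == "D" else body)
                   for key, body in split_sections(sddl))


def sc_sdset_command(service, sddl):
    """The sc.exe invocation that applies the hardened descriptor (run from an elevated prompt)."""
    return f"sc sdset {service} {harden_sddl(sddl)}"


# Constructed sample: a service whose installer granted Authenticated Users (AU)
# full access, the kind of misconfiguration the advisory warns about.
SERVICE = "ExampleSvc"  # hypothetical service name
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for sid, codes in find_weak_aces(WEAK_SDDL):
        print(f"{SERVICE}: {sid} holds " + ", ".join(DANGEROUS_RIGHTS[c] for c in codes))
    print(sc_sdset_command(SERVICE, WEAK_SDDL))
```

On a Windows host, paste the output of `sc sdshow <service>` into `find_weak_aces` to audit a service, and apply the generated `sc sdset` line from an elevated prompt. The script inspects only the service object's own ACL; it does not check whether the binary on disk is writable, which is a separate question.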