Softpedia
 


January 9th, 2008, 10:09 GMT · By

Windows Vista Kernel Can Be Subdued by Malicious TCP/IP Packets

In what can only be described as a very slow month for Microsoft in terms of security bulletin releases, and a light start to 2008, the Redmond company has issued a patch for a critical vulnerability impacting Windows Vista. Microsoft Security Bulletin MS08-001, which carries a maximum severity rating of Critical, is designed to plug two vulnerabilities in Windows TCP/IP that could allow remote code execution. The remaining bulletin, MS08-002, rated only as Important, resolves a vulnerability in LSASS that exposes users to elevation of privilege.

"This is a very light month; Microsoft is releasing only two bulletins that cover a total of three vulnerabilities affecting multiple flavors of Windows. The most severe of the three issues involves the handling of TCP/IP multicast packets. An attacker may be able to exploit this issue to remotely compromise a vulnerable computer. The remaining issues include a denial-of-service vulnerability involving ICMP and a local privilege-escalation vulnerability affecting LSASS", explained Rob Keith, Symantec Security Response Engineer.

By exploiting the Windows Kernel TCP/IP/IGMPv3 and MLDv2 vulnerability, an attacker can potentially subdue the core of the Windows Vista operating system by doing nothing more than sending malicious TCP/IP packets to the platform. A successful attack requires no user interaction at all. However, according to Microsoft, all three vulnerabilities patched this month were privately reported to the company. As of January 8th, 2008, when Microsoft issued patches for the three security holes, there had been no reports of exploits or of public proof-of-concept code in the wild.

"A remote code execution vulnerability exists in the Windows kernel due to the way that the Windows kernel handles TCP/IP structures storing the state of IGMPv3 and MLDv2 queries. Supported editions of Microsoft Windows XP, Windows Server 2003, and Windows Vista all support IGMPv3. In addition to IGMPv3, Windows Vista supports MLDv2, which adds multicast support for IPv6 networks. An anonymous attacker could exploit the vulnerability by sending specially crafted IGMPv3 and MLDv2 packets to a computer over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights", Microsoft informed.
