Users at risk of remote code execution

Jun 11, 2008 13:25 GMT

Despite being relatively fresh on the market, Windows Vista Service Pack 1 (available since March 18) and Windows XP Service Pack 3 (dropped on May 6) have not enjoyed a smooth ride. Case in point: the June 2008 release of Microsoft Security Bulletins, containing three critical patches for vulnerabilities affecting both Vista SP1 and XP SP3. Microsoft has plugged security holes in various versions of Internet Explorer, but also in DirectX and the Bluetooth Stack.

Microsoft Security Bulletin MS08-033 (Critical) deals with two vulnerabilities in DirectX, while Microsoft Security Bulletin MS08-030 (Critical) fixes one vulnerability in the Bluetooth Stack. All three security holes were privately reported to the Redmond company, and each could allow remote code execution if successfully exploited.

The two DirectX vulnerabilities involve issues related to the MJPEG Decoder and SAMI Format Parsing. Both are rated Critical. The SAMI Format Parsing vulnerability impacts only DirectX 7.0 and 8.1, while the MJPEG Decoder vulnerability affects DirectX 7.0, 8.1, 9.0, and DirectX 10. All platforms from Windows 2000 to Windows Vista, including Vista SP1 and XP SP3, can expose end users to attacks unless the patches are applied.

Microsoft said that a successful exploit of either of the two DirectX issues would permit an attacker to gain complete control over an affected system, although the MJPEG Decoder vulnerability is by far a greater liability than the SAMI Format Parsing hole. "A remote code execution vulnerability exists in the way that the Windows MJPEG Codec handles MJPEG streams in AVI or ASF files. A user would have to preview or play a specially crafted MJPEG file for the vulnerability to be exploited," Microsoft said.

The vulnerability in the Bluetooth Stack affects only Windows clients, specifically 32-bit Windows XP SP2 and SP3, as well as 64-bit Windows XP SP2, and both x86 and x64 editions of Windows Vista, including SP1. The Bluetooth vulnerability is marked Critical for all of the operating systems mentioned above.

"A remote code execution vulnerability exists in the Bluetooth stack in Microsoft Windows because the Bluetooth stack does not correctly handle a large number of service description requests. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft added.