A stocking full of coal
Microsoft Windows Kernel ANI File Parsing Crash and DoS Vulnerability
The first of these is actually a two-for-one special, affectionately dubbed the 'Microsoft Windows Kernel ANI File Parsing Crash and DoS Vulnerability'. Both flaws can be exploited via an email or a webpage.
The exploit is triggered by a specially crafted ANI (Windows Animated Cursor) file and is known to impact Windows NT, all flavors of 2000, XP and XP SP1, and Windows 2003. Windows XP SP2 has been tested and found not to be vulnerable.
In the first instance, the kernel crashes when it encounters an ANI file with the frame number set to 0. In the second instance, the kernel exhausts all system resources and freezes when it encounters malformed ANI files with the rate number set to 0.
Microsoft Windows LoadImage API Integer Buffer Overflow
But what's the point in causing a system crash when you can run arbitrary code instead? To further stuff the Microsoft stocking, a boundary condition error dubbed the Microsoft Windows LoadImage API Integer Buffer Overflow was also reported. This vulnerability exists in the LoadImage API of the USER32 library and impacts Windows NT, all flavors of 2000, XP and XP SP1, and Windows 2003. It is not known whether Windows XP SP2 is affected.
When processing ANI, BMP, CUR, or ICO files, the LoadImage API adds 4 to the size field read from the image file.
Setting that size field to a value between 0xfffffffc and 0xffffffff makes the 32-bit addition wrap around to a tiny value, so the buffer allocated from the result is far smaller than the data later written into it: an integer overflow that becomes a buffer overflow. As with the ANI File Parsing Crash and DoS Vulnerability, the LoadImage API Integer Buffer Overflow can be triggered via email or a webpage. However, the impact goes beyond merely crashing the system. The LoadImage API Integer Buffer Overflow makes it possible for a remote attacker to run arbitrary code on the afflicted system, with the same rights and abilities as the logged-in user.
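To make the two parsing defects above concrete, here is an added illustration that is not code from VenusTech, Microsoft, or this article. It uses a constructed, deliberately simplified image header (the real ANI/BMP/CUR/ICO layouts and the actual LoadImage source are not reproduced here) and shows, side by side, the unchecked "size + 4" computation that wraps for the 0xfffffffc-0xffffffff range and an overflow-safe replacement, plus the zero-frame and zero-rate rejections that the ANI kernel bugs call for. The header struct, field names and HEADER_SLACK constant are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified image header used for illustration only;
 * it is NOT the real ANI/BMP/CUR/ICO layout (assumption). */
struct img_header {
    uint32_t size;    /* payload size as declared in the file */
    uint32_t frames;  /* number of animation frames (ANI) */
    uint32_t rate;    /* frame display rate (ANI) */
};

/* The 4 bytes the article says LoadImage adds to the declared size. */
#define HEADER_SLACK 4u

/* Unchecked computation: unsigned 32-bit addition wraps for any
 * size >= 0xfffffffc, so the allocation made from the result is far
 * too small for the data that is subsequently copied into it. */
uint32_t naive_alloc_size(uint32_t size)
{
    return size + HEADER_SLACK;
}

/* Overflow-safe computation: refuses any size for which size + 4 would
 * wrap, instead of silently producing an undersized allocation. */
bool checked_alloc_size(uint32_t size, uint32_t *out)
{
    if (size > UINT32_MAX - HEADER_SLACK)
        return false;            /* would wrap: reject the file */
    *out = size + HEADER_SLACK;
    return true;
}

/* Validate the constructed header before any allocation or decoding:
 * rejects the zero frame count and zero rate cases the article describes
 * for the ANI kernel bugs, and the wrapping size field for LoadImage. */
bool header_is_sane(const struct img_header *h, uint32_t *alloc_out)
{
    if (h->frames == 0)
        return false;            /* zero frames: nothing to draw, reject */
    if (h->rate == 0)
        return false;            /* zero rate: no valid frame timing, reject */
    return checked_alloc_size(h->size, alloc_out);
}

int main(void)
{
    /* Constructed sample headers: one benign, one with a wrapping size. */
    struct img_header ok   = { .size = 1024u,       .frames = 2u, .rate = 10u };
    struct img_header wrap = { .size = 0xfffffffcu, .frames = 2u, .rate = 10u };
    uint32_t n = 0;

    printf("naive: 0x%08x + 4 = 0x%08x (wrapped)\n",
           wrap.size, naive_alloc_size(wrap.size));
    printf("benign header: %s\n",
           header_is_sane(&ok, &n) ? "accepted" : "rejected");
    printf("wrapping header: %s\n",
           header_is_sane(&wrap, &n) ? "accepted" : "rejected");
    return 0;
}
```

The defensive point is the order of operations: the bounds check happens on the untrusted field before the arithmetic that derives an allocation size from it, and every reject path returns before any buffer is allocated. The same `size > UINT32_MAX - slack` idiom applies to any parser that pads a file-supplied length.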
Microsoft Windows winhlp32.exe Heap Overflow Vulnerability
Adding even more coal to the pile, VenusTech also lumped in the 'Microsoft Windows winhlp32.exe Heap Overflow Vulnerability'. This design error impacts Windows NT, all flavors of 2000, XP, XP SP1, XP SP2 and Windows 2003.
The decoding error within the Windows .hlp header processing can be exploited to cause a heap-based buffer overflow, which then allows remote attackers to take control of the compromised system. As with the LoadImage and ANI parsing vulnerabilities described above, the exploit can be triggered via a webpage or email.
Irresponsible Disclosure
It does not appear that VenusTech followed responsible disclosure standards for vendor notification, hence it is not known whether Microsoft will be issuing patches on January 11th, their next regularly scheduled patch date.
Coincidentally - or not - VenusTech is also the developer of a line of security products. One can only assume their own products were updated prior to their very public release of exploit code on the Internet. If so, it gives a whole new meaning to the term malicious marketing.