Microsoft today pushed out two fixes to close three vulnerabilities, including two “critical” server-side flaws that do not require any user interaction to be exploited.
The critical bugs, undisclosed until today, are located in the transmission control protocol/internet protocol (TCP/IP) kernel driver. Users’ PCs can be exploited if they are sent maliciously crafted multicast or ICMP (internet control message protocol) packets.
Schultze said both protocols — multicast and ICMP — usually are not turned on by default, but administrators should nevertheless take the bugs seriously.
“We haven’t seen a good remote code execution [flaw] in a while,” he said. “It will ignite some enthusiasm with some of the hackers. So many of the vulnerabilities lately have been what I call client-side, meaning the end-user has to visit a website or something.”
Amol Sarwate, director of Qualys’ vulnerability research lab, said both protocols are normally enabled. He said ICMP is turned on by default in Windows XP and Vista, and multicast is enabled by default in Vista, but not XP.
The second bulletin corrects an “important” privilege-escalation vulnerability in the Microsoft Windows Local Security Authority Subsystem Service (LSASS). It does not impact Vista.
Andrew Storms, director of security operations for nCircle, said the flaw is not “too dangerous because it is a local-only vulnerability that requires valid login credentials for execution.”
But when combined with other holes, it becomes more severe, said Schultze.
One notable vulnerability that went unfixed was a flaw in the Microsoft Web Proxy Automatic Discovery (WPAD) feature, disclosed a week prior to December’s Patch Tuesday release. The flaw could be exploited to carry out a man-in-the-middle attack.