Secunia Advisory SA11064

Microsoft Windows 14 Vulnerabilities
Release Date 2004-04-13
Last Update 2004-05-04
Criticality level Highly critical
Impact Privilege escalation
DoS
System access
Where From remote
Solution Status Vendor Patch
Operating System
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows NT 4.0 Workstation
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Embedded
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Software:
Windows NetMeeting 3.x

CVE Reference(s)
CVE-2003-0533
CVE-2003-0663
CVE-2003-0719
CVE-2003-0806
CVE-2003-0906
CVE-2003-0907
CVE-2003-0908
CVE-2003-0909
CVE-2003-0910
CVE-2004-0117
CVE-2004-0118
CVE-2004-0119
CVE-2004-0120
CVE-2004-0123

Description

Microsoft has acknowledged 14 vulnerabilities in the Windows operating system, where the most serious can be exploited by malicious people to compromise a vulnerable system.

1) A boundary error within LSASS (Local Security Authority Subsystem Service) can be exploited to cause a buffer overflow via a specially crafted message. Successful exploitation allows execution of arbitrary code with SYSTEM privileges.

The vulnerability can reportedly only be exploited remotely on Windows 2000 and Windows XP systems.

2) An error within LSASS (Local Security Authority Subsystem Service) when processing LDAP requests can be exploited by malicious people to reboot a vulnerable domain controller via a specially crafted LDAP message.

The vulnerability only affects Windows 2000 domain controllers.

3) A boundary error within the Microsoft Secure Sockets Layer (SSL) library when processing PCT (Private Communications Transport) handshake packets can be exploited to cause a buffer overflow. Successful exploitation allows execution of arbitrary code with SYSTEM privileges.

4) A boundary error within the Windows logon process (Winlogon) can be exploited by malicious users with permissions to modify domain objects to cause a buffer overflow. Successful exploitation allows execution of arbitrary code.

The vulnerability affects Windows NT 4.0, Windows 2000, and Windows XP systems that are members of a domain.

5) A boundary error within the rendering of Metafiles can be exploited to cause a buffer overflow via specially crafted files.

This may be related to:
SA10968

6) An input validation error within the "Help and Support Center" when handling HCP URLs can be exploited to execute arbitrary code on a vulnerable system via specially crafted HCP URLs. Successful exploitation requires that a user is tricked into visiting a malicious website or following a specially crafted link.

7) An error within the Utility Manager when launching applications can be exploited by malicious, local users to gain SYSTEM privileges.

The vulnerability only affects Windows 2000 systems.

8) An error within the Windows task management may in certain circumstances allow creation of tasks, which will be executed with SYSTEM privileges. This can be exploited by malicious, local users to gain escalated privileges on a vulnerable system.

The vulnerability only affects Windows XP systems.

9) An error within a programming interface used for creating entries in the Local Descriptor Table (LDT) can be exploited to access protected memory. This may allow malicious, local users to gain escalated privileges on a vulnerable system.

10) Boundary errors within the H.323 protocol implementation can be exploited to cause a buffer overflow via specially crafted H.323 requests. Successful exploitation allows execution of arbitrary code but commonly requires NetMeeting to be running.

The vulnerability may affect the following applications and services:
* Telephony Application Programming Interface (TAPI)-based applications
* NetMeeting
* Internet Connection Firewall (ICF)
* Internet Connection Sharing
* Microsoft Routing and Remote Access service

NetMeeting is installed as part of Windows 2000, Windows XP, and Windows Server 2003. The vulnerability doesn't affect Windows NT 4.0 unless the standalone version of NetMeeting has been installed.

This may be related to:
SA10611

11) An error within the operating system component handling the Virtual DOS Machine (VDM) subsystem can be exploited to access protected kernel memory. This may allow malicious, local users to gain escalated privileges.

12) A boundary error within the Negotiate Security Support Provider (SSP) interface can be exploited to cause a buffer overflow via a specially crafted network message. Successful exploitation commonly results in a Denial of Service but may also allow execution of arbitrary code.

13) An error within the Microsoft Secure Sockets Layer (SSL) library when handling SSL messages can be exploited to cause a vulnerable system to stop accepting SSL connections or restart.

14) A "double free" error within the "ASN1BERDecZeroCharString()" function in the Microsoft ASN.1 Library ("msasn1.dll") can be exploited to corrupt memory via a specially crafted, encoded ASN.1 value. Successful exploitation commonly results in a Denial of Service but may also allow execution of arbitrary code.
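Item 14 describes the usual shape of a double free in a decoder: the routine allocates a buffer for the decoded value, hits an error path on malformed input, releases the buffer, and leaves the caller's pointer pointing at the freed block, so the caller's own error cleanup frees it a second time. The C below is an added illustration written for this advisory; it is not code from msasn1.dll or any Microsoft component. The function names (ber_read_tlv, decode_zero_char_string_buggy, decode_zero_char_string_fixed), the ownership convention and the sample encodings are all assumptions constructed for the example. It also shows the length checks a BER TLV reader needs before copying anything, which is the input-validation side of any decoder fed attacker-supplied encoded data.

```c
/* Added example (hypothetical code, not msasn1.dll): a bounds-checked BER
 * TLV reader, a decoder with the double-free-prone ownership bug, and the
 * fixed decoder. Build with any C99 compiler. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t tag;
    size_t len;             /* content length */
    const uint8_t *value;   /* points into the caller's buffer, not a copy */
    size_t consumed;        /* header + content bytes */
} ber_tlv;

/* Parse one definite-length TLV. Returns 0 on success, -1 if the encoding is
 * malformed or truncated. Indefinite length (0x80) is rejected: primitive
 * strings must use definite form. Every arithmetic step is checked against
 * buflen before any byte past the header is touched. */
int ber_read_tlv(const uint8_t *buf, size_t buflen, ber_tlv *out)
{
    if (buflen < 2) return -1;
    size_t pos = 0;
    out->tag = buf[pos++];
    uint8_t first = buf[pos++];
    size_t len;
    if (first < 0x80) {
        len = first;                                   /* short form */
    } else {
        size_t nbytes = first & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t)) return -1; /* indefinite or absurd */
        if (buflen - pos < nbytes) return -1;          /* truncated length field */
        len = 0;
        for (size_t i = 0; i < nbytes; i++) len = (len << 8) | buf[pos++];
    }
    if (len > buflen - pos) return -1;                 /* content runs past buffer */
    out->len = len;
    out->value = buf + pos;
    out->consumed = pos + len;
    return 0;
}

/* Buggy variant: on the embedded-NUL error path it frees the buffer but
 * leaves *out holding the freed address. A caller that cleans up with
 * free(*out) after any failure, a common pattern, frees the block twice. */
int decode_zero_char_string_buggy(const uint8_t *buf, size_t buflen, char **out)
{
    ber_tlv t;
    if (ber_read_tlv(buf, buflen, &t) != 0) return -1;
    *out = malloc(t.len + 1);
    if (*out == NULL) return -1;
    memcpy(*out, t.value, t.len);
    (*out)[t.len] = '\0';
    if (strlen(*out) != t.len) {       /* embedded NUL: not a zero-terminated string */
        free(*out);                    /* BUG: *out is now dangling */
        return -1;
    }
    return 0;
}

/* Fixed variant: the function owns the buffer until it returns 0. On every
 * error path it releases the buffer and leaves *out == NULL, so a caller's
 * unconditional free(*out) is a no-op rather than a second free. */
int decode_zero_char_string_fixed(const uint8_t *buf, size_t buflen, char **out)
{
    *out = NULL;
    ber_tlv t;
    if (ber_read_tlv(buf, buflen, &t) != 0) return -1;
    char *s = malloc(t.len + 1);
    if (s == NULL) return -1;
    memcpy(s, t.value, t.len);
    s[t.len] = '\0';
    if (strlen(s) != t.len) {          /* embedded NUL: reject, nothing leaks or dangles */
        free(s);
        return -1;
    }
    *out = s;                          /* ownership passes to the caller only on success */
    return 0;
}

/* Constructed sample encodings (tag 0x04 = OCTET STRING); not captured data. */
static const uint8_t SAMPLE_OK[]           = {0x04, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_LONGFORM[]     = {0x04, 0x81, 0x03, 'a', 'b', 'c'};
static const uint8_t SAMPLE_TRUNCATED[]    = {0x04, 0x05, 'h', 'i'};
static const uint8_t SAMPLE_INDEFINITE[]   = {0x04, 0x80, 'a', 0x00, 0x00};
static const uint8_t SAMPLE_HUGE_LEN[]     = {0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 'x'};
static const uint8_t SAMPLE_EMBEDDED_NUL[] = {0x04, 0x03, 'a', 0x00, 'b'};

int main(void)
{
    char *s = NULL;
    int rc = decode_zero_char_string_fixed(SAMPLE_OK, sizeof SAMPLE_OK, &s);
    printf("valid input: rc=%d value=%s\n", rc, rc == 0 ? s : "(none)");
    free(s);                           /* safe: s is NULL whenever rc != 0 */

    rc = decode_zero_char_string_fixed(SAMPLE_EMBEDDED_NUL, sizeof SAMPLE_EMBEDDED_NUL, &s);
    printf("fixed, malformed input: rc=%d out=%s\n", rc, s == NULL ? "NULL" : "dangling");
    free(s);                           /* no-op on NULL: no double free */

    s = NULL;
    rc = decode_zero_char_string_buggy(SAMPLE_EMBEDDED_NUL, sizeof SAMPLE_EMBEDDED_NUL, &s);
    printf("buggy, malformed input: rc=%d out=%s\n", rc, s == NULL ? "NULL" : "dangling");
    /* A free(s) here would be the double free; deliberately omitted. */
    return 0;
}
```

The last line of output shows the buggy decoder returning an error with a dangling pointer. Under an allocator that detects double frees, the caller's second free aborts the process, which is the Denial of Service the advisory describes; on a heap without such checks it is the memory corruption that may lead to code execution.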


Solution
Apply patches manually or via Windows Update.

Provided and/or discovered by
1, 5, 9, 11) eEye Digital Security
2) Carlos Sarraute, Core Security Technologies.
3) Mark Dowd and Neel Mehta, ISS X-Force.
4) Ondrej Sevecek
6) Jouko Pynnönen
7) Brett Moore of Security-Assessment.com, Cesar Cerrudo, and Ben Pryor.
8) Erik Kamphuis, LogicaCMG.
12) Chen Qing, NSFOCUS Security Team.
13) John Lampe, Tenable Network Security.
14) Qualys and Mike Price of Foundstone Labs.

Original Advisory
Microsoft MS04-011:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

eEye Digital Security Advisories:
http://www.eeye.com/html/Research/Advisories/AD20040413C.html
http://www.eeye.com/html/Research/Advisories/AD20040413D.html
http://www.eeye.com/html/Research/Advisories/AD20040413E.html
http://www.eeye.com/html/Research/Advisories/AD20040413F.html

Jouko Pynnönen - Help and Support Center Vulnerability:
http://jouko.iki.fi/adv/hcp.html

Foundstone - ASN.1 Library Double Free Vulnerability:
http://www.foundstone.com/products/sa/fs-sa-04-13-04.pdf

ISS X-Force - PCT Message Handling Vulnerability:
http://xforce.iss.net/xforce/alerts/id/168

NSFocus - SSP Interface Buffer Overflow Vulnerability:
http://www.nsfocus.com/english/homepage/research/0401.htm


© 2002-2012 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144