MS-ISAC ADVISORY NUMBER:
2009-021

DATE(S) ISSUED:
4/14/2009

SUBJECT:
Multiple Vulnerabilities in Windows HTTP Services

OVERVIEW:

Multiple vulnerabilities have been discovered in Windows HTTP Services (WinHTTP) that could allow a remote attacker to take complete control of a vulnerable system. WinHTTP is the Windows component that client applications and system services use to send HTTP requests to web servers, so the exposure is not limited to the web browser. These vulnerabilities can be exploited when a user or an application connects to a malicious web server. Successful exploitation may result in an attacker gaining complete control of the affected system. An attacker could then install programs; view, change, or delete files; or create new accounts with user rights.

SYSTEMS AFFECTED:

  • Windows 2000 SP4
  • Windows XP SP2 and SP3
  • Windows XP Professional x64 Edition and SP2
  • Windows Server 2003 SP1 and SP2
  • Windows Server 2003 x64 Edition and SP2
  • Windows Server 2003 with SP1 for Itanium-based Systems and SP2
  • Windows Vista and Windows Vista SP1
  • Windows Vista x64 Edition and SP1
  • Windows Server 2008 for 32-bit Systems
  • Windows Server 2008 for x64-based Systems
  • Windows Server 2008 for Itanium-based Systems

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Three vulnerabilities have been identified in Windows HTTP Services (WinHTTP). They could be exploited when a user or an application connects to a malicious web server.

Windows HTTP Services Integer Underflow Vulnerability (CVE-2009-0086)
A remote code execution vulnerability exists in the way that Windows HTTP Services handles specific values returned by a remote web server; the handling is subject to an integer underflow. It is important to note that the Universal Plug and Play (UPnP) service uses the WinHTTP libraries. When that service is enabled, a malicious user on the local subnet can answer the service's SSDP discovery requests and lead UPnP to connect, using WinHTTP, to an attacker-controlled host that then exploits this vulnerability. In that scenario the connection is made by the service itself, so the attack does not depend on the user visiting a web site.

Windows HTTP Services Certificate Name Mismatch Vulnerability (CVE-2009-0089)
A spoofing vulnerability exists in Windows HTTP Services because it does not completely validate the distinguished name in a server's digital certificate against the host it is connecting to. An attacker who can intercept a connection and present a crafted certificate could impersonate a trusted server or act as a man-in-the-middle.
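Added example, not Microsoft's code and not the WinHTTP validation routine: a hostname check of the kind an HTTP client must perform against the server's certificate, following the RFC 2818/6125 matching rules. It takes the certificate in the shape Python's ssl.getpeercert() returns (an assumption about input format) and covers the cases a complete validation has to get right: subjectAltName DNS entries take precedence over the common name, comparison is case-insensitive, a wildcard is honoured only as the whole leftmost label, and names containing a NUL byte are rejected (a generic hardening; the advisory does not say which check WinHTTP was missing). The sample certificate at the bottom is constructed for illustration.

```python
"""Hostname-to-certificate matching, RFC 2818/6125 style.
Added example; not WinHTTP's code. Input format follows
ssl.SSLSocket.getpeercert() (an assumption)."""
import re

# A DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def _dns_names(cert):
    """Reference identifiers from the certificate. subjectAltName DNS entries
    win; the subject CN is consulted only when there is no DNS SAN at all."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _valid_hostname(name):
    """Syntactic check on the name the client is connecting to."""
    if not name or len(name) > 253 or "\x00" in name:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def _pattern_matches(pattern, host):
    """One reference identifier against one hostname. A wildcard must be the
    entire leftmost label, must leave at least two labels to its right
    (so '*.com' matches nothing), and never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def check_cert_hostname(cert, host):
    """Return (ok, reason). The caller decides whether to abort the connection."""
    if not _valid_hostname(host):
        return False, "invalid hostname"
    names = _dns_names(cert)
    if not names:
        return False, "certificate carries no DNS name"
    for name in names:
        # Generic hardening: a NUL inside a name is never legitimate and is a
        # classic way to fool C-string based comparisons.
        if "\x00" in name:
            return False, "certificate name contains NUL byte"
        if _pattern_matches(name, host):
            return True, "matched %s" % name
    return False, "hostname %s not in %s" % (host, names)


# Constructed sample in getpeercert() shape (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
```

A client that only compares the CN, or that lets a wildcard span more than one label, accepts certificates it should reject; the second assertion set below shows a certificate whose CN says one thing while its SAN says another, which a complete check treats as a mismatch.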

Windows HTTP Services Credential Reflection Vulnerability (CVE-2009-0550)
A remote code execution vulnerability exists in the way that Windows HTTP Services handles NTLM credentials when a user connects to an attacker's web server. The attacker's server can take the NTLM challenge-response exchange from the user's client and reflect it back to a service on the user's own system, replaying the user's credentials to authenticate there and execute code with the user's rights.
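Added example, not Microsoft's code and not the NTLM protocol itself: a small model of challenge/response authentication that shows why reflection works and how a host-side check (refuse to answer a challenge this machine issued itself) stops it. The response computation (HMAC-SHA256 keyed by a password-derived key), the Host class and the attack and login helpers are illustrative assumptions standing in for NTLM's own mechanics; the actual correction is the one shipped in MS09-013.

```python
"""Toy model of challenge/response reflection. Added example; not NTLM and
not Microsoft's code. HMAC-SHA256 stands in for the NTLM response function
and a SHA-256 of the password stands in for the password hash (assumptions)."""
import hashlib
import hmac
import os


class Host:
    """One machine that is both a server (issues and verifies challenges,
    e.g. its file-sharing service) and a client (answers challenges that a
    web server presents to its HTTP client). reflection_guard turns on the
    mitigation of refusing to answer a challenge this host itself issued."""

    def __init__(self, name, password, reflection_guard=False):
        self.name = name
        self.key = hashlib.sha256(password.encode()).digest()  # stands in for the NT hash
        self.reflection_guard = reflection_guard
        self.outstanding = {}  # challenges this host has issued as a server

    # --- server side ---
    def issue_challenge(self):
        challenge = os.urandom(8)
        self.outstanding[challenge] = True
        return challenge

    def verify(self, challenge, response):
        """Accept a response only for a challenge we issued and have not yet
        consumed, and only if it was computed with our user's key."""
        if not self.outstanding.pop(challenge, False):
            return False
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    # --- client side ---
    def answer(self, challenge):
        """Compute the response for a challenge presented by a web server.
        With the guard on, a challenge that came from this very host is
        refused, because no honest remote server could have produced it."""
        if self.reflection_guard and challenge in self.outstanding:
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def reflection_attack(victim):
    """The attacker's web server reflects the victim's own server challenge
    back to the victim's HTTP client. Returns True if the attacker ends up
    authenticated to the victim."""
    # 1. attacker connects to a service on the victim and receives a challenge
    challenge = victim.issue_challenge()
    # 2. attacker's web server presents that same challenge to the victim's
    #    HTTP client, which answers with the logged-on user's key
    response = victim.answer(challenge)
    if response is None:
        return False
    # 3. attacker replays the response to the victim's service
    return victim.verify(challenge, response)


def normal_login(client, server):
    """Legitimate client-to-server authentication, for contrast."""
    challenge = server.issue_challenge()
    return server.verify(challenge, client.answer(challenge))
```

The guard defeats reflection to the same host, which is the case this advisory describes; it does nothing against relaying the exchange to a third host, which is a separate problem and is not what this vulnerability covers. Note also that a consumed challenge cannot be replayed a second time, which is why the attacker needs a fresh reflection for every authentication.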

Successfully exploiting any of these vulnerabilities could allow an attacker to take complete control of the system, perform man-in-the-middle attacks or impersonate trusted servers. An attacker could then install programs; view, change, or delete files; or create new accounts with user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Where the Universal Plug and Play (UPnP) service is not required, disable it; as described above, it gives an attacker on the local subnet a path to the integer underflow vulnerability that does not depend on the user visiting a web site.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not visit untrusted web sites or follow links provided by unknown or untrusted sources.
  • Do not download or open files from untrusted web sites.

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS09-013.mspx

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0086
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0089
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0550


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.