# Microsoft Windows Multiple Vulnerabilities (Highly critical)



## jgvernonco (Sep 13, 2003)

Microsoft Windows Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA12804

VERIFY ADVISORY:
http://secunia.com/advisories/12804/

CRITICAL:
Highly critical

IMPACT:
Privilege escalation, DoS, System access

WHERE:
From remote

OPERATING SYSTEM:
Microsoft Windows Server 2003 Standard Edition
http://secunia.com/product/1173/
Microsoft Windows Server 2003 Enterprise Edition
http://secunia.com/product/1174/
Microsoft Windows Server 2003 Datacenter Edition
http://secunia.com/product/1175/
Microsoft Windows NT 4.0 Server, Terminal Server Edition
http://secunia.com/product/19/
Microsoft Windows NT 4.0 Server
http://secunia.com/product/18/
Microsoft Windows Millenium
http://secunia.com/product/14/
Microsoft Windows 98 Second Edition
http://secunia.com/product/13/
Microsoft Windows 98
http://secunia.com/product/12/
Microsoft Windows 2000 Server
http://secunia.com/product/20/
Microsoft Windows 2000 Professional
http://secunia.com/product/1/
Microsoft Windows 2000 Datacenter Server
http://secunia.com/product/1177/
Microsoft Windows 2000 Advanced Server
http://secunia.com/product/21/
Microsoft Windows Server 2003 Web Edition
http://secunia.com/product/1176/
Microsoft Windows XP Home Edition
http://secunia.com/product/16/
Microsoft Windows XP Professional
http://secunia.com/product/22/

DESCRIPTION:
Multiple vulnerabilities have been reported in Microsoft Windows,
which can be exploited to cause a DoS (Denial of Service), gain
escalated privileges, or compromise a vulnerable system.

1) Missing restrictions on several Window Management API functions
can be exploited via a malicious program to change the properties of
other programs running with higher privileges.

This may allow malicious, local users to change the properties of a
privileged process in a way that allows escalation of the user's
privileges.

2) An error in the way memory is referenced in the component used for
handling the VDM (Virtual DOS Machine) subsystem can be exploited to
access protected kernel memory.

This may allow a malicious, local users to gain SYSTEM privileges via
a specially crafted program.

3) A boundary error in the Graphics Rendering Engine when handling
WMF (Windows Metafile) and EMF (Enhanced Metafile) images can be
exploited to cause a buffer overflow via a specially crafted image.

This can be exploited by malicious people to compromise a user's
system, but requires that a user is tricked into opening a malicious
image or visit a malicious web site.

This vulnerability may be related to:
SA10968

4) An error in the Windows Kernel related to the way some values in
CPU data structures are reset can be exploited by malicious, local
users to cause a DoS via a specially crafted program.

SOLUTION:
Apply patches.

Microsoft Windows NT Server 4.0 (requires SP6a):
http://www.microsoft.com/downloads/details.aspx?FamilyId=533AE5CD-74CE-470A-8916-8E358084497C

Microsoft Windows NT Server 4.0 Terminal Server Edition (requires
SP6):
http://www.microsoft.com/downloads/details.aspx?FamilyId=3B871A96-5F64-4432-920F-FA5760DF683A

Microsoft Windows 2000 (requires SP3 or SP4):
http://www.microsoft.com/downloads/details.aspx?FamilyId=4A614222-BA0B-4927-856D-D443BBBE1A42

Microsoft Windows XP (prior to SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=715E985B-7929-4BD5-9564-5CFE7D528398

Microsoft Windows XP 64-Bit Edition (requires SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=99184841-70A8-47C7-9993-44A60E999A40

Microsoft Windows XP 64-Bit Edition Version 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=B4E6BBCF-F5B9-4B2D-8BC4-30911CA4FD9C

Microsoft Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=206E9842-997D-45E4-9252-61F3CE5EA66C

Microsoft Windows Server 2003 64-Bit Edition
http://www.microsoft.com/downloads/details.aspx?FamilyId=B4E6BBCF-F5B9-4B2D-8BC4-30911CA4FD9C

PROVIDED AND/OR DISCOVERED BY:
1) Brett Moore, Security-Assessment.com.
2) eEye Digital Security
3) Patrick Porlan and Mark Russinovich
4) hlt

ORIGINAL ADVISORY:
MS04-032 (KB840987):
http://www.microsoft.com/technet/security/bulletin/ms04-032.mspx

OTHER REFERENCES:
SA10968:
http://secunia.com/advisories/10968/


----------

