Microsoft Windows OS Bug in Processing WM_TIMER Messages May Let Local Users Gain Elevated Privileges

SecurityTracker Alert ID: 1005799
CVE Reference: CAN-2002-1230
Date: Dec 12 2002
Impact: Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): NT 4.0, 2000, and XP

Description: A vulnerability was reported in the Microsoft Windows operating system in the processing of WM_TIMER messages. In certain cases, a local user can execute code with elevated privileges (e.g., Local System).

Microsoft changed their analysis of a previously reported security issue and concurred that there is indeed a flaw in the handling of WM_TIMER Windows messages. A local user's process on the interactive desktop can reportedly use a WM_TIMER message to cause another process to (improperly) execute a callback function at an arbitrary address specified by the sender of the message. If a higher privilege process is running in the interactive desktop, a local user could gain elevated privileges on the system.

Microsoft reports that, by default, several processes running in the interactive desktop have LocalSystem privileges. A local user could exploit this to gain full control over the system.

[Editor's note: This issue was reported several months ago. However, there was debate in the security community as to whether this was a flaw or not. Also, Microsoft reported that there was no vulnerability in the system.]
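As an added illustration of the kind of request vetting the description refers to (example code written for this page, not code from the advisory or from Microsoft): a message-loop filter that lets a WM_TIMER message carry a callback pointer into DispatchMessage only when this process itself registered that (timer id, callback) pair. The function names and the fixed-size table are assumptions; on Windows the real MSG and WM_TIMER from windows.h are used, and elsewhere minimal stand-in definitions let the same logic compile.

```c
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>              /* real MSG, WM_TIMER, UINT_PTR, LPARAM */
#else
/* Stand-in definitions (assumed shapes) so the filter logic compiles off Windows. */
typedef unsigned int UINT;
typedef uintptr_t UINT_PTR;
typedef intptr_t LPARAM;
typedef struct { void *hwnd; UINT message; UINT_PTR wParam; LPARAM lParam; } MSG;
#define WM_TIMER 0x0113
#endif

/* Allowlist of (timer id, TIMERPROC) pairs this process created via SetTimer.
 * Hypothetical table size; grow it or use a dynamic structure as needed. */
#define MAX_TIMERS 16
static struct { UINT_PTR id; LPARAM proc; } g_timers[MAX_TIMERS];
static size_t g_timer_count;

/* Call this right after a successful SetTimer(hwnd, id, ms, proc) in your own code. */
int register_timer(UINT_PTR id, LPARAM proc) {
    if (g_timer_count >= MAX_TIMERS) return 0;
    g_timers[g_timer_count].id = id;
    g_timers[g_timer_count].proc = proc;
    g_timer_count++;
    return 1;
}

/* 1 = safe to hand to DispatchMessage, 0 = drop. DispatchMessage calls lParam as a
 * TIMERPROC whenever a WM_TIMER carries a non-NULL lParam, so only a pointer that
 * this process registered for that timer id is allowed through; WM_TIMER with a
 * NULL lParam (plain window-procedure timers) and all other messages pass. */
int timer_message_allowed(const MSG *msg) {
    if (msg->message != WM_TIMER || msg->lParam == 0) return 1;
    for (size_t i = 0; i < g_timer_count; i++)
        if (g_timers[i].id == msg->wParam && g_timers[i].proc == msg->lParam) return 1;
    return 0;
}

/* Convenience for exercising the filter with a constructed message. */
int check_message(UINT message, UINT_PTR id, LPARAM proc) {
    MSG m = {0};
    m.message = message; m.wParam = id; m.lParam = proc;
    return timer_message_allowed(&m);
}
/* Message loop usage: if (timer_message_allowed(&msg)) DispatchMessage(&msg); */
```

This only keeps a process from running a callback address it never registered; it is a hardening measure for code that must share the interactive desktop, not a substitute for the vendor patch below.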

Impact: A local user could execute arbitrary code with elevated privileges on the system.

Solution: Microsoft has released the following patches:

For Windows NT 4.0:
- All except Japanese NEC and Chinese - Hong Kong:
http://microsoft.com/downloads/details.aspx?FamilyId=E5606A46-364E-4585-9EDB-63654007E685&displaylang=en
- Japanese NEC
http://microsoft.com/downloads/details.aspx?FamilyId=C8D3E4F6-DD37-4AB5-8CAF-316F69D01C4C&displaylang=ja
- Chinese - Hong Kong
http://microsoft.com/downloads/details.aspx?FamilyId=3D6451E5-96C8-45D5-965A-8617B39A89CD&displaylang=zh-tw

For Windows NT 4.0, Terminal Server Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=5A203864-F6DF-41EB-A8DB-13EFFCD84081&displaylang=en

For Windows 2000:
- All except Japanese NEC
http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
- Japanese NEC
http://microsoft.com/downloads/details.aspx?FamilyId=68601571-CF9C-4BD0-B285-26C0A3DF6FCA&displaylang=ja

For Windows XP:
- 32-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=4D97D23B-6773-4EA4-AF2E-C97FA52E04BE&displaylang=en
- 64-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=4D97D23B-6773-4EA4-AF2E-C97FA52E04BE&displaylang=en

The Windows NT 4.0 patch can be installed on SP6a and the Terminal Server Edition patch can be installed on systems running Windows NT 4.0, Terminal Server Edition SP6. The Windows 2000 patch can be installed on Windows 2000 SP1, SP2, or SP. The patch for Windows XP can be installed on Windows XP Gold or SP1.

Microsoft plans to include this fix in Windows 2000 SP4 and Windows XP SP2.

Microsoft plans to issue Knowledge Base article 328310 regarding this issue, to be available shortly on the Microsoft Online Support web site at:
http://support.microsoft.com/?scid=fh;en-us;kbhowto

Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-071.asp
Cause: Access control error
Underlying OS: Windows (NT), Windows (2000), Windows (XP)

Message History:
None.

Source Message Contents

Date: Thu, 12 Dec 2002 03:39:01 -0500
Subject: MS02-071 WM_TIMER Bug

"Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)"
Microsoft released Security Bulletin MS02-071 warning that a flaw in the processing of
Windows WM_TIMER messages could, in certain situations, allow a local user to gain
elevated privileges on the system.
The following versions are affected:
* Windows NT 4.0
* Windows NT 4.0, Terminal Server Edition
* Windows 2000
* Windows XP
Microsoft changed their analysis of a previously reported security issue and concurred
that there was indeed a flaw. One process on the interactive desktop can reportedly use a
WM_TIMER message to cause another process to (improperly) execute a callback function at
an arbitrary address specified by the sender of the message. If a higher privilege
process is running in the interactive desktop, a local user could gain elevated privileges
on the system.
Microsoft reports that, by default, several processes running in the interactive desktop
have LocalSystem privileges. A local user could exploit this to gain full control over
the system.
Microsoft issued the following statement regarding their change of position:
"When we initially examined the situation, we concluded that the problem here lay solely
in the fact that highly-privileged and lower-privileged processes were both present in the
interactive desktop. We pointed out that, by design, all processes on the interactive
desktop are peers, and stated that we believed the real solution was to not mix processes
of varying privileges.
However, upon deeper investigation, we determined that the real answer is somewhat more
complicated. It's possible for a highly privileged process to coexist safely with less
privileged processes on the interactive desktop, provided that it's been properly designed
to vet all requests before acting on them. However, the flaw in WM_TIMER would undermine
these safeguards even if they were present. As a result, although we still recommend that
developers use extreme care before writing a process that has high privileges and runs in
the interactive desktop, we believe that in this case the real culprit is the flaw in
WM_TIMER."
Maximum Severity Rating: Important
CVE Number: CAN-2002-1230
Microsoft has released the following patches:
For Windows NT 4.0:
- All except Japanese NEC and Chinese - Hong Kong:
http://microsoft.com/downloads/details.aspx?FamilyId=E5606A46-364E-4585-9EDB-63654007E685&displaylang=en
- Japanese NEC
http://microsoft.com/downloads/details.aspx?FamilyId=C8D3E4F6-DD37-4AB5-8CAF-316F69D01C4C&displaylang=ja
- Chinese - Hong Kong
http://microsoft.com/downloads/details.aspx?FamilyId=3D6451E5-96C8-45D5-965A-8617B39A89CD&displaylang=zh-tw
For Windows NT 4.0, Terminal Server Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=5A203864-F6DF-41EB-A8DB-13EFFCD84081&displaylang=en
For Windows 2000:
- All except Japanese NEC
http://microsoft.com/downloads/details.aspx?FamilyId=C663A0EA-F6CB-4EE1-8AFA-0C068F84A1D5&displaylang=en
- Japanese NEC
http://microsoft.com/downloads/details.aspx?FamilyId=68601571-CF9C-4BD0-B285-26C0A3DF6FCA&displaylang=ja
For Windows XP:
- 32-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=4D97D23B-6773-4EA4-AF2E-C97FA52E04BE&displaylang=en
- 64-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=4D97D23B-6773-4EA4-AF2E-C97FA52E04BE&displaylang=en
The Windows NT 4.0 patch can be installed on SP6a and the Terminal Server Edition patch
can be installed on systems running Windows NT 4.0, Terminal Server Edition SP6. The
Windows 2000 patch can be installed on Windows 2000 SP1, SP2, or SP. The patch for
Windows XP can be installed on Windows XP Gold or SP1.
Microsoft plans to include this fix in Windows 2000 SP4 and Windows XP SP2.
Microsoft plans to issue Knowledge Base article 328310 regarding this issue to be
available shortly on the Microsoft Online Support web site at:
http://support.microsoft.com/?scid=fh;en-us;kbhowto