Microsoft Plug and Play contains a flaw in the handling of message buffers that may result in local or remote arbitrary code execution or denial-of-service conditions.
The following is from the Microsoft Plug and Play description:
Plug and Play (PnP) allows the operating system to detect new hardware when you install it on a system. For example, when you install a new mouse on your system, PnP allows Windows to detect it, allows Windows to load the needed drivers, and allows Windows to begin using the new mouse.
According to Microsoft Security Advisory 899588:
Windows 2000 systems are primarily at risk from this vulnerability. Windows 2000 customers who have installed the MS05-039 security update are not affected by this vulnerability. If an administrator has disabled anonymous connections by changing the default setting of the RestrictAnonymous registry key to a value of 2, Windows 2000 systems would not be vulnerable remotely from anonymous users. However, because of a large application compatibility risk, we do not recommend customers enable this setting in production environments without first extensively testing the setting in their environment. For more information, search for RestrictAnonymous at the Microsoft Help and Support Web site.
While not the current target of this exploit code, it’s important to note that on Windows XP Service Pack 2 and Windows Server 2003 an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users or by users who have standard user accounts on Windows XP Service Pack 2 or Windows Server 2003. This is because of enhanced security built directly into the affected component. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 2 and Windows Server 2003 are not vulnerable remotely by anonymous users or by users who have standard user accounts. However, the affected component is available remotely to users who have administrative permissions.
While not the current target of this exploit code, it’s important to note that on Windows XP Service Pack 1 an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts on Windows XP Service Pack 1. The existing exploit code is not designed to provide the authentication required to exploit this issue on these operating systems. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 1 systems are not vulnerable remotely by anonymous users.
This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.
Microsoft Security Advisory 906574 also notes the following limited scope of vulnerability for Windows XP SP1 in a non-default configuration:
Windows XP mitigates several security vulnerabilities by preventing users who do not have a valid logon credential from accessing the system remotely. An example of this is the vulnerability that is addressed in Microsoft Security Bulletin MS05-039. However, when you enable Simple File Sharing, the Guest account is also enabled and given permission to access the system through the network. Because the Guest account is a valid account when it is enabled, and is given permission to access the system through the network, an attacker could use the Guest account as if they had a valid user account.
There is no known attack that is seeking to exploit this scenario. The Advisory is being issued as a special precaution. There is no change to the update in Security Bulletin MS05-039. Customers who have applied this update are protected in this scenario.
A remote, unauthenticated attacker may be able to execute arbitrary code or to create a denial-of-service condition on Windows 2000.
Apply An Update
This vulnerability was reported in Microsoft Security Advisory MS05-039. Microsoft credits Neel Mehta of ISS X-Force for reporting the issue and Jean-Baptiste Marchand of Herve Schauer Consultants for additional help with related issues.
This document was written by Ken MacInnis.
|Date First Published:||2005-08-09|
|Date Last Updated:||2005-11-15 19:29 UTC|