Researchers warn of multiple unpatched Windows holes

IDG News Service - Antivirus company Symantec Corp. warned its customers about a number of critical holes in Microsoft Corp.'s Windows operating system that surfaced late yesterday and that could make Windows systems vulnerable to compromise by remote attackers.
Symantec acted after security researchers published the details of the heap overflow vulnerabilities in messages posted to online security news groups Thursday, including the Bugtraq mailing list, and on xfocus.net. The flaws affect most supported versions of Windows, but Microsoft has not yet issued a patch for the newly disclosed holes. Windows users are vulnerable to Internet based attacks until patches are issued, Symantec said.
In overflow vulnerabilities, storage areas in a computer's memory are exceeded, allowing random data or malicious code to be placed on the computer when certain types of data are used to flood the memory buffer.
In one instance, researchers at Venustech Security Lab described a vulnerability in a component of Windows, winhlp32.exe, that processes Help files. Attackers could launch attacks using a Help file created to trigger the overflow vulnerability, though victims would have to be tricked into downloading and opening the malicious file on their computers for it to be compromised, Symantec said.
Also yesterday, Symantec warned about a second vulnerability in a Windows component called "LoadImage" that is used to load desktop icons, cursors or bitmap images. A flaw in the way LoadImage processes image files could allow malicious hackers to use specially crafted images to trigger an overflow and place their own code on vulnerable machines. Images that trigger the flaw could be sent in e-mail messages or downloaded from Web pages controlled by the hackers, Symantec said.
As with the Help file vulnerability, most supported versions of Windows are affected by the LoadImage flaw, including versions of Windows NT, Windows XP, Windows 2000 and Windows Server 2003, Symantec said.
According to the xfocus.net posting, Windows XP with Service Pack 2 is not subject to the Help file attack but is still susceptible to the winhlp32.exe problem.
While no active exploits targeting the vulnerabilities have been discovered, proof of concept code showing how both vulnerabilities work have been published on the Internet.
Symantec recommended that Windows users exercise caution when receiving and opening files from unknown sources. Organizations can defend their networks from attacks by limiting user privileges and deploying intrusion detection software to spot attacks, Symantec said.