Technical Description

A vulnerability has been identified in Microsoft Windows, which could be exploited by attackers to cause a denial of service or take complete control of an affected system. This issue is caused by a buiffer overflow error in the Message Queuing Service when processing user-supplied strings, which could be exploited by remote unauthenticated attackers to crash or compromise a vulnerable Windows 2000 system, or by authenticated attackers to execute arbitrary code with SYSTEM privileges on an affected Windows XP system.

Note : The Message Queuing component is not installed by default.

Affected Products

Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows 2000 Professional Service Pack 4
Microsoft Windows XP Service Pack 2

Solution

Apply patch for Microsoft Windows 2000 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=bda9d0b4-f7cb-4d9d-b030-043d7437734b

Apply patch for Microsoft Windows XP :
http://www.microsoft.com/downloads/details.aspx?FamilyId=09d4e6ae-5d19-4f11-bb7e-60cee8263bc8

References

http://www.vupen.com/english/advisories/2007/4181
http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx

Credits

Vulnerability reported by Zero Day Initiative and Venustech (ADLABS).

ChangeLog

2007-12-11 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.