INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | A remote code execution vulnerability exists on Windows systems running IIS with the internet printing service enabled. This issue could allow a remote, authenticated attacker to execute arbitrary code on an affected system. |
| PLATFORM: | Windows 2000 (all editions) Windows XP (all editions) Windows Server 2003 (all editions) Windows Vista (all editions) Windows Server 2008 (all editions) |
| DAMAGE: | Remote code execution. |
| SOLUTION: | Upgrade to the appropriate version. |
| VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. This issue could allow a remote, authenticated attacker to execute arbitrary code on an affected system. |
| CVSS 2 BASE SCORE: TEMPORAL SCORE: VECTOR: |
6.8 5.3 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C) |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-007.shtml |
| ORIGINAL BULLETIN: | http://www.microsoft.com/technet/security/Bulletin/MS08-062.mspx |
| CVE: | CVE-2008-1446 |
REVISION HISTORY:
10/29/2008 - revised T-007 to reflect changes Microsoft has made in MS08-062 where
they revised entries inthe section, FAQ and in the Microsoft Baseline
Security Analyzer (MBSA) and Systems Management Server (SMS) detection
and deployment tables in the section, Detection and Deployment Tools
and Guidance, to notify customers that the update packages for Windows
Server 2008 for Itanium-based Sysetms and all supported editions of
Windows Vista have now been made available on Windows Update, Microsoft
Update, Windows Software Update Services (WSUS), Systems Management
Server, and System Cneter Configuration Manager.
[***** Start Microsoft Security Bulletin (MS08-062) *****]
Version: 2.1
This update resolves a privately reported vulnerability in the Windows Internet Printing Service that could allow remote code execution in the context of the current user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses this vulnerability by changing the way that memory is allocated within the Internet Printing Protocol (IPP) service. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.
Known Issues. None
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
| Operating System | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
Remote Code Execution |
Important |
None |
|
Remote Code Execution |
Important |
None |
|
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 |
Remote Code Execution |
Important |
None |
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 |
Remote Code Execution |
Important |
None |
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 |
Remote Code Execution |
Important |
None |
Remote Code Execution |
Important |
None |
|
None |
None |
None |
|
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 |
None |
None |
None |
Remote Code Execution |
Important |
None |
|
Remote Code Execution |
Important |
None |
|
None |
None |
None |
*Windows Server 2008 server core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.
 |
Severity Ratings and Vulnerability Identifiers |
|
|
Integer Overflow in IPP Service Vulnerability - CVE-2008-1446 |
* Windows 2000 (all editions)
* Windows XP (all editions)
* Windows Server 2003 (all editions)
* Windows Vista (all editions)
* Windows Server 2008 (all editions)
Microsoft thanks the following for working with us to help protect customers:
| • | CERT/CC for reporting the Integer Overflow in IPP Service Vulnerability - CVE-2008-1446 |
| • | Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. |
| • | International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. |
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
| • | V1.0 (October 14, 2008): Bulletin published. |
| • | V2.0 (October 15, 2008): Removed the severity rating for Windows Server 2008 for Itanium-based Systems. Added entries to Frequently Asked Questions (FAQ) Related to This Security Update to explain the reason for the rating change and to clarify that the update for Windows Server 2008 for Itanium-based Systems is available through the Microsoft Download Center. Also, changed the Microsoft Baseline Security Analyzer and Systems Management Server deployment summaries to "no" for Windows Server 2008 for Itanium-based Systems in the Detection and Deployment Tools and Guidance section. There were no changes to the security update binaries. |
| • | V2.1 (October 16, 2008): Added entry to the section, Frequently Asked Questions (FAQ) Related to This Security Update, to clarify that the Windows Internet Printing service runs in the context of the Spooler service, which runs under system privileges. Also, removed references to user rights in the Executive Summary and FAQ for Integer Overflow in IPP Service Vulnerability - CVE-2008-1446 sections. |
| • | V2.2 (October 29, 2008): Revised entries in the section, Frequently Asked Questions (FAQ) Related to This Security Update, and in the Microsoft Baseline Security Analyzer (MBSA) and Systems Management Server (SMS) detection and deployment tables in the section, Detection and Deployment Tools and Guidance, to notify customers that the update packages for Windows Server 2008 for Itanium-based Systems and all supported editions of Windows Vista have now been made available on Windows Update, Microsoft Update, Windows Software Update Services (WSUS), Systems Management Server, and System Center Configuration Manager. |
[***** End Microsoft Security Bulletin (MS08-062) *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/