A vulnerability has been discovered in theway the Windows Client/Server Runtime Server Subsystem (CSRSS)processes a type of system message referred to as the HardErrormessage, reportedly allowing a logged on user to execute arbitrary codein the CSRSS.EXE process and elevate their privileges to SYSTEM level.The vulnerable code is present in the new Vista operating system, aswell as Windows 2000, XP and 2003.

When certain events occur within the operating system, a HardErrormessage is sent to CSRSS containing the caption and text of a messagebox to be displayed in order to notify the user of a critical systemerror. The HardError message is handled by a function in WINSRV.DLLwhich returns pointers to the caption and text of the message box. Ifthe caption or text parameters are prefixed with certain characters,the function erroneously frees the buffer holding the text and returnsa pointer to freed memory. After the message box is closed by the user,the same...

I’d like to try and clarify the confusionthat has surrounded the publishing and reporting of three MicrosoftWord vulnerabilities in the last few days. The bad news is that thereare actually three different vulnerabilities in the wild. Inchronological order, this is the breakdown of these threevulnerabilities.

Vulnerability #1
BID 21451: Microsoft Word Unspecified Remote Code Execution Vulnerability (CVE-2006-5994).
This vulnerability was first reported by Microsoft on December 6 via their Security Advisory 929433. Symantec Security Response created a heuristic detection (Bloodhound.Exploit.106) for this vulnerability that yielded some interesting...

All aboard! Welcome to another ride on themonthly Microsoft patch train. We’ve got quite a few stops this monthand most are client-side vulnerabilities, meaning that an end user hasto take specific actions (typically by obtaining and then openinghostile content). Unless otherwise stated, the privilege granted to theattacker for all of the below vulnerabilities is the privilege level ofthe victim user. Most were publicly disclosed for the first time today,but the exceptions are noted. They are listed below in the order ofmost to least critical for the fabled “typical” network.

Vulnerability in SNMP Could Allow Remote Code Execution MS06-074 / KB926247

This vulnerability seems almost old-fashioned in the modern securitylandscape – a common buffer overflow in a service....

"A browser" – that’s all we were led tobelieve the next generation would need to create office applications orengineering applications. Now, the focus on security has begun todivert in that direction. Statistics from the first half of 2006 showedthat 69 percent of exploitable vulnerabilities were from Webapplications. Web application vulnerabilities usually get mixed up withserver vulnerabilities, although the two are distinctly different. Webdevelopers who design Web sites are not usually security gurus. Thedevelopers will often leave behind various security holes in the Webapplication because of bad coding practices and a lack of securityreviews.

On one hand, there are many security experts around the world whofuzz Web servers with variations in order find another zero-day. Theend result is that the gap between popular Web servers and exploitablevulnerabilities within them is increasing. It has been a long timesince we have seen a completely exploitable...