How Many WinXP Security Vulnerabilities Do You Know?


Author: Li; reposted from: ezIT

Editor's note: Windows XP was once regarded as comparatively secure, but more and more XP vulnerabilities are being found, and viruses that exploit them, such as the Blaster and Sasser worms, have run rampant this year. Microsoft now publishes security bulletins online every month and offers the corresponding patches free of charge; I suggest you patch the operating system promptly to close these vulnerabilities. Let's take a look at the serious security vulnerabilities in WinXP...

Contents:

1. Task Scheduler vulnerability
2. HTML Help remote code execution vulnerability
3. LSASS vulnerability
4. Metafile vulnerability
5. RPC Runtime Library vulnerability
6. ASN.1 vulnerability may allow code execution
7. Workstation service buffer overflow vulnerability
8. Help and Support Center vulnerability
9. Vulnerability in Authenticode verification
10. Buffer overflow vulnerability in the Windows Messenger service
11. Unchecked buffer vulnerability in DirectX
12. Buffer overflow vulnerability in the DCOM RPC interface
13. Unchecked buffer vulnerability in Windows Shell
14. "Compressed Folders" feature vulnerability
15. Microsoft Virtual Machine vulnerability
16. Universal Plug and Play (UPnP) service buffer overflow vulnerability
17. Hotkey feature vulnerability

1. Task Scheduler Vulnerability (Release Date: 2004-07-13)

[Vulnerability Description]: The Windows Task Scheduler fails to validate application file names properly, and an attacker can exploit this remotely to gain system privileges and execute arbitrary commands. The attacker can trigger the vulnerability in several ways, for example by building a malicious web page and inducing the user to open it; an attacker who exploits it successfully can take complete control of the affected system.

[Solution]: Microsoft has released security bulletin MS04-022 and the corresponding patch. Users of WinXP and WinXP Service Pack 1 should download the patch from http://www.microsoft.com/china/technet/security/bulletin/ms04-022.mspx and install it immediately; this security patch will also be included in Windows XP Service Pack 2.

2. HTML Help Remote Code Execution Vulnerability (Release Date: 2004-07-13)

[Vulnerability Description]: Windows lets applications display and process help files through a standard mechanism (the HTML Help API). A flaw in Windows HTML Help allows a remote attacker to execute arbitrary code on the system, including installing programs and viewing, changing or deleting data. An attacker can build a malicious web page and induce the user to open it; a specially crafted showHelp URL can also lead to arbitrary code execution on the local computer.

[Solution]: Microsoft has released security bulletin MS04-023 and the corresponding patch. Users of WinXP and WinXP Service Pack 1 should download the patch from http://www.microsoft.com/china/technet/security/bulletin/ms04-023.mspx and install it immediately; the fix for this problem will also be included in Windows XP Service Pack 2.

If you cannot install the patch or upgrade immediately, it is recommended to click Start, Run and execute "regsvr32 /u %windir%\system32\itss.dll" to unregister the HTML Help protocol handler and reduce the threat. If you use Outlook 2002 or later, or Outlook Express 6 SP1 or later, read email in plain-text format to avoid attacks from malicious code in HTML email.

3. LSASS Vulnerability (Release Date: 2004-4-13): the Sasser Worm

[Vulnerability Description]: LSASS (the Local Security Authority Subsystem Service) handles authentication for clients and servers. A buffer overflow in LSASS lets a remote attacker take complete control of the affected system, including installing programs; viewing, changing or deleting data; or creating new accounts with full privileges. On WinXP/2000, any anonymous user who can deliver a specially crafted message to the system may attempt to exploit this vulnerability. In May 2004 the Sasser worm spread across the Internet by exploiting it; if you have already closed the vulnerability, Sasser has no target to attack.

[Solution]: On April 13 this year Microsoft released the patch for this vulnerability in bulletin MS04-011; download it from http://www.microsoft.com/china/technet/security/bulletin/ms04-011.mspx. Installing this patch is recommended.

If you cannot install the patch, use a personal firewall, such as the Internet Connection Firewall in WinXP/2003, to block unsolicited inbound traffic on the following ports:

UDP ports 135, 137, 138, 445; TCP ports 135, 139, 445, 593; port numbers greater than 1024;

any other specially configured RPC port (these ports are used to establish RPC connections).

These measures help protect the systems behind the firewall from attacks that exploit this vulnerability. Microsoft recommends blocking all unsolicited inbound traffic from the Internet to help prevent attacks that might use other ports.

4. Metafile Vulnerability (Release Date: 2004-4-13)

[Vulnerability Description]: There is a buffer overflow in the handling of the Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats that lets an attacker execute code remotely on the affected system. Any software that renders WMF or EMF images can be attacked, and an attacker who exploits the vulnerability successfully can take complete control of the affected system.

An attacker might host a malicious web site that exploits the vulnerability and lure you into viewing it; create an HTML email carrying a specially crafted image and get you to view it, which triggers the vulnerability when the message is opened in Outlook 2002 or Outlook Express 6; embed the crafted image in an Office document and induce you to view it; or place the crafted image on your local file system or a network share and lure you into previewing the directory with Windows Explorer in WinXP. Each of these paths triggers the vulnerability.

[Solution]: If you use Outlook 2002 or later, or Outlook Express 6 SP1 or later, read email in plain-text format to avoid attacks from malicious code in HTML email. I also suggest you download and install the patch from http://www.microsoft.com/china/technet/security/bulletin/ms04-011.mspx.

5. RPC Runtime Library Vulnerability (Release Date: 2004-4-13)

[Vulnerability Description]: RPC provides an inter-process communication mechanism that lets a program running on system A access services on system B. The RPC runtime library has a race condition when processing a specially crafted message, and the vulnerability can be exploited remotely to execute code and take complete control of the affected system. An attacker can exploit it by creating a series of specially crafted network messages and sending them to your system, which can then execute the attacker's code; the attacker could also exploit it by logging on to the system interactively, or through another program that passes parameters to the vulnerable component.

[Solution]: I suggest you download and install the patch for this problem from http://www.microsoft.com/china/technet/security/bulletin/ms04-012.mspx.

If you cannot install the patch, use the personal firewall included with WinXP/2003, the Internet Connection Firewall, to block unsolicited inbound traffic on the following ports:

UDP ports 135, 137, 138 and 445; TCP ports 135, 139, 445 and 593; port numbers greater than 1024; any other specially configured RPC port;

ports 80 and 443, if COM Internet Services (CIS) or RPC over HTTP is installed and listening on them.
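Before blocking the ports listed in items 3 and 5 at the firewall, it helps to know which of them the machine actually exposes. The following PowerShell script is an added example, not code from the original article: it parses the output of "netstat -ano" (a real WinXP/2003 command) and reports sockets bound on a network-reachable address whose port is on the article's list or above 1024. The port lists are taken from the article; the sample netstat lines are constructed for offline testing; the function name is the author's choice.

```powershell
# Added example (not from the original article): audit a WinXP/2003 host for the
# RPC/NetBIOS/SMB ports the article says to block at the firewall. Written for
# PowerShell 2.0-era syntax so it also runs on an old XP box.

# Ports from the article's items 3 and 5 (LSASS and RPC runtime library sections).
$WatchedTcpPorts = 135, 139, 445, 593, 80, 443
$WatchedUdpPorts = 135, 137, 138, 445

function Get-ExposedRpcPorts {
    param([string[]]$NetstatLines)   # lines exactly as produced by "netstat -ano"

    foreach ($line in $NetstatLines) {
        # Example line:  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    876
        # Lines with other states (ESTABLISHED, TIME_WAIT, ...) do not match and are skipped.
        if ($line -notmatch '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(LISTENING\s+)?(\d+)\s*$') { continue }
        $proto  = $Matches[1]
        $addr   = $Matches[2]
        $port   = [int]$Matches[3]
        $procId = [int]$Matches[6]

        # A TCP socket only matters when it is listening; a bound UDP socket is always reachable.
        if ($proto -eq 'TCP' -and -not $Matches[5]) { continue }
        # Loopback-only sockets are not reachable from the network.
        if ($addr -eq '127.0.0.1') { continue }

        $watched = if ($proto -eq 'TCP') { $WatchedTcpPorts } else { $WatchedUdpPorts }
        if ($watched -contains $port) {
            $reason = 'RPC/NetBIOS/SMB port named in the article'
        } elseif ($port -gt 1024) {
            $reason = 'dynamic port above 1024 (article says block unsolicited inbound)'
        } else {
            continue
        }
        New-Object PSObject -Property @{
            Protocol = $proto; Address = $addr; Port = $port; ProcessId = $procId; Reason = $reason
        }
    }
}

# Constructed sample output (not captured from a real machine) so the parser can be tried offline.
$SampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1120
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1031      203.0.113.7:80         ESTABLISHED     1540
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.20:137       *:*                                    4
'@ -split "`r?`n"

# Expected on the sample: TCP 135, TCP 445, TCP 139, UDP 445 and UDP 137 are reported;
# the loopback listener on 1025 and the outbound ESTABLISHED connection are not.
Get-ExposedRpcPorts -NetstatLines $SampleNetstat | Format-Table Protocol, Address, Port, ProcessId, Reason -AutoSize

# On a live machine, feed it the real command output instead:
# Get-ExposedRpcPorts -NetstatLines (netstat -ano) | Format-Table -AutoSize
```

The ProcessId column lets you match each exposed port to the service behind it (for example via "tasklist /svc"), which tells you whether the article's firewall rule or its "disable the service" workaround is the better fit for that port.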

6. ASN.1 Vulnerability May Allow Code Execution (Release Date: 2004-2-10)

[Vulnerability Description]: ASN.1 (Abstract Syntax Notation One) is a data standard used by many applications and devices across the IT industry, and a security vulnerability in the Microsoft ASN.1 Library can allow code execution on an affected system. The vulnerability is caused by an unchecked buffer in the Microsoft ASN.1 Library, which may lead to a buffer overflow. An attacker who exploits this overflow successfully can execute code with system privileges on the affected system and then perform any operation on it, including installing programs; viewing, changing or deleting data; or creating new accounts with full privileges.

[Solution]: Microsoft has released a security patch for this; download it from http://www.microsoft.com/china/technet/security/bulletin/ms04-007.asp. It requires WinXP or WinXP Service Pack 1 (SP1), and the fix will also be included in Windows XP Service Pack 2.

7. Workstation Service Buffer Overflow Vulnerability (Release Date: 2003-11-12)

[Vulnerability Description]: An unchecked buffer in the Workstation service allows remote code execution on the affected system. If the vulnerability is exploited, an attacker can gain system privileges on the affected system or cause the Workstation service to fail, and can perform any operation on the system, including installing programs; viewing, changing or deleting data; or creating new accounts with full privileges.

[Solution]: Use the Internet Connection Firewall included with WinXP, or enable advanced TCP/IP filtering on WinXP/2000-based systems, to block UDP ports 138, 139, 445 and TCP ports 138, 139, 445. These ports are used to accept remote procedure call (RPC) connections from remote computers, and blocking them at the firewall helps protect the systems behind it from attack. You can also disable the Workstation service to prevent possible attacks: click Start / Settings / Control Panel, open Administrative Tools / Services, double-click "Workstation", click the Stop button on the General tab, select "Disabled" under "Startup type", and click "OK".

8. Help and Support Center Vulnerability (Release Date: 2003-10-15)

[Vulnerability Description]: The "Help and Support Center" feature included with WinXP has a security vulnerability: the file that handles the HCP protocol contains an unchecked buffer. An attacker can build a URL that, when the user clicks it, executes code chosen by the attacker in the "Local Computer" security context. Such a URL can be sent to the user by email or hosted on a web page. When you click it, the attacker can read, delete or run files on your machine.

[Solution]: Download and install the security patch for this problem from Microsoft's web site, or install the WinXP SP1 released by Microsoft, which already closes the vulnerability. Alternatively, you can delete the HKEY_CLASSES_ROOT\HCP key in the registry to unregister the HCP protocol handler. Note: back up the registry before modifying it, so that it can be restored if a problem appears. This security patch can be installed on genuine WinXP or WinXP Service Pack 1 (SP1).
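Items 2 and 8 both offer a "no patch yet" workaround that removes a URL protocol handler, and item 8 warns to back up the registry first. The PowerShell script below is an added example (not from the original article) that applies both workarounds with the backup and a way back: it exports HKEY_CLASSES_ROOT\HCP with reg.exe before deleting the key, and unregisters itss.dll with the same regsvr32 command the article gives. It assumes an administrator prompt; the backup directory and the function names are the author's choices.

```powershell
# Added example (not from the original article): the protocol-handler workarounds from
# items 2 (HTML Help, itss.dll) and 8 (HCP registry key), with a restorable backup.
# Run from an administrator PowerShell prompt on an unpatched WinXP machine.

$BackupDir = Join-Path $env:SystemDrive 'handler-backup'        # assumed location, change as needed
$HcpKey    = 'Registry::HKEY_CLASSES_ROOT\HCP'                   # key named in item 8
$ItssDll   = Join-Path $env:windir 'system32\itss.dll'           # DLL named in item 2

function Test-HcpHandlerPresent {
    # True while the HCP protocol handler is still registered; use it to verify the change.
    Test-Path $HcpKey
}

function Backup-AndRemoveHcpHandler {
    if (-not (Test-HcpHandlerPresent)) { Write-Host 'HCP protocol handler already absent'; return }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backupFile = Join-Path $BackupDir "HKCR_HCP-$stamp.reg"

    # reg.exe export writes a .reg file that "reg import" can load again later.
    # Refuse to delete anything if the export did not succeed.
    $export = Start-Process -FilePath 'reg.exe' -ArgumentList @('export', 'HKCR\HCP', "`"$backupFile`"") -Wait -PassThru -WindowStyle Hidden
    if ($export.ExitCode -ne 0 -or -not (Test-Path $backupFile)) {
        throw "Backup of HKCR\HCP failed (exit code $($export.ExitCode)); the key was NOT removed"
    }
    Remove-Item -Path $HcpKey -Recurse
    Write-Host "HCP handler removed. Restore with: reg import `"$backupFile`""
}

function Unregister-HtmlHelpProtocol {
    if (-not (Test-Path $ItssDll)) { Write-Host "itss.dll not found at $ItssDll"; return }
    # Same as the article's Start / Run command: regsvr32 /u %windir%\system32\itss.dll
    # /s suppresses the dialog box; regsvr32 is a GUI program, so wait for it explicitly.
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/s', '/u', "`"$ItssDll`"") -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "regsvr32 /u failed with exit code $($proc.ExitCode)" }
    Write-Host "HTML Help protocol handler unregistered. Re-register with: regsvr32 `"$ItssDll`""
}

# Apply both workarounds and report the HCP state afterwards.
Backup-AndRemoveHcpHandler
Unregister-HtmlHelpProtocol
Write-Host ("HCP handler still present: " + (Test-HcpHandlerPresent))
```

Both changes are reversible, which matters because the article's real fix is the patch: once it is installed, "reg import" and "regsvr32" without /u put the handlers back so Help and Support Center and HTML Help work again.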

9. Vulnerability in Authenticode Verification (Release Date: 2003-10-15)

[Vulnerability Description]: Authenticode has a flaw: under certain low-memory conditions it can allow an ActiveX control to be downloaded and installed without prompting the user for consent. To exploit it, an attacker can send a specially crafted HTML email to the user; if you view the message, an unauthorized ActiveX control may be installed and run on your system. Alternatively, the attacker can set up a malicious web site hosting a page that exploits the vulnerability; if you visit the site, the ActiveX control may be installed and run on your system.

[Solution]: Download and install the security patch for this problem from http://www.microsoft.com/china/security/bulletins/ms03-041.asp. If you cannot install the patch, change the Internet security zone settings to prohibit downloading ActiveX controls, which blocks this vulnerability. Steps: in Internet Explorer select Tools / Internet Options, click the Security tab, select the "Internet" icon, click the "Custom Level" button, set "Download signed ActiveX controls" to Disable (as shown below), and click OK. After that, you can add trusted sites to Internet Explorer's "Trusted sites" zone so that they keep working as usual while the attack is blocked on untrusted sites. Steps: in Internet Explorer open Tools / Internet Options, click "Trusted sites" on the Security tab, then click Sites. If you want to add a site that does not require an encrypted channel, clear the "Require server verification (https:) for all sites in this zone" check box. In the "Add this Web site to the zone" box, type the URL of the trusted site (for example http://windowsupdate.microsoft.com), click the "Add" button, repeat for every site, and click OK.

Note: If you use Outlook 2002 or Outlook Express 6.0 or later, you can read email in plain-text format to remove HTML email as an attack vector.
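The two Internet Options changes in item 9 can also be made and verified from the registry, which is useful when you have to apply them on several machines or check that nobody has reverted them. The PowerShell script below is an added example, not the article's own procedure. It relies on the value names Internet Explorer uses to store the dialog settings: "1001" is the "Download signed ActiveX controls" action (0 = Enable, 1 = Prompt, 3 = Disable) and zone 3 is the Internet zone, zone 2 Trusted sites. The ZoneMap\Domains layout used for adding a trusted site mirrors what the Sites dialog writes; treat that part as the author's assumption and verify it in the dialog afterwards.

```powershell
# Added example (not from the original article): item 9's Internet Explorer workaround
# through the per-user registry keys instead of the Internet Options dialog.

$ZonesKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$InternetZone = 3   # zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
$TrustedZone  = 2
$DownloadSignedActiveX = '1001'   # the "Download signed ActiveX controls" action id

function Get-SignedActiveXDownloadSetting {
    # Returns 'Enable', 'Prompt' or 'Disable' for the Internet zone so the change can be verified.
    $key   = Join-Path $ZonesKey $InternetZone
    $value = (Get-ItemProperty -Path $key -Name $DownloadSignedActiveX -ErrorAction SilentlyContinue).$DownloadSignedActiveX
    switch ($value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "unknown ($value)" }
    }
}

function Disable-SignedActiveXDownload {
    # Equivalent of Custom Level -> "Download signed ActiveX controls" -> Disable in the Internet zone.
    $key = Join-Path $ZonesKey $InternetZone
    Set-ItemProperty -Path $key -Name $DownloadSignedActiveX -Value 3 -Type DWord
}

function Add-TrustedSite {
    param(
        [string]$HostName,          # e.g. windowsupdate.microsoft.com, as in the article
        [string]$Scheme = 'http'    # 'http' matches clearing the "Require server verification" box
    )
    # Assumption: IE stores "sub.example.com" as Domains\example.com\sub with a DWORD
    # named after the scheme whose value is the zone id.
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a host name with at least two labels: $HostName" }
    $domain = ($labels[-2], $labels[-1]) -join '.'
    $key = Join-Path $ZoneMapKey $domain
    if ($labels.Count -gt 2) {
        $sub = $labels[0..($labels.Count - 3)] -join '.'
        $key = Join-Path $key $sub
    }
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name $Scheme -Value $TrustedZone -Type DWord
}

Write-Host ("Before: Download signed ActiveX controls = " + (Get-SignedActiveXDownloadSetting))
Disable-SignedActiveXDownload
Add-TrustedSite -HostName 'windowsupdate.microsoft.com'    # the example site the article names
Write-Host ("After:  Download signed ActiveX controls = " + (Get-SignedActiveXDownloadSetting))
```

These keys live under HKCU, so the setting is per user; a machine-wide policy under HKLM, if one exists, takes precedence over what this script writes, and Internet Explorer picks the change up the next time it starts.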

10. Buffer Overflow Vulnerability in the Windows Messenger Service (Release Date: 2003-10-17)

[Vulnerability Description]: The Messenger service in Microsoft Windows has a buffer overflow vulnerability: because the message length is not properly checked before message data is saved to the buffer, an attacker may exploit it to execute arbitrary code remotely. By sending a malicious message to a Windows system, the attacker can crash the Messenger service or execute arbitrary commands with local system privileges, which gives the attacker complete control of the attacked system.

[Solution]: Microsoft provides a patch that fixes this vulnerability. WinXP users can download the latest patch through the "Windows Update" feature or through Microsoft's security bulletin (http://www.microsoft.com/technet/security/bulletin/ms03-043.asp).

If you cannot install the patch, configure your personal firewall so that untrusted hosts cannot reach the NetBIOS and RPC ports 135, 137, 138, 139 (TCP/UDP), and disable the Messenger service: open Start / Settings / Control Panel, double-click Administrative Tools / Services, find and double-click "Messenger", select "Disabled" under "Startup type", click "Stop", and click "OK".

11. Unchecked Buffer Vulnerability in DirectX (Release Date: 2003-7-23)

[Vulnerability Description]: DirectX consists of a set of low-level application programming interfaces (APIs) that Windows programs use for multimedia support. Within DirectX, DirectShow handles client-side audio and video sourcing, processing and rendering. The DirectShow function that checks the parameters of MIDI (.mid) files contains two buffer overflows with the same effect, and an attacker can use these flaws to execute code in the user's security context. The attacker exploits the vulnerability as follows: create a malicious MIDI file and place it on a web site or network share, or send it in an HTML email; if the user opens the MIDI file or the HTML email, the vulnerability is triggered. A successful attack can crash DirectShow or the application using it, or run the attacker's code on the user's computer in the user's security context.

[Solution]: Download and install the security patch for this problem from http://www.microsoft.com/china/security/bulletins/ms03-030.asp. This hotfix ensures that DirectX correctly validates parameters when a MIDI file is opened, which eliminates the vulnerability.

12. Buffer Overflow Vulnerability in the DCOM RPC Interface (Release Date: 2003-7-16): the Blaster ("Shock Wave") Worm

[Vulnerability Description]: Remote Procedure Call (RPC) provides an inter-process communication mechanism through which a program on one computer can execute code on a remote system. The part of RPC that handles message exchange over TCP/IP has a vulnerability caused by incorrect handling of malformed messages. This particular vulnerability affects the interface between the Distributed Component Object Model (DCOM) and RPC, which listens on TCP/IP port 135.

Any user who can send a TCP request to port 135 can exploit this vulnerability, because RPC is enabled on Windows by default. To launch such an attack, the attacker sends a specially crafted message to the RPC service, which leaves the target computer under the attacker's control: the attacker can execute arbitrary code and perform any operation freely, including changing web pages, reformatting the hard disk, or adding new users to the local Administrators group.

Last year the Blaster worm and its variants exploited this vulnerability. The virus scans random IP address ranges on TCP port 135 looking for vulnerable systems and attempts to use the DCOM RPC vulnerability to spread through the open RPC port.

[Solution]: Microsoft has released a security patch that modifies the DCOM interface so that it validates the information passed to it, closing the vulnerability and stopping the Blaster virus. Downloading and installing this patch (http://www.microsoft.com/china/technet/security/bulletin/ms03-026.asp) is recommended. If you cannot install the patch, do the following:

1. Block port 135 at the firewall. Port 135 is used to initiate RPC connections with remote computers; blocking it at the firewall helps protect the systems behind the firewall from attacks that exploit this vulnerability.

2. Use the Internet Connection Firewall. When the Internet Connection Firewall in WinXP/2003 is enabled, inbound RPC traffic from the Internet is blocked by default.

3. Disable DCOM. If your machine is part of a network, COM objects on it can communicate with COM objects on other computers over the DCOM network protocol; disabling DCOM on your machine helps protect against this vulnerability.

13. Unchecked Buffer Vulnerability in Windows Shell (Release Date: 2003-7-16)

[Vulnerability Description]: The Windows Shell provides the basic framework of the Windows user interface (such as the Windows desktop), helps define the user's computing session (including organizing files and folders), and provides ways to launch applications. A Windows Shell function that extracts custom attribute information from certain folders contains an unchecked buffer. An attacker can use this flaw to run code on your system. An attacker who exploits the vulnerability successfully can take complete control of the affected system, including installing programs; viewing, changing or deleting data; or creating new accounts with full privileges.

The attacker exploits the vulnerability as follows: create a Desktop.ini file containing a malicious custom attribute, then place the file on a network share or send it in an HTML email. If you browse the shared folder holding the file, the vulnerability is triggered. An HTML email may also contain code that automatically navigates the user to a shared folder containing the malicious file. Once the attack succeeds, the Windows Shell fails, or the attacker's code runs in the user's security context on the machine.

[Solution]: Users of WinXP and WinXP Service Pack 1 should immediately download the patch from http://www.cert.org.cn/Articles/hole/common/2004071421822.SHTML and update; this patch will also be included in Windows XP Service Pack 2.

14. "Compressed Folders" Feature Vulnerability (Release Date: 2002-10-2)

[Vulnerability Description]: The WinXP "Compressed Folders" feature lets you treat ZIP files as ordinary folders: create ZIP files, add documents to them, or extract them. The feature has two vulnerabilities, the more serious of which can run code of the attacker's choice.

When a ZIP file is decompressed, the program stores the decompressed file in an unchecked buffer. This creates a security risk: attempting to open a file contained in a ZIP archive is most likely to crash the browser, or can cause the attacker's code to run. The second flaw lets the decompression function place a file in a directory the user did not specify, that is, in a location where it should not be, neither the user-specified directory nor one of its subdirectories. This allows an attacker to place files on the user's system, for example a program in the Startup directory.

[Solution]: An attacker would have to induce the user to receive, save and open a ZIP file that the attacker supplies. It is recommended that users do not accept email attachments from untrusted sources and do not download files from untrusted Internet sites.

15. Microsoft Virtual Machine Vulnerability (Release Date: 2002-3-18)

[Vulnerability Description]: The Microsoft VM is a virtual machine for the Win32 operating environment that runs on WinXP/95/98/ME/NT/2000. It has two vulnerabilities that can lead to information disclosure and execution of attacker code.

The first vulnerability is an HTTP proxy redirection flaw. It affects only clients that use a proxy server. Using SSL to encrypt sensitive information such as user names, passwords and credit card numbers is strongly recommended; with such encryption in place, even an attacker who uses the flaw described here to view the user's session cannot see sensitive information such as passwords and account numbers, and normal web browsing remains protected. The second vulnerability is in the virtual machine's (Microsoft Java Virtual Machine) verifier. It affects only Java applets, not Java applications; exploiting it requires special technique and skill, and the attacker must lure the user to a page under the attacker's control that contains the malicious code.

[Solution]: Microsoft has released fixes for these vulnerabilities; go to http://www.microsoft.com/technet/security/bulletin/ms02-013.asp and download Microsoft VM build 3805.

16. Universal Plug and Play (UPnP) Service Buffer Overflow (Release Date: 2001-12-20)

[Vulnerability Description]: Network devices use UPnP (Universal Plug and Play) to discover other devices connected to the same network, much as plug-and-play lets a PC find new hardware after it is installed. The UPnP service has a buffer overflow vulnerability: when it processes the Location field of a NOTIFY command, an overly long IP address, port or file name overflows the buffer and overwrites part of the server process's memory. Because the UPnP service runs in the system context, an attacker can take complete control of other PCs or launch a DoS attack. If the attacker knows a PC's IP address, it can be controlled over the Internet; within the same network, the PC can be controlled even without knowing its IP address.

[Solution]: WinXP users should install the patch immediately; it can be downloaded from Microsoft's web site. If you have not downloaded the security patch, you should turn off the UPnP service, which WinXP enables by default, to close this hole: open Control Panel / Administrative Tools / Services in XP, double-click "Universal Plug and Play Device Host", and select "Disabled" under "Startup type" to shut down the UPnP service.
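Items 7, 10 and 16 all end with the same Services snap-in procedure (set "Startup type" to Disabled, then Stop), and item 12 adds "disable DCOM". The PowerShell script below is an added example, not the article's own procedure, that does those steps in one place and reports the state before and after. The service short names (Messenger, upnphost, lanmanworkstation) are the real WinXP names for the services the article shows by display name; SSDPSRV (SSDP Discovery) is not named in the article but is UPnP's discovery companion, and the DCOM switch is the EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole. Because disabling Workstation cuts this machine off from shared folders, the script leaves it alone unless asked; that default is the author's assumption.

```powershell
# Added example (not from the original article): the "disable the service" workarounds
# from items 7, 10 and 16 plus item 12's "disable DCOM", with a before/after report.
# Run from an administrator PowerShell prompt; uses PowerShell 2.0-era cmdlets only.

$WorkaroundServices = @(
    @{ Name = 'Messenger';         Item = 10; Note = 'Messenger service (net send popups)' },
    @{ Name = 'upnphost';          Item = 16; Note = 'Universal Plug and Play Device Host' },
    @{ Name = 'SSDPSRV';           Item = 16; Note = 'SSDP Discovery (UPnP helper, not named in the article)' },
    @{ Name = 'lanmanworkstation'; Item = 7;  Note = 'Workstation; disabling it breaks access to network shares'; SkipByDefault = $true }
)
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'   # EnableDCOM = 'N' turns DCOM off (takes effect after reboot)

function Get-WorkaroundServiceState {
    # One row per service: current status and startup mode, or 'not installed'.
    foreach ($svc in $WorkaroundServices) {
        $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
        if ($s) {
            $status = $s.Status
            # Startup mode comes from WMI; Get-Service only exposes it on much newer PowerShell.
            $start = (Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'").StartMode
        } else {
            $status = 'not installed'; $start = ''
        }
        New-Object PSObject -Property @{
            Item = $svc.Item; Service = $svc.Name; Status = $status; StartMode = $start; Note = $svc.Note
        }
    }
}

function Disable-WorkaroundServices {
    param([switch]$IncludeWorkstation)   # opt in to item 7's Workstation workaround
    foreach ($svc in $WorkaroundServices) {
        if ($svc.SkipByDefault -and -not $IncludeWorkstation) { continue }
        if (-not (Get-Service -Name $svc.Name -ErrorAction SilentlyContinue)) { continue }
        # Same two steps as the article's snap-in instructions: Startup type = Disabled, then Stop.
        Set-Service -Name $svc.Name -StartupType Disabled
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    }
}

function Get-DcomEnabled {
    # True when DCOM is enabled; a missing value means the Windows default, which is enabled.
    $v = (Get-ItemProperty -Path $OleKey -Name 'EnableDCOM' -ErrorAction SilentlyContinue).EnableDCOM
    return ($v -ne 'N')
}

function Disable-Dcom {
    # Item 12, step 3. Many local components still work, but remote COM activation stops.
    Set-ItemProperty -Path $OleKey -Name 'EnableDCOM' -Value 'N' -Type String
}

Write-Host '--- before ---'
Get-WorkaroundServiceState | Format-Table Item, Service, Status, StartMode, Note -AutoSize
Write-Host ("DCOM enabled: " + (Get-DcomEnabled))

Disable-WorkaroundServices          # add -IncludeWorkstation to also apply item 7
Disable-Dcom

Write-Host '--- after ---'
Get-WorkaroundServiceState | Format-Table Item, Service, Status, StartMode, Note -AutoSize
Write-Host ("DCOM enabled: " + (Get-DcomEnabled) + " (reboot required for the change to apply)")
```

The before/after table is the point: on a patched machine you can confirm the services were never re-enabled by some later installer, and on an unpatched one it shows exactly which of the article's workarounds are in force. Re-enabling is the mirror image: Set-Service -StartupType Automatic (or Manual), Start-Service, and EnableDCOM = 'Y'.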

17. Hotkey Feature Vulnerability

[Vulnerability Description]: The hotkey feature is one of the WinXP system services. Once a user logs in to WinXP, the hotkey feature starts, so the user can use the system's default hotkeys or ones they set themselves. If your computer has no password-protected screen saver and you leave it for a while, WinXP will helpfully log you out automatically; but this "logout" is not a real logout: all background programs keep running (and the hotkey feature is of course not shut down). Although other people cannot get to your desktop or see anything on your computer, they can still use the hotkeys.

At that point, if someone at your machine uses a hotkey to start some sensitive network-related program (or service), delete important files on the machine, or do other damage, the consequences can be quite serious. That is how this vulnerability arises.

Reprints should cite the original source: https://www.9cbs.com/read-74150.html
