MS08-001 – The case of the Moderate, Important, and Critical network vulnerabilities

Security bulletin MS08-001 addresses vulnerabilities described by two separate CVE numbers, as you can see in the bulletin. This post provides an overview of the two issues, the affected platforms and notes on the severity. We’ll be following this post up with two further entries that look at each issue in more detail.

CVE-2007-0066 describes a vulnerability in parsing ICMP router advertisement packets. These packets are not processed by default on any supported version of Windows. If a computer is configured to process router discovery protocol packets and encounters this type of malformed packet, the Windows kernel will bugcheck (blue screen of death) and reboot. A separate blog post goes into more detail about the registry keys governing this behavior on each supported platform.

CVE-2007-0069, the more serious of the two vulnerabilities, involves the way the TCP/IP stack handles IGMP protocol packets. Mark researched the exploitability of this issue and you’ll find his research and more detail about the vulnerability in the next blog post.

For those of you readers who are more visual, here’s a picture describing the exposure of the vulnerabilities addressed in the security bulletin, by CVE:


Severity rating in detail

Looking at the severity ratings for the various versions of Windows, you’ll notice they range from Moderate (Windows 2000) up to Critical (Windows XP and Vista). While the bulletin covers the reasons for the severities well, I’m sure some confusion will still arise.

I’ll try to anticipate your questions and answer them here:

  • Why is Windows 2000 rated as Moderate while other platforms are Critical or Important?
    Windows 2000 is not vulnerable to the IGMP attack, so the code execution risk from this attack does not apply. Windows 2000 is only vulnerable to the denial-of-service attack involving ICMP messages.
  • Why is Server 2003 rated as Important?
    Server versions of Windows such as Windows Server 2003 are not vulnerable to the IGMP code execution vulnerability. WS03 does not enable UPnP (Universal Plug and Play) by default, and no other services use multicast. As a result, the WS03 machine will ignore IGMP messages received from the network. UPnP is a network service that relies on IP multicast, and is only enabled by default on Windows XP and Windows Vista.
  • When might Server 2003 be vulnerable?
    Windows Server 2003 would only be vulnerable if an application or service on the machine is using IP multicast, for example if UPnP is manually enabled or a 3rd-party multicast application/service is being used.
  • Why does Vista have more affected protocols than XP/Server 2003?
    Vista, being the most recent version of Windows, has the most current protocol support. It includes support for IPv6 by default, including the MLDv2 protocol (Multicast Listener Discovery v 2). This protocol is the IPv6 equivalent of IGMPv3 for IPv4. MLDv2 is not supported prior to Vista, so earlier operating systems are not vulnerable to the MLDv2-specific attack.

The next post looks at the ICMP vulnerability in some more details and covers important mitigations.

Update: The graphic and text were updated to reflect accurate CVE ID numbers.

 – Security Vulnerability Research & Defense bloggers

*This posting is provided “AS IS” with no warranties, and confers no rights.*