06 Nov 2000
Microsoft has issued a patch to prevent a potentially devastating vulnerability in its network management software that could allow an attacker to gain control of a victim's host system.
The buffer overflow vulnerability in Microsoft's Network Monitor (Netmon) utility could allow arbitrary hostile code to be executed on a remote computer with privileged levels of access.
Netmon, which ships with Windows NT/2000, is designed to capture traffic on a local network or destined for a host, and then parse the information to translate it into a readable format in the user interface.
Separate DLL libraries within Netmon parse individual application protocols. One of these libraries, 'browser.dll', which parses HTTP traffic, is vulnerable.
According to an advisory issued by security firm ISS, Netmon will crash or exit when malformed data is captured and parsed due to buffer overflow problems with its HTTP parser. This buffer overflow allows a remote attacker to gain privileged access and execute arbitrary code on any computer running Netmon that displays this captured data.
Paul Rogers, network security analyst at MIS Corporate Defence Solutions, said exploits of the problem are not readily available, but that they could well be developed.
"Network Monitor is quite a useful tool for looking at internal networks. If web servers are not properly firewalled they might be affected by this problem, but the largest percentage of systems affected by this problem will be on the LAN," said Rogers.
The vulnerability affects all versions of Windows NT 4.0 Server and Windows 2000 Server, which include a basic version of Netmon that allows an administrator to analyse data sent to or from their computer.
It also affects Microsoft Systems Management Server versions 1.2 and 2.0, which include the full version of Netmon, which can gather data over a full network segment.
Microsoft has issued a series of patches for these products aimed at correcting the problem.
Separately, the software giant has released a patch to fix a buffer overflow problem involving the ActiveX Control included with Windows 2000. Depending on the data entered when invoking the ActiveX control, a malicious user could either launch a denial of service attack or execute arbitrary code on a remote system.
Links to Microsoft's patches for this problem are available here