Microsoft Windows Kernel CVE-2012-0001 SafeSEH Security Bypass Vulnerability

2012-01-1000:00:00

Symantec Security Response

www.symantec.com

0.188 Low

EPSS

Percentile

96.2%

JSON

Description

Microsoft Windows is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass the SafeSEH security mechanism. This may allow the attacker to execute arbitrary code by leveraging memory corruption vulnerabilities in Windows applications.

Technologies Affected

Avaya Aura Conferencing 6.0 Standard
Avaya CallPilot 4.0
Avaya CallPilot 5.0
Avaya Communication Server 1000 Telephony Manager 3.0
Avaya Communication Server 1000 Telephony Manager 4.0
Avaya Meeting Exchange - Client Registration Server
Avaya Meeting Exchange - Recording Server
Avaya Meeting Exchange - Streaming Server
Avaya Meeting Exchange - Web Conferencing Server
Avaya Meeting Exchange - Webportal
Avaya Meeting Exchange 5.0
Avaya Meeting Exchange 5.0 SP1
Avaya Meeting Exchange 5.0 SP2
Avaya Meeting Exchange 5.0.0.0.52
Avaya Meeting Exchange 5.1
Avaya Meeting Exchange 5.1 SP1
Avaya Meeting Exchange 5.2
Avaya Meeting Exchange 5.2 SP1
Avaya Meeting Exchange 5.2 SP2
Avaya Messaging Application Server 4
Avaya Messaging Application Server 5
Avaya Messaging Application Server 5.2
Microsoft Windows 7 for 32-bit Systems
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 7 for x64-based Systems
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows Server 2003 Datacenter x64 Edition SP2
Microsoft Windows Server 2003 Enterprise Edition Itanium SP2
Microsoft Windows Server 2003 Enterprise Edition Itanium Sp2 Itanium
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise x64 Edition SP2
Microsoft Windows Server 2003 Itanium SP2
Microsoft Windows Server 2003 R2 Datacenter Edition SP2
Microsoft Windows Server 2003 R2 Enterprise Edition SP2
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 SP2
Microsoft Windows Server 2003 Sp2 Compute Cluster
Microsoft Windows Server 2003 Sp2 Datacenter
Microsoft Windows Server 2003 Sp2 Enterprise
Microsoft Windows Server 2003 Sp2 Storage
Microsoft Windows Server 2003 Sp2 X64
Microsoft Windows Server 2003 Standard Edition SP2
Microsoft Windows Server 2003 Web Edition SP2
Microsoft Windows Server 2003 x64 SP2
Microsoft Windows Server 2008 R2 Itanium
Microsoft Windows Server 2008 R2 Itanium SP1
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 R2 x64 SP1
Microsoft Windows Server 2008 for 32-bit Systems
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems R2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for x64-based Systems R2
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Vista SP1
Microsoft Windows Vista SP2
Microsoft Windows Vista SP2 Beta
Microsoft Windows Vista x64 Edition
Microsoft Windows Vista x64 Edition SP1
Microsoft Windows Vista x64 Edition SP2

Recommendations

Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
To exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only.

Block external access at the network boundary, unless external parties require service.
If global access isn’t needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.

Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or activity that results from successful exploits.

Vendor updates are available. Please see the references for more information.

CPENameOperatorVersion
microsoft windowseq7 for x64-based Systems SP1 
avaya communication servereq1000 Telephony Manager 4.0 
microsoft windowseq7 for 32-bit Systems 
microsoft windows servereq2003 Web Edition SP2 
microsoft windows servereq2003 Sp2 Enterprise 
microsoft windows servereq2008 for x64-based Systems R2 
microsoft windows servereq2003 Datacenter x64 Edition SP2 
avaya messaging application servereq5 
microsoft windowseq7 for 32-bit Systems SP1 
microsoft windows servereq2003 Sp2 Storage 

Name	Operator	Version
microsoft windows	eq	7 for x64-based Systems SP1
avaya communication server	eq	1000 Telephony Manager 4.0
microsoft windows	eq	7 for 32-bit Systems
microsoft windows server	eq	2003 Web Edition SP2
microsoft windows server	eq	2003 Sp2 Enterprise
microsoft windows server	eq	2008 for x64-based Systems R2
microsoft windows server	eq	2003 Datacenter x64 Edition SP2
avaya messaging application server	eq	5
microsoft windows	eq	7 for 32-bit Systems SP1
microsoft windows server	eq	2003 Sp2 Storage