An attacker could exploit this vulnerability without user interaction by using the UPnP features in Microsoft Windows. UPnP uses Simple Service Discovery Protocol (SSDP) queries to discover UPnP devices on the local network. A malicious server could respond to SSDP queries and direct a host to connect using UPnP, which relies on WinHTTP. Exploiting this method would require the attacker to have access to a network adjacent to the vulnerable host. Because the UPnP service runs with the limited privileges of the LocalService account, an exploit in this case would allow the attacker to gain only limited privileges.
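The SSDP vector above works because the LOCATION header in an SSDP reply decides where the host's WinHTTP client connects next. As an added example (not part of the original alert), the following Python check parses SSDP replies and flags a LOCATION that points outside the expected local subnet or to a host other than the replying device; the subnet and the sample replies are constructed assumptions, and the thresholds are a heuristic rather than a signature.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed local subnet for this illustration (not from the alert).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed SSDP replies for illustration, not captured from a real device.
BENIGN_REPLY = (
    "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
    "LOCATION: http://192.168.1.20:49152/desc.xml\r\n"
    "USN: uuid:constructed-example::upnp:rootdevice\r\n\r\n"
)
SUSPICIOUS_REPLY = (
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    "LOCATION: http://203.0.113.7:8080/desc.xml\r\n"
    "USN: uuid:constructed-example-2::upnp:rootdevice\r\n\r\n"
)


def parse_ssdp_response(raw: str) -> dict:
    """Parse an SSDP 200 OK reply into a dict of lowercase header names."""
    lines = raw.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK response")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def ssdp_location_findings(raw: str, sender_ip: str, local_net=LOCAL_NET) -> list:
    """Return reasons why this reply's LOCATION deserves a closer look."""
    findings = []
    location = parse_ssdp_response(raw).get("location")
    if location is None:
        return ["missing LOCATION header"]
    url = urlsplit(location)
    if url.scheme not in ("http", "https"):
        findings.append(f"non-HTTP scheme {url.scheme!r}")
    try:
        addr = ipaddress.ip_address(url.hostname)
    except ValueError:
        return findings + [f"LOCATION host {url.hostname!r} is not an IP address"]
    if addr not in local_net:
        findings.append(f"LOCATION host {addr} is outside the local subnet {local_net}")
    if str(addr) != sender_ip:
        findings.append(f"LOCATION host {addr} differs from SSDP sender {sender_ip}")
    return findings
```

A reply whose LOCATION matches the sender and sits inside the local subnet produces no findings; the constructed suspicious reply produces two.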
WinHTTP is an API for servers and services on Windows systems and is used to make HTTP requests in scenarios that do not require user interaction. It is used by some Windows features, such as UPnP. Interactive client applications typically use the WinINet API, and Microsoft recommends that .NET programs use the System.Net classes.
Third-party applications that depend on WinHTTP may also be vectors for attack. An attacker may be able to convince a user to use a third-party application to connect to a malicious HTTP server, triggering an exploit. The most severe impact results from an exploit of this type: if a user executes an application with elevated privileges, the attacker could execute code that could result in a complete system compromise.
Exploitation is possible only from the Intranet zone, not the Internet zone, and only against systems that accept inbound SMB traffic. To exploit this vulnerability, therefore, an attacker must have access to a system on the same internal network as a targeted system that accepts such traffic. If the attacker is on an internal system, incoming SMB traffic may be permitted; however, most corporate firewalls are configured to block incoming SMB traffic.
Systems joined to a Windows Active Directory domain may be at greater risk of exploitation. Windows XP client systems not joined to a domain use the Guest account to process network logons, preventing user credentials from passing over the network. However, client systems joined to a domain will use user credentials as part of network logons, exposing them to a reflection attack.
Event data from Cisco Remote Management Services has detected intrusion prevention system signature activity related to this vulnerability. The data, which was captured on May 13, 2009, could indicate that exploitation is occurring in the wild.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the April 2009 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin Release for April 2009