A critical vulnerability affecting Windows XP SP2, 2000 SP4, Server 2003 and Vista was patched this Tuesday. From the bulletin:
This critical security update resolves two privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS08-001 breaks down into CVE-2007-0066 and CVE-2007-0069; the former does not affect Windows Vista and the latter does not affect Windows 2000 SP4. The vulnerabilities were found by IBM X-Force, and the Frequency X blog has additional information, but the recently started Microsoft Security Vulnerability Research & Defense blog does a better job disseminating the details. Quoting:
At the end, we probably should note that you might be wondering if we are releasing too much technical detail about this vulnerability, which somehow could help miscreants develop an attack. Please be assured that these details cannot be used to create an attack and that the security of customers is our primary concern.
Microsoft has gotten better with advisories and the MSVRD blog is a great initiative. Sharing in-depth technical information about vulnerabilities in your products is commendable.