Date: 14 April 2004
References: ESB-2004.0278
===========================================================================
AA-2004.01 AUSCERT Advisory
Recent Important Microsoft Vulnerabilities and Patches for
Windows (LSASS) and Outlook Express
14 April 2004
Last Revised: --
---------------------------------------------------------------------------
Product:          Microsoft Windows XP
                  Microsoft Windows 2000
                  Outlook Express
Impact:           Administrator Compromise
                  Execute Arbitrary Code/Commands
Access Required:  Remote
CVE Names:        CAN-2003-0533
                  CAN-2004-0380
Ref:              ESB-2004.0261
                  AL-2004.10
                  AU-2004.007
                  ESB-2004.0266
1. Description
Microsoft has recently released security bulletins warning of several
vulnerabilities, the most notable of which affect the Local Security
Authority Subsystem Service (LSASS) in Windows 2000 and Windows XP, and
MHTML URL processing in Outlook Express.
LSASS Vulnerability - CAN-2003-0533:
A buffer overrun vulnerability exists in LSASS that could allow remote
execution of arbitrary code (with SYSTEM privileges) on default
installations of Windows 2000 and XP[1]. An attacker who successfully
exploited this vulnerability could take complete control of the
affected system[2].
MHTML URL Vulnerability in Outlook Express - CAN-2004-0380:
A remote code execution vulnerability exists in the processing of
specially crafted MHTML URLs that could allow an attacker's HTML code
to run in the Local Machine security zone in Internet Explorer. This
could allow an attacker to take complete control of an affected
system[3]. This vulnerability requires a user to be logged on and to
be reading e-mail or visiting Web sites for any malicious action to
occur[3].
Microsoft has expressly stated that even if you have removed Outlook
Express as the default e-mail reader, or do not use Outlook Express
to read e-mail or newsgroups, you are still at risk from this
vulnerability[3].
2. Platform
LSASS Vulnerability:
Windows 2000 and Windows XP are affected by this vulnerability.
Windows Server 2003 and Windows XP 64-Bit Edition Version 2003 provide
additional protection that would require an administrator to log on
locally to an affected system to exploit this vulnerability[2].
MHTML URL Vulnerability in Outlook Express:
Outlook Express on all supported Windows systems[3].
3. Impact
LSASS Vulnerability:
There is some discussion within the security community that the nature
of this vulnerability lends itself to exploitation in an automated
fashion, such as by a worm[4].
MHTML URL Vulnerability in Outlook Express:
This vulnerability has recently been widely exploited in Australia to
trick online banking customers into visiting malicious web sites[5][6].
4. Workarounds/Mitigation
For LSASS Vulnerability:
The patches to prevent exploitation of this vulnerability are available
from the Microsoft website, see [2] for information on obtaining the
appropriate patches for your system. Alternatively, administrators
may wish to enable Windows Automatic Updates in order to install these
and other security related patches.
Follow the workaround and mitigation steps given in Microsoft Security
Bulletin MS04-011[2]. Specifically, use network-based or host-based
(personal) firewalls to block:
- UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593.
- All unsolicited inbound traffic on ports greater than 1024.
- Any other specifically configured RPC port.
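A host-side check for the port-blocking advice above, added here as an example (it is not part of the AusCERT advisory or the Microsoft bulletin): it parses `netstat -an` output from a Windows host and reports listeners on the MS04-011 port list, and any other listener above 1024, that are bound to a non-loopback address and so are reachable until a firewall rule covers them. The netstat sample is constructed, not captured from a real system.

```python
import re

# Ports the advisory says to block (MS04-011 workaround list).
MS04_011_UDP_PORTS = {135, 137, 138, 445}
MS04_011_TCP_PORTS = {135, 139, 445, 593}

# Constructed sample of `netstat -an` output from a Windows 2000/XP host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:4521      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    127.0.0.1:1027         *:*
"""

# proto, local addr:port, foreign addr, optional state (UDP lines have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state) for each socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, addr, port, _foreign, state = m.groups()
        yield proto, addr, int(port), state or ""

def exposed_listeners(netstat_text):
    """Return (proto, port, reason) for every listener reachable from the
    network that the MS04-011 firewall advice says should be blocked."""
    findings = []
    for proto, addr, port, state in parse_netstat(netstat_text):
        if addr.startswith("127."):
            continue  # loopback only; not remotely reachable
        if proto == "TCP" and state != "LISTENING":
            continue  # established connections are not listeners
        blocklist = MS04_011_TCP_PORTS if proto == "TCP" else MS04_011_UDP_PORTS
        if port in blocklist:
            findings.append((proto, port, "MS04-011 port"))
        elif port > 1024:
            findings.append((proto, port, "port > 1024 (block unsolicited inbound)"))
    return findings
```

Run it against the real `netstat -an` output of a host after the firewall is configured; anything still reported is a rule that has not taken effect.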
For MHTML URL Vulnerability in Outlook Express:
The patches to prevent exploitation of this vulnerability are available
from the Microsoft website[3]. Follow the workaround and mitigation
steps given in Microsoft Security Bulletin MS04-013. In summary,
these steps include[3]:
- Use the Microsoft Outlook E-mail Security Update, use Microsoft
Outlook Express 6 or later, or use Microsoft Outlook 2000 Service
Pack 2 or later[7].
- Configure user accounts to NOT have administrative privileges.
- Strengthen the security settings for the Local Machine zone in
Internet Explorer[8].
- Send and view e-mail in plain text.
Further information can be found in the AusCERT publication "Protecting
Against Harmful Malicious Code"[9].
REFERENCES:
[1] Windows Local Security Authority Service Remote Buffer Overflow
AD20040413C
http://www.eeye.com/html/Research/Advisories/AD20040413C.html
[2] Microsoft Security Bulletin MS04-011 - Security Update for Microsoft
Windows (835732)
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
[3] Microsoft Security Bulletin MS04-013 - Cumulative Security Update for
Outlook Express (837009)
http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx
[4] Internet Security Systems Security Alert - Multiple Vulnerabilities
in Microsoft Products
http://xforce.iss.net/xforce/alerts/id/169
[5] AL-2004.10 -- AusCERT ALERT -- Bogus Banking Email Allows Trojan
Infection for Outlook Users
http://www.auscert.org.au/3981
[6] AU-2004.007 -- AusCERT Update - Vulnerability in Internet Explorer
Allows Program Execution
http://www.auscert.org.au/3990
[7] Security Features for Outlook 2002 and Previous Versions
http://www.microsoft.com/office/previous/outlook/2002security.asp
[8] How to strengthen the security settings for the Local Machine zone in
Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;EN-US;833633
[9] Protecting your computer from malicious code
http://www.auscert.org.au/3352
---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/3192
AusCERT also maintains a World Wide Web service at:
http://www.auscert.org.au.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~