Date: 15 April 2004
References: AU-2004.007 ESB-2004.0261 ESB-2004.0270
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2004.0278 -- US-CERT Technical Cyber Security Alert TA04-104A
Multiple Vulnerabilities in Microsoft Products
15 April 2004
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Microsoft Windows Operating Systems
                   Microsoft Windows MHTML Protocol Handler
                   Microsoft Jet Database Engine
Publisher:         US-CERT
Operating System:  Windows Server 2003
                   Windows XP
                   Windows 2000
                   Windows NT
                   Windows 98/98SE
                   Windows ME
Impact:            Execute Arbitrary Code/Commands
                   Denial of Service
Access Required:   Remote
CVE Names:         CAN-2003-0533 CAN-2003-0663 CAN-2003-0719
                   CAN-2003-0806 CAN-2003-0906 CAN-2003-0907
                   CAN-2003-0908 CAN-2003-0909 CAN-2003-0910
                   CAN-2004-0117 CAN-2004-0118 CAN-2004-0119
                   CAN-2004-0120 CAN-2004-0123 CAN-2003-0813
                   CAN-2004-0116 CAN-2003-0807 CAN-2004-0124
                   CAN-2004-0380 CAN-2004-0197
Ref:               AA-2004.01
                   ESB-2004.0270
                   ESB-2004.0261
                   AL-2004.10
                   AU-2004.007
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Multiple Vulnerabilities in Microsoft Products
Original release date: April 13, 2004
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows Operating Systems
* Microsoft Windows Remote Procedure Call (RPC) and Distributed
Component Object Model (DCOM) subsystems
* Microsoft Windows MHTML Protocol Handler
* Microsoft Jet Database Engine
Overview
Microsoft Corporation has released a series of security bulletins
affecting most users of the Microsoft Windows operating system. Users
of systems running Microsoft Windows are strongly encouraged to visit
the "Windows Security Updates for April 2004" site at
<https://www.microsoft.com/security/security_bulletins/200404_windows.asp>
and take actions appropriate to their system configurations.
I. Description
Microsoft has released four security bulletins listing a number of
vulnerabilities which affect a variety of Microsoft Windows software
packages. The following section summarizes the issues identified in
their bulletins.
Summary of Microsoft Bulletins for April 2004
Security Bulletin MS04-011: Security Update for Microsoft Windows (835732)
This bulletin addresses 14 vulnerabilities affecting the systems
listed below. There are several new vulnerabilities addressed by this
bulletin, and several updates to previously reported vulnerabilities.
Impact
Remote attackers could execute arbitrary code on vulnerable systems.
Systems affected
* Windows NT Workstation 4.0
* Windows NT Server 4.0
* Windows NT Server 4.0, Terminal Server Edition
* Windows 2000
* Windows XP
* Windows Server 2003
Vulnerability identifiers
The following table outlines these issues and is based on Microsoft's
Security Bulletin:
Vulnerability Title |US-CERT ID |CVE ID       | Impact of Vulnerability
--------------------+-----------+-------------+------------------------
LSASS Vulnerability |VU#753212  |CAN-2003-0533| Remote Code Execution
LDAP Vulnerability  |VU#639428  |CAN-2003-0663| Denial of Service
PCT Vulnerability   |VU#586540  |CAN-2003-0719| Remote Code Execution
Winlogon Vulnerabili|VU#471260  |CAN-2003-0806| Remote Code Execution
Metafile Vulnerabili|VU#547028  |CAN-2003-0906| Remote Code Execution
Help and Support Cen|VU#260588  |CAN-2003-0907| Remote Code Execution
Utility Manager Vuln|VU#526084  |CAN-2003-0908| Privilege Elevation
Windows Management V|VU#206468  |CAN-2003-0909| Privilege Elevation
Local Descriptor Tab|VU#122076  |CAN-2003-0910| Privilege Elevation
H.323 Vulnerability |VU#353956  |CAN-2004-0117| Remote Code Execution
Virtual DOS Machine |VU#783748  |CAN-2004-0118| Privilege Elevation
Negotiate SSP Vulner|VU#638548  |CAN-2004-0119| Remote Code Execution
SSL Vulnerability   |VU#150236  |CAN-2004-0120| Denial of Service
ASN.1 "Double Free" |VU#255924  |CAN-2004-0123| Remote Code Execution
Security Bulletin MS04-012: Cumulative Update for Microsoft RPC/DCOM
(828741)
This bulletin addresses several new vulnerabilities affecting the
systems listed below. These vulnerabilities are in Microsoft Windows
Remote Procedure Call (RPC) and Distributed Component Object Model
(DCOM).
Impact
Remote attackers could execute arbitrary code on vulnerable systems.
Systems affected
* Windows NT Workstation 4.0
* Windows NT Server 4.0
* Windows NT Server 4.0, Terminal Server Edition
* Windows 2000
* Windows XP
* Windows Server 2003
Vulnerability identifiers
The following table outlines these issues and is based on Microsoft's
Security Bulletin:
Vulnerability Title |US-CERT ID |CVE ID       | Impact of Vulnerability
--------------------+-----------+-------------+------------------------
RPC Runtime Library |VU#547820  |CAN-2003-0813| Remote Code Execution
RPCSS Service Vulner|VU#417052  |CAN-2004-0116| Denial of Service
RPC over HTTP Vulner|VU#698564  |CAN-2003-0807| Denial of Service
Object Identity Vuln|VU#212892  |CAN-2004-0124| Information Disclosure
Security Bulletin MS04-013: Cumulative Security Update for Outlook Express
(837009)
This bulletin addresses a vulnerability affecting the systems listed
below. The vulnerability affects the Microsoft Windows MHTML Protocol
handler and any applications that use it, including Microsoft Outlook
and Internet Explorer. This vulnerability has been assigned VU#323070
and CAN-2004-0380.
Note: MS04-013 includes patches remediating the vulnerability
described in TA04-099A.
Impact
Remote attackers could execute arbitrary code on vulnerable systems.
Systems affected
* Windows NT Workstation 4.0
* Windows NT Server 4.0
* Windows NT Server 4.0, Terminal Server Edition
* Windows 2000
* Windows XP
* Windows Server 2003
* Windows 98
* Windows 98 Second Edition (SE)
* Windows Millennium Edition (Windows Me)
Note: This issue affects systems with Outlook Express installed.
Outlook Express is installed by default on most (if not all) current
versions of Microsoft Windows.
Security Bulletin MS04-014: Vulnerability in the Microsoft Jet Database
Engine Could Allow Code Execution (837001)
This bulletin addresses a vulnerability affecting the systems listed
below. There is a buffer overflow vulnerability in Microsoft's Jet
Database Engine (Jet). An attacker could take control of a vulnerable
system, including installing programs; viewing, changing, or deleting
data; or creating new accounts that have full privileges. This
vulnerability has been assigned VU#740716 and CAN-2004-0197.
Impact
Remote attackers could execute arbitrary code on vulnerable systems.
Systems affected
* Windows NT Workstation 4.0
* Windows NT Server 4.0
* Windows NT Server 4.0, Terminal Server Edition
* Windows 2000
* Windows XP
* Windows Server 2003
Update to TA04-099A
Microsoft has released a patch that addresses the cross-domain
vulnerability discussed in TA04-099A: "Vulnerability in Internet
Explorer ITS Protocol Handler". US-CERT is tracking this issue as
VU#323070. This reference number corresponds to CVE candidate
CAN-2004-0380.
The patches and further information about the vulnerability are
available in Microsoft Security Bulletin MS04-013. MS04-013 is titled
"Cumulative Security Update for Outlook Express". Since most (if not
all) current Windows systems have Outlook Express installed by
default, and the MHTML protocol handler is part of the Outlook Express
software package, most (if not all) Windows systems should be
considered vulnerable.
TA04-099A and VU#323070 focused on the ITS protocol handlers; however,
the latent vulnerability appears to be in the MHTML handler shipped as
part of Outlook Express. These documents have been updated.
II. Impact
Several of the issues identified by Microsoft have been described as
"Critical" in nature. Each bulletin contains at least one vulnerability
which may allow remote attackers to execute arbitrary code on affected
systems. The privileges gained would depend on the security context of
the software and vulnerability exploited.
III. Solution
Apply an appropriate set of updates from Microsoft
Please see the following site for more information about appropriate
remediation.
Windows Security Updates for April 2004 -
<http://www.microsoft.com/security/security_bulletins/200404_windows.asp>
Appendix A. Vendor Information
This appendix contains information provided by vendors for this
technical alert. As vendors report new information to US-CERT, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
Microsoft Corporation
Windows Security Updates for April 2004
+ Microsoft Security Bulletin MS04-011 -
Security Update for Microsoft Windows (835732)
+ Microsoft Security Bulletin MS04-012 -
Cumulative Update for Microsoft RPC/DCOM (828741)
+ Microsoft Security Bulletin MS04-013 -
Cumulative Security Update for Outlook Express (837009)
+ Microsoft Security Bulletin MS04-014 -
Vulnerability in the Microsoft Jet Database Engine Could
Allow Code Execution (837001)
Appendix B. References
* Technical Cyber Security Alert TA04-099A: Cross-Domain
Vulnerability in Outlook Express MHTML Protocol Handler -
<http://www.us-cert.gov/cas/techalerts/TA04-099A.html>
* US-CERT Cyber Security Alert SA04-104A: Summary of Windows
Security Updates for April 2004 -
<http://www.us-cert.gov/cas/alerts/SA04-104A.html>
* Windows Security Updates for April 2004 -
<http://www.microsoft.com/security/security_bulletins/200404_windows.asp>
* Microsoft Security Bulletin MS04-011 - Security Update for
Microsoft Windows (835732) -
<http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx>
* Microsoft Security Bulletin MS04-012 - Cumulative Update for
Microsoft RPC/DCOM (828741) -
<http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx>
* Microsoft Security Bulletin MS04-013 - Cumulative Security Update
for Outlook Express (837009) -
<http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx>
* Microsoft Security Bulletin MS04-014 - Vulnerability in the
Microsoft Jet Database Engine Could Allow Code Execution (837001) -
<http://www.microsoft.com/technet/security/bulletin/MS04-014.mspx>
* Microsoft Security Response Center Security Bulletin Severity
Rating System (Revised, November 2002) -
<http://www.microsoft.com/technet/security/bulletin/rating.mspx>
* Vulnerability Note VU#323070: Outlook Express MHTML protocol
handler does not properly validate location of alternate data -
<http://www.kb.cert.org/vuls/id/323070>
* Vulnerability Note VU#547820: Microsoft Windows DCOM/RPC
vulnerability - <http://www.kb.cert.org/vuls/id/547820>
* Vulnerability Note VU#740716: Microsoft Jet Database Engine
database request handling buffer overflow -
<http://www.kb.cert.org/vuls/id/740716>
_________________________________________________________________
Feedback about this technical alert should be sent to "US-CERT
Technical Alert" at <mailto:cert@cert.org>. Please include the Subject
line "TA04-104A Feedback VU#667571".
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
Revision History
April 13, 2004: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFAfJtjXlvNRxAkFWARAmmUAJ4jbj7Mm8I5NdasPeDIliOCUTJutQCfaeoC
uIhq7G9V+u7Cg0B78NzRMGk=
=UEBC
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQH4XjCh9+71yA2DNAQKL2gP8CwIAqFZMEQJ0xoHieWpnz6KLCM1rfoPy
mizcPwO3Is16w4mxgXFsRAjkw0d76tn78EvV2vpKLnzqIsmdsfljteSdhS+mKPCo
RQmkIwpASK6nxDsjSbmt9zRrMbxE+0QIpnEudPdzdf6Y7FMjIfpoNhe5WnHj2Dvq
YWBs6T6yPYM=
=dtWv
-----END PGP SIGNATURE-----