Date: 15 December 2004
References: AU-2004.0013 AL-2004.039
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2004.0776 -- Multiple Vulnerabilities in Microsoft Products
15 December 2004
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: WordPad
DHCP
HyperTerminal
Windows Kernel
LSASS
WINS
Publisher: Microsoft
Operating System: Windows Server 2003
Windows XP
Windows 2000
Windows NT
Windows ME
Windows 98SE
Windows 98
Windows 95
Impact: Execute Arbitrary Code/Commands
Denial of Service
Increased Privileges
Access: Remote/Unauthenticated
CVE Names: CAN-2004-0571 CAN-2004-0901 CAN-2004-0899
CAN-2004-0900 CAN-2004-0568 CAN-2004-0893
CAN-2004-0894
Ref: AL-2004.039
AU-2004.0013
Original Bulletin: http://www.microsoft.com/technet/security/bulletin/ms04-dec.mspx
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Microsoft is releasing five security bulletins for newly discovered
vulnerabilities in Microsoft Windows.
- 5 Microsoft Security Bulletin affecting Microsoft Windows with a
maximum severity of Important, MS04-041, MS04-042, MS04-043,
MS04-044, MS04-045.
The summary for this month's bulletins can be found at the following
page:
- http://www.microsoft.com/technet/security/bulletin/ms04-dec.mspx
In addition, Microsoft is releasing new updates for Microsoft Visual
FoxPro 8.0 and standalone updates for Microsoft .NET Framework in
regards to MS04-028.
Information on these re-released bulletins may be found at the
following pages:
- http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
Customers are advised to review the information in the bulletins,
test and deploy the updates immediately in their environments, if
applicable.
Microsoft will host a webcast to address customer questions on these
bulletins. For more information on this webcast please see below:
- Information about Microsoft's December Security Bulletins
- Wednesday, December 15, 2004 11:00 AM (GMT-08:00) Pacific Time (US
& Canada)
-
http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=103
2264801&Culture=en-US
- The on-demand version of the webcast will be available 24 hours
after the live webcast at:
-
http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=103
2264801&Culture=en-US
**********************************************************************
TECHNICAL DETAILS
MS04-041
Title: Vulnerability in WordPad Could Allow Code Execution (885836)
Affected Software:
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service
Pack 6
- Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
Service Pack 4
- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP
Service Pack 2
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
and Microsoft Windows Millennium Edition (ME) - Review the FAQ
section of this bulletin for details about these operating
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Restart required: No
Update can be uninstalled: Yes
More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-041.mspx
**********************************************************************
MS04-042
Title: Vulnerability in DHCP Could Allow Remote Code Execution and
Denial of Service (885249)
Affected Software:
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service
Pack 6
Non-Affected Software:
- Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
Service Pack 4
- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP
Service Pack 2
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
and Microsoft Windows Millennium Edition (ME)
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Restart required: Yes
Update can be uninstalled: Yes
More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-042.mspx
**********************************************************************
MS04-043
Title: Vulnerability in HyperTerminal Could Allow Code Execution
(873339)
Affected Software:
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service
Pack 6
- Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
Service Pack 4
- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP
Service Pack 2
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
Non-Affected Software:
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
and Microsoft Windows Millennium Edition (ME)
Affected Components:
- HyperTerminal
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Restart required: No
Update can be uninstalled: Yes
More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-043.mspx
**********************************************************************
MS04-044
Title: Vulnerabilities in Windows Kernel and LSASS Could Allow
Elevation of Privilege (885835)
Affected Software:
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service
Pack 6
- Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
Service Pack 4
- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP
Service Pack 2
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
Non-Affected Software:
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
and Microsoft Windows Millennium Edition (ME)
Impact of Vulnerability: Elevation of Privilege
Maximum Severity Rating: Important
Restart required: Yes
Update can be uninstalled: Yes
More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
**********************************************************************
MS04-045
Title: Vulnerability in WINS Could Allow Remote Code Execution
(870763)
Affected Software:
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service
Pack 6
- Microsoft Windows 2000 Server Service Pack 3 and Microsoft Windows
2000 Server Service Pack 4
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
Non-Affected Software:
- Microsoft Windows 2000 Professional Service Pack 3 and Microsoft
Windows 2000 Professional Service Pack 4
- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP
Service Pack 2
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
and Microsoft Windows Millennium Edition (Me)
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Restart required: In some cases, this update does not require a
restart. The installer stops the required services, applies the
update, and then restarts the services. However, if the required
services cannot be stopped for any reason, or if required files are
in use, this update will require a restart. If this occurs, a message
appears that advises you to restart.
Update can be uninstalled: Yes
More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx
**********************************************************************
MS04-028
Title: Buffer Overrun in JPEG Processing (GDI+) Could Allow Code
Execution (833987)
Affected Software (re-release only):
- Microsoft Visual FoxPro 8.0
- Microsoft Visual FoxPro 8.0 Runtime Library
New Stand-alone updates available for:
- Microsoft .NET Framework version 1.0 Service Pack 2
- Microsoft .NET Framework version 1.1
Reason for Re-issue:
The bulletin has been updated to advise on the availability of
additional updates that help address this vulnerability:
- Standalone security updates for The Microsoft .NET Framework
version 1.0 Service Pack 2 and The Microsoft .NET Framework version
1.1 are now available. Based on customer feedback, Microsoft has
created standalone updates for customers who have not yet deployed
.NET Framework 1.0 Service Pack 3 or .NET Framework 1.1 Service Pack
1. However, Microsoft recommends that customers install the latest
version of the appropriate service pack in order to receive the best
protection from this vulnerability as well as other security related
issues. Customers can either install The Microsoft .NET Framework 1.0
Service Pack 3 or The Microsoft .NET Framework 1.1 Service Pack 1.
Customers that have already installed these service packs do not need
to apply these additional security updates.
- Security updates for Microsoft Visual FoxPro 8.0 are now
available. Developers should use the update for Microsoft Visual
FoxPro 8.0 to update their development environment. Customers using
third party applications that were developed using Microsoft Visual
FoxPro 8.0 that distribute a copy of the vulnerable gdiplus.dll file
should evaluate the need to deploy the security update for the
Microsoft Visual FoxPro 8.0 Runtime Library.
- Windows Messenger 5.0 distributes a copy of the vulnerable version
of the gdiplus.dll file. However, it is not vulnerable to any known
or likely attack vectors and therefore is not considered to be
vulnerable to this issue. However, customers that are concerned about
the presence of this file and possible future attack vectors that may
be found should upgrade to Windows Messenger 5.1. Windows Messenger
5.1 contains the latest version of the gdiplus.dll file and is the
recommended version of Windows Messenger. Windows Messenger 5.1 can
be downloaded from the following Web site.
The MS04-028 Enterprise Update Scanning Tool has been updated to
detect and deploy the stand along security updates for The Microsoft
.NET Framework version 1.0 Service Pack 2 and The Microsoft .NET
Framework version 1.1 as well as the Microsoft Visual FoxPro 8.0 and
the Microsoft Visual FoxPro 8.0 runtime. Since Windows Messenger is
not considered to be vulnerable to any known or likely attack
vectors, it has not been included in this update. For more
information about the MS04-028 Enterprise Update Scanning Tool, see
Microsoft Knowledge Base Article 886988.
More information on this re-issued bulletin is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
PLEASE VISIT http://www.microsoft.com/technet/security FOR THE MOST
CURRENT INFORMATION ON THESE ALERTS.
If you have any questions regarding the security updates or its
implementation after reading the above listed bulletin you should
contact Product Support Services in the United States at
1-866-PCSafety (1-866-727-2338). International customers should
contact their local subsidiary at the number located at
http://support.microsoft.com/security
Thank you,
Microsoft PSS Security Team
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
iQA/AwUBQb80LJoTaijrcixLEQJb9QCfSCCs6XGyAO5h41IladfpMNKYUDcAnRtb
2mHm9njfIgSihUzHNmcwe/Bl
=JNwq
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQb/U8Sh9+71yA2DNAQKkKQP8Cix1wV5fsTz/8pKrnoeUxrTDEBsrSmKz
CVoLV79YwNoZr3iuGu9xARdVxEtH42noz2Ayxskz46iblYRojwyhVK8P6FuUvjjn
PXMPWp9azsPQ6I2em2BbqY598TW2OSteSMZj1HiyxPQsofMERkra/DVbf/T1iewY
B8VggDQxy0U=
=9eSb
-----END PGP SIGNATURE-----
|