On July 24, Microsoft released five new Security Bulletins: MS02-032 (update), MS02-036, MS02-037, MS02-038, and MS02-039. They include pertinent security information affecting multiple Microsoft products, led by several key fixes for SQL Server 2000. Let's take a closer look.
Security Bulletin details
MS02-032—Cumulative Patch for Windows Media Player
If you find this one more than a bit confusing, you're not alone. It will take the most explanation. You have to read the entire description because this actually applies to everyone with Windows Media Player.
MS02-032 includes a cumulative patch of vulnerabilities first described as "patched" in MS01-052. But not all of the fixes described in MS01-052 were actually included in the "cumulative" patch MS02-032, as initially released on June 26, 2002.
Microsoft reports that, if you applied the patches supplied with MS01-052 and the ones originally supplied with MS02-032, your system is not vulnerable to the original threats. But if you relied on the "cumulative" label on the initial release of MS02-032 and applied only that patch, all of the Media Player vulnerabilities covered by MS01-052 have not been fixed. The bottom line is that you now need to apply the new patches supplied with the latest release of MS02-032, which now includes all the updated files found in MS01-052.
But wait, there's a kicker. Even if you had applied both earlier patches, all this talk about what's patched and what isn't is moot. You still need the new MS02-032 patch because it also patches three new vulnerabilities, one of which is rated as critical.
The following three vulnerabilities are new and are addressed only by this newest patch for Media Player:
- Cache Path Disclosure—Critical. This could allow an attacker to run arbitrary code on client systems.
- Privilege Elevation—Critical, but only for Media Player 7.1 running on Windows 2000. This vulnerability can allow someone with physical access to a Windows 2000 system to increase his or her access to the highest level.
- Playback Script Execution—Low. This allows the attacker to run an arbitrary script but only under special circumstances, and there is a time-critical element, which makes this very unlikely to be exploited.
MS02-032 also has some other security enhancements not related to specific vulnerabilities.
MS02-036—Authentication Flaw in Microsoft Metadirectory Services
MMS is an enterprise tool used to manage and integrate various resources. The vulnerability is due to a flaw that can allow a user to log onto the system through the LADP client and gain access at the administrator level.
MS02-037—Server Response to SMTP Client EHLO Command Results in Buffer Overrun
There is a buffer overrun vulnerability in the way Internet Mail Connector (IMC) handles the SNMP extended Hello (EHLO) requests. IMC enables SNMP connections.
MS02-038—Unchecked Buffer in SQL Server 2000 Utilities Could Allow Code Execution
This bulletin addresses two new vulnerabilities. The first, CAN-2002-0644, is a buffer overrun in database consistency checkers. The second, CAN-2002-0645, is a SQL injection vulnerability in Replication Stored Procedures.
MS02-039—Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution
This one addresses three new vulnerabilities. Two are buffer overruns involving the Resolution Service and affect either the stack or the heap. The other is a denial of service attack that involves spoofing addresses to start an endless loop of keep-alive packet exchanges. These packets are used by the SQL Server to shut down inactive accounts.
Risk levels—some are critical
There are so many different vulnerabilities and they affect different users in so many ways that it wouldn't be profitable to try and detail every single combination here. These are just the highlights. You need to check out the technical details found in each Microsoft Security Bulletin to determine the exact risk level and applicability for each of these vulnerabilities. Here's a brief summary:
MS02-032 (MS01-056)—Critical. This can allow attacker to run arbitrary code.
MS02-036—Moderate. This can allow users to gain administrator-level access; no threat to client systems.
MS02-037—Moderate. This poses no threat to client systems.
MS02-038—Moderate to low for SQL Server 2000. There is no threat to client systems.
MS02-039—Critical. This can allow an attacker to take complete control of the server.
- Windows Media Player 6.4
- Windows Media Player 7
- Windows Media Player 7.1
- Windows Media Player for Windows XP
Microsoft Metadirectory Services 2.2
Microsoft Exchange Server 5.5
- Microsoft SQL Server 2000
- Microsoft Desktop Engine (MSDE) 2000
Microsoft SQL Server 2000
Various mitigating factors exist for these threats, but merely following good security practices is not enough to prevent exploitation of some of these vulnerabilities.
MS02-032—If you applied both the earlier patches discussed above, you are protected from some of the issues addressed by the current version of this bulletin, but not all, including one critical vulnerability.
MS02-036—Following good practices will block the access that would enable someone to exploit this vulnerability from the Internet. Given access, this vulnerability could only be exploited by an attacker with protocol-level expertise. This isn't a script-kiddie attack and requires a detailed knowledge of the specific installation.
MS02-037—If SNMP is not used and IMC is disabled in Exchange, the vulnerability isn't present; however, patching the flaw might be a good idea in case SNMP is enabled in the future. If reverse DNS lookup on EHLO is disabled, the system isn't vulnerable.
MS02-038—Following good practices will eliminate most risk.The buffer overrun flaw should not create a vulnerability if the administrator has followed good practices by restricting db_owner and db_ddladmin privileges to trusted users. The SQL Injection Vulnerability can be exploited only if the attacker can log on to the server interactively. Good security practices allow this only for trusted users.
MS02-039—The buffer overrun vulnerability can't attack the operating system if the administrator followed good practices and left the SQL Server running in the default Domain user mode. Also, if port 1434 is blocked at the firewall, the server won't be vulnerable.The SQL Server Resolution vulnerability can only cause a denial of service event.
After a few weeks of relative quiet, a new rash of Microsoft bulletins is upon us. You'll need to decide which ones purport to fix problems that are risky enough to warrant making the update. Although I've tried to hit the high points, this column would become unwieldy if I went into all the gory details on these bulletins. As always, if you have systems identified in the applicability section, you should check out the Microsoft bulletins themselves for all the details before you patch your systems.