Microsoft has released a Security Bulletin that has important consequences for the latest versions of Windows—Windows XP and Windows Server 2003. Administrators should also take note of changes to some older Security Bulletins.
Microsoft Security Bulletin MS04-015 details a vulnerability in the Help and Support Center that can allow a remote attacker to run arbitrary code on an unpatched computer. Some other changes that have been included in this Security Bulletin's patch may lead to problems. First, Microsoft has deleted a Windows XP support feature that lets users update DVD drivers. More important, the patch included in this Security Bulletin also alters the way the New Hardware Wizard works. Microsoft reports that this will only generate an unnecessary error message, but whether it has other effects remains to be seen.
This flaw affects the following operating systems:
- Windows XP (even with Service Pack 1 installed)
- Windows XP 64-bit (even with SP1)
- Windows XP 64-bit 2003
- Windows Server 2003
- Windows Server 2003 64-bit
Windows NT 4.0, Windows 2000, Windows 98, Windows 98 SE, and Windows Me are not vulnerable to this threat.
Risk level—important to critical
I would rate this as a critical vulnerability (see the "Final word" section for an explanation). Microsoft rates this only as "Important."
The level of threat depends on the privilege level granted to the account used to launch the attack. The Help and Support service has experienced other problems in the past and, if the service was already disabled, it will not be at risk. However, there is a caveat, and you should read the information in the next section regarding this.
Fix—apply the patch
One workaround is to simply disable the Help and Support service. But, if you've done so in the past, it's important to read Microsoft Knowledge Base Article 841996 before installing this patch. Many administrators have disabled the Help and Support service due to earlier problems. Apparently, if it is disabled, the patch won't install, although Windows Update and the Microsoft Baseline Security Analyzer (MBSA) may report that it has been properly installed.
The problem, of course, lies in the possibility that someone will later reenable the Help and Support service. If that happens, the service will become vulnerable to this threat, and the administrator will have been led to believe that the patch was installed.
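One way to catch the false-positive case described above, as an added example that is not part of the column or of Microsoft's tooling: compare what the inventory tools report against the version of the Help and Support Center binary actually on disk. It assumes a host with Windows PowerShell, the service name `helpsvc` and the `helpctr.exe` path under `%windir%\pchealth`; the patch's KB number and the minimum patched file version are placeholders to be filled in from the bulletin and Knowledge Base Article 841996.

```powershell
# Added example (not from the column): cross-check the real MS04-015 patch state on a host
# where the Help and Support service may have been disabled as a workaround, instead of
# trusting what Windows Update or MBSA reports.
# Assumptions: service name 'helpsvc' and the helpctr.exe path; $PatchKb and $MinFileVersion
# are placeholders to take from the bulletin and KB 841996.
function Test-Ms04015State {
    param(
        [string]$PatchKb         = 'KB<patch-number-from-bulletin>',   # placeholder
        [version]$MinFileVersion = [version]'0.0.0.0'                  # placeholder
    )

    # Is the workaround (service disabled) in place?
    $svc = Get-WmiObject Win32_Service -Filter "Name='helpsvc'"
    $serviceDisabled = ($svc -ne $null -and $svc.StartMode -eq 'Disabled')

    # What the inventory tools see: an entry in the installed-updates list.
    $reportedInstalled = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                                Where-Object { $_.HotFixID -eq $PatchKb })

    # What actually matters: the file version of the Help and Support Center binary.
    # Built from the numeric parts, because the FileVersion string carries build tags.
    $exe = Join-Path $env:windir 'pchealth\helpctr\binaries\helpctr.exe'
    $fileVersion = $null
    if (Test-Path $exe) {
        $vi = (Get-Item $exe).VersionInfo
        $fileVersion = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                                 $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    $binaryPatched = ($fileVersion -ne $null -and $fileVersion -ge $MinFileVersion)

    if ($reportedInstalled -and -not $binaryPatched) {
        $verdict = 'Reported installed but helpctr.exe not updated: reinstall the patch with helpsvc enabled'
    } elseif (-not $reportedInstalled -and $serviceDisabled) {
        $verdict = 'Not installed; workaround (service disabled) in place, do not re-enable until patched'
    } elseif (-not $reportedInstalled) {
        $verdict = 'Not installed and service enabled: patch now'
    } else {
        $verdict = 'Patched'
    }

    New-Object PSObject -Property @{
        ServiceDisabled   = $serviceDisabled
        ReportedInstalled = $reportedInstalled
        FileVersion       = $fileVersion
        BinaryPatched     = $binaryPatched
        Verdict           = $verdict
    }
}

Test-Ms04015State | Format-List
```

Run it as an administrator after applying the patch, and again whenever someone re-enables the service; a "Reported installed but helpctr.exe not updated" verdict is exactly the state the column warns about.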
Final word
At least this Microsoft Security Bulletin doesn't contain the 20-plus vulnerabilities that last month's did. However, I disagree with Microsoft's decision to rate this threat as merely "Important." I don't like vulnerabilities that let remote attackers run arbitrary code and completely take over systems, so I think this is more of a high or even critical threat.
Apparently, Microsoft rated this threat Important mostly because the level of possible damage depends on the level of privileges set for the account that is used to implement the attack. That's all well and good if people don't have elevated privileges, but we all know that some applications are so poorly written that they'll run properly only for administrator accounts. Also, in many organizations, it's a routine (if seriously dangerous) practice to freely give out accounts with administrative permissions. I'm not personally vulnerable to this threat because I refuse to open e-mails in HTML—a simple step that eliminates a surprising number of threats as well as greatly speeding up e-mail handling.
Hidden in the Security Bulletin is a note reminding users that MBSA version 1.1.1 and earlier are no longer being fully supported after April 20, 2004, and those versions will not properly report the need for updates in the future. If you rely on MBSA, you should immediately update to the latest version to ensure that you get the latest update data. This isn't a problem with the earlier versions, per se. Rather, Microsoft has stopped updating the Mssecure.xml file to reflect new updates. In any case, the latest version also covers a lot more products, and you should probably be using it anyway.
Also watch for…
- A new hole has been discovered in the already extremely vulnerable WiFi (802.11) specs. This one could allow someone with a WiFi-enabled PDA to deny access to a wireless network. The report came from AusCERT, which is similar to U.S.-based CERT except that, because of geography, it sees new threats about 12 hours earlier; and because of decent management and policies, it reports them about a month earlier. This WiFi issue is a trivial attack that can be carried out by even a very low-powered device. The only real mitigating factor is that it locks out access only to those devices and nodes within range of the attacker—the stronger the transmitter, the more widespread the outage. It doesn't bring down the network itself. Since 802.11 uses the same frequencies that many security cameras and other wireless devices use, it isn't exactly news that interference can cause wireless outages, but those are random problems caused by using a frequency band that was already crowded. This is the first vulnerability I know of that exists due to interference caused by simply using a PDA with a wireless card. Implementing this attack is simple, uses few resources, and won't be mitigated by the proposed MAC layer security enhancements. I can see one upside to this vulnerability: When the lines are really long at a coffee shop or other fast-food outlet where they have public WiFi access, a simple DoS attack might clear people out for a few minutes, allowing you to buy your caffeine or high-fat fix.
- There have been updates to some older Microsoft Security Bulletins. MS01-052 ("Invalid RDP Data Can Cause Terminal Service Failure") has been revised to version 3.0 to reflect the availability of an update for Windows NT Terminal Server 4.0. Last month's MS04-014 ("Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution") has also been revised to correct errors in the initial release.
- Symantec personal firewalls have a hidden vulnerability that can allow an attacker to run arbitrary code. According to the Open Source Vulnerability Database report, there are no workarounds known, so you must update with the Symantec patch to eliminate this DNS KERNEL buffer overrun threat. Symantec reports that a number of other vulnerabilities involving remote access and DoS events have been reported by the eEye security firm. Patches are available via the Symantec LiveUpdate service.
- According to Secunia, the Opera browser has an address-spoofing vulnerability. The fix is to obtain the latest Opera version.
- There is a hole in Outpost Firewall version 2.x that can lead to a DoS event. This report can also be seen at Secunia, but I wasn't able to confirm it with the vendor.
- A number of holes have been fixed in Apache by way of patches for Slackware Linux 8.x and 9.x.
- The Sasser, Netsky, and Phatbot creators have all apparently been captured in Germany. There hasn't been much coverage of this in U.S. news outlets yet, but you can find details in this CNET News.com report, and there will probably be more stories posted by the time you read this. At 18, the confessed Sasser creator is too young to get any jail time, but others picked up by the German police are old enough to be locked away for a few years. If the cops had simply waited a day or two, the Sasser creator might well have committed some other offense, such as releasing a new Sasser version, and therefore may have been eligible for some real punishment (such as being forced to endlessly apply patches to Windows networks). Microsoft, or at least its reward offer, is reported to have played a big part in finding these vandals. With any luck, prosecutors will squeeze these guys until they give up any other crackers who worked with them—if German law includes the sort of Draconian conspiracy punishments that we have here.