Lock IT Down: Microsoft releases seven new security bulletins

Discover seven security threats to your systems and how to avert them


In a single day, Microsoft recently released seven Security Bulletins: MS03-041, MS03-042, MS03-043, MS03-044, MS03-045, MS03-046, and MS03-047. With the exception of MS03-045 and MS03-047, all of these are rated Critical by Microsoft. We're going to take a closer look at each of the five critical vulnerabilities.

Details
MS03-041, Vulnerability in Authenticode Verification Could Allow Remote Code Execution, warns of a flaw that can allow a remote attacker to run arbitrary code on many Windows systems. Authenticode normally causes a user to be prompted before downloading any ActiveX code from untrusted Web sites. The vulnerability occurs only in some low-memory conditions, which can cause the code to download and execute automatically without user intervention.

Although this involves Internet Explorer, the actual fault lies in Authenticode (a separate piece of software that typically runs with IE) and not in IE itself, so the vulnerability can affect any application using Authenticode, regardless of whether you use IE as your browser.

MS03-042, Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution, documents another flaw that is related to ActiveX and that also allows a remote attacker to run arbitrary code on the vulnerable system. This is a buffer overrun problem in Tshoot.ocx. Microsoft reports, "The Microsoft Local Troubleshooter ActiveX control is installed as a default part of the operating system on Windows 2000."

MS03-043, Buffer Overrun in Messenger Service Could Allow Code Execution, involves the Messenger Service's failure to properly check the length of a message before passing it to a buffer. This could allow a remote attacker to run arbitrary code on the vulnerable system.

MS03-044, Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise, documents an unchecked buffer in one file associated with the Help and Support Center function (HCP protocol). This could allow a remote attacker to run arbitrary code on the vulnerable system.

MS03-046, Vulnerability in Exchange Server Could Allow Arbitrary Code Execution, poses two threats. The first is a denial of service vulnerability that can be exploited through the SMTP port on an Exchange server. The second is a buffer overrun vulnerability that can allow a remote attacker to run arbitrary code on the vulnerable system.

Applicability
MS03-041 and MS03-043:
Windows NT Workstation and NT Server 4.0, Service Pack 6a
Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
Windows 2000, Service Pack 2, Service Pack 3, Service Pack 4
Windows XP Gold, Service Pack 1
Windows XP 64-bit Edition
Windows XP 64-bit Edition Version 2003
Windows Server 2003
Windows Server 2003 64-Bit Edition

Windows Millennium Edition is not affected by the vulnerability in MS03-041 or MS03-043.

MS03-042: This affects Windows 2000 only. Tested and unaffected by this vulnerability (according to Microsoft) are:
Windows NT 4.0
Windows NT Server 4.0, Terminal Server Edition
Windows Me
Windows XP
Windows Server 2003

Microsoft does not support older operating systems, and the company reports that untested versions may or may not be affected by this vulnerability.

MS03-044: According to Microsoft, all tested Windows versions are affected. This is the list of operating systems Microsoft tested and is therefore also the list of what the company says it still supports:
Windows Me
Windows NT Workstation 4.0, Service Pack 6a
Windows NT Server 4.0, Service Pack 6a
Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
Windows 2000, Service Pack 2, Service Pack 3, Service Pack 4
Windows XP Gold, Service Pack 1
Windows XP 64-Bit Edition
Windows XP 64-Bit Edition Version 2003
Windows Server 2003
Windows Server 2003 64-Bit Edition

MS03-046: This affects only Microsoft Exchange Server, specifically Microsoft Exchange Server 5.5, Service Pack 4 and Exchange 2000 Server, Service Pack 3. Exchange Server 2003 is not vulnerable to this flaw.

Risk levels
  • MS03-041 is rated Critical for Windows NT 4.0, Windows Server NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. For Windows Server 2003, this is rated a Moderate threat.
  • MS03-042 is rated Critical for Windows 2000 installations.
  • MS03-043 is rated Critical for Windows NT 4.0, Windows Server NT 4.0, Terminal Server Edition, Windows 2000, and Windows XP. For Windows Server 2003, this is rated Moderate because the Messenger Service is disabled by default.
  • MS03-044 is rated a Critical vulnerability only for Windows XP and Windows Server 2003. It is rated a Low vulnerability for all other Windows systems.
  • MS03-046 is a Critical threat for Exchange 2000 Server, but is rated only Important for Exchange Server 5.5.

Mitigating factors
  • MS03-041—Windows Server 2003 runs Internet Explorer in the enhanced security configuration by default, and if this hasn't been changed, the attack will be blocked on these systems.
  • MS03-043—Many firewalls already block NetBIOS ports 137, 138, and 139, which prevents messages from reaching the Messenger Service. The minimal firewall built into Windows XP, the Internet Connection Firewall, also blocks NetBIOS by default.
  • MS03-044—The vulnerable code for this flaw is present in all the currently supported Windows operating systems, but only Windows XP and Windows Server 2003 are particularly vulnerable because the HCP protocol is not supported in the other listed versions. IE version 6 is less vulnerable, as are those systems with the patch from Microsoft Security Bulletin MS03-040 installed.

Fix
  • MS03-041—Patches are available for all known affected versions as listed above.
  • MS03-042—Patches are available for Windows 2000, Service Packs 2, 3, and 4.
  • MS03-043—Microsoft recommends that everyone affected immediately disable the Messenger Service and then evaluate the need to patch based on whether they use the Messenger Service. Patches are available for all affected versions as listed above.
  • MS03-044—Patches are available for the supported versions listed above.
  • MS03-046—Patches are available for Microsoft Exchange Server 5.5, Service Pack 4 and for Exchange 2000 Server, Service Pack 3.

Workarounds
  • MS03-041—Block ActiveX or restrict the browser to trusted Web sites.
  • MS03-042—Alter the way ActiveX plug-ins run in the Internet and intranet zones or restrict the browser to trusted Web sites.
  • MS03-043—Enable the Internet Connection Firewall that ships with Windows XP and Windows Server 2003. On all systems, you can disable the Messenger Service. Either workaround should completely block this attack vector.
  • MS03-044—Remove HCP from the HKEY_CLASSES_ROOT directory in the Registry. (Instructions on how to do this are in the Workarounds section of the bulletin.)
  • MS03-046—Accept only authenticated SMTP sessions or use a firewall to block port 25. Additional workarounds are provided in MS03-046.
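
The following read-only check is an added example, not taken from the bulletins or from Microsoft. It reports whether the MS03-043 and MS03-044 workarounds listed above are in place on a host. It assumes the service's short name is Messenger and that sc.exe and reg.exe are available, as on Windows XP and Windows Server 2003.

```batch
@echo off
rem Added example: audit two workarounds from the list above. Changes nothing.
rem Assumption: sc.exe and reg.exe are on the PATH.
setlocal
set FINDINGS=0

rem --- MS03-043: Messenger Service should be disabled and stopped ---
sc query Messenger >nul 2>&1
if errorlevel 1 (
    echo [MS03-043] Messenger service is not installed on this host
    goto :hcp
)
sc qc Messenger | find "DISABLED" >nul
if errorlevel 1 (
    echo [MS03-043] FINDING: Messenger start type is not DISABLED
    set /a FINDINGS+=1
) else (
    echo [MS03-043] OK: Messenger start type is DISABLED
)
sc query Messenger | find "RUNNING" >nul
if not errorlevel 1 (
    echo [MS03-043] FINDING: Messenger is RUNNING in this boot session
    set /a FINDINGS+=1
)

:hcp
rem --- MS03-044: the HCP key under HKEY_CLASSES_ROOT should be removed ---
reg query "HKCR\HCP" >nul 2>&1
if not errorlevel 1 (
    echo [MS03-044] FINDING: HKEY_CLASSES_ROOT\HCP is present
    set /a FINDINGS+=1
) else (
    echo [MS03-044] OK: HKEY_CLASSES_ROOT\HCP is absent
)

echo Open findings: %FINDINGS%
rem Exit code equals the number of findings, so a caller can collect it.
endlocal & exit /b %FINDINGS%
```

A service whose start type is DISABLED can still be running until it is stopped or the machine restarts, which is why the two Messenger checks are reported separately.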

Final word
These bulletins use a new format, especially for the patch information. The level of detail is expansive, with some bulletins extending to 20 pages when copied to Microsoft Word. You'll also notice that these bulletins don't mention Windows 98. It is no longer supported when Microsoft tests for these vulnerabilities or releases patches. Support now begins with Windows Me, Windows NT 4.0, and Windows 2000.

Also watch out for…
Here are details on the two noncritical bulletins from Microsoft:
  • MS03-045, Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution, is rated an Important threat by Microsoft, but only for Windows 2000. It's rated Low for the other vulnerable systems. This is a buffer overrun vulnerability that can result in an elevation-of-privilege threat in the following operating systems: Windows NT Workstation 4.0, Service Pack 6a; Windows NT Server 4.0, Service Pack 6a; Windows NT Server 4.0, Terminal Server Edition, Service Pack 6; Windows 2000, Service Pack 2, 3, and 4; Windows XP Gold, Service Pack 1; Windows XP 64-Bit Edition; Windows XP 64-Bit Edition Version 2003; Windows Server 2003; and Windows Server 2003 64-Bit Edition. Windows Me is not affected, but other Windows 9x versions are no longer supported and weren't tested for this vulnerability. Patches are available for all the listed versions, and this vulnerability cannot be exploited remotely. Microsoft also details a workaround in the bulletin.
  • MS03-047, Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack, is a Moderate threat that exists in the same operating system versions as MS03-045. Patches are available, and the bulletin details some workarounds that will block the known attack vectors.


In addition to the mitigating factors listed, those vulnerabilities linked to HTML e-mails and Web sites share the usual "mitigation" notes telling users that if they don't visit bad sites or open malicious e-mails, they won't be in danger from those flaws.
