Microsoft

Microsoft discloses new threats to Windows, IIS, and Outlook Express

Get the details on Microsoft Security Bulletins MS04-018, MS04-019, MS04-020, MS04-021, MS04-024.

In addition to the critical security threats from Microsoft that I covered in last week's column, the Redmond software giant has also issued a flurry of medium-level security threats that Windows administrators need to be aware of.

Details

MS04-018, "Cumulative Security Update for Outlook Express," is caused by a failure of Outlook express to properly handle some specifically malformed e-mail headers. This is a DoS threat and Microsoft reports having seen published exploits but hasn't received any reports from customers that have been compromised by the exploit. This threat is covered by CAN-2004-0215

MS04-019, "Vulnerability in Utility Manager Could Allow Code Execution," is a local elevation of privilege threat that can't be exploited remotely. MSBA will report if your system needs this update and Systems Management Server (SMS) can help deploy it.

MS04-020, "Vulnerability in POSIX Could Allow Code Execution," is an unchecked buffer vulnerability in the Portable Operating System Interface for UNIX. MSBA will report if your system needs this update and SMS can help deploy it. This threat is covered by CAN-2004-0210.

MS04-021, "Security Update for IIS 4.0," is a buffer overrun vulnerability in the redirect function that can allow remote execution. MSBA will report if your system needs this update and SMS can help deploy it. This threat is covered by CAN-2004-0205.

MS04-024, "Vulnerability in Windows Shell Could Allow Remote Code Execution," replaces MS03-027 for Windows XP (but not for the other affected operating systems). This threat is covered by CAN-2004-0420.

Applicability

MS04-018 applies to all versions of Outlook Express from 5.5 through 6, including operating systems from NT 4.0 through Windows Server 2003.

MS04-019 affects all versions (and all Service Packs) of Windows 2000.

MS04-020 affects all versions of Windows NT 4.0 and all versions of Windows 2000 (and all its service packs).

MS04-021 affects Windows NT Workstation 4.0 Service Pack 6a and Windows NT Server 4.0 SP6a (but only with IIS installed as part of the NT 4 Option Pack).

MS04-024 affects all versions of:

  • Windows NT 4.0
  • Windows 2000
  • Windows XP
  • Windows Server 2003

Windows 98, 98 SE and ME may be affected by all of these threats, but since none of these flaws are a critical threat to those operating environments, updates are not provided by Microsoft (which limits support for discontinued operating systems to critical-only updates).

Risk level – Important to moderate

MS04-021 and MS-024 are both remote code execution vulnerabilities that allow a remote attacker to run arbitrary programs and take complete control over the vulnerable systems. I would rate these as critical rather than the moderate rating Microsoft has given them.

MS04-020 is a local elevation of privilege threat and can't be exploited remotely or without detailed information about the system and access to it.

Although MS04-019 can allow someone to take complete control over a system, it is rated a moderate threat because it can only be exploited locally by a legitimate user. This is not a remotely executable threat or one that could be executed by a complete stranger.

MS04-018 is considered only a moderate denial of service threat because successful execution would cause only Outlook Express to fail, not the operating system or other applications.

Fix – Apply the patches/updates provided

Please check the Microsoft bulletins before taking any action on these vulnerabilities, because several of the bulletins have been updated multiple times.

A partial workaround for MS04-018 is to disable the preview pane (View, Layout, and uncheck View Preview Pane). This doesn't completely remove the threat, but it does make it easier to remove the offending message.

There is no workaround for MS04-024.

As mentioned above, Windows 98, 98 SE, and ME are no longer supported except for critical threats, so no patches are available for those operating systems. Also, Windows NT Workstation 4.0 has also just passed out of normal support, but Microsoft already had a number of these patches prepared for that operating system and has included fixes for it in these updates.

Warnings

MS04-019 (Utility Manager bulletin) – In addition to fixing the vulnerability, applying this update will eliminate access to context-sensitive help from the Utility Manager.

MS04-021 (IIS 4.0) – There is apparently a problem updating with the ISAPI filters running (see knowledge base article 873401). That's what Microsoft says. Actually the problem is a complete crash-and-burn, so I'd pay attention to this knowledge base article if I were applying this patch. The IISLockdown tool installs URLScan and will protect against this vulnerability. See the workarounds section of the Microsoft bulletin for directions on configuring the tool. Also, the workaround using URLScan will block all incoming requests larger than 16K. IIS can be disabled or stopped in IIS Manager or removed, but this will also block other Internet services, such as the IIS SMTP service.

MS04-024 (Windows Shell) – Active X features may be limited by some of the recent IE patches and this patch refines some previous changes in IE 6 Service Pack 1 that may prevent other cross domain vulnerabilities. The update can prevent attackers from moving code execution from the Internet Zone to the more permissive Local Machine security zone.

Final word

As for the problem in Outlook Express, MS04-019, I don't believe this software belongs on any business system. In fact, I don't even use the full version of Outlook because it is tied to, or is the source of, so many vulnerabilities. Thus, my personal best practices would have avoided this problem entirely. None of my clients use Outlook Express and if any of them use Outlook, it is against my advice.


Also watch for …

  • Secunia has released an advisory for an unspecified mod_ssl 2.x (mod-proxy) threat in Apache that the security vendor has rated as highly critical because of the widespread critical applications in which Apache is used. No further details were available but the vendor that reported the threat recommends immediate update to version 2.8.19-1.3.31.
  • Beagle/Bagle is once again showing its teeth. Fast-spreading and virulent, the latest incarnation of Beagle/Bagle (the one known as Beagle.AG at Symantec) has its own SMTP mail engine and opens a backdoor at TCP 1080. Click here for a number of Beagle removal tools.
  • According to a CNET news.com report, the new Atak mass-mailing worm actually watches for antivirus software activity and, when it begins a scan, Atak shuts down so it won't be discovered. It doesn't carry a dangerous payload but Atak is part of the new generation of worms that are intended to spread spam. F-Secure's lead virus specialist says that while many viruses and worms attempt to hide, this one is exceptionally good at it.
  • In the "it had to happen someday" category, you can now place bets (they are actually a kind of futures options) on an Irish sports betting site (tradesports.com) about when the next big worm or virus attack will take place. See this ZDNet UK story for more details and get your bets down early!
  • There is a Gentoo php update that is rated highly critical. It addresses two apparently unrelated vulnerabilities that can allow an attacker to completely compromise a system. See the full advisory here. Another moderately critical vulnerability in Opera for Gentoo Linux 1.x has been patched. The impact of this threat is phishing related. See this Gentoo-announce report and this Gentoo Linux Security Advisory for more details.

Editor's Picks