Microsoft’s monthly patch release for April 2004 caught a number of security specialists by surprise due to the number and severity of the vulnerabilities fixed. The four new Microsoft Security Bulletins are:
- MS04-011 “Security Update for Microsoft Windows”
- MS04-012 “Cumulative Update for Microsoft RPC/DCOM”
- MS04-013 “Cumulative Security Update for Outlook Express”
- MS04-014 “Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution”
Additionally, Microsoft has made major revisions to four earlier Security Bulletins (one from each of the past four years)—MS00-082, MS01-041, MS02-011, and MS03-046—as detailed at the end of this article.
According to a CNET News.com report, Microsoft says that some of these fixes have been available for months but the company delayed the release of patches to ease the burden on harried administrators.
With the release of these patches, numerous companies are coming forward with distressing information about just how long many of these critical vulnerabilities were known. Symantec, for example, has been sitting on an Outlook Express MHTML vulnerability since November 25, 2003, waiting for Microsoft to release a patch that has been included in MS04-013.
eEye Digital Security, which has been given credit for discovering six of the recently patched flaws, reports that some of these had been known for more than 200 days before being patched.
Please note that any of the MITRE CAN (candidate) entries for the individual vulnerabilities listed below can be looked up using this URL format: www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0807. Simply substitute the correct year and item number after CAN.
MS04-011, the “Security Update for Microsoft Windows,” replaces some earlier bulletins and also covers some new threats. The patches provided address:
- LDAP Vulnerability (CAN-2003-0663) – A denial of service (DoS) threat
- PCT Vulnerability (CAN-2003-0719) – A buffer overrun may allow an attacker to take over a vulnerable system
- Winlogon Vulnerability (CAN-2003-0806) – A buffer overrun allows remote execution of arbitrary code
- Help and Support Vulnerability (CAN-2003-0907) – A remote code execution threat
- Utility Manager Vulnerability (CAN-2003-0908) – A privilege elevation threat
- Windows Management Vulnerability (CAN-2003-0909) – A privilege elevation threat
- Negotiate SSP Vulnerability (CAN-2004-0119) – A buffer overrun may allow an attacker to take over a vulnerable system
- SSL Vulnerability (CAN-2004-0120) – A DoS threat
- ASN.1 “Double Free” Vulnerability (CAN-2004-0123) – A DoS threat
- LSASS Vulnerability (CAN-2003-0533) – A buffer overrun allows remote execution of arbitrary code
- Metafile Vulnerability (CAN-2003-0906) – A buffer overrun allows remote execution of arbitrary code
- H.323 Vulnerability (CAN-2004-0117) – A remote code execution threat
- Local Descriptor Table Vulnerability (CAN-2003-0910) – A privilege elevation threat
- Virtual DOS Machine Vulnerability (CAN-2004-0118) – A privilege elevation threat
MS04-012, the “Cumulative Update for Microsoft RPC/DCOM,” fixes the vulnerabilities identified as:
- COM Internet Service and RPC over HTTP (CAN-2003-0807) – A DoS threat
- RPC Runtime Library (CAN-2003-0813) – A DoS threat caused by a race condition
- RPCSS Service (CAN-2004-0116) – A DoS threat
- Object Identity (CAN-2004-0124) – An information disclosure threat
MS04-013, the “Cumulative Security Update for Outlook Express,” replaces MS03-014 and all previous Outlook Express updates.
MS04-014, “Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution,” addresses a remote code execution threat that results from a buffer overrun. An exploit would require the attacker to craft a special database query and send it to the Jet Database. The only vulnerability covered by MS04-014 is CAN-2004-0380.
Please note that, despite my best efforts, there are so many vulnerabilities covered by these patch releases that I was only able to note the major points that will apply for most readers. If these patches seem to apply to you, then please also look into the appropriate Microsoft Security Bulletin for the many pages of details associated with each of the vulnerabilities.
MS04-011 affects:
- Windows NT Workstation 4.0 Service Pack 6a
- Windows NT Server 4.0 SP 6a
- Windows NT Server 4.0 TSE SP 6
- Windows 2000 SP 2, SP 3, and SP 4
- Windows XP and Windows XP SP 1
- Windows XP 64-Bit Edition SP 1
- Windows XP 64-Bit Edition Version 2003
- Windows Server 2003
- Windows Server 2003 64-Bit
- Windows 98, Windows 98 SE, and Windows Me
MS04-012 affects the same operating systems as MS04-011.
MS04-013 affects the same operating systems as MS04-011 and the following versions of Outlook Express:
- Outlook Express 5.5 SP2
- Outlook Express 6
- Outlook Express 6 SP1
- Outlook Express 6 SP1 64-bit Edition
- Outlook Express 6 on Windows Server 2003
- Outlook Express 6 on Windows Server 2003 64-bit edition
MS04-014 applies only to the Microsoft Jet Database component on the same OS versions as MS04-011. Jet could have been installed at a later time on some Windows NT systems, so if you aren’t certain whether it is present, Microsoft recommends that you scan for Msjet40.dll and, if you find it, apply the patch from the MS04-014 Security Bulletin.
Risk level – Moderate to Critical
For MS04-011, the highest rated threats are “Critical.” For Windows 98 versions and Me, many of these threats do not apply and the highest rated threat is not critical. For all the other vulnerable operating systems, there is a complex chart in the MS04-011 Security Bulletin showing exactly what level of threat each of the vulnerabilities poses to various systems.
For MS04-012, the highest rated threats are “Critical.” For Windows 98 and Windows NT, these threats either don’t apply or are low risk. For Windows 2000, Windows XP, and Windows Server 2003 some of these threats rate critical.
MS04-013 is a “Critical” threat because this vulnerability allows remote execution of arbitrary code; note that it applies only to Outlook Express and not to the full version of Outlook, so many businesses may not need to apply this patch.
For MS04-014, the highest rated threat is “Important.” This vulnerability can allow remote code execution. For Windows 98 and Windows Me, it is rated “Not Critical.” For Windows NT it is rated “Moderate.” For Windows 2000, Windows XP, and Windows Server 2003 it is rated “Important.”
Mitigating factors for MS04-011
- LDAP Vulnerability (CAN-2003-0663) – Firewall best practices would block the attack and other mitigating factors exist.
- PCT Vulnerability (CAN-2003-0719) – This only affects systems with SSL enabled; firewall best practices would also help block the attack.
- Winlogon Vulnerability (CAN-2003-0806) – Windows Server 2003 is not vulnerable.
- Help and Support Vulnerability (CAN-2003-0907) – Users must visit a malicious Web site or open a malicious e-mail.
- Utility Manager Vulnerability (CAN-2003-0908) – This requires a valid local logon.
- Windows Management Vulnerability (CAN-2003-0909) – This requires a valid local logon.
- Negotiate SSP Vulnerability (CAN-2004-0119) – In most instances the attack would only result in a DoS event and wouldn't allow an attacker to take over the system.
- SSL Vulnerability (CAN-2004-0120) – This only affects systems that use SSL and even those should be protected by applying best practices to firewall configurations.
- ASN.1 “Double Free” Vulnerability (CAN-2004-0123) – This would be difficult to exploit.
- LSASS Vulnerability (CAN-2003-0533) – Firewall best practices would help block this attack.
- Metafile Vulnerability (CAN-2003-0906) – Users would have to be persuaded to open a malicious file.
- H.323 Vulnerability (CAN-2004-0117) – Most users aren’t vulnerable unless NetMeeting is running; those using ICF and no applications which use H.323 aren’t vulnerable.
- Local Descriptor Table Vulnerability (CAN-2003-0910) – This requires a valid local logon.
- Virtual DOS Machine Vulnerability (CAN-2004-0118) – This requires a valid local logon.
For MS04-012, firewall best practices will provide good protection against all of these vulnerabilities except CAN-2003-0807, for which the default installation would not be vulnerable anyway.
The threat covered by MS04-013 is mitigated somewhat if the cumulative patch in Microsoft Security Bulletin MS03-040 has already been applied.
For MS04-014, if the application using Jet performs strong input validation, then the vulnerability should be greatly reduced or completely eliminated.
Patches are provided for all these threats. You can find links in the appropriate bulletins. For MS04-013, there are several rather weak workarounds, including the most basic one of opening e-mail in text rather than HTML display mode. There are no workarounds for MS04-014.
For details on any of the workarounds for MS04-011 or MS04-012 that are listed below, see the appropriate Security Bulletin.
Workarounds for MS04-011 (provided by Microsoft)
- LDAP Vulnerability (CAN-2003-0663) – Block LDAP TCP ports 389, 636, 3268, and 3269.
- PCT Vulnerability (CAN-2003-0719) – Disable PCT in the Registry.
- Winlogon Vulnerability (CAN-2003-0806) – Reduce the number of administrator accounts.
- Help and Support Vulnerability (CAN-2003-0907) – Unregister the HCP Protocol; install Outlook E-mail security updates on Outlook SP1 or earlier systems; open e-mail in plain text.
- Utility Manager Vulnerability (CAN-2003-0908) – Disable Utility Manager.
- Windows Management Vulnerability (CAN-2003-0909) – Delete the Windows Management Interface Provider.
- Negotiate SSP Vulnerability (CAN-2004-0119) – Disable Integrated Windows Authentication; disable the Negotiate SSP.
- SSL Vulnerability (CAN-2004-0120) – Disable SSL and LDAPS access by blocking Ports 443 and 636.
- ASN.1 “Double Free” Vulnerability (CAN-2004-0123) – There's no workaround.
- LSASS Vulnerability (CAN-2003-0533) – Enable ICF and block a variety of ports; see the bulletin for details.
- H.323 Vulnerability (CAN-2004-0117) – Block TCP Ports 1720 and 1503 in both directions.
- Metafile Vulnerability (CAN-2003-0906) – Open e-mails in plain text.
- Local Descriptor Table Vulnerability (CAN-2003-0910) – There's no workaround.
- Virtual DOS Machine Vulnerability (CAN-2004-0118) – There's no workaround.
Workarounds for MS04-012 (provided by Microsoft)
For CAN-2004-0124 and CAN-2003-0813 only, activate ICF (the Internet Connection Firewall) and block:
- UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593.
- Unsolicited inbound packets on ports higher than 1024.
- COM Internet Services (CIS) or RPC over HTTP (Ports 80 and 443).
In addition:
- Use IPSec to block these ports where practical.
- Enable advanced TCP/IP filtering where available.
For CAN-2003-0813, disable DCOM on all systems. For CAN-2003-0807, do not enable the affected components, which are not enabled by default.
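As an added example (not code from the original article or from Microsoft), the following Python script checks a host’s open ports against the port-blocking workarounds summarised above for MS04-011 and MS04-012, so an administrator can see which of those workarounds are not yet in effect. It parses a constructed sample of `netstat -an` output; the port groupings are taken from the bulletin summaries above.

```python
import re
from collections import defaultdict

# Port-based workarounds summarised above: (bulletin, vulnerability, proto, ports).
WORKAROUND_PORTS = [
    ("MS04-011", "LDAP (CAN-2003-0663)", "TCP", {389, 636, 3268, 3269}),
    ("MS04-011", "SSL (CAN-2004-0120)", "TCP", {443, 636}),
    ("MS04-011", "H.323 (CAN-2004-0117)", "TCP", {1720, 1503}),
    ("MS04-012", "RPC/DCOM (CAN-2004-0124, CAN-2003-0813)", "TCP", {135, 139, 445, 593}),
    ("MS04-012", "RPC/DCOM (CAN-2004-0124, CAN-2003-0813)", "UDP", {135, 137, 138, 445}),
    ("MS04-012", "CIS / RPC over HTTP (CAN-2003-0807)", "TCP", {80, 443}),
]

# Constructed sample of `netstat -an` output from a Windows host (not real data; header omitted).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1720           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:51234     ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:445            *:*
"""

# proto, local addr:port, foreign addr, optional state (UDP lines carry none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def listening_ports(netstat_text):
    """Sockets that accept unsolicited traffic, as {(proto, port)}:
    TCP only in LISTENING state, every bound UDP socket."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and (m.group(1) == "UDP" or m.group(3) == "LISTENING"):
            found.add((m.group(1), int(m.group(2))))
    return found

def exposed_workaround_ports(netstat_text):
    """Ports each bulletin workaround says to block that this host still has
    open, as {(bulletin, vulnerability): ['PROTO/port', ...]}; workarounds
    with nothing open are omitted because they are already in effect."""
    open_ports = listening_ports(netstat_text)
    report = defaultdict(list)
    for bulletin, vuln, proto, ports in WORKAROUND_PORTS:
        hits = sorted(p for p in ports if (proto, p) in open_ports)
        report[(bulletin, vuln)].extend(f"{proto}/{p}" for p in hits)
    return {key: opened for key, opened in report.items() if opened}

if __name__ == "__main__":
    for (bulletin, vuln), opened in exposed_workaround_ports(SAMPLE_NETSTAT).items():
        print(f"{bulletin} {vuln}: still open {', '.join(opened)}")
```

Run it on real `netstat -an` output piped into `SAMPLE_NETSTAT`’s place to get the same report for a live host; an empty result means every listed port is already blocked or unused.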
I’m of two minds about this massive patch release. On the one hand, it certainly saves a lot of time to be able to download and apply these patches in one fell swoop rather than piecemeal. For instance, MS04-011 contains at least 11 separate fixes rolled into a single set of patches. If these had been released as soon as available, then the same software would have been patched multiple times in any shop that applies critical patches on a timely basis.
On the other hand, Microsoft has apparently been sitting on a lot of these patches for some time because they were working on other patches and wanted to combine them all in one big release. That, of course, left machines vulnerable to holes that Microsoft knew about and had already produced a fix for, but hadn’t yet distributed the patch.
I would much prefer seeing more timely patches with a simple note that administrators should expect a later patch for the same software and might wish to consider applying workarounds temporarily.
Also watch for…
- By now everyone who cares to look at their inbox knows that CAN-SPAM, last year’s spam legislation from the U.S. federal government, has had little of the claimed effect of actually reducing the volume of spam, which has led many to label it a pro-spam bill. Fortunately, ZDNet reports that some states are stepping up to give it some real teeth. AOL helped Maryland draft new antispam laws that could put spammers in jail for 10 years if they hijack other computers to spread their messages, something the federal legislation didn’t include. Other states are following suit.
- Re-released Microsoft Security Bulletins MS00-082, MS01-041, MS02-011, and MS03-046 were all updated to note the availability of an update for Exchange Server 5.0. MS02-011 also notes an update for Windows NT Server 4.0.