Microsoft

Microsoft releases critical updates for IE, Workstation service

Nearly all versions of Internet Explorer need to be updated to fix critical flaws released in Security Bulletin MS03-048. Plus, there's bulletin MS03-049, which reveals a new flaw in the Workstation service of two versions of Windows.


Microsoft Security Bulletin MS03-048, “Cumulative Security Update for Internet Explorer,” is a cumulative update for Internet Explorer and covers some newly discovered vulnerabilities. This update replaces the earlier cumulative update released with MS03-040 and covers all earlier updates for IE 5.01, IE 5.5, and IE 6.0. Another new bulletin, MS03-049, addresses a flaw in the Workstation service.

Details
This bulletin and the included patches cover three new cross-domain vulnerabilities, which can cause a malicious script to execute in the My Computer zone. The Mitre identifiers for these are: CAN-2003-0814 (ExecCommand); CAN-2003-0815 (Function Pointer); and CAN-2003-0816 (Script URL). An XML zone management threat that could expose data on the local system to a remote attacker has been assigned CAN-2003-0817. A DHTML drag-and-drop vulnerability that can cause a file to be downloaded to the local computer without giving any warning message has been assigned CAN-2003-0823.

Also, Microsoft Security Bulletin MS03-049, “Buffer Overrun in the Workstation Service Could Allow Code Execution,” can let a remote attacker gain control over a system. Essentially, a malicious network message sent to the Workstation service can cause the service to crash in a way that will let the attacker run arbitrary code on the computer. This has been assigned the Mitre designation CAN-2003-0812.

Applicability
For MS03-048, all supported versions of IE as well as Outlook and Outlook Express are affected. Here's the detailed list of the affected versions:
  • Internet Explorer 6
  • Internet Explorer 6 Service Pack 1 and Service Pack 1, 64-Bit Edition
  • Internet Explorer 6 Service Pack 1 for Windows Server 2003 and Server 2003, 64-Bit Edition
  • Internet Explorer 5.5 Service Pack 2
  • Internet Explorer 5.01 Service Pack 2, SP 3, SP 4
  • Earlier versions of IE are no longer supported, but may contain the same vulnerabilities.

MS03-048 also specifically affects the following operating systems:
  • Windows 98 and Windows 98 Second Edition
  • Windows Me
  • Windows NT 4.0 Workstation and Windows NT 4.0 Server (both Service Pack 6a)
  • Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
  • Windows 2000 Service Pack 2, SP 3, SP 4
  • Windows XP and Windows XP Service Pack 1
  • Windows XP 64-Bit Edition and Windows XP 64-Bit Edition Version 2003
  • Windows Server 2003 and Windows Server 2003, 64-Bit Edition

The Workstation Service flaw in MS03-049 affects only Windows 2000 and Windows XP.

Risk level—mostly critical
MS03-048 carries an overall Critical rating for IE 5.01 versions, as well as for IE 6 and IE 6 SP 1 before Window Server 2003. Overall, the risk is Moderate for the latest versions of IE 6. The XML object vulnerability is rated Moderate for IE 5.5 SP 2 and IE 6, and IE 6 SP 1 before Windows Server 2003. The risk is Low for later versions of IE 6. MS03-049 is rated Critical for both Windows 2000 and Windows XP.

Mitigating factors
For MS03-048, Windows Server 2003 runs IE in Enhanced Security Configuration by default, and IE 6 is less vulnerable. The update provided with MS03-040 reduces the risk, if it was installed.

For MS03-049, blocking inbound UDP ports 138, 139, 445 and TCP ports 138, 139, and 445 at the firewall will prevent an outsider from sending messages to the Workstation. This is the default setting in the Windows XP Internet Connection Firewall (ICF) as well as many other firewalls.

Fix
For MS03-048, download the appropriate update, which will disable the window.showHelp() control unless the updated HTML Help control from Knowledge Base article 811630 is installed. This is true of all IE cumulative updates released this year. Also, a workaround that mitigates these threats is detailed in the bulletin. This works by requiring IE to prompt before running ActiveX controls, an action that can make many sites very difficult to use. You can also restrict the Web sites that can be visited to trusted sites only.

For MS03-049, install the provided updates. As a workaround, you can disable the Workstation service. Where practical, this will block the attack vector completely. However, disabling the Workstation service will prevent access to network printers and any shared files, along with other commonly used features.

See Microsoft Knowledge Base Article 309798, “Configure TCP/IP Filtering in Windows 2000,” for an additional method of controlling inbound access to a system.

Also watch out for…
  • Bugzilla itself apparently has some bugs that can allow unauthorized data access and privilege execution. You should update to version 2.16.4 or later to prevent users from running arbitrary SQL code at certain times.
  • "Weakness in Passphrase Choice in WPA Interface," a paper by ICSA (TruSecure) researcher Robert Moskowitz, raises some questions about WPA, the new wireless security standard that is designed to replace the Wired Equivalency Protocol (WEP). In particular, this paper criticizes the way preshared keys are implemented in some applications; the weakness isn’t so much in the way the standard could be implemented, but in the minimum configurations that are relatively weak.
  • The November issue of InfoSecurity Magazine has an interesting article warning about an increasing level of combo malware threats that simultaneously attack systems at the application level and the operating system level. An example would be the Blaster and SoBig worms, which attempted to plant back doors in systems.
  • Securityfocus.com has a report (Bugtraq ID # 8231) about a “CGI.pm Start_Form Cross-Site Scripting Vulnerability” that was originally published in July but which has recently been updated. This affects Debian, Mandrake, Red Hat, SCO, Sun, and other Linux packages. Major vendors have released fixes. CGI versions after CGI.pm 2.94 are not affected.



Editor's Picks