Microsoft unveils a flurry of critical security alerts for Windows

Get the details on Microsoft Security Bulletins MS04-029 through MS04-038 and learn what you need to do to protect your Windows systems.

On October 12, 2004, Microsoft released a flurry of critical security alerts (Microsoft Security Bulletins MS04-032 through MS04-038) along with some less important threat bulletins (MS04-029 through MS04-031). Most of the security alerts affect Windows systems, but Macintosh computers are also vulnerable to some of the threats.

Details

MS04-032 "Security Update for Microsoft Windows" addresses the following flaws:

  • CAN-2004-0207, Windows management vulnerability, is an elevation of privilege threat.
  • CAN-2004-0208, virtual DOS machine vulnerability, is an elevation of privilege threat.
  • CAN-2004-0209, graphics rendering engine vulnerability, is the most serious of this group, being a remote code execution threat.
  • CAN-2004-0211, Windows kernel vulnerability, is a denial of service threat.

MS04-033 "Vulnerability in Microsoft Excel Could Allow Remote Code Execution" addresses CAN-2004-0846, an Excel vulnerability that is a remote code execution threat. This can also affect Macintosh systems.

MS04-034 "Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution" addresses CAN-2004-0575, which is a newly discovered vulnerability and hasn't been exploited yet.

MS04-035 "Vulnerability in SMTP Could Allow Remote Code Execution" addresses CAN-2004-0840.

MS04-036 "Vulnerability in NNTP (Network News Transfer Protocol) Could Allow Remote Code Execution" addresses CAN-2004-0574, a new, privately reported remote code execution vulnerability that hasn't yet been exploited in the wild.

MS04-037 "Vulnerability in Windows Shell Could Allow Remote Code Execution" addresses the following flaws:

  • CAN-2004-0214, shell vulnerability, is a remote code execution threat.
  • CAN-2004-0572, program group converter vulnerability, is a remote code execution threat.

MS04-038 "Cumulative Security Update for Internet Explorer" addresses the following flaws:

  • CAN-2004-0842, CSS heap corruption vulnerability, is a remote code execution threat.
  • CAN-2004-0727, name redirection cross-domain vulnerability, is a remote code execution threat.
  • CAN-2004-0216, install engine vulnerability, is a remote code execution threat.
  • CAN-2004-0839, drag-and-drop vulnerability, is a remote code execution threat.
  • CAN-2004-0844, address bar name spoofing, is an information disclosure threat.
  • CAN-2004-0843, plug-in navigation address bar name spoofing vulnerability, is also an information disclosure threat.
  • CAN-2004-0841, imaging tag file script vulnerability, is a remote code execution threat.
  • CAN-2004-0845, SSL-caching vulnerability, is an information disclosure threat.

Applicability

MS04-032

The elevation of privilege threats affect NT 4.0, Windows 2000, XP, and Windows Server 2003. XP with SP2 isn't vulnerable to the virtual DOS threat.

The graphics rendering vulnerability affects Windows 2000, XP, and Windows Server 2003. XP with SP2 isn't vulnerable to the graphics rendering threat.

The Windows kernel vulnerability only affects Windows Server 2003.

MS04-033

This affects Office 2000 SP3 and Excel 2000, Office XP SP2 and Excel 2002, Office 2001 for Macintosh and Excel 2001 for Macintosh, and Office v.X for Macintosh and Excel v.X for Macintosh. Office XP SP3 is not vulnerable. Office 2003 and Office 2003 SP1 are not vulnerable; neither is Excel 2004 for Macintosh.

MS04-034

Windows XP and Windows Server 2003 are the only systems vulnerable to this threat.

MS04-035

This affects Windows XP (64-bit edition), Windows Server 2003 (64-bit edition), Windows Server 2003, and Exchange Server 2003.

MS04-036

This affects Exchange Server 2000 and 2003, NT Server 4.0, Windows 2000 Server and Windows Server 2003.

MS04-037

CAN-2004-0214 affects Windows 98, 98 SE, Me, NT 4.0, Windows 2000, and XP and XP SP1.

CAN-2004-0572 affects Windows 98, 98 SE, Me, NT 4.0, Windows 2000, XP and XP SP1, and Windows Server 2003.

MS04-038

CAN-2004-0842 affects IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

CAN-2004-0727 affects IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

CAN-2004-0216 affects IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

CAN-2004-0839 affects IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, IE 6 WS 2003, and IE 6 SP2.

CAN-2004-0844 affects IE 6 SP1 and IE 6 WS 2003.

CAN-2004-0843 affects IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

CAN-2004-0841 affects IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

CAN-2004-0845 affects IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

Risk level–Critical (overall for each of these bulletins)

MS04-032

For the four vulnerabilities, the overall threat level is critical. The graphics rendering vulnerability is rated critical for Windows 2000, XP, and Windows Server 2003.

MS04-033

This is a critical threat for Office 2000 SP3 and Excel 2000, as well as Office XP SP2 and Excel 2002. The threat is rated important for Office 2001 for Macintosh and Excel 2001 for Macintosh, and for Office v.X for Macintosh and Excel v.X for Macintosh.

MS04-034

This is a critical remote code execution vulnerability for both XP and Windows Server 2003.

MS04-035

This is an important threat for Windows XP (64-bit edition), Windows Server 2003 (64-bit edition), and Windows Server 2003. For Exchange Server 2003 this is a critical threat.

MS04-036

This is a critical threat for Exchange Server 2000 and an important threat for Exchange Server 2003, NT Server 4.0, Windows 2000 Server, and Windows Server 2003.

MS04-037

CAN-2004-0214 is a critical threat for NT 4.0, Windows 2000, and XP and XP SP1. It is a noncritical threat for Windows 98, 98 SE, and Me.

CAN-2004-0572 is an important threat for Windows 98, 98 SE, Me, NT 4.0, Windows 2000, XP and XP SP1, and Windows Server 2003.

MS04-038

CAN-2004-0842 is a critical threat for IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, and IE 6 SP1. It is a moderate threat for IE 6 WS 2003.

CAN-2004-0727 is a critical threat for IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, and IE 6 SP1. It is a moderate threat for IE 6 WS 2003.

CAN-2004-0216 is a critical threat for IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, and IE 6 SP1. It is a moderate threat for IE 6 WS 2003.

CAN-2004-0839 is an important threat for IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 SP2. It is a moderate threat for IE 6 WS 2003.

CAN-2004-0844 is an important threat for IE 6 SP1 and IE 6 WS 2003.

CAN-2004-0843 is an important threat for IE 5.01 SP4, IE 5.5 SP2, IE 6, and IE 6 SP1. It is a moderate threat for IE 6 WS 2003.

CAN-2004-0841 is an important threat for IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, and IE 6 SP1. It is a moderate threat for IE 6 WS 2003.

CAN-2004-0845 is a moderate threat for IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

Mitigating factors

MS04-035

For most versions the SMTP engine is not installed by default.

MS04-036

NT Server 4.0, Windows 2000 Server, and Windows Server 2003 do not install the affected component by default.

Fix

See the specific security bulletins for details on patches.

Final word

At first glance this slew of new security notices looks really bad for Microsoft, but careful reading shows that most of the threats are relatively low level and many are fixes for vulnerabilities that were unknown outside Microsoft and a single reporting agent. In other words, the flaws existed but there was no significant threat because they were not being exploited.


Also watch for…

  • MS04-029 "Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service" (CAN-2004-0569) is rated important for NT 4.0, but it doesn't apply to later Microsoft operating systems.
  • MS04-030 "Vulnerability in WebDAV XML Message Handler Could Lead to a Denial of Service" (CAN-2004-0718) is rated important for Windows 2000, but only a moderate threat for XP and Windows Server 2003.
  • MS04-031 "Vulnerability in NetDDE Could Allow Remote Code Execution" (CAN-2004-0206) affects all modern versions of Windows. For Windows 98, 98SE, and Me, this is rated as not critical. For NT 4.0, Windows 2000, and XP it is rated important, but it is a moderate threat for Windows Server 2003.
