Microsoft has released five new Security Bulletins for December 2004, and all of them are rated Important, not Critical. Several of them apply to Windows XP Service Pack 2.
MS04-041 Vulnerability in WordPad Could Allow Code Execution (885836) patches a table conversion vulnerability (CAN-2004-0571) and a font conversion vulnerability (CAN-2004-0901), both due to an unchecked buffer. These threats are in the conversion utility that lets WordPad open Word documents. Since this isn't a macro threat, saving documents in .rtf format doesn't prevent the attack, but it only relates to documents created in Word 6. The WordPad converter is included in most Windows operating systems but is not the default handler for these files in most of them (and is never used if you have a properly configured system with Word installed).
MS04-042 Vulnerability in DHCP Could Allow Remote Code Execution and Denial Of Service (885249) covers a logging vulnerability (CAN-2004-0899) and a DHCP request vulnerability (CAN-2004-0900); both are due to unchecked buffers.
MS04-043 Vulnerability in HyperTerminal Could Allow Code Execution (873339) is also due to an unchecked buffer (CAN-2004-0568).
MS04-044 Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835) involves a Windows Kernel Vulnerability (CAN-2004-0893) that relates to the way applications are launched, and also includes a Local Security Authentication Server Vulnerability (CAN-2004-0894) with a token validation problem.
MS04-045 Vulnerability in WINS (Windows Internet Naming Service) Could Allow Remote Code Execution (870736) involves a Name Validation Vulnerability (CAN-2004-0567) and an Association Context Vulnerability (CAN-2004-1080); the latter is another buffer overrun threat.
Please note that the operating systems and versions listed below are only those that are known to be vulnerable and are still supported. For example, Windows XP is vulnerable but not always listed because only XP SP1 and XP SP2 are supported.
MS04-041 – This affects Windows 98, Me, NT 4.0, 2000, XP SP1, XP SP2, and Server 2003.
MS04-042 – This only affects Windows NT Server 4.0 and NT Server 4.0 Terminal Server Edition.
MS04-043 – This affects Windows NT 4.0, 2000, XP, and Server 2003.
MS04-044 – This affects Windows NT 4.0, 2000, XP SP1, XP SP2, and Server 2003.
MS04-045 – This affects Windows NT 4.0, Windows 2000 Server, and Windows Server 2003.
For each of these Security Bulletins, Microsoft Baseline Security Analyzer and Systems Management Server can detect whether the update is required.
Risk level – Moderate to Important (Microsoft ratings)
Microsoft gives these relatively low risk ratings because the company balances the chance of being successfully attacked against the potential damage. I feel they are more severe threats. Since some can allow remote code execution, I rate those as serious to extreme threats, because although the chances you are vulnerable are low, if you are attacked the results can be devastating.
MS04-041 (remote code execution)
- Windows 98 and Me – not critical
- Windows NT 4.0, 2000, and XP SP1 – important
- Windows XP SP2 and Server 2003 – moderate
These threats are newly discovered and haven't been exploited yet.
MS04-042 (denial of service and remote code execution)
Windows NT 4.0 – moderate (logging vulnerability) and important (DHCP vulnerability)
These threats are newly discovered and haven’t been exploited yet.
MS04-043 (remote code execution)
- Windows NT 4.0, 2000, and XP – important
- Windows Server 2003 – moderate
This is a newly discovered threat and exploits haven’t been seen yet.
MS04-044 (remote code execution)
Windows NT 4.0, 2000, XP SP1, XP SP2, and Windows Server 2003 – important
For some versions or some threats there is only moderate or no threat, but the same patch also fixes an important threat in each listed system so that doesn’t affect the decision to patch or not patch. This is a newly discovered threat and exploits haven’t been seen yet.
MS04-045 (remote code execution)
Windows NT 4.0, Windows 2000 Server, and Windows Server 2003 – important
Some exploits have been seen for one of these vulnerabilities.
MS04-041 – The Word 6 converter is disabled by default in Windows XP SP2 and Windows Server 2003. For any application this can only be exploited if you open a malicious document. The main threat is to those using WordPad to open .wri, .rtf, or .doc files (and possibly other extensions); on a system with Word installed these files open in Word, not WordPad.
MS04-042 – The vulnerable DHCP Server service is not installed by default, and the DHCP Client service is not vulnerable.
MS04-043 – HyperTerminal is not installed by default on Windows Server 2003 and is not set as the default Telnet client on Windows XP or NT 4.0 Server. The only threat comes from .ht session files, which should not be opened if they arrive as e-mail attachments.
MS04-044 – For the Windows Kernel Vulnerability (CAN-2004-0893), valid logon credentials are required to exploit the vulnerability, and XP SP2 and Windows Server 2003 systems would probably crash if attacked. For the LSASS Vulnerability (CAN-2004-0894), valid logon credentials are required and NT 4.0 Server is not vulnerable.
MS04-045 – WINS is not installed by default except on Microsoft Small Business Server 2000 and SBS 2003, and on vulnerable systems an attack would probably trigger a crash.
Fix – Apply patch, some workarounds are available
MS04-041 – The patch fixes the buffer problem and also disables the Word for Windows 6.0 Converter. Detailed workarounds are provided in the Microsoft Security Bulletin.
MS04-042 – The patch fixes both buffer faults. Several workarounds are described in the Microsoft Security Bulletin.
MS04-043 – The patch fixes the buffer overrun threat. As a workaround, simply remove the HyperTerminal application from the system or block .ht (HyperTerminal) session files in e-mail. To do this in Outlook and Outlook Express, see Microsoft Knowledge Base Article 837388 and Microsoft Knowledge Base Article 291387.
MS04-044 – Use the patch. No workarounds are available for the Windows Kernel Vulnerability (CAN-2004-0893) or the LSASS Vulnerability (CAN-2004-0894).
MS04-045 – Use the patch. As a workaround, remove WINS if it is not used (this is mostly a legacy threat) and block TCP 42 and UDP 42 in your firewall. This can cause some network problems, so the patch is preferable.
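The mitigating factors and workarounds above boil down to a handful of "is this even exposed here" checks. The PowerShell below is an added example, not from the article or from Microsoft: it reports whether the DHCP Server and WINS services, HyperTerminal, and the .ht/.doc file associations are present, and offers the TCP/UDP 42 block for WINS. The service names, the hypertrm.exe path, and the New-NetFirewallRule cmdlet (NetSecurity module, Windows 8 / Server 2012 and later) are assumptions about a standard Windows install.

```powershell
# Added example (not from the original article): quick exposure triage for the
# December 2004 bulletins, based only on the mitigating factors and workarounds
# listed above. Service and file names are assumptions; verify on your builds.

function Get-Dec2004Exposure {
    # MS04-042: DHCP Server service (not installed by default)
    $dhcp = Get-Service -Name 'DHCPServer' -ErrorAction SilentlyContinue
    # MS04-045: WINS service (not installed by default outside SBS)
    $wins = Get-Service -Name 'WINS' -ErrorAction SilentlyContinue
    # MS04-043: HyperTerminal binary (assumed path) and the .ht session-file association
    $htExe   = Test-Path (Join-Path $env:ProgramFiles 'Windows NT\hypertrm.exe')
    $htAssoc = Test-Path 'Registry::HKEY_CLASSES_ROOT\.ht'
    # MS04-041: which ProgID handles .doc? Word is safe; a WordPad handler reaches the converter.
    $docHandler = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.doc' `
                   -ErrorAction SilentlyContinue).'(default)'

    [pscustomobject]@{
        DhcpServerInstalled  = [bool]$dhcp
        DhcpServerRunning    = [bool]($dhcp -and $dhcp.Status -eq 'Running')
        WinsInstalled        = [bool]$wins
        WinsRunning          = [bool]($wins -and $wins.Status -eq 'Running')
        HyperTerminalPresent = $htExe
        HtFilesAssociated    = $htAssoc
        DocFileHandler       = $docHandler
    }
}

function Block-WinsPorts {
    # MS04-045 workaround from the article: block inbound TCP 42 and UDP 42.
    # Only do this where WINS is genuinely unused; the article notes it can break name resolution.
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "Block WINS $proto 42 (MS04-045 workaround)" `
            -Direction Inbound -Protocol $proto -LocalPort 42 -Action Block | Out-Null
    }
}

$exposure = Get-Dec2004Exposure
$exposure | Format-List
if ($exposure.WinsRunning) {
    Write-Warning 'WINS is running: apply MS04-045, or run Block-WinsPorts if WINS is not needed.'
}
```

Run it from an elevated PowerShell session; Block-WinsPorts is deliberately not called automatically.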
For those who haven't looked in a while, Microsoft has changed the way it presents these bulletins by adding summaries on a single page (see the December 2004 summary page), which includes a color rating (shades of Homeland Security). This makes sense because the colors simply reflect the standard severity ratings.
The bulletins are also now linked to numbers that correspond to the related Knowledge Base Article, which explains the details of the problem addressed by the Security Bulletin or describes ways to work around any known problems caused by installing the patches.
I like the new system for average administrators who can quickly see which, if any, bulletins they need to look at, both based on the severity rating and the clear list of affected software.