Microsoft's December 2004 Security Bulletins affect wide range of software

See what administrators and security professionals need to know about Microsoft Security Bulletins MS04-041 through MS04-045.

Microsoft has released five new Security Bulletins for December 2004, and all of them are rated Important, not Critical. Several of them apply to Windows XP Service Pack 2.

Details

MS04-041 Vulnerability in WordPad Could Allow Code Execution (885836) patches a table conversion vulnerability (CAN-2004-0571) and a font conversion vulnerability (CAN-2004-0901), both due to an unchecked buffer. These threats are related to a conversion utility that lets WordPad open Word documents. Since this isn't a macro threat, saving documents in .rtf format doesn’t prevent the attack, but it only relates to documents created in Word 6. The WordPad converter is included in most Windows operating systems but doesn’t open by default in most of them (and never opens if you have a properly configured system with Word installed).

MS04-042 Vulnerability in DHCP Could Allow Remote Code Execution and Denial Of Service (885249) covers a logging vulnerability (CAN-2004-0899) and a DHCP request vulnerability (CAN-2004-0900); both are due to unchecked buffers.

MS04-043 Vulnerability in HyperTerminal Could Allow Code Execution (873339) is also due to an unchecked buffer (CAN-2004-0568).

MS04-044 Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835) involves a Windows Kernel Vulnerability (CAN-2004-0893) that relates to the way applications are launched, and also includes a Local Security Authentication Server Vulnerability (CAN-2004-0894) with a token validation problem.

MS04-045 Vulnerability in WINS (Windows Internet Naming Service) Could Allow Remote Code Execution (870736) involves a Name Validation Vulnerability (CAN-2004-0567) and an Association Context Vulnerability (CAN-2004-1080); the latter is another buffer overrun threat.

Applicability

Please note that the operating system and OS versions listed below are only those that are known to be vulnerable and are still supported. For example, Windows XP is vulnerable but not always listed because only XP SP1 and XP SP2 are supported.

MS04-041

This affects Windows 98, Me, NT 4.0, 2000, XP SP1, XP SP2, and Server 2003.

MS04-042

This only affects Windows NT Server 4.0 and NT Server 4.0 Terminal Server Edition. Microsoft Baseline Security Analyzer and Systems Management Server can detect whether the update is required.

MS04-043

This affects Windows NT 4.0, 2000, XP, and Server 2003. Microsoft Baseline Security Analyzer and Systems Management Server can detect whether the update is required.

MS04-044

This affects Windows NT 4.0, 2000, XP SP1, XP SP2, and Server 2003.

MS04-045

This affects Windows NT 4.0, Windows 2000 Server, and Windows Server 2003.

For each of these Security Bulletins, Microsoft Baseline Security Analyzer and Systems Management Server can detect whether the update is required.

Risk level – Moderate to Important (Microsoft ratings)


Microsoft gives these relatively low risk ratings because the company balances the chance of being successfully attacked against the potential damage. I feel they are more severe threats. Since some can allow remote code execution, I rate those as serious to extreme threats, because although the chances you are vulnerable are low, if you are attacked the results can be devastating.

MS04-041 (remote code execution)

  • Windows 98 and Me – not critical
  • Windows NT 4.0, 2000, and XP SP1 – important
  • Windows XP SP2 and Server 2003 – moderate

These threats are newly discovered and haven't been exploited yet.

MS04-042 (denial of service and remote code execution)

Windows NT 4.0 – moderate (logging vulnerability) and important (DHCP vulnerability)

These threats are newly discovered and haven’t been exploited yet.

MS04-043 (remote code execution)

  • Windows NT 4.0, 2000, and XP – important
  • Windows Server 2003 – moderate

This is a newly discovered threat and exploits haven’t been seen yet.

MS04-044 (remote code execution)

Windows NT 4.0, 2000, XP SP1, XP SP2, and Windows Server 2003 – important

For some versions or some threats there is only moderate or no threat, but the same patch also fixes an important threat in each listed system so that doesn’t affect the decision to patch or not patch. This is a newly discovered threat and exploits haven’t been seen yet.

MS04-045 (remote code execution)

Windows NT 4.0, Windows 2000 Server, and Windows Server 2003 – important

Some exploits have been seen for one of these vulnerabilities.

Mitigating factors


MS04-041

This is disabled by default in Windows XP SP2 and Windows Server 2003. For any application this can only be exploited if you open a malicious document. The main threat is to those using WordPad to open .wri, .rtf, or .doc files (and possibly other extensions), and these will automatically open in Word, not WordPad.

MS04-042

The vulnerable DHCP Server service is not installed by default and DHCP Client service is not vulnerable.

MS04-043

HyperTerminal is not installed by default on Windows Server 2003 and is not set as the default Telnet client on Windows XP or NT 4.0 Server. The only threat comes from .ht extension files, which should not be opened if they arrive as e-mail attachments.

MS04-044

For the Windows Kernel Vulnerability (CAN-2004-0893), valid logon credentials are required to exploit the vulnerability, and XP SP2 and Windows Server 2003 systems would probably crash if attacked. For the LSASS Vulnerability (CAN-2004-0894), valid logon credentials are required and NT 4.0 Server is not vulnerable.

MS04-045

WINS is not installed by default except on Microsoft Small Business Server 2000 and SBS 2003, and on vulnerable systems an attack would probably trigger a crash.

Fix – Apply patch, some workarounds are available


MS04-041

Patches fix the buffer problem and also disable the Word for Windows 6.0 Converter. There are some detailed workarounds provided in the Microsoft Security Bulletin.

MS04-042

Patches fix both buffer faults. There are several workarounds described in the Microsoft Security Bulletin.

MS04-043

Patches fix the buffer overrun threat. As a workaround simply remove the HyperTerminal application from the system or block .ht (HyperTerminal) session files in e-mail. To do this in Outlook and Outlook Express, see Microsoft Knowledge Base Article 837388 and Microsoft Knowledge Base Article 291387.

MS04-044

Use the patch. No workarounds are available for Windows Kernel Vulnerability (CAN-2004-0893) and LSASS Vulnerability (CAN-2004-0894).

MS04-045

Use the patch. As a workaround, remove WINS if not used (this is mostly a legacy threat) and block TCP 42 and UDP 42 in your firewall. This can cause some network problems, so the patch is preferable.

Final word

For those who haven't looked in a while, Microsoft has changed the way it presents these bulletins by adding summaries on a single page (here is the December 2004 page), which includes a color rating (shades of Homeland Security). This makes sense because the colors simply reflect the standard severity ratings.

The bulletins are also now linked to numbers that correspond to the related Knowledge Base Article, which explains the details of the problem addressed by the Security Bulletin or explains ways to work around any known problems caused by installing the patches.

I like the new system for average administrators who can quickly see which, if any, bulletins they need to look at, both based on the severity rating and the clear list of affected software.
