Microsoft has patched a vulnerability
in the Web viewing component of Crystal Reports. This component is used in Visual
Studio .NET 2003, Outlook 2003 (when used with Business Contact Manager), and
Microsoft’s CRM solution.
The source of the threat is a directory traversal
This can result in a denial of service event or a confidential information
MBSA (Microsoft Baseline Security Analyzer) can’t detect
this problem, but the Systems Management Server (SMS) will report if the update
According to Microsoft Security Bulletin MS04-017,
“Vulnerability in Crystal Reports Web Viewer Could Allow Information
Disclosure and Denial of Service,” the vulnerable component is the
CrystalDecisions.Web.dll file earlier than version 9.1.9800.9.
Patches are available, and there are several possible workarounds.
This flaw affects:
- Visual Studio .NET 2003 (only if IIS was installed at the time VS.NET 2003 was
- Outlook 2003 with Business Contact Manager (only if installed at a time when IIS
was already installed).
- Microsoft Business Solutions CRM 1.2.
For the first two pieces of software, any authenticated or
anonymous user accessing Crystal Reports Web Viewer can attack using this
vulnerability. For CRM 1.2, only authenticated users are capable of launching
an attack because they are the only ones who can access the Web Viewer. The
threats that are dependent on an IIS installation are due to the different
default installation triggered by the presence of IIS.
Microsoft reports that no other versions of these programs
are affected by this vulnerability.
Risk level—moderate to high
Microsoft rates this as only a moderate threat, but it bases
its evaluation in part on how many people are using the affected products.
Since the threat in MS04-017 applies to products that don’t ship with every
Windows computer, the company rates the threat as only moderate.
However, when I determine threat levels, I normally look at
the potential damage to those who are using the vulnerable programs. After all,
if your systems can be easily compromised by a flaw, it is little consolation
if few others are vulnerable. Therefore, I rate the threat level of this
vulnerability as high because a successful attacker could view or modify
database files, probably without leaving a trace. The actual level of threat
would depend in great part on how critical the information stored in the
database is; however, a good firewall configuration would greatly reduce the
This isn’t one of those really big threats, but it can cause
a lot of problems and requires your attention if you are managing the affected
systems with Internet Information Services (IIS) installed are vulnerable.
firewall security practices should block this attack.
Microsoft reports, “The attack is only effective against files where the IIS
worker process that is hosting the CrystalDecisions.Web.dll file has
delete permissions.” Whether this means that the exploit couldn’t
also be used to view unauthorized files wasn’t made clear in the bulletin.
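As an added example (not code from the article or from Microsoft), here are two defender-side checks in Python that follow from the bulletin details above: comparing a reported CrystalDecisions.Web.dll file version against the 9.1.9800.9 threshold, since MBSA does not flag this issue, and scanning IIS W3C log lines for directory-traversal sequences aimed at a viewer page. The viewer path /CrystalWebViewer/viewer.aspx, the log lines and the client addresses are constructed placeholders, not the product's real URL or real traffic.

```python
import re
from urllib.parse import unquote

# MS04-017: CrystalDecisions.Web.dll earlier than this file version is vulnerable.
FIXED_VERSION = "9.1.9800.9"

def parse_version(ver):
    """Turn a dotted file-version string such as '9.1.9800.9' into a tuple of ints."""
    return tuple(int(part) for part in ver.strip().split("."))

def is_vulnerable_version(ver):
    """True when the reported DLL version is older than the version fixed in MS04-017."""
    return parse_version(ver) < parse_version(FIXED_VERSION)

# Matches '../' or '..\' after percent-decoding; deliberately conservative, so it may
# also flag harmless oddities, which is acceptable for triage.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")

def has_traversal(value):
    """Decode twice so double-encoded sequences (%252e) are caught, then look for traversal."""
    return bool(TRAVERSAL_RE.search(unquote(unquote(value))))

def find_traversal_requests(log_text):
    """Scan IIS W3C extended log text; return (client ip, uri stem, decoded query) per hit."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # IIS declares the column order here
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        stem, query = row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-")
        query = "" if query == "-" else query  # IIS writes '-' for an empty field
        if has_traversal(stem) or has_traversal(query):
            hits.append((row.get("c-ip", "?"), stem, unquote(unquote(query))))
    return hits

# Constructed sample log: the viewer path is a placeholder, not the product's real
# viewer URL, and the client addresses come from the TEST-NET documentation range.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-06-09 10:15:01 192.0.2.10 GET /CrystalWebViewer/viewer.aspx report=sales.rpt 200
2004-06-09 10:15:07 192.0.2.77 GET /CrystalWebViewer/viewer.aspx file=..%2F..%2Fweb.config 200
2004-06-09 10:15:09 192.0.2.77 GET /CrystalWebViewer/viewer.aspx file=%252e%252e%5cboot.ini 200
2004-06-09 10:16:00 192.0.2.10 GET /default.aspx - 200
"""

if __name__ == "__main__":
    print("DLL 9.1.9800.8 vulnerable:", is_vulnerable_version("9.1.9800.8"))
    for ip, stem, query in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {stem}?{query}")
```

Run against a real IIS log by reading the file into find_traversal_requests; the version check expects the file version shown in the DLL's properties dialog.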
Fix—apply the provided patch
One workaround is that since this only affects systems with
IIS installed, disabling IIS would block any attack through this vector.
According to Microsoft, executing the net
stop w3svc command is actually all that is required to disable IIS. This
would, of course, terminate Web content access. See the Security
Bulletin for additional workarounds, as well as patches for the affected
As usual, I will make every attempt to discover and post any
important changes in the discussion section of this article during the week
that it is published, but you should always check the current versions of the
Microsoft Security Bulletins for more details and also to make certain that
there have been no important updates to the information presented here.
Also watch for…
“Vulnerability in DirectPlay Could Allow Denial of Service,” is
a moderate threat causing a denial of service event that affects networked
DirectPlay game applications running on almost any Microsoft platform,
with the exception of Windows NT 4.0.
- A recently
Security Institute/FBI statistical study (free, registration required)
of 2003 IT security events shows 75 percent of surveyed firms suffering
financial losses, but less than half were able to determine the size of
the loss. Most losses were of proprietary information. Internet-based
attacks were up, but insider attempts to breach security still accounted
for a large percentage of security events.
- The Korgo family of worms attacks the LSASS vulnerability in Microsoft Windows
2000 and XP systems that haven’t applied the patch provided in Microsoft
Security Bulletin MS04-011. Judging by the number of reported
infections, that includes a lot of systems. Symantec
reports that some versions of Korgo plant backdoors opening TCP port 113,
3067, and other randomly selected ports.
- A vulnerability in a number of IBM products lets local
users hijack a session and gain access to applications or data. Affected
are IBM Tivoli Access Manager for e-business 3.x, 4.x, and 5.x; Tivoli
Configuration Manager 4.x; Tivoli Configuration Manager for Automatic
Teller Machines 2.x; and Tivoli SecureWay Policy Director 3.x. The IBM
advisory gives details and provides patches.
CEO John Thompson sees Microsoft as a “target-rich” environment
for virus writers for years to come, downplaying wireless threats. He also
said he isn’t worried about Microsoft’s entry into the antivirus market,
giant has too many irons in the fire to be taken seriously as an antivirus
company. Thompson also says that Microsoft code isn’t inherently less
secure than that of Linux or UNIX, explaining the number of Microsoft attacks by
comparing virus writers to graffiti artists and an OS to their “canvas.”
Thompson said, “If somebody writes graffiti, they’re not going to
write it on a wall at the end of a dead-end alley. They’re going to write
it on a train that travels right through the city center.” He went on
to predict in a speech
that Microsoft Office would likely be the next big target.
- Secunia reports that fully
qualified domain names (FQDN) exactly eight characters long can be used to
access Windows 2000-based servers with expired passwords. See the Knowledge
Base Article 830847 for more information and a link to the hotfix.
is reported by the vendor to have various critical vulnerabilities that
can permit an attacker to run arbitrary code on systems running SpamGUARD
versions dated prior to March 16, 2004. Check with the vendor.
versions prior to Mac OS X 10.3.4 have an unspecified SSH
reporting error. A fix is available by upgrading to 10.3.4. Other Mac
OS X vulnerabilities verified by Apple include:
—An unspecified flaw in package installation
—An unspecified flaw in LoginWindow
—An unspecified flaw in NFS
Since Apple hasn’t disclosed any information about the underlying threats
or their potential impact, it’s impossible to estimate the level of threat
posed by these vulnerabilities.
has reported a flaw
in Opera 7.x versions that lets a shortcut icon (favicon) conceal
address spoofing attempts in various browser displays. The fix is to
update to the latest version of Opera.
- The Kerberos V5 authentication protocol has a buffer
overflow vulnerability in releases prior to 1.3.3 that can allow remote
users to run arbitrary code on the affected systems. The advisory
has more information and instructions for disabling the vulnerable library
function until version 1.3.4 is released to fix the threat.
is a BugTraq
report of a CVS server vulnerability in NetBSD
versions prior to May 21, 2004. Affected are NetBSD 1.6.2, 1.6.1, and
1.6. NetBSD 1.5.x isn’t affected because it doesn’t ship with CVS.
- If you’re
feeling a bit harried lately, there’s good reason: Sophos has compiled a
list and says there were 959 new viruses released in May 2004.