Microsoft has patched a vulnerability
in the Web viewing component of Crystal Reports. This component is used in Visual
Studio .NET 2003, Outlook 2003 (when used with Business Contact Manager), and
Microsoft’s CRM solution.

Details

The source of the threat is a directory traversal
vulnerability, CAN-2004-0204.
This can result in a denial of service event or a confidential information
disclosure.

MBSA (Microsoft Baseline Security Analyzer) can’t detect
this problem, but the Systems Management Server (SMS) will report if the update
is needed.

According to Microsoft Security Bulletin MS04-017,
“Vulnerability in Crystal Reports Web Viewer Could Allow Information
Disclosure and Denial of Service,” the vulnerable component is the
CrystalDecisions.Web.dll file earlier than version 9.1.9800.9.

Patches are available, and there are several possible workarounds.

Applicability

This flaw affects:

  • Visual
    Studio .NET 2003 (only if IIS was installed at the time VS.NET 2003 was
    installed).
  • Outlook
    2003 with Business Contact Manager (only if installed at a time when IIS
    was already installed).
  • Microsoft
    Business Solutions CRM 1.2.

For the first two pieces of software, any authenticated or
anonymous user accessing Crystal Reports Web Viewer can attack using this
vulnerability. For CRM 1.2, only authenticated users are capable of launching
an attack because they are the only ones who can access the Web Viewer. The
threats that are dependent on an IIS installation are due to the different
default installation triggered by the presence of IIS.

Microsoft reports that no other versions of these programs
are affected by this vulnerability.

Risk level—moderate to high

Microsoft rates this as only a moderate threat, but it bases
its evaluation in part on how many people are using the affected products.
Since the threat in MS04-017 applies to products that don’t ship with every
Windows computer, the company rates the threat as only moderate.

However, when I determine threat levels, I normally look at
the potential damage to those who are using the vulnerable programs. After all,
if your systems can be easily compromised by a flaw, it is little consolation
if few others are vulnerable. Therefore, I rate the threat level of this
vulnerability as high because a successful attacker could view or modify
database files, probably without leaving a trace. The actual level of threat
would depend in great part on how critical the information stored in the
database is; however, a good firewall configuration would greatly reduce the
risk.

This isn’t one of those really big threats, but it can cause
a lot of problems and requires your attention if you are managing the affected
products.

Mitigating factors

  1. Only
    systems with Internet Information Services (IIS) installed are vulnerable.
  2. Good
    firewall security practices should block this attack.
  3. Microsoft
    reports, “The attack is only effective against files where the IIS
    worker process that is hosting the CrystalDecisions.Web.dll file has
    delete permissions.” Whether this means that the exploit couldn’t
    also be used to view unauthorized files wasn’t made clear in the bulletin.
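
Because the flaw is a directory traversal against a Web viewer hosted by IIS, one thing a defender can do while patches roll out is scan the IIS W3C logs for traversal sequences aimed at the viewer. The following is an added example (not code from the article or from Microsoft) that normalises single- and double-URL-encoded requests before matching; the viewer path, the "file" parameter, and the log lines are all constructed assumptions, since the bulletin summary above gives none of them.

```python
import re
from urllib.parse import parse_qsl, unquote

# Assumption: the bulletin summary does not give the viewer's URL or its
# parameter names, so this path and the "file" parameter are placeholders.
VIEWER_PATH = "/crystalreportviewers/"
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")  # a ".." segment bounded by slashes or ends

def normalise(value, max_rounds=3):
    """URL-decode until stable so %2e%2e%2f and double-encoded %252e%252e%252f
    both collapse to '../', then fold backslashes into forward slashes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def has_traversal(value):
    return TRAVERSAL.search(normalise(value)) is not None

def parse_line(line):
    """W3C fields assumed: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    parts = line.split()
    if len(parts) != 7:
        return None
    return {"ip": parts[2], "stem": parts[4], "query": parts[5], "status": int(parts[6])}

def find_traversal_requests(log_text, viewer_path=VIEWER_PATH):
    """Return records for viewer requests whose path or any query value traverses."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or line.startswith("#"):
            continue
        if not rec["stem"].lower().startswith(viewer_path):
            continue
        values = [rec["stem"]] + [v for _, v in parse_qsl(rec["query"], keep_blank_values=True)]
        if any(has_traversal(v) for v in values):
            hits.append(rec)
    return hits

# Constructed sample log lines (not from the article); "-" means an empty query.
SAMPLE_LOG = """\
2004-06-08 10:01:12 10.0.0.5 GET /CrystalReportViewers/viewer.aspx file=report.rpt 200
2004-06-08 10:01:40 10.0.0.9 GET /CrystalReportViewers/viewer.aspx file=../../other.rpt 200
2004-06-08 10:02:03 10.0.0.9 GET /CrystalReportViewers/viewer.aspx file=..%2F..%2Fother.rpt 200
2004-06-08 10:02:30 10.0.0.9 GET /CrystalReportViewers/viewer.aspx file=..%252F..%252Fother.rpt 200
2004-06-08 10:03:00 10.0.0.7 GET /images/logo.gif - 200
"""
```

Running `find_traversal_requests(SAMPLE_LOG)` flags the three requests from 10.0.0.9 and ignores the benign viewer request and the image fetch.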

Fix—apply the provided patch

One workaround is that since this only affects systems with
IIS installed, disabling IIS would block any attack through this vector.
According to Microsoft, executing the net stop w3svc command is actually
all that is required to disable IIS. This would, of course, terminate Web
content access. See the Security Bulletin for additional workarounds, as
well as patches for the affected products.

Final word

As usual, I will make every attempt to discover and post any
important changes in the discussion section of this article during the week
that it is published, but you should always check the current versions of the
Microsoft Security Bulletins for more details and also to make certain that
there have been no important updates to the information presented here.


Also watch for…

  • MS04-016,
    “Vulnerability in DirectPlay Could Allow Denial of Service,” is
    a moderate threat causing a denial of service event that affects networked
    DirectPlay game applications running on almost any Microsoft platform,
    with the exception of Windows NT 4.0.
  • A recently
    published Computer
    Security Institute/FBI statistical study
    (free, registration required)
    of 2003 IT security events shows 75 percent of surveyed firms suffering
    financial losses, but less than half were able to determine the size of
    the loss. Most losses were of proprietary information. Internet-based
    attacks were up, but insider attempts to breach security still accounted
    for a large percentage of security events.
  • The
    Korgo family of worms attacks the LSASS vulnerability in Microsoft Windows
    2000 and XP systems that haven’t applied the patch provided in Microsoft
    Security Bulletin MS04-011. Judging by the number of reported
    infections, that includes a lot of systems. Symantec reports
    that some versions of Korgo plant backdoors opening TCP port 113,
    3067, and other randomly selected ports.
  • A vulnerability in a number of IBM products lets local
    users hijack a session and gain access to applications or data. Affected
    are IBM Tivoli Access Manager for e-business 3.x, 4.x, and 5.x; Tivoli
    Configuration Manager 4.x; Tivoli Configuration Manager for Automatic
    Teller Machines 2.x; and Tivoli SecureWay Policy Director 3.x. The IBM
    advisory
    gives details and provides patches.
  • Symantec
    CEO John Thompson sees Microsoft as a “target-rich” environment
    for virus writers for years to come, downplaying wireless threats. He also
    said he isn’t worried about Microsoft’s entry into the antivirus market,
    stating the Redmond
    giant has too many irons in the fire to be taken seriously as an antivirus
    company. Thompson also says that Microsoft code isn’t inherently less
    secure than that of Linux or UNIX, explaining the number of Microsoft attacks by
    comparing virus writers to graffiti artists and an OS to their “canvas.”
    Thompson said, “If somebody writes graffiti, they’re not going to
    write it on a wall at the end of a dead-end alley. They’re going to write
    it on a train that travels right through the city center.” He went on
    to predict in a speech
    in England
    that Microsoft Office would likely be the next big target.
  • Secunia reports that fully
    qualified domain names (FQDN) exactly eight characters long can be used to
    access Windows 2000-based servers with expired passwords. See Knowledge
    Base Article 830847 for more information and a link to the hotfix.
  • SpamGUARD
    is reported by the vendor to have various critical vulnerabilities that
    can permit an attacker to run arbitrary code on systems running SpamGUARD
    versions dated prior to March 16, 2004. Check with the vendor.
  • AppleFileServer
    versions prior to Mac OS X 10.3.4 have an unspecified SSH
    reporting error. A fix is available by upgrading to 10.3.4. Other Mac
    OS X vulnerabilities verified by Apple include:
    —An unspecified flaw in package installation
    —An unspecified flaw in LoginWindow
    —An unspecified flaw in NFS
    Since Apple hasn’t disclosed any information about the underlying threats
    or their potential impact, it’s impossible to estimate the level of threat
    posed by these vulnerabilities.
  • GreyMagic
    has reported a flaw
    in Opera 7.x
    versions that lets a shortcut icon (favicon) conceal
    address spoofing attempts in various browser displays. The fix is to
    update to the latest version of Opera.
  • MIT’s
    Kerberos V5 authentication protocol has a buffer
    overflow vulnerability in releases prior to 1.3.3 that can allow remote
    users to run arbitrary code on the affected systems. The advisory
    has more information and instructions for disabling the vulnerable library
    function until version 1.3.4 is released to fix the threat.
  • There
    is a BugTraq
    report of a CVS server vulnerability in NetBSD
    versions prior to May 21, 2004. Affected are NetBSD 1.6.2, 1.6.1, and
    1.6. NetBSD 1.5.x isn’t affected because it doesn’t ship with CVS.
  • If you’re
    feeling a bit harried lately, there’s good reason: Sophos has compiled a
    list and says there were 959 new viruses released in May 2004.