Microsoft has released a Security Bulletin that has
important consequences for the latest versions of Windows—Windows XP and
Windows Server 2003. Administrators should also take note of changes to some
older Security Bulletins.

Details

Microsoft Security Bulletin MS04-015 details a vulnerability in the Help and Support Center
that can allow a remote attacker to run arbitrary code on an unpatched
computer. Some other changes that have been included in this Security
Bulletin’s patch may lead to problems. First, Microsoft has deleted a Windows
XP support feature that lets users update DVD drivers. More important, the
patch included in this Security Bulletin also alters the way the New Hardware
Wizard works. Microsoft reports that this will only generate an unnecessary
error message, but whether it has other effects remains to be seen.

Applicability

This flaw affects the following operating systems:

  • Windows
    XP (even with Service Pack 1 installed)
  • Windows
    XP 64-bit (even with SP1)
  • Windows
    XP 64-bit 2003
  • Windows
    Server 2003
  • Windows
    Server 2003 64-bit

Windows NT 4.0, Windows 2000, Windows 98, Windows 98 SE, and
Windows Me are not vulnerable to this threat.

Risk level—important to critical

I would rate this as a critical vulnerability (see the “Final
word” section for an explanation). Microsoft rates this only as “Important.”

Mitigating factors

The level of threat depends on the privilege level granted
to the account used to launch the attack. The Help and Support service has
experienced other problems in the past and, if the service was already
disabled, it will not be at risk. However, there is a caveat, and you should
read the information in the next section regarding this.

Fix—apply the patch

One workaround is to simply disable the Help and Support service.
But, if you’ve done so in the past, it’s important to read Microsoft Knowledge
Base Article 841996 before
installing this patch. Many administrators have disabled the Help and Support
service due to earlier problems. Apparently, if it is disabled, the patch won’t
install, although Windows Update and the Microsoft Baseline Security Analyzer
(MBSA) may report that it has been properly installed.

The problem, of course, lies in the possibility that someone
will later reenable the Help and Support service. If that happens, the service
will become vulnerable to this threat, and the administrator will have been led
to believe that the patch was installed.

Final word

At least this Microsoft Security Bulletin doesn’t contain the
20-plus vulnerabilities that last month’s did. However, I disagree with
Microsoft’s decision to rate this threat as merely “Important.” I don’t like
vulnerabilities that let remote attackers run arbitrary code and completely
take over systems, so I think this is more of a high or even critical threat.

Apparently, Microsoft rated this threat Important mostly
because the level of possible damage depends on the level of privileges set for
the account that is used to implement the attack. That’s all well and good if
people don’t have elevated privileges, but we all know that some applications
are so poorly written that they’ll run properly only for administrator accounts.
Also, in many organizations, it’s a routine (if seriously dangerous) practice
to freely give out accounts with administrative permissions. I’m not personally
vulnerable to this threat because I refuse to open e-mails in HTML—a simple
step that eliminates a surprising number of threats as well as greatly speeding
up e-mail handling.

Hidden in the Security Bulletin is a note reminding users
that MBSA version 1.1.1 and earlier are no longer being fully supported after
April 20, 2004, and those versions will not properly report the need for
updates in the future. If you rely on MBSA, you should immediately update to the latest version to ensure that you get the latest
update data. This isn’t a problem with the earlier versions, per se. Rather,
Microsoft has stopped updating the Mssecure.xml file to reflect new updates. In
any case, the latest version also covers a lot more products, and you should
probably be using it anyway.


Also watch for…

  • A new
    hole has been discovered in the already extremely vulnerable WiFi (802.11)
    specs. This one could allow someone with a WiFi-enabled PDA to deny access
    to a wireless network. The report
    came from AusCERT, which is similar to U.S.-based CERT except that,
    because of geography, it sees new threats about 12 hours earlier; and
    because of decent management and policies, it reports them about a month
    earlier. This WiFi issue is a trivial attack that can be carried out by
    even a very low-powered device. The only real mitigating factor is that it
    locks out access only to those devices and nodes within range of the
    attacker—the stronger the transmitter, the more widespread the outage. It
    doesn’t bring down the network itself. Since 802.11 uses the same
    frequencies that many security cameras and other wireless devices use, it
    isn’t exactly news that interference can cause wireless outages, but those
    are random problems caused by using a frequency band that was already
    crowded. This is the first vulnerability I know of that exists due to
    interference caused by simply using a PDA with a wireless card. Implementing
    this attack is simple, uses few resources, and won’t be mitigated by the
    proposed MAC layer security enhancements. I can see one upside to this
    vulnerability: When the lines are really long at a coffee shop or other fast-food
    outlet where they have public WiFi access, a simple DoS attack might clear
    people out for a few minutes, allowing you to buy your caffeine or high-fat
    fix.
  • There
    have been updates to some older Microsoft Security Bulletins. MS01-052 (“Invalid RDP Data Can Cause Terminal Service
    Failure”) has been revised to version 3.0 to reflect the availability of
    an update for Windows NT Terminal Server 4.0. Last month’s MS04-014 (“Vulnerability in the Microsoft Jet Database
    Engine Could Allow Code Execution”) has also been revised to correct
    errors in the initial release.
  • Symantec
    personal firewalls have a hidden vulnerability that can allow an attacker
    to run arbitrary code. According to the Open Source Vulnerability Database
    report,
    there are no workarounds known, so you must update with the Symantec patch
    to eliminate this DNS KERNEL buffer overrun threat. Symantec reports that a number of other vulnerabilities involving
    remote access and DoS events have been reported by the eEye security firm.
    Patches are available via the Symantec LiveUpdate service.
  • According
    to Secunia,
    the Opera browser has an address-spoofing vulnerability. The fix is to
    obtain the latest Opera version.
  • There
    is a hole in Outpost Firewall version 2.x that can lead to a DoS event.
    This report can also be seen at Secunia, but I
    wasn’t able to confirm it with the vendor.
  • A
    number of holes have been fixed in Apache by way of patches for Slackware Linux 8.x and 9.x.
  • The
    Sasser, Netsky, and Phatbot creators have all apparently been captured in
    Germany. There hasn’t been much coverage of this in U.S. news outlets yet,
    but you can find details in this CNET News.com report,
    and there will probably be more stories posted by the time you read this.
    At 18, the confessed Sasser creator is too young to get any jail time, but
    others picked up by the German police are old enough to be locked away for
    a few years. If the cops had simply waited a day or two, the Sasser creator might well have committed some other
    offense, such as releasing a new Sasser version, and therefore may have been
    eligible for some real punishment (such as being forced to endlessly apply
    patches to Windows networks). Microsoft, or at least its reward offer, is
    reported to have played a big part in finding these vandals. With any luck,
    prosecutors will squeeze these guys until they give up any other crackers
    who worked with them—if German law includes the sort of Draconian
    conspiracy punishments that we have here.