Microsoft has released a Security Bulletin that has
important consequences for the latest versions of Windows—Windows XP and
Windows Server 2003. Administrators should also take note of changes to some
older Security Bulletins.
Microsoft Security Bulletin MS04-015 details a vulnerability in the Help and Support Center
that can allow a remote attacker to run arbitrary code on an unpatched
computer. Some other changes that have been included in this Security
Bulletin’s patch may lead to problems. First, Microsoft has deleted a Windows
XP support feature that lets users update DVD drivers. More important, the
patch included in this Security Bulletin also alters the way the New Hardware
Wizard works. Microsoft reports that this will only generate an unnecessary
error message, but whether it has other effects remains to be seen.
This flaw affects the following operating systems:
- Windows XP (even with Service Pack 1 installed)
- Windows XP 64-bit (even with SP1)
- Windows XP 64-bit 2003
- Windows Server 2003 64-bit
Windows NT 4.0, Windows 2000, Windows 98, Windows 98 SE, and
Windows Me are not vulnerable to this threat.
Risk level—important to critical
I would rate this as a critical vulnerability (see the “Final
word” section for an explanation). Microsoft rates this only as “Important.”
The level of threat depends on the privilege level granted
to the account used to launch the attack. The Help and Support service has
experienced other problems in the past and, if the service was already
disabled, it will not be at risk. However, there is a caveat, and you should
read the information in the next section regarding this.
Fix—apply the patch
One workaround is to simply disable the Help and Support service.
But, if you’ve done so in the past, it’s important to read Microsoft Knowledge
Base Article 841996 before
installing this patch. Many administrators have disabled the Help and Support
service due to earlier problems. Apparently, if it is disabled, the patch won’t
install, although Windows Update and the Microsoft Baseline Security Analyzer
(MBSA) may report that it has been properly installed.
The problem, of course, lies in the possibility that someone
will later reenable the Help and Support service. If that happens, the service
will become vulnerable to this threat, and the administrator will have been led
to believe that the patch was installed.
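A check that implements the caveat above, as an added example (it is not code from the column or from Microsoft): it reads the Help and Support service's start mode and the local hotfix inventory directly and flags the enabled-but-unpatched combination, instead of relying on what MBSA or Windows Update reports. It assumes the service's short name is helpsvc (the Windows XP/2003 name) and takes the update's KB number as a parameter, which is a placeholder here because the column does not give it.

```powershell
# Added example, not from the column or from Microsoft: verify the MS04-015 state
# on the local machine without trusting the MBSA/Windows Update result.
# Assumptions (not stated on the page): the Help and Support service's short name
# is 'helpsvc', and the update registers as a hotfix whose KB id is passed in -PatchKB.
param(
    # Placeholder: substitute the KB number of the MS04-015 update from the bulletin.
    [string]$PatchKB = 'KBnnnnnn'
)

# Service start mode and running state straight from WMI (available on XP/2003-era hosts).
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='helpsvc'"

# Hotfix inventory from Win32_QuickFixEngineering; $null when the update is not registered.
$fix = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue

$serviceMode = 'absent'
if ($svc) {
    $serviceMode = if ($svc.StartMode -eq 'Disabled') { 'disabled' } else { 'enabled' }
}
$patched = ($null -ne $fix)

# The dangerous case is the one MBSA hides: service enabled (or re-enabled) and no update.
if ($patched) {
    $verdict = 'PATCHED: update is present; service state does not matter.'
} elseif ($serviceMode -eq 'disabled') {
    $verdict = 'NOT PATCHED, service disabled: mitigated for now, but re-enabling helpsvc ' +
               'exposes the host. Enable the service, install the update, then disable it again.'
} elseif ($serviceMode -eq 'enabled') {
    $verdict = 'VULNERABLE: service enabled and update missing, whatever MBSA reports.'
} else {
    $verdict = 'Help and Support service not found on this host.'
}

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    ServiceMode  = $serviceMode
    ServiceState = if ($svc) { $svc.State } else { 'n/a' }
    PatchKB      = $PatchKB
    PatchPresent = $patched
    Verdict      = $verdict
}
```

Run it from an elevated Windows PowerShell prompt on each host (or push it out with whatever remote execution you already use) and collect the Verdict column; the point of checking the hotfix inventory rather than the scanner's report is that the scanner is exactly what the Knowledge Base article says can be wrong here.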
At least this Microsoft Security Bulletin doesn’t contain the
20-plus vulnerabilities that last month’s did. However, I disagree with
Microsoft’s decision to rate this threat as merely “Important.” I don’t like
vulnerabilities that let remote attackers run arbitrary code and completely
take over systems, so I think this is more of a high or even critical threat.
Apparently, Microsoft rated this threat Important mostly
because the level of possible damage depends on the level of privileges set for
the account that is used to implement the attack. That’s all well and good if
people don’t have elevated privileges, but we all know that some applications
are so poorly written that they’ll run properly only for administrator accounts.
Also, in many organizations, it’s a routine (if seriously dangerous) practice
to freely give out accounts with administrative permissions. I’m not personally
vulnerable to this threat because I refuse to open e-mails in HTML—a simple
step that eliminates a surprising number of threats as well as greatly speeding
up e-mail handling.
Hidden in the Security Bulletin is a note reminding users
that MBSA version 1.1.1 and earlier are no longer being fully supported after
April 20, 2004, and those versions will not properly report the need for
updates in the future. If you rely on MBSA, you should immediately update to the latest version to ensure that you get the latest
update data. This isn’t a problem with the earlier versions, per se. Rather,
Microsoft has stopped updating the Mssecure.xml file to reflect new updates. In
any case, the latest version also covers a lot more products, and you should
probably be using it anyway.
Also watch for…
- A new hole has been discovered in the already extremely vulnerable WiFi (802.11)
specs. This one could allow someone with a WiFi-enabled PDA to deny access
to a wireless network. The report came from AusCERT, which is similar to U.S.-based
CERT except that, because of geography, it sees new threats about 12 hours earlier; and
because of decent management and policies, it reports them about a month
earlier. This WiFi issue is a trivial attack that can be carried out by
even a very low-powered device. The only real mitigating factor is that it
locks out access only to those devices and nodes within range of the
attacker—the stronger the transmitter, the more widespread the outage. It
doesn’t bring down the network itself. Since 802.11 uses the same
frequencies that many security cameras and other wireless devices use, it
isn’t exactly news that interference can cause wireless outages, but those
are random problems caused by using a frequency band that was already
crowded. This is the first vulnerability I know of that exists due to
interference caused by simply using a PDA with a wireless card. Implementing
this attack is simple, uses few resources, and won’t be mitigated by the
proposed MAC layer security enhancements. I can see one upside to this
vulnerability: When the lines are really long at a coffee shop or other fast-food
outlet where they have public WiFi access, a simple DoS attack might clear
people out for a few minutes, allowing you to buy your caffeine or high-fat
- There have been updates to some older Microsoft Security Bulletins. MS01-052 (“Invalid RDP Data Can Cause Terminal Service
Failure”) has been revised to version 3.0 to reflect the availability of
an update for Windows NT Terminal Server 4.0. Last month’s MS04-014 (“Vulnerability in the Microsoft Jet Database
Engine Could Allow Code Execution”) has also been revised to correct
errors in the initial release.
- Symantec personal firewalls have a hidden vulnerability that can allow an attacker
to run arbitrary code. According to the Open Source Vulnerability Database,
there are no workarounds known, so you must update with the Symantec patch
to eliminate this DNS kernel buffer overrun threat. Symantec reports that a number of other vulnerabilities involving
remote access and DoS events have been reported by the eEye security firm.
Patches are available via the Symantec LiveUpdate service.
- The Opera browser has an address-spoofing vulnerability. The fix is to
obtain the latest Opera version.
- There is a hole in Outpost Firewall version 2.x that can lead to a DoS event.
This report can also be seen at Secunia, but I
wasn’t able to confirm it with the vendor.
- A number of holes have been fixed in Apache by way of patches for Slackware Linux 8.x and 9.x.
- The Sasser, Netsky, and Phatbot creators have all apparently been captured in
Germany. There hasn’t been much coverage of this in U.S. news outlets yet,
but you can find details in this CNET News.com report,
and there will probably be more stories posted by the time you read this.
At 18, the confessed Sasser creator is too young to get any jail time, but
others picked up by the German police are old enough to be locked away for
a few years. If the cops had simply waited a day or two, the Sasser creator might well have committed some other
offense, such as releasing a new Sasser version, and therefore may have been
eligible for some real punishment (such as being forced to endlessly apply
patches to Windows networks). Microsoft, or at least its reward offer, is
reported to have played a big part in finding these vandals. With any luck,
prosecutors will squeeze these guys until they give up any other crackers
who worked with them—if German law includes the sort of Draconian
conspiracy punishments that we have here.