A boundary error vulnerability in Microsoft Internet Explorer that was thought to have been fixed by Service Pack 1 for Windows XP and Service Pack 4 for Windows 2000 turns out to still be present even after those service packs are correctly installed.

A boundary error problem, which can be triggered by an especially long server name, may allow remote attackers to run arbitrary code on affected systems. Secunia, which credits this report to Rodrigo Gutierrez, says this vulnerability has been proven to exist in Windows XP even though the problem was thought to have been fixed by the service packs mentioned above.

Gutierrez has actually published an exploit demonstration for this problem, which was described in a Microsoft Knowledge Base Article (322857). The vulnerability occurs when IE is used to map a network drive, and the name of the drive contains more than 300 characters. Gutierrez was also credited in that June 23, 2003, Knowledge Base Article (he reports having initially told Microsoft about it in 2002).

From the meager information in the article, it isn’t clear whether the problem was fixed in SP1 for WinXP and SP4 for Win2K as far as the 300-plus mixed case or lowercase characters are concerned. The actual problem confirmed by Gutierrez specifically refers to long names that contain no lowercase characters (he uses a string of “AAA…A” to demonstrate the exploit).

Additionally, although article 322857 and the released service packs covered WinXP and Win2K systems, any Windows operating system after 3.1 that shipped with or was updated to run IE 5.01 or later is also apparently vulnerable. The Secunia report on this threat contains an update confirming that Windows NT 4.0 is affected. Windows Server 2003 apparently isn’t vulnerable.

It appears that this vulnerability affects all Windows operating systems that have IE 5.01, IE 5.5, or IE 6 installed, with the only exception being Windows Server 2003.

Risk level—moderate to critical
Secunia rates this vulnerability as highly critical, but I would rate it somewhere between moderate and critical.

Mitigating factors
Users would have to visit a malicious site or connect to a malicious file server. You can’t create such a long filename under Windows, but the initial report explains how an attacker can easily do this using a Linux/UNIX Samba server.

Since at least a portion of the vulnerability remains after the first Microsoft fix was installed, there is currently no patch that will block this problem. As a workaround, you should use firewall settings to restrict access to systems on your LAN that could be compromised by one of these attacks.

As a workaround, Gutierrez recommends that you alter your network connections settings by disabling Client for Microsoft Networks (presumably, you can disable the Workstation service in Windows NT 4.0 to accomplish the same thing).

Final word
Just when you thought it was safe to allow your Web browser to look at remote servers, it turns out that a simple buffer overrun problem we thought was fixed almost a year ago is still alive and well. Please note that I specifically did not provide a link to the original report simply because it contains a detailed exploit for this vulnerability, and I don’t want to make it any easier to locate than it already is.

Also watch for…

  • Some users who have applied the patches in the massive MS04-011 Security Bulletin are reporting problems ranging from failure of sound cards to an inability to boot Windows 2000 systems with the patch installed. Others are reporting that some antivirus software is failing after applying the patches, which address 14 major and minor IE bugs. As such, there have been some updates to MS04-011. One update (835732) explains some of the problems known to be caused by installing the patch:
    –Windows 2000 system locks up (841382).
    –Adobe Illustrator EMF image files can’t be viewed (840997).
    –Error message “STOP 0x00000079” is displayed on Windows NT 4.0 systems (841384).
    –A maximum of 7.8 GB system partition problem exists on NT 4.0 (224526).
  • TechNewsWorld is reporting that a VeriSign security official is expressing concerns over suspicious activity that is thought to presage a major new denial of service attack. The impact may be lessened by the release of recent new Microsoft patches. The suspicious increase in traffic on port 433 is the main clue that something may be in the works similar to a Blaster or Slammer attack.
  • On a more general note, a BBC report says that three-quarters of UK companies have been hit by security breaches over the past year, with the costs associated with fixing problems running into the billions of pounds. Large companies experience a breach nearly every week, and even small companies are hit 10 or more times per year. A similar DTI Information Security Breaches Survey showed that the number of incidents doubled since 2002 (and those had doubled since 2000).
  • Netsky and Bagle worms have passed the end of the alphabet and are into the double-letter designations, but both are still infecting enough unprotected systems that Symantec is rating some versions at a risk level of 3 on a scale of 1 to 5.
  • The UK-based Register security news site reports on a recent Infosecurity Europe 2004 statement by Microsoft’s UK head of security. The security head said the company’s previously stated intention to use selected outside testers to evaluate patches before releasing them is being reconsidered due to security concerns over releasing early versions of patches to outsiders.