Two critical Microsoft vulnerabilities have been disclosed and they affect multiple versions of Windows and Internet Explorer.
Microsoft Security Bulletin MS04-022, "Vulnerability in Task Scheduler Could Allow Code Execution," describes a critical vulnerability that could allow a remote attacker to execute code.
The problem lies in the way the Task Scheduler validates application names. The relevant process contains a buffer overrun vulnerability, and there are several ways an attacker could exploit it. A successful attacker gains the privileges of the current user and could potentially take complete control of the system.
The provided patch fixes the underlying buffer overrun by changing the way Task Scheduler validates the length of messages before passing them to the buffer. This update can be removed, and instructions for doing so are included in the bulletin. The patch will also be included in Windows XP Service Pack 2 when it is released in August 2004.
Microsoft Baseline Security Analyzer (MBSA) 1.2 will report if your installation of Windows 2000 or Windows XP requires this patch, but there is no MBSA support for Windows NT 4.0. Systems Management Server (SMS) uses MBSA, so the same applies to that product as well.
MS04-023, "Vulnerability in HTML Help Could Allow Code Execution," describes another critical threat, along with a second threat that is rated important. Exploits for these threats have been seen in the wild. MBSA (and therefore also SMS) will report if you need the patch.
The HTML Help vulnerability is rated critical on all affected systems. The second flaw, the "showhelp" vulnerability, is caused by faulty processing of a specially crafted URL and allows an attacker to run arbitrary code in the Local Machine security zone, giving that attacker complete control over the affected system. This is the threat that is rated important.
For MS04-022, Windows 2000, Windows XP, and some older systems with IE 6 installed are affected.
Windows NT 4.0 does not normally include the vulnerable component, but it will be found on systems that have been updated by installing Internet Explorer 6. On Windows 98, Windows 98 SE, and Millennium Edition, this is not a critical vulnerability, even if Internet Explorer 6 SP1 has been installed.
Windows NT 4.0 Workstation Service Pack 6a and Windows 2000 Service Pack 2 have reached the end of their life cycles (Microsoft had extended support only to June 30, 2004), but because both of these Security Bulletins include patches that were already in the works for those versions, Microsoft released the updates for them anyway.
The vulnerabilities described in MS04-023 affect Windows 2000, Windows Server 2003, Windows XP, and all Windows NT 4.0 versions if the latter have IE 5.5 SP2 or IE 6 SP1 installed. Windows 98, 98 SE, and Millennium Edition may also be affected, but in some instances they will have a lower risk level.
In addition to the fixes for the two vulnerabilities, the MS04-023 patch also restricts which files HTML Help will treat as compiled help files, limiting them to those with the .chm extension. Applications using other help file extensions will not display any help content after this patch is applied.
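To assess the impact of that extension restriction before rolling out the patch, here is an added example (not code from the article or from Microsoft) that inventories compiled help files stored under an extension other than .chm, which are the files that will go silent afterwards. It recognises a compiled help file by the "ITSF" signature at the start of the file rather than by name; the directory layout and the .hlpx extension used in the sample tree are constructed for the dry run.

```python
"""Inventory compiled help files that the MS04-023 patch will stop rendering.

Added example, not code from the article or from Microsoft. After the patch,
HTML Help only accepts compiled help files with the .chm extension, so any
compiled help file shipped under another extension goes silent. Compiled
help files start with the ITSS container signature b"ITSF", which lets the
scan catch them regardless of the name they were given.
"""
import os
import tempfile
from pathlib import Path

CHM_MAGIC = b"ITSF"  # first four bytes of every compiled HTML Help (.chm) file


def is_compiled_help(path):
    """Return True if the file begins with the ITSS container signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(CHM_MAGIC)) == CHM_MAGIC
    except OSError:
        return False


def find_affected_help_files(root):
    """Return sorted paths of compiled help files whose extension is not .chm.

    These are exactly the files that applications will no longer be able to
    display once HTML Help is limited to the .chm extension.
    """
    affected = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() != ".chm" and is_compiled_help(path):
                affected.append(path)
    return sorted(affected)


def build_sample_tree(base):
    """Create a constructed application directory for a dry run.

    It holds a normal .chm, a compiled help file under the hypothetical
    .hlpx extension, and a plain text file that merely shares that extension.
    The four bytes after the signature stand in for the ITSS version field.
    """
    app = Path(base) / "app"
    app.mkdir(parents=True, exist_ok=True)
    (app / "manual.chm").write_bytes(CHM_MAGIC + b"\x03\x00\x00\x00")
    (app / "manual.hlpx").write_bytes(CHM_MAGIC + b"\x03\x00\x00\x00")
    (app / "readme.hlpx").write_bytes(b"plain text, not compiled help")
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_affected_help_files(build_sample_tree(tmp)):
            print(f"will not display after the patch: {hit}")
```

Run it against an application's install directory instead of the sample tree to get the list of help files to rename or have the vendor repackage before the patch is deployed.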
Risk level – Critical
The vulnerability described in MS04-022 would allow an attacker to gain complete control over the vulnerable system.
The MS04-023 HTML Help vulnerability actually includes two different problems, both of which can allow arbitrary remote code execution. The showhelp vulnerability is only rated important, but since the HTML Help vulnerability itself is critical for all vulnerable systems, the cumulative risk level for this set of patches is also critical.
For the Task Scheduler vulnerability, the primary risk is to terminal servers and workstations. Best practices that prevent most users from running programs would protect servers from the Task Scheduler vulnerability. Also, the attacker would only gain the privileges of the current user. Best practice is that users run with the minimum required privilege, which would reduce the risk from this flaw in many instances.
There are a number of mitigating factors affecting the showhelp vulnerability that reduce its risk level to important, as explained in the bulletin. Although the HTML Help vulnerability is rated critical, once again the attacker would only gain the privileges of the current user, so running at the minimum required privilege level would mitigate the threat.
Fix – Apply the provided patches
Microsoft has tested and provided a workaround for the Task Scheduler vulnerability that will reduce the risk from this threat: Do not open or save files with .job extensions that originate from untrusted sources.
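One way to enforce that workaround at a mail gateway rather than relying on each user, as an added example that is not part of the article or of Microsoft's bulletin: quarantine messages from outside the organisation that carry a .job attachment. The internal domain corp.example and both sample messages are constructed, and the trust decision rests on the From header alone, so this illustrates the attachment policy and is not a defence against sender spoofing.

```python
"""Quarantine inbound mail that carries a Task Scheduler .job attachment.

Added example, not code from the article or from Microsoft. It implements the
MS04-022 workaround (do not accept .job files from untrusted sources) at a
mail gateway: messages whose sender is outside the internal domain and that
carry a .job attachment are marked for quarantine. The internal domain
corp.example and both sample messages are constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example"   # constructed: senders here count as trusted
BLOCKED_EXTENSIONS = (".job",)     # Task Scheduler job files


def attachment_names(msg):
    """Yield the declared filename of every attachment part, lower-cased."""
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            yield name.lower()


def is_external(msg):
    """True when the From address is missing or not in the internal domain."""
    _display, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return True
    return addr.rsplit("@", 1)[1].lower() != INTERNAL_DOMAIN


def classify(raw_message):
    """Return ("quarantine", [blocked names]) or ("deliver", [])."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    blocked = [name for name in attachment_names(msg)
               if name.endswith(BLOCKED_EXTENSIONS)]
    if blocked and is_external(msg):
        return "quarantine", blocked
    return "deliver", []


# Constructed sample: an outside sender attaching a .job file (upper-case
# extension, to show that the match is case-insensitive).
SAMPLE_EXTERNAL = b"""\
From: Unknown Sender <someone@mail.example>
To: user@corp.example
Subject: Updated schedule
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please load the attached schedule.
--b1
Content-Type: application/octet-stream; name="schedule.JOB"
Content-Disposition: attachment; filename="schedule.JOB"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Same message from an internal sender: the policy lets it through.
SAMPLE_INTERNAL = SAMPLE_EXTERNAL.replace(b"someone@mail.example",
                                          b"alice@corp.example")

if __name__ == "__main__":
    for label, raw in (("external", SAMPLE_EXTERNAL), ("internal", SAMPLE_INTERNAL)):
        verdict, names = classify(raw)
        print(f"{label}: {verdict} {names}")
```

The extension tuple is the only policy knob; the same check can carry other file types an organisation decides not to accept from outside, and a real gateway would pair it with sender authentication rather than trusting the From header.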
At the time MS04-023 was published, the patches for Windows 98, 98 SE, and ME were not yet available, but Microsoft has announced that they will soon be made available.
The risk from the showhelp vulnerability can be mitigated by altering the default privileges granted in the Local Machine security zone. Keep in mind that this is a partial workaround, and not a fix for the underlying vulnerability.
Another workaround for both the showhelp and HTML Help threats is to unregister HTML Help. There are directions for doing this in the Security Bulletin but it will completely disable all help, including any HTML help features in other applications.
Viewing e-mail in plain text rather than as HTML files will, where practical, reduce but not eliminate the threat from the e-mail attack vector for both of these help-related vulnerabilities. Other attack vectors can still be exploited.
The Task Scheduler threat is critical, as is the HTML Help threat, but in both cases it's important to note that, as with many vulnerabilities, the actual risk depends on the user's privilege level. It's just too bad that not all administrators are able to enforce best practices such as granting standard end users only non-administrative privileges. In some instances administrators have little choice, because applications in use only run properly with administrative privileges, which comes down to poor programming practices. That makes things easier for developers but forces admins into practices that are a serious security risk.
Also watch for …
- Mozilla and Firefox Web browsers and the Thunderbird mail client contain a flaw that may allow a remote attacker to launch a program from a known location. The issue is triggered when rendering a specially-crafted Web page using the "shell:" command. This requires the attacker to trick a user into visiting the Web page.
- A popup.show() vulnerability has been demonstrated in Internet Explorer. It can allow remote attackers to perform any action that is activated by a mouse click. The problem affects all IE versions, including those patched by Windows XP SP2 RC2.
- A DoS vulnerability involving large text files has been discovered in IE 6 and may affect other versions of IE as well.
- An Adobe Acrobat Reader flaw can let remote users run arbitrary code. This is due to a buffer overrun in the filename parsing engine.