Two critical Microsoft vulnerabilities have been disclosed
and they affect multiple versions of Windows and Internet Explorer.

Details

Microsoft Security Bulletin MS04-022,
“Vulnerability in Task Scheduler Could Allow Code Execution,” describes a
critical vulnerability that could allow a remote attacker to execute
code.

The problem lies in the way the Task Scheduler validates application
names. The relevant process contains a buffer overrun vulnerability,
and there are several ways an attacker could exploit it. A successful attacker
gains the privileges of the current user and could potentially take complete
control of the system.

The provided patch fixes the underlying buffer overrun
vulnerability by changing the way Task Scheduler validates the length of
messages before passing them to the buffer. This update can be removed, and
instructions for doing so are included in the bulletin. The patch will also be
included in Windows XP Service Pack 2 when it is released in August 2004.

Microsoft Baseline Security Analyzer (MBSA) 1.2 will report
if your installation of Windows 2000 or Windows XP requires this patch, but
there is no MBSA support for Windows NT 4.0. Systems Management Server (SMS)
uses MBSA, so the same applies to that product as well.

MS04-023,
“Vulnerability in HTML Help Could Allow Code Execution,” describes
another critical threat, along with an extra threat that is rated important.
Exploits for these threats have been seen in the wild. MBSA (and therefore also
SMS) will report if you need the patch.

The HTML Help vulnerability is rated critical on all
affected systems. Meanwhile, the “showhelp” vulnerability is caused
by faulty processing of a specially crafted URL and allows an attacker to run
arbitrary code in the Local Machine security zone, giving that attacker
complete control over the affected system. This is the threat that is rated
important.

Applicability

For MS04-022, Windows 2000, Windows XP, and some older
systems with IE 6 installed are affected.

Windows NT 4.0 does not normally include the vulnerable
component, but it will be found on systems that have been updated by installing
Internet Explorer 6. On Windows 98, Windows 98 SE, and Millennium Edition,
this is not a critical vulnerability, even if Internet Explorer 6 SP1 has been
installed.

Although Windows NT 4.0 Workstation Service Pack 6a and
Windows 2000 Service Pack 2 have reached the end of their life cycles (Microsoft
had extended support for them only to June 30, 2004), both of these Security
Bulletins include patches that were already in the works for those versions, so
Microsoft released the updates for them anyway.

The vulnerabilities described in MS04-023 affect Windows
2000, Windows Server 2003, Windows XP, and all Windows NT 4.0 versions if the
latter have IE 5.5 SP2 or IE 6 SP1 installed. Windows 98, 98 SE, and Millennium
Edition may also be affected, but in some instances they will have a lower risk
level.

In addition to the fixes for the two vulnerabilities, the
MS04-023 update also changes which files can be opened as compiled
help files, limiting them to those with the .chm extension. Applications using
other help file extensions will not display any help content after this patch
is applied.

Risk level – Critical

The vulnerability described in MS04-022 would allow an
attacker to gain complete control over the vulnerable system.

The MS04-023 HTML Help vulnerability actually includes two
different problems, both of which can allow arbitrary remote code execution.
The showhelp vulnerability is only
rated important, but since the HTML Help vulnerability itself is critical for
all vulnerable systems, the cumulative risk level for this set of patches is
also critical.

Mitigating factors

For the Task Scheduler vulnerability the primary risk is to
terminal servers and workstations. Best practices that block most users from
running programs would protect servers from the Task Scheduler
vulnerability. Also, the attacker would only gain the privileges of the current
user. Best practices always suggest that users should run with the minimum required
privileges, which would reduce the risk from this flaw in many instances.

There are a number of mitigating factors affecting the showhelp vulnerability that reduce the
risk level to important, as explained in the bulletin. Although the HTML Help
vulnerability is rated critical, once again the attacker would only gain the
privileges of the current user, so running at the minimum required security
level would mitigate the threat.

Fix – Apply the provided patches

Microsoft has tested and provided a workaround for the Task
Scheduler vulnerability that will reduce the risk from this threat: Do not open
or save files with .job extensions that originate from untrusted sources.

At the time MS04-023 was published, the patches for Windows
98, 98 SE, and ME were not yet available, but Microsoft has announced that they will
soon be made available.

The risk from the showhelp
vulnerability can be mitigated by altering the default privileges granted in
the Local Machine security zone. Keep in mind that this is a partial
workaround, and not a fix for the underlying vulnerability.

Another workaround for both the showhelp and HTML Help threats is to unregister HTML Help. There
are directions for doing this in the Security Bulletin but it will completely
disable all help, including any HTML help features in other applications.

Viewing e-mail in plain text rather than as HTML files will,
where practical, reduce but not eliminate the threat from the e-mail attack
vector for both of these help-related vulnerabilities. Other attack vectors can
still be exploited.

Final word

The Task Scheduler threat is critical, as is the HTML Help
threat, but in both cases it’s important to note that, as with many
vulnerabilities, the actual risk depends on the user’s privilege level. It’s
just too bad that not all administrators are able to enforce best practices such
as granting standard end users only non-administrative privileges.
In some instances administrators have little choice, because poorly written
applications in use at the organization only run properly
with administrative privileges. That can make things easier for developers but
forces admins into practices that are a serious security risk.

Also watch for …

  • Mozilla and Firefox Web browsers and the Thunderbird mail client contain a flaw that
    may allow a remote attacker to launch a program from a known location. The
    issue is triggered when rendering a specially crafted Web page using the
    “shell:” command. This requires the attacker to trick a user
    into visiting the Web page.
  • A popup.show() vulnerability has been demonstrated
    to exist in Internet Explorer. This can allow remote attackers to perform any
    action activated by a mouse click. The problem affects all IE versions,
    including those patched by Windows XP SP2 RC2.
  • A DoS vulnerability involving large text files has been discovered
    in IE 6 and may affect other versions of IE as well.
  • An Adobe Acrobat Reader flaw
    can let remote users run arbitrary code. This is due to a buffer overrun
    in the filename parsing engine.