In addition to the critical security threats from Microsoft that I covered in last week’s column, the Redmond software giant has also issued a flurry of medium-level security threats that Windows administrators need to be aware of.


MS04-018, “Cumulative Security Update for Outlook Express,” is caused by a failure of Outlook Express to properly handle certain specifically malformed e-mail headers. This is a denial-of-service (DoS) threat; Microsoft reports having seen published exploits but has not received any reports of customers being compromised by them. This threat is covered by CAN-2004-0215.

MS04-019, “Vulnerability in Utility Manager Could Allow Code Execution,” is a local elevation-of-privilege threat that can’t be exploited remotely. MBSA will report whether your system needs this update, and Systems Management Server (SMS) can help deploy it.

MS04-020, “Vulnerability in POSIX Could Allow Code Execution,” is an unchecked-buffer vulnerability in the Portable Operating System Interface for UNIX subsystem. MBSA will report whether your system needs this update, and SMS can help deploy it. This threat is covered by CAN-2004-0210.

MS04-021, “Security Update for IIS 4.0,” is a buffer-overrun vulnerability in the redirect function that can allow remote code execution. MBSA will report whether your system needs this update, and SMS can help deploy it. This threat is covered by CAN-2004-0205.

MS04-024, “Vulnerability in Windows Shell Could Allow Remote Code Execution,” replaces MS03-027 for Windows XP (but not for the other affected operating systems). This threat is covered by CAN-2004-0420.


MS04-018 applies to all versions of Outlook Express from 5.5 through 6, on operating systems from NT 4.0 through Windows Server 2003.

MS04-019 affects all versions (and all Service Packs) of
Windows 2000.

MS04-020 affects all versions of Windows NT 4.0 and all
versions of Windows 2000 (and all its service packs).

MS04-021 affects Windows NT Workstation 4.0 Service Pack 6a
and Windows NT Server 4.0 SP6a (but only with IIS installed as part of the NT 4
Option Pack).

MS04-024 affects all versions of:

  • Windows NT 4.0
  • Windows
  • Windows
  • Windows Server 2003

Windows 98, 98 SE and ME may be affected by all of these
threats, but since none of these flaws are a critical threat to those operating
environments, updates are not provided by Microsoft (which limits support for discontinued
operating systems to critical-only updates).

Risk level – Important to moderate

MS04-021 and MS04-024 are both remote code execution vulnerabilities that allow a remote attacker to run arbitrary programs and take complete control of the vulnerable system. I would rate these as critical rather than the moderate rating Microsoft has given them.

MS04-020 is a local elevation of privilege threat and can’t
be exploited remotely or without detailed information about the system and
access to it.

Although MS04-019 can allow someone to take complete control
over a system, it is rated a moderate threat because it can only be exploited
locally by a legitimate user. This is not a remotely executable threat or one
that could be executed by a complete stranger.

MS04-018 is considered only a moderate denial of service
threat because successful execution would cause only Outlook Express to fail,
not the operating system or other applications.

Fix – Apply the patches/updates provided

Please check the Microsoft bulletins before taking any
action on these vulnerabilities, because several of the bulletins have been
updated multiple times.

A partial workaround for MS04-018 is to disable the preview
pane (View, Layout, and uncheck View Preview Pane). This doesn’t completely
remove the threat, but it does make it easier to remove the offending message.

There is no workaround for MS04-024.

As mentioned above, Windows 98, 98 SE, and ME are no longer supported except for critical threats, so no patches are available for those operating systems. Windows NT Workstation 4.0 has also just passed out of normal support, but Microsoft already had a number of these patches prepared for that operating system and has included fixes for it in these updates.


MS04-019 (Utility Manager bulletin) – In addition to fixing
the vulnerability, applying this update will eliminate access to
context-sensitive help from the Utility Manager.

MS04-021 (IIS 4.0) – There is apparently a problem updating with ISAPI filters running (see Knowledge Base article 873401). That’s what Microsoft says. Actually the problem is a complete crash-and-burn, so I’d pay attention to this Knowledge Base article if I were applying this patch. The IISLockdown tool installs URLScan, which will protect against this vulnerability; see the workarounds section of the Microsoft bulletin for directions on configuring the tool. Note that the URLScan workaround will block all incoming requests larger than 16K. IIS can be disabled or stopped in IIS Manager, or removed entirely, but this will also block other Internet services, such as the IIS SMTP service.
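Because the URLScan workaround for MS04-021 blocks every request larger than 16K, it is worth checking your existing IIS logs for legitimate traffic that would be cut off before enabling it. The following Python script is an added example written for this column, not Microsoft’s or the column author’s code: it parses a constructed IIS W3C Extended log excerpt, estimates each request’s size from the logged cs-bytes field (falling back to the URL length when that field is absent), and lists the entries that exceed the limit. The log lines, IP addresses and paths are invented for illustration.

```python
from typing import Dict, List, Optional

# Request-size limit (bytes) that the URLScan workaround described in the column enforces.
REQUEST_LIMIT_BYTES = 16 * 1024

# Constructed IIS W3C Extended log excerpt (not real traffic). The "#Fields:"
# directive names the columns; "cs-bytes" is the size of the client's request.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
2004-07-20 10:01:02 192.0.2.10 GET /default.htm - 200 312
2004-07-20 10:01:05 192.0.2.11 GET /search.asp q=iis 200 455
2004-07-20 10:01:09 192.0.2.12 POST /upload/form.asp - 200 20480
2004-07-20 10:01:11 192.0.2.13 GET /images/logo.gif - 200 298
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C Extended log lines into dicts keyed by the names in #Fields."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software, #Version, #Date
        if fields is None:
            raise ValueError("log entry seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed entry rather than misalign the columns
        records.append(dict(zip(fields, values)))
    return records


def request_size(rec: Dict[str, str]) -> int:
    """Best available estimate of the request size in bytes.

    Uses cs-bytes when the server logged it; otherwise falls back to the
    length of the URL path plus "?" and the query string.
    """
    cs_bytes = rec.get("cs-bytes", "-")
    if cs_bytes.isdigit():
        return int(cs_bytes)
    query = rec.get("cs-uri-query", "-")
    size = len(rec.get("cs-uri-stem", ""))
    if query != "-":
        size += 1 + len(query)  # account for the "?" separator
    return size


def find_oversized_requests(text: str, limit: int = REQUEST_LIMIT_BYTES) -> List[Dict[str, str]]:
    """Return the log entries whose request size exceeds the limit."""
    return [rec for rec in parse_w3c_log(text) if request_size(rec) > limit]


if __name__ == "__main__":
    for rec in find_oversized_requests(SAMPLE_LOG):
        print(f"{rec['date']} {rec['time']} {rec['c-ip']} {rec['cs-method']} "
              f"{rec['cs-uri-stem']} ({request_size(rec)} bytes) would be blocked")
```

Run it against a real log directory by reading each file’s contents into find_oversized_requests; any hits from genuine applications (large form posts, file uploads) tell you which services need attention before the 16K limit goes into effect.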

MS04-024 (Windows Shell) – ActiveX features may be limited by some of the recent IE patches, and this patch refines some previous changes in IE 6 Service Pack 1 that may prevent other cross-domain vulnerabilities. The update can prevent attackers from moving code execution from the Internet Zone to the more permissive Local Machine security zone.

Final word

As for the problem in Outlook Express, MS04-018, I don’t believe this software belongs on any business system. In fact, I don’t even use the full version of Outlook because it is tied to, or is the source of, so many vulnerabilities. Thus, my personal best practices would have avoided this problem entirely. None of my clients use Outlook Express, and if any of them use Outlook, it is against my advice.

Also watch for …

  • Secunia has released an advisory for an unspecified mod_ssl 2.x (mod-proxy) threat in Apache that the security vendor has rated as highly critical because of the widespread critical applications in which Apache is used. No further details were available, but the vendor that reported the threat recommends immediate update to version
  • Beagle/Bagle is once again showing its teeth. Fast-spreading and virulent, the latest incarnation of Beagle/Bagle (the one known as Beagle.AG at Symantec) has its own SMTP mail engine and opens a backdoor at TCP 1080. Click here for a number of Beagle removal tools.
  • According to a CNET report, the new Atak mass-mailing worm actually watches for antivirus software activity and, when it begins a scan, Atak shuts down so it won’t be discovered. It doesn’t carry a dangerous payload, but Atak is part of the new generation of worms that are intended to spread spam. F-Secure’s lead virus specialist says that while many viruses and worms attempt to hide, this one is exceptionally good at it.
  • In the “it had to happen someday” category, you can now place bets (they are actually a kind of futures options) on an Irish sports betting site about when the next big worm or virus attack will take place. See this ZDNet UK story for more details and get your bets down early!
  • There is a Gentoo php update that is rated highly critical. It addresses two apparently unrelated vulnerabilities that can allow an attacker to completely compromise a system. See the full advisory here. Another moderately critical vulnerability in Opera for Gentoo Linux 1.x has been patched. The impact of this threat is phishing related. See this Gentoo-announce report and this Gentoo Linux Security Advisory for more details.