Microsoft has released a batch of updates that affect Internet Security and Acceleration (ISA) Server 2000, Outlook Web Access (OWA) for Exchange Server 2003, and Microsoft Data Access Components (MDAC).

ISA Server 2000 has a critical buffer overflow vulnerability in the H.323 filter used by the Firewall Service; it allows a remote attacker to run code in the security context of that service. This vulnerability is the first one Microsoft has reported this year and therefore carries the designation MS04-001. Note that products from other companies are also affected by flaws in H.323 handling: Lucent and HP are said to be investigating the problem, and Cisco has released patches for some of its products.

The next threat addressed by Microsoft is an elevation of privilege vulnerability in Outlook Web Access for Exchange Server 2003. This threat is designated MS04-002.

The other vulnerability addressed is a buffer overrun in the Microsoft Data Access Components (MDAC), covered in MS04-003. This bulletin replaces the older MS03-033, and its update supersedes the earlier one.

The H.323 vulnerability is known to affect:

  • ISA Server 2000
  • Small Business Server 2000, because this includes ISA Server 2000
  • Small Business Server 2003 Premium Edition, because it also includes ISA Server 2000

Microsoft reports that Proxy Server 2.0, the precursor of ISA Server 2000, is not vulnerable to this threat. The company says it has not tested earlier versions and cannot say whether they are vulnerable.

Additionally, VoIP products from other vendors, including HP, Cisco, and Lucent, may be affected by the same class of H.323 flaw, as explained here. According to reports, affected Cisco products include:

  • IOS 11.3T and later
  • CallManager 3.0 through 3.3

See the Cisco Web site for a complete list of affected systems.

The only software affected by MS04-002 is Microsoft Exchange Server 2003. Exchange Server 2000 and Exchange Server 5.5 are not affected. Earlier versions of Exchange were not tested by Microsoft.

The MDAC threat affects:

  • MDAC 2.5 (Windows 2000)
  • MDAC 2.6 (SQL Server 2000)
  • MDAC 2.7 (Windows XP)
  • MDAC 2.8 (Windows Server 2003 and Windows Server 2003 64-Bit Edition)

Risk level—Moderate to critical
The H.323 threat to ISA Server 2000 SP1 is rated critical because successful exploitation would allow a remote attacker to run arbitrary code and take over the vulnerable system. Cisco rates the H.323 VoIP threat as moderately critical for its systems.

The OWA threat is rated moderate by Microsoft because exploitation only gives the attacker access to another user's mailbox, and the attacker cannot choose which one. It can only be exploited by an authenticated user who has a mailbox on the same server.

Exploiting the MDAC buffer overrun would allow an attacker to run arbitrary code, but the conditions required to reach it (described under mitigating factors) make it hard to exploit, so Microsoft rates it only as important.

Mitigating factors
The H.323 vulnerability is only a threat if the Firewall Service is running, because the H.323 filter is part of that service. An ISA Server installed in cache mode does not run the Firewall Service and is therefore not exposed.

OWA is only exposed to the vulnerability in MS04-002 in an unusual configuration: Kerberos authentication has been disabled on the Exchange virtual server in IIS, which makes IIS fall back to NTLM authentication (the older Windows standard). Microsoft notes that this can happen when Windows SharePoint Services is installed on the same server, because its installation can disable Kerberos in IIS; it is not expected otherwise. Security Bulletin MS04-002 includes directions for checking whether Kerberos is still enabled, which is the default setting.

The MDAC attack can only be carried out by a system on the same IP subnet that poses as a SQL Server, and only after the target system broadcasts a request (to UDP port 1434) to enumerate all computers running SQL Server on that subnet; the attacker answers that broadcast with a malformed response. Although the flaw allows the attacker to run code, it runs only in the security context of the client program that sent the broadcast, and the attacker has no control over when a broadcast happens or which program sends it. SQL Enterprise Manager is an example of a tool that sends such requests.
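To make the failure mode concrete, here is an added example (not Microsoft's code and not taken from the bulletin) of how a client that processes replies to the UDP 1434 broadcast should validate a response before copying it into a fixed-size buffer. The datagram layout assumed here, a 0x05 type byte, a two-byte little-endian length, then an ASCII key;value list, is the SQL Server Resolution Protocol as Microsoft documents it in MS-SQLR; the bulletin itself does not describe the packet format. The sample datagrams, the SSRP_MAX_DATA limit and all function names are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed SSRP (UDP 1434) server response layout, from MS-SQLR:
 *   byte 0     : 0x05 (SVR_RESP)
 *   bytes 1..2 : RESP_SIZE, little-endian length of RESP_DATA
 *   bytes 3..  : RESP_DATA, ASCII "ServerName;HOST;InstanceName;...;tcp;1433;;"
 */
#define SSRP_SVR_RESP 0x05
#define SSRP_MAX_DATA 1024   /* assumption: largest response this client accepts */

/* Copies RESP_DATA into out as a NUL-terminated string. Returns the number of
 * bytes copied, or -1 if the datagram is malformed or would not fit. */
int ssrp_parse_response(const uint8_t *pkt, size_t pktlen, char *out, size_t outlen)
{
    if (pkt == NULL || out == NULL || outlen == 0) return -1;
    if (pktlen < 3) return -1;                       /* no room for the header */
    if (pkt[0] != SSRP_SVR_RESP) return -1;
    size_t resp_size = (size_t)pkt[1] | ((size_t)pkt[2] << 8);
    /* The advertised length must match what actually arrived on the wire ... */
    if (resp_size != pktlen - 3) return -1;
    /* ... and must fit both the protocol limit and the caller's buffer. */
    if (resp_size > SSRP_MAX_DATA || resp_size >= outlen) return -1;
    /* The payload is a printable ASCII list; reject anything else. */
    for (size_t i = 0; i < resp_size; i++) {
        uint8_t c = pkt[3 + i];
        if (c < 0x20 || c > 0x7e) return -1;
    }
    memcpy(out, pkt + 3, resp_size);
    out[resp_size] = '\0';
    return (int)resp_size;
}

/* Looks up key in the ';'-separated key;value list. Returns 1 and copies the
 * value (truncated to vallen-1) on success, 0 if the key is absent. */
int ssrp_get_field(const char *data, const char *key, char *val, size_t vallen)
{
    if (vallen == 0) return 0;
    const char *p = data;
    while (*p) {
        const char *kend = strchr(p, ';');
        if (kend == NULL) break;
        const char *vstart = kend + 1;
        const char *vend = strchr(vstart, ';');
        size_t vlen = vend ? (size_t)(vend - vstart) : strlen(vstart);
        if ((size_t)(kend - p) == strlen(key) && strncmp(p, key, (size_t)(kend - p)) == 0) {
            if (vlen >= vallen) vlen = vallen - 1;
            memcpy(val, vstart, vlen);
            val[vlen] = '\0';
            return 1;
        }
        if (vend == NULL) break;
        p = vend + 1;
    }
    return 0;
}

/* Builds a well-formed SVR_RESP datagram; used only to construct sample traffic.
 * Returns the datagram length, or 0 if it would not fit in buf. */
size_t ssrp_build_response(const char *data, uint8_t *buf, size_t buflen)
{
    size_t n = strlen(data);
    if (n > 0xFFFF || buflen < n + 3) return 0;
    buf[0] = SSRP_SVR_RESP;
    buf[1] = (uint8_t)(n & 0xFF);
    buf[2] = (uint8_t)(n >> 8);
    memcpy(buf + 3, data, n);
    return n + 3;
}

/* Constructed sample 1: a legitimate reply from a SQL Server 2000 host. */
static const char SAMPLE_OK[] =
    "ServerName;SQLHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;;";

/* Parses the legitimate sample and returns its advertised TCP port, or -1. */
int sample_good_port(void)
{
    uint8_t pkt[512];
    char data[256], port[16];
    size_t n = ssrp_build_response(SAMPLE_OK, pkt, sizeof pkt);
    if (ssrp_parse_response(pkt, n, data, sizeof data) < 0) return -1;
    if (!ssrp_get_field(data, "tcp", port, sizeof port)) return -1;
    return atoi(port);
}

/* Constructed sample 2: a rogue responder whose RESP_SIZE claims 0xFFFF bytes
 * while only four bytes of payload follow. A parser that trusted RESP_SIZE
 * would read far past the datagram. Returns the parser's verdict. */
int sample_rogue_length(void)
{
    uint8_t pkt[8] = { SSRP_SVR_RESP, 0xFF, 0xFF, 'A', 'A', 'A', 'A' };
    char data[256];
    return ssrp_parse_response(pkt, 7, data, sizeof data);
}

/* Constructed sample 3: a self-consistent but oversized reply (2000 bytes of
 * filler). An unchecked copy into a fixed client buffer would overrun it;
 * the parser refuses the datagram instead. Returns the parser's verdict. */
int sample_rogue_oversize(void)
{
    static char filler[2001];
    uint8_t pkt[2100];
    char data[256];
    memset(filler, 'A', 2000);
    filler[2000] = '\0';
    size_t n = ssrp_build_response(filler, pkt, sizeof pkt);
    return ssrp_parse_response(pkt, n, data, sizeof data);
}

int main(void)
{
    printf("legitimate reply: tcp port %d\n", sample_good_port());
    printf("rogue length field: %d\n", sample_rogue_length());
    printf("oversized payload: %d\n", sample_rogue_oversize());
    return 0;
}
```

The two checks that matter are the comparison of RESP_SIZE against the bytes actually received and the comparison against the destination buffer; a client that uses the attacker-supplied length for the copy, as a buffer overrun of this class implies, has neither.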

For the H.323 flaw, apply the Microsoft update to correct the buffer overflow. As a workaround, you can disable the H.323 filter. If none of your services use H.323, disabling the filter will not affect operations, and it should stay disabled as a matter of policy. The filter is enabled by default and is used mainly for IP telephony. It listens for H.323 call setup on TCP port 1720, so blocking that port at the firewall also blocks this attack (and, of course, any legitimate H.323 calls through it).

There is a Cisco update for some systems affected by the H.323 threat.

The MS04-002 bulletin includes a patch for the OWA vulnerability. One workaround is to disable the reuse of HTTP connections (HTTP keep-alive) on the Exchange virtual server in IIS. Reuse is enabled by default because it gives a slight performance gain, and disabling it is usually not noticeable. The other workaround is to re-enable Kerberos authentication on the Exchange virtual server, which is the default configuration.

For the MDAC vulnerability, apply the provided patch. As a workaround, block UDP port 1434 at the firewall, which stops the SQL Server enumeration traffic the attack depends on; note that this port is also used to resolve the ports of named SQL Server instances, so blocking it can complicate or break remote management of the server.

Final word
Even more interesting than what these bulletins did contain is what they did not. Most administrators and security specialists were expecting a Microsoft bulletin dealing with the serious threat posed by well-known vulnerabilities in Internet Explorer, as described a couple of months ago in this report.

Also watch for…

Those who run Microsoft Office, or just Microsoft Word, should know that there is a very easy way to crack the password protection for forms in Word. Since this is a basic design flaw and not something you can fix, I won’t detail the exploit here. Microsoft has commented that the password protection feature was never really intended to be a high-security measure (go figure). Check out this Q&A session (dated 2001) from Microsoft Australia. You can see a PowerPoint presentation on this and other Office vulnerabilities here.