Three security bulletins from Microsoft demand attention from administrators. One, MS04-009 (“Vulnerability in Microsoft Outlook Could Allow Code Execution”), was originally released with a rating of “Important,” but was quickly revised by Microsoft and reissued a few hours later with a rating of “Critical” because the vulnerability affected a lot more users than was originally suspected. If you initially dismissed or delayed action on this bulletin, you should take another look at it because it has important implications for Office XP and Outlook 2002.
Some versions of Outlook can parse a specially-crafted “mail to:” URL contained in an e-mail in such a way as to allow Internet Explorer to execute script code. An HTML e-mail could also be used as an attack vector; this would give the attacker access to some local user files or could let an attacker run arbitrary code on the vulnerable system.
This is a Denial of Service threat to users of Windows 2000 Server with Windows Media Server 4.1 installed.
This is an information disclosure threat that can be triggered only if the attacker hijacks a legitimate user name/account.
- Outlook 2002 Service Pack 2
- Office XP SP2 (Office XP is included because the affected version of Outlook is included in Office XP. Later Outlook and Office versions, including Office 2000 SP3 and Outlook SP3, are not affected.)
- Windows 2000 Server SP2
- Windows 2000 Server SP3
- Windows 2000 Server SP4
- MSN Messenger 6.0
- MSN Messenger 6.1
Risk level – Moderate to Critical
This was originally reported to affect only people who used the “Outlook Today” folder home page but the threat has been upgraded to a critical rating because it can allow attackers to run arbitrary code on a vulnerable system even if that folder isn’t used on the system.
This apparently only threatens the Windows Media Services itself and not the server. The DoS is a result of blocking any new TCP connections so no new media requests would be accepted after the attacker sends a specially-crafted string of TCP/IP packets to the server.
This is rated a moderate threat because it is relatively difficult to exploit.
Opening e-mail as plain text rather than HTML would mean that users aren’t affected unless they also click on a link.
The bulletin also states that the attacker would only gain the privilege of the current user so this could provide some protection if everyone runs with the lowest possible privileges. But later in the same bulletin Microsoft states, “A privilege elevation vulnerability exists within Outlook 2002, and its handling of mailto URLs, that could allow Internet Explorer to execute script in the Local Machine Zone on an affected system. Outlook 2002 is available as a separate product and is also included as part of Office XP. An attacker who successfully exploited this vulnerability could access files on a user’s system or run arbitrary code on a user’s system.”
This is confusing, to say the least. I recommend that you treat this as a critical risk and not rely on any particular mitigating factors reported by Microsoft.
Windows Media Services is not installed by default. Also, if WMS is used to send streaming media only over unicast, then this vulnerability is eliminated. Plus, if you administer WMS servers directly, then you are not at risk. Although the exploit would block WMS as well as unicast, it apparently doesn’t close down the entire server but just blocks streaming media.
An attacker would need to know a legitimate sign-on name. The attacker would also have to know the exact location of the file he desires to see.
Install the patch or upgrade to SP3.
As a workaround to reduce the risk from this vulnerability until a patch is applied, you should read e-mails only in text mode rather than HTML. Outlook 2002 SP1 (Microsoft Knowledge Base Article 307594) and Outlook Express 6.0 SP1 (KBA 291387) added a feature that allows users to view most e-mails in plain text. Changing from the “Outlook Today” folder in Outlook 2002 will reduce, but not eliminate, the threat.
There is a patch available for this threat. There are also a number of possible workarounds ranging from blocking ports TCP 7007 and 7778 at the firewall, or disabling Windows Media Services. Those will prevent any use of WMS; however, Microsoft says that “administering the services directly from the console or through a Terminal Services session“ will block the effects of the attack but won’t have any impact on usability.
Simply apply the supplied security update.
I would like to mention one additional mitigating factor for MS04-009 that Microsoft failed to mention, but which I always recommend to clients—Don’t use Microsoft Outlook. Sure, it may mean a little inconvenience for some users, but if you can avoid it you can save a lot of time fighting threats and applying patches.
Also watch for…
- According to a report first seen on ZDNet UK, the author(s) of the 11 or so Netsky attacks placed a message in the “K” release where he or she claims that they will not launch any more Netsky worm attacks. The message indicates that the writers see releasing Netsky as a public service because it targets Beagle and MyDoom malware.
- Computerworld.com has reported that a number of parasitic worms (such as Doom.C and DoomJuice), are taking over machines originally infected by MyDoom and launching DoS attacks against Microsoft but are not spreading to other computers. Panda and TrendMicro have interesting reports on these attacks, as do most antivirus companies. Microsoft has released a worm-removal tool for MyDoom.A, MyDoom.B, and the DoomJuice variants. The latest Microsoft Security Newsletter, Vol.1 No.4, also has an overview of Microsoft’s progress in improving security by Jeffrey R. Jones, Senior Director – Microsoft Security Business Unit. (Personally I wouldn’t bother but you might find it interesting.)
- As reported in News.com, security firm Symbiot will launch a new proactive security effort at the end of March (just remember that April 1—or April Fool’s Day—is also just after the end of March). Texas-based Symbiot is apparently taking its home state’s traditions seriously because it says it is going to go gunning for producers of malware by attacking them in return. Personally, since such attacks would also constitute illegal attacks and could involve some incredibly Draconian penalties if their efforts led them to respond to some federal sites that had been hijacked and used to send out malware or participate in distributed denial of service attacks, I believe this is more of a hoax intended to garner publicity than a real program the company intends to implement, particularly when you consider the trigger date.
- An interesting story recently came out of the Oxford Internet Institute even though it originated from Fordham’s Joel Reidenberg, Professor of Law. A ZDNet UK story looks at the probability that governments will enforce Internet law by launching court ordered DDoS attacks against malefactors.
- CNET News reports Cisco is beefing up security with the introduction of two new products, the Cisco 7301 Router and VPN 3020. Also included are some management enhancements to the Cisco IOS software along with support for IPv6 and enhanced protection against DDoS attacks.
- There are reports from eEye Security of vulnerabilities in Norton Personal Firewall and the Norton Internet Security programs that can result in a DoS event. No details were available at the time this was written.