On October 12, 2004, Microsoft released a flurry of critical
security alerts (Microsoft Security Bulletins MS04-032 through MS04-038) along
with some less important threat bulletins (MS04-029 through MS04-031). Most of
the security alerts affect Windows systems, but Macintosh computers are also vulnerable
to some of the threats.

Details

MS04-032 “Security Update for Microsoft
Windows” addresses the following flaws:

  • CAN-2004-0207,
    Windows management vulnerability, is an elevation of privilege threat.
  • CAN-2004-0208,
    virtual DOS machine vulnerability, is an elevation of privilege threat.
  • CAN-2004-0209,
    graphics rendering engine vulnerability, is the most serious of this
    group, being a remote code execution threat.
  • CAN-2004-0211, Windows kernel
    vulnerability, is a denial of service threat.

MS04-033 “Vulnerability in Microsoft
Excel Could Allow Remote Code Execution” addresses CAN-2004-0846, an Excel vulnerability
that is a remote code execution threat. This can also affect Macintosh systems.

MS04-034 “Vulnerability in Compressed
(zipped) Folders Could Allow Remote Code Execution” addresses CAN-2004-0575, which is a newly
discovered vulnerability and hasn’t been exploited yet.

MS04-035 “Vulnerability in SMTP Could
Allow Remote Code Execution” addresses CAN-2004-0840.

MS04-036 “Vulnerability in NNTP
(Network News Transfer Protocol) Could Allow Remote Code Execution” addresses CAN-2004-0574, a new,
privately reported remote code execution vulnerability that hasn’t been exploited
in the wild as yet.

MS04-037 “Vulnerability in Windows
Shell Could Allow Remote Code Execution” addresses the following flaws:

  • CAN-2004-0214,
    shell vulnerability, is a remote code execution threat.
  • CAN-2004-0572, program group
    converter vulnerability, is a remote code execution threat.

MS04-038 “Cumulative Security Update
for Internet Explorer” addresses the following flaws:

  • CAN-2004-0842,
    CSS heap corruption vulnerability, is a remote code execution threat.
  • CAN-2004-0727,
    name redirection cross-domain vulnerability, is a remote code execution
    threat.
  • CAN-2004-0216,
    install engine vulnerability, is a remote code execution threat.
  • CAN-2004-0839,
    drag-and-drop vulnerability, is a remote code execution threat.
  • CAN-2004-0844,
    address bar name spoofing, is an information disclosure threat.
  • CAN-2004-0843,
    plug-in navigation address bar name spoofing vulnerability,
    is also an information disclosure threat.
  • CAN-2004-0841,
    imaging tag file script vulnerability, is a remote code execution threat.
  • CAN-2004-0845, SSL-caching
    vulnerability, is an information disclosure threat.

Applicability

MS04-032

The elevation of privilege threats affect NT 4.0, Windows
2000, XP, and Windows Server 2003. XP with SP2 isn’t vulnerable to the virtual
DOS threat.

The graphics rendering vulnerability affects Windows 2000, XP,
and Windows Server 2003. XP with SP2 isn’t vulnerable to the graphics rendering
threat.

The Windows kernel vulnerability only affects Windows Server
2003.

MS04-033

This affects Office 2000 SP 3 and Excel 2000, Office XP SP2 and Excel
2002, Office 2001 for Macintosh and Excel 2001 for Macintosh, and Office v.X for
Macintosh and Excel v.X for Macintosh. Office XP SP3 is not vulnerable. Office
2003 and Office 2003 SP1 are not vulnerable; neither is Excel 2004 for
Macintosh.

MS04-034

Windows XP and Windows Server 2003 are the only systems
vulnerable to this threat.

MS04-035

This affects Windows XP (64-bit edition), Windows Server
2003 (64-bit edition), Windows Server 2003, and Exchange Server 2003.

MS04-036

This affects Exchange Server 2000 and 2003, NT Server 4.0,
Windows 2000 Server and Windows Server 2003.

MS04-037

CAN-2004-0214
affects Windows 98, 98 SE, Me, NT 4.0, Windows 2000, and XP and XP SP1.

CAN-2004-0572 affects Windows 98, 98
SE, Me, NT 4.0, Windows 2000, XP and XP SP1, and Windows Server 2003.

MS04-038

CAN-2004-0842
affects IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

CAN-2004-0727
affects IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

CAN-2004-0216
affects IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

CAN-2004-0839
affects IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, IE 6 WS 2003, and
IE 6 SP2.

CAN-2004-0844 affects IE 6 SP1 and IE 6
WS 2003.

CAN-2004-0843
affects IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

CAN-2004-0841
affects IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

CAN-2004-0845 affects IE 5.01 SP3, IE
5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

Risk level–Critical (overall for each of these bulletins)

MS04-032

For the four vulnerabilities, the overall threat level is
critical. The graphics rendering vulnerability is rated critical for Windows
2000, XP, and Windows Server 2003.

MS04-033

This is a critical threat for Office 2000 SP 3 and Excel
2000, as well as Office XP SP2 and Excel 2002. The threat is rated important
for Office 2001 for Macintosh and Excel 2001 for Macintosh, Office v.X for
Macintosh and Excel v.X for Macintosh.

MS04-034

This is a critical remote code execution vulnerability for
both XP and Windows Server 2003.

MS04-035

This is an important threat for Windows XP (64-bit edition),
Windows Server 2003 (64-bit edition), and Windows Server 2003. For Exchange
Server 2003 this is a critical threat.

MS04-036

This is a critical threat for Exchange Server 2000 and an
important threat for Exchange Server 2003, NT Server 4.0, Windows 2000 Server,
and Windows Server 2003.

MS04-037

CAN-2004-0214
is a critical threat for NT 4.0, Windows 2000, and XP and XP SP1. It is a noncritical
threat for Windows 98, 98 SE, and Me.

CAN-2004-0572 is an important threat
for Windows 98, 98 SE, Me, NT 4.0, Windows 2000, XP and XP SP1, and Windows
Server 2003.

MS04-038

CAN-2004-0842
is a critical threat for IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, and IE 6
SP1. It is a moderate threat for IE 6 WS 2003.

CAN-2004-0727
is a critical threat for IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, and IE 6
SP1. It is a moderate threat for IE 6 WS 2003.

CAN-2004-0216
is a critical threat for IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, and IE 6
SP1. It is a moderate threat for IE 6 WS 2003.

CAN-2004-0839
is an important threat for IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6
SP1, and IE 6 SP2. It is a moderate threat for IE 6 WS 2003.

CAN-2004-0844 is an important threat
for IE 6 SP1 and IE 6 WS 2003.

CAN-2004-0843
is an important threat for IE 5.01 SP4, IE 5.5 SP2, IE 6, and IE 6 SP1. It is a
moderate threat for IE 6 WS 2003.

CAN-2004-0841
is an important threat for IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, and IE 6
SP1. It is a moderate threat for IE 6 WS 2003.

CAN-2004-0845 is a moderate threat for
IE 5.01 SP3, IE 5.01 SP4, IE 5.5 SP2, IE 6, IE 6 SP1, and IE 6 WS 2003.

Mitigating factors

MS04-035

For most versions the SMTP engine is not installed by
default.

MS04-036

NT Server 4.0, Windows 2000 Server, and Windows Server 2003
do not install the affected component by default.

Fix

See the specific security bulletins for details on patches.

Final word

At first glance this slew of new security notices looks
really bad for Microsoft, but careful reading shows that most of the threats
are relatively low level and many are fixes for vulnerabilities that were
unknown outside Microsoft and a single reporting agent. In other words, the
flaws existed but there was no significant threat because they were not being
exploited.


Also watch for…

  • MS04-029 “Vulnerability in RPC
    Runtime Library Could Allow Information Disclosure and Denial of Service”
    (CAN-2004-0569) is rated important
    for NT 4.0, but it doesn’t apply to later Microsoft operating systems.
  • MS04-030 “Vulnerability in WebDAV
    XML Message Handler Could Lead to a Denial of Service” (CAN-2004-0718) is rated important
    for Windows 2000, but only a moderate threat for XP and Windows Server
    2003.
  • MS04-031 “Vulnerability in NetDDE
    Could Allow Remote Code Execution” (CAN-2004-0206) affects all modern
    versions of Windows. For Windows 98, 98SE, and Me, this is rated as not
    critical. For NT 4.0, Windows 2000, and XP it is rated important, but it
    is a moderate threat for Windows Server 2003.