Microsoft has released five new Security Bulletins for
December 2004, and all of them are rated Important, not Critical. Several of
them apply to Windows XP Service Pack 2.
Details
MS04-041 Vulnerability in WordPad Could Allow
Code Execution (885836) patches a table conversion
vulnerability (CAN-2004-0571)
and a font conversion vulnerability (CAN-2004-0901),
both due to an unchecked buffer. These threats are related to a conversion
utility that lets WordPad open Word documents. Since this isn’t a macro threat,
saving documents in .rtf format doesn’t prevent the attack, but it only relates
to documents created in Word 6. The WordPad converter is included in most Windows
operating systems but doesn’t open by default in most of them (and never opens if
you have a properly configured system with Word installed).
MS04-042
Vulnerability in DHCP Could Allow Remote Code Execution and Denial Of Service
(885249) covers a logging vulnerability (CAN-2004-0899)
and a DHCP request vulnerability (CAN-2004-0900);
both are due to unchecked buffers.
MS04-043
Vulnerability in HyperTerminal Could Allow Code Execution (873339) is also
due to an unchecked buffer (CAN-2004-0568).
MS04-044
Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege
(885835) involves a Windows Kernel Vulnerability (CAN-2004-0893)
that relates to the way applications are launched, and also includes a Local
Security Authentication Server Vulnerability (CAN-2004-0894)
with a token validation problem.
MS04-045
Vulnerability in WINS (Windows Internet Naming Service) Could Allow Remote Code
Execution (870736) involves a Name Validation Vulnerability (CAN-2004-0567)
and an Association Context Vulnerability (CAN-2004-1080);
the latter is another buffer overrun threat.
Applicability
Please note that the operating system and OS versions listed
below are only those that are known to be vulnerable and are still supported.
For example, Windows XP is vulnerable but not always listed because only XP SP1
and XP SP2 are supported.
MS04-041
This affects Windows 98, Me, NT 4.0, 2000, XP SP1, XP SP2,
and Server 2003.
MS04-042
This only affects Windows NT Server 4.0 and NT Server 4.0
Terminal Server Edition. Microsoft Baseline Security Analyzer and Systems
Management Server can detect whether the update is required.
MS04-043
This affects Windows NT 4.0, 2000, XP, and Server 2003. Microsoft
Baseline Security Analyzer and Systems Management Server can detect whether the
update is required.
MS04-044
This affects Windows NT 4.0, 2000, XP SP1, XP SP2, and Server
2003.
MS04-045
This affects Windows NT 4.0, Windows 2000 Server, and
Windows Server 2003.
For each of these Security Bulletins, Microsoft Baseline
Security Analyzer and Systems Management Server can detect whether the update
is required.
Risk level – Moderate to Important (Microsoft ratings)
Microsoft gives these relatively low risk ratings because
the company balances the chance of being successfully attacked against the
potential damage. I feel they are more severe threats. Since some can allow
remote code execution, I rate those as serious to extreme threats, because
although the chances you are vulnerable are low, if you are attacked the
results can be devastating.
MS04-041 (remote code execution)
- Windows 98 and Me – not critical
- Windows NT 4.0, 2000, and XP SP1 – important
- Windows XP SP2 and Server 2003 – moderate
These threats are newly discovered and haven’t been
exploited yet.
MS04-042 (denial of service and remote code execution)
Windows NT 4.0 – moderate (logging vulnerability) and
important (DHCP vulnerability)
These threats are newly discovered and haven’t been
exploited yet.
MS04-043 (remote code execution)
- Windows NT 4.0, 2000, and XP – important
- Windows Server 2003 – moderate
This is a newly discovered threat and
exploits haven’t been seen yet.
MS04-044 (remote code execution)
Windows NT 4.0, 2000, XP SP1, XP SP2, and Windows Server 2003
– important
For some versions or some threats there is only moderate or
no threat, but the same patch also fixes an important threat in each listed
system so that doesn’t affect the decision to patch or not patch. This is a
newly discovered threat and exploits haven’t been seen yet.
MS04-045 (remote code execution)
Windows NT 4.0, Windows Server 2000, and Windows Server 2003
– important
Some exploits have been seen for one of these
vulnerabilities.
Mitigating factors
MS04-041
This is disabled by default in Windows XP SP2 and Windows
Server 2003. For any application this can only be exploited if you open a
malicious document. The main threat is to those using WordPad to open .wri,
.rtf, or .doc files (and possibly other extensions), and these will
automatically open in Word, not WordPad.
MS04-042
The vulnerable DHCP Server service is not installed by
default and DHCP Client service is not vulnerable.
MS04-043
HyperTerminal is not installed by default on Windows Server
2003 and is not set as the default Telnet client on Windows XP or NT 4.0 Server.
The only threat comes from .ht extension files, which should not be opened if they
arrive as e-mail attachments.
MS04-044
For the Windows Kernel Vulnerability (CAN-2004-0893), valid
logon credentials are required to exploit the vulnerability, and XP SP2 and
Windows Server 2003 systems would probably crash if attacked. For the LSASS
Vulnerability (CAN-2004-0894), valid logon credentials are required and NT 4.0
Server is not vulnerable.
MS04-045
WINS is not installed by default except on Microsoft Small
Business Server 2000 and SBS 2003, and on vulnerable systems an attack would
probably trigger a crash.
Fix – Apply patch, some workarounds are available
MS04-041
The patch fixes the buffer problem and also disables the Word
for Windows 6.0 Converter. There are some detailed workarounds provided in the
Microsoft Security Bulletin.
MS04-042
Patches fix both buffer faults. There are several
workarounds described in the Microsoft Security Bulletin.
MS04-043
Patches fix the buffer overrun threat. As a workaround simply
remove the HyperTerminal application from the system or block .ht
(HyperTerminal) session files in e-mail. To do this in Outlook and Outlook
Express, see Microsoft Knowledge
Base Article 837388 and Microsoft
Knowledge Base Article 291387.
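One way a mail gateway could apply the .ht attachment block described above, as an added example that is not from the original article or from Microsoft. The function names, the `BLOCKED_EXTENSIONS` set and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# ".ht" is the HyperTerminal session file type named in the workaround;
# the set itself is an assumption of this example and can be extended.
BLOCKED_EXTENSIONS = {".ht"}


def normalized_extension(filename: str) -> str:
    """Extension Windows would act on: case-insensitive, and trailing
    dots/spaces are ignored, so 'session.ht. ' still counts as .ht."""
    cleaned = filename.rstrip(". ")
    base = cleaned.replace("\\", "/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return names of all MIME parts (nested ones included) whose
    file name carries a blocked extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and normalized_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed test message: two .ht attachments and one harmless file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "admin@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("Router.HT", "notes.txt", "session.txt.ht."):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in blocked_attachments(build_sample()):
        print("quarantine:", name)
```

Matching on the normalized extension rather than the raw file name is what catches upper-case, double-extension and trailing-dot variants of the same file type.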
MS04-044
Use the patch. No workarounds are available for Windows
Kernel Vulnerability (CAN-2004-0893) and LSASS Vulnerability (CAN-2004-0894).
MS04-045
Use the patch. As a workaround, remove WINS if not used
(this is mostly a legacy threat) and block TCP 42 and UDP 42 in your firewall.
This can cause some network problems, so the patch is preferable.
Final word
For those who haven’t looked in a while, Microsoft has
changed the way it presents these bulletins by adding summaries on a single
page (here
is the December 2004 page), which includes a color rating (shades of
Homeland Security). This makes sense because the colors simply reflect the
standard severity ratings.
The bulletins are also now linked to numbers that correspond
to the related Knowledge Base Article, which explains the details of the problem
addressed by the Security Bulletin or explains ways to work around any known
problems caused by installing the patches.
I like the new system for average administrators who can
quickly see which, if any, bulletins they need to look at, both based on the
severity rating and the clear list of affected software.