Microsoft has released five new Security Bulletins for
December 2004, and all of them are rated Important, not Critical. Several of
them apply to Windows XP Service Pack 2.

Details

MS04-041 Vulnerability in WordPad Could Allow Code Execution (885836)
patches a table conversion vulnerability (CAN-2004-0571) and a font conversion
vulnerability (CAN-2004-0901), both due to an unchecked buffer. These threats are
related to a conversion utility that lets WordPad open Word documents. Since this
isn’t a macro threat, saving documents in .rtf format doesn’t prevent the attack,
but it only relates to documents created in Word 6. The WordPad converter is
included in most Windows operating systems but doesn’t open by default in most of
them (and never opens if you have a properly configured system with Word
installed).

MS04-042 Vulnerability in DHCP Could Allow Remote Code Execution and Denial Of
Service (885249) covers a logging vulnerability (CAN-2004-0899) and a DHCP
request vulnerability (CAN-2004-0900); both are due to unchecked buffers.

MS04-043 Vulnerability in HyperTerminal Could Allow Code Execution (873339) is
also due to an unchecked buffer (CAN-2004-0568).

MS04-044 Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of
Privilege (885835) involves a Windows Kernel Vulnerability (CAN-2004-0893) that
relates to the way applications are launched, and also includes a Local Security
Authentication Server Vulnerability (CAN-2004-0894) with a token validation
problem.

MS04-045 Vulnerability in WINS (Windows Internet Naming Service) Could Allow
Remote Code Execution (870736) involves a Name Validation Vulnerability
(CAN-2004-0567) and an Association Context Vulnerability (CAN-2004-1080); the
latter is another buffer overrun threat.
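The root cause that recurs across MS04-041, MS04-042, MS04-043 and MS04-045 is an
"unchecked buffer": a converter or network service copies data whose length is
taken from the input itself, without comparing that length to the space it has
available. The program below is an added illustration written for this summary;
it is not Microsoft's code and does not use the real Word 6, .ht, DHCP or WINS
formats. It assumes a constructed record layout (one length byte followed by that
many bytes of field data) and places the unchecked copy beside a checked version
that rejects any record whose declared length exceeds either the bytes actually
present or the destination capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (constructed for this example): byte 0 is a
 * length, bytes 1..length are the field. Destination buffers are FIELD_CAP. */
#define FIELD_CAP 16

/* Unchecked conversion: trusts the length byte in the record. This is the
 * pattern the bulletins describe; a length larger than FIELD_CAP-1 makes the
 * memcpy write past the end of 'out'. Shown for contrast, never called on a
 * malformed record below. */
static int convert_field_unchecked(const uint8_t *rec, size_t rec_len,
                                   char out[FIELD_CAP])
{
    (void)rec_len;                  /* the length in the file is never validated */
    size_t n = rec[0];
    memcpy(out, rec + 1, n);        /* no comparison against FIELD_CAP or rec_len */
    out[n] = '\0';
    return (int)n;
}

/* Checked conversion: validates the declared length against the bytes present
 * and against the destination capacity before any copy happens. Returns the
 * number of bytes copied, or -1 if the record is rejected. */
static int convert_field_checked(const uint8_t *rec, size_t rec_len,
                                 char out[FIELD_CAP])
{
    if (rec == NULL || rec_len < 1)
        return -1;                  /* no length byte at all */
    size_t n = rec[0];
    if (n > rec_len - 1)
        return -1;                  /* claims more bytes than the record holds */
    if (n > FIELD_CAP - 1)
        return -1;                  /* would overflow 'out' (room kept for NUL) */
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample records, not taken from any real file or packet. */
static const uint8_t BENIGN_REC[]    = { 5, 'H', 'e', 'l', 'l', 'o' };
static const uint8_t TRUNCATED_REC[] = { 200, 'A', 'A', 'A', 'A' }; /* claims 200, has 4 */

/* Well-formed record: both converters agree and produce "Hello". */
int check_benign_record(void)
{
    char out[FIELD_CAP];
    int n = convert_field_checked(BENIGN_REC, sizeof BENIGN_REC, out);
    if (n < 0 || strcmp(out, "Hello") != 0)
        return -2;
    return n;                       /* 5 */
}

/* Record whose length byte exceeds the data present: rejected. */
int check_truncated_record(void)
{
    char out[FIELD_CAP];
    return convert_field_checked(TRUNCATED_REC, sizeof TRUNCATED_REC, out); /* -1 */
}

/* Record whose bytes are all present but exceed FIELD_CAP: rejected. The
 * unchecked converter would copy 40 bytes into a 16-byte buffer here. */
int check_oversized_record(void)
{
    uint8_t rec[64];
    char out[FIELD_CAP];
    memset(rec, 'A', sizeof rec);
    rec[0] = 40;
    return convert_field_checked(rec, sizeof rec, out);                     /* -1 */
}

int main(void)
{
    char out[FIELD_CAP];
    printf("unchecked on benign record: %d bytes\n",
           convert_field_unchecked(BENIGN_REC, sizeof BENIGN_REC, out));
    printf("checked on benign record:   %d\n", check_benign_record());
    printf("checked on truncated record: %d\n", check_truncated_record());
    printf("checked on oversized record: %d\n", check_oversized_record());
    return 0;
}
```

The two validity tests are the whole fix: the length must be bounded by what was
actually read and by what the destination can hold, and both comparisons have to
happen before the copy, not after. Patches for bugs of this class typically add
exactly these checks, which is why the mitigations listed below (not opening
untrusted documents, not exposing the service) only reduce exposure until the
patch is applied.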

Applicability

Please note that the operating system and OS versions listed
below are only those that are known to be vulnerable and are still supported.
For example, Windows XP is vulnerable but not always listed because only XP SP1
and XP SP2 are supported.

MS04-041

This affects Windows 98, Me, NT 4.0, 2000, XP SP1, XP SP2,
and Server 2003.

MS04-042

This only affects Windows NT Server 4.0 and NT Server 4.0
Terminal Server Edition. Microsoft Baseline Security Analyzer and Systems
Management Server can detect whether the update is required.

MS04-043

This affects Windows NT 4.0, 2000, XP, and Server 2003. Microsoft
Baseline Security Analyzer and Systems Management Server can detect whether the
update is required.

MS04-044

This affects Windows NT 4.0, 2000, XP SP1, XP SP2, and Server
2003.

MS04-045

This affects Windows NT 4.0, Windows 2000 Server, and
Windows Server 2003.

For each of these Security Bulletins, Microsoft Baseline
Security Analyzer and Systems Management Server can detect whether the update
is required.

Risk level – Moderate to Important (Microsoft ratings)

Microsoft gives these relatively low risk ratings because
the company balances the chance of being successfully attacked against the
potential damage. I feel they are more severe threats. Since some can allow
remote code execution, I rate those as serious to extreme threats, because
although the chances you are vulnerable are low, if you are attacked the
results can be devastating.

MS04-041 (remote code execution)

  • Windows 98 and Me – not critical
  • Windows NT 4.0, 2000, and XP SP1 – important
  • Windows XP SP2 and Server 2003 – moderate

These threats are newly discovered and haven’t been
exploited yet.

MS04-042 (denial of service and remote code execution)

Windows NT 4.0 – moderate (logging vulnerability) and
important (DHCP vulnerability)

These threats are newly discovered and haven’t been
exploited yet.

MS04-043 (remote code execution)

  • Windows NT 4.0, 2000, and XP – important
  • Windows Server 2003 – moderate

This is a newly discovered threat and
exploits haven’t been seen yet.

MS04-044 (remote code execution)

Windows NT 4.0, 2000, XP SP1, XP SP2, and Windows Server 2003
– important

For some versions or some threats there is only moderate or
no threat, but the same patch also fixes an important threat in each listed
system so that doesn’t affect the decision to patch or not patch. This is a
newly discovered threat and exploits haven’t been seen yet.

MS04-045 (remote code execution)

Windows NT 4.0, Windows 2000 Server, and Windows Server 2003
– important

Some exploits have been seen for one of these
vulnerabilities.

Mitigating factors

MS04-041

This is disabled by default in Windows XP SP2 and Windows
Server 2003. For any application this can only be exploited if you open a
malicious document. The main threat is to those using WordPad to open .wri,
.rtf, or .doc files (and possibly other extensions); where Word is installed,
these files will automatically open in Word, not WordPad.

MS04-042

The vulnerable DHCP Server service is not installed by
default and DHCP Client service is not vulnerable.

MS04-043

HyperTerminal is not installed by default on Windows Server
2003 and is not set as the default Telnet client on Windows XP or NT 4.0 Server.
The only threat comes from files with the .ht extension, which should not be
opened if they arrive as e-mail attachments.

MS04-044

For the Windows Kernel Vulnerability (CAN-2004-0893), valid
logon credentials are required to exploit the vulnerability, and XP SP2 and
Windows Server 2003 systems would probably crash if attacked. For the LSASS
Vulnerability (CAN-2004-0894), valid logon credentials are required and NT 4.0
Server is not vulnerable.

MS04-045

WINS is not installed by default except on Microsoft Small
Business Server 2000 and SBS 2003, and on vulnerable systems an attack would
probably trigger a crash.

Fix – Apply patch, some workarounds are available

MS04-041

The patch fixes the buffer problem and also disables the Word
for Windows 6.0 Converter. There are some detailed workarounds provided in the
Microsoft Security Bulletin.

MS04-042

Patches fix both buffer faults. There are several
workarounds described in the Microsoft Security Bulletin.

MS04-043

Patches fix the buffer overrun threat. As a workaround simply
remove the HyperTerminal application from the system or block .ht
(HyperTerminal) session files in e-mail. To do this in Outlook and Outlook
Express, see Microsoft Knowledge Base Article 837388 and Microsoft Knowledge
Base Article 291387.

MS04-044

Use the patch. No workarounds are available for Windows
Kernel Vulnerability (CAN-2004-0893) and LSASS Vulnerability (CAN-2004-0894).

MS04-045

Use the patch. As a workaround, remove WINS if not used
(this is mostly a legacy threat) and block TCP 42 and UDP 42 in your firewall.
This can cause some network problems, so the patch is preferable.

Final word

For those who haven’t looked in a while, Microsoft has
changed the way it presents these bulletins by adding summaries on a single
page (here is the December 2004 page), which includes a color rating (shades of
Homeland Security). This makes sense because the colors simply reflect the
standard severity ratings.

The bulletins are also now linked to numbers that correspond
to the related Knowledge Base Article, which explains the details of the problem
addressed by the Security Bulletin or describes ways to work around any known
problems caused by installing the patches.

I like the new system for average administrators who can
quickly see which, if any, bulletins they need to look at, both based on the
severity rating and the clear list of affected software.