Alert: Microsoft Security Bulletin MS03-045 - Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 10/16/03

    Date:         Wed, 15 Oct 2003 19:38:14 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Bulletin URL:
    http://www.microsoft.com/technet/security/bulletin/MS03-045.asp

    Summary:

      Version Number: V1.0
      Revision Date: 10-15-2003
      Patch(es) Replaced: None
      Caveats: None
      CVE Number(s): CAN-2003-065

    Tested Software:
      Affected Software:
      * Microsoft Windows NT Workstation 4.0, Service Pack 6a
      * Microsoft Windows NT Server 4.0, Service Pack 6a
      * Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
      * Microsoft Windows 2000, Service Pack 2
      * Microsoft Windows 2000 Service Pack 3, Service Pack 4
      * Microsoft Windows XP Gold, Service Pack 1
      * Microsoft Windows XP 64 bit Edition
      * Microsoft Windows XP 64 bit Edition Version 2003
      * Microsoft Windows Server 2003
      * Microsoft Windows Server 2003 64 bit Edition

      Software Not Affected:
      * Microsoft Windows Millennium Edition

    Technical Description:
    A vulnerability exists because the ListBox control and the ComboBox
    control both call a function, which is located in the User32.dll file,
    that contains a buffer overrun. The function does not correctly validate
    the parameters that are sent from a specially-crafted Windows message.
    Windows messages provide a way for interactive processes to react to
    user events (for example, keystrokes or mouse movements) and to
    communicate with other interactive processes. A security vulnerability
    exists because the function that provides the list of accessibility
    options to the user does not correctly validate Windows messages that
    are sent to it. One process in the interactive desktop could use a
    specific Windows message to cause the ListBox control or the ComboBox
    control to execute arbitrary code. Any program that implements the
    ListBox control or the ComboBox control could allow code to be
    executed at an elevated level of administrative credentials, as long as
    the program is running at an elevated level of privileges (for example,
    Utility Manager in Windows 2000). This could include third-party
    applications. An attacker who had the ability to log on to a system
    interactively could run a program that could send a specially-crafted
    Windows message to any applications that have implemented the ListBox
    control or the ComboBox control, causing the application to take any
    action an attacker specified. This could give an attacker complete
    control over the system by using Utility Manager in Windows 2000.

    This email is sent to NTBugtraq automatically as a service to my
    subscribers. (v2.0)

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
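
The bug class the bulletin describes, a control's message handler acting on sender-supplied parameters without validating them, shown beside a validated form as an added example that is not Microsoft's code and not part of the original post. The message id, struct layout and function names are hypothetical; this is a portable model, not the User32.dll function.

```c
#include <stddef.h>
#include <string.h>

#define ITEM_MAX    32        /* capacity of the control's internal buffer */
#define MSG_SETITEM 0x0401u   /* hypothetical message id, not a real Windows message */

/* Constructed stand-in for a window message: both parameters are chosen by the
 * sender, which may be any other process on the same interactive desktop. */
struct msg { unsigned id; size_t wparam; const char *lparam; };

struct control { char item[ITEM_MAX]; };

/* Flawed pattern: the sender's length is used as the copy size, so a message
 * with wparam >= ITEM_MAX writes past item[]. Shown for contrast only. */
int control_handle_unchecked(struct control *c, const struct msg *m)
{
    if (m->id != MSG_SETITEM) return -1;
    memcpy(c->item, m->lparam, m->wparam);
    c->item[m->wparam] = '\0';
    return 0;
}

/* Hardened pattern: every parameter is validated against the receiver's own
 * limits before any byte is copied. Returns 0 on success, -1 on rejection. */
int control_handle(struct control *c, const struct msg *m)
{
    const char *nul;

    if (m->id != MSG_SETITEM || m->lparam == NULL) return -1;
    if (m->wparam >= ITEM_MAX) return -1;          /* must leave room for NUL */

    /* The claimed length must match the real string length; the search is
     * bounded by wparam + 1, which is already known to fit in item[]. */
    nul = memchr(m->lparam, '\0', m->wparam + 1);
    if (nul == NULL || (size_t)(nul - m->lparam) != m->wparam) return -1;

    memcpy(c->item, m->lparam, m->wparam + 1);
    return 0;
}
```

The point for a program running with elevated privileges is that the check lives in the receiver: the handler cannot assume the sending process is as trusted as it is.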

    
