MajorRev: v2.0 Microsoft Security Bulletin MS04-011 - Security Update for Microsoft Windows (835732)

From: Russ Cooper (Russ.Cooper_at_TRUSECURE.CA)
Date: 06/15/04

    Date:         Tue, 15 Jun 2004 17:52:49 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Microsoft Security Bulletin MS04-011:
    Security Update for Microsoft Windows (835732)

    Bulletin URL:
    <http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx>

    Reason for Revision: Updated bulletin to advise on the availability of
    an updated Windows NT 4.0 Workstation update for the Pan Chinese
    language. This update should be installed by customers even if the
    original update was installed.
    Version Number: 2.0
    Issued Date: Tuesday, April 13, 2004
    Revision Date: Tuesday, June 15, 2004
    Impact of Vulnerability: Remote Code Execution
    Maximum Severity Rating: Critical
    Patch(es) Replaced: This bulletin replaces several prior security
    updates. See the frequently asked questions (FAQ) section of this
    bulletin for the complete list.
    Caveats: The security update for Windows NT Server 4.0 Terminal Server
    Edition Service Pack 6 requires, as a prerequisite, the Windows NT
    Server 4.0 Terminal Server Edition Security Rollup Package (SRP). To
    download the SRP, visit the following Web site. You must install the SRP
    before you install the security update that is provided in this security
    bulletin. If you are not using Windows NT Server 4.0 Terminal Server
    Edition Service Pack 6 you do not need to install the SRP. Microsoft
    Knowledge Base Article 835732 documents the currently known issues that
    customers may experience when they install this security update. The
    article also documents recommended solutions for these issues. For more
    information, see Microsoft Knowledge Base Article 835732.

    Executive Summary:
    ------------------
    Microsoft re-issued this bulletin on June 15, 2004 to advise on the
    availability of an updated Windows NT 4.0 Workstation update for the Pan
    Chinese language.

    This revised update corrects an installation issue that some customers
    experienced with the original update. This issue is unrelated to the
    security vulnerability discussed in this bulletin. However, this issue
    has caused some customers difficulty installing the update. If you have
    previously applied this security update, this update does need to be
    installed to avoid potential issues when installing future security
    updates. This issue only affects the Pan Chinese language version of the
    update and only those versions of the update are being re-released.
    Other language versions of this update are not affected and are not
    being re-released.

    This update resolves several newly-discovered vulnerabilities. Each
    vulnerability is documented in this bulletin in its own section.

    An attacker who successfully exploited the most severe of these
    vulnerabilities could take complete control of an affected system,
    including installing programs; viewing, changing, or deleting data; or
    creating new accounts that have full privileges.

    Tested Software:
    Affected Software:
    ------------------
    * Microsoft Windows NT Workstation 4.0 Service Pack 6a
    <http://tinyurl.com/2qctw>
    * Microsoft Windows NT Server 4.0 Service Pack 6a
    <http://tinyurl.com/226ud>
    * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
    <http://tinyurl.com/3339r>
    * Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
    Pack 3, and Microsoft Windows 2000 Service Pack 4
    <http://tinyurl.com/2r7lg>
    * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
    <http://tinyurl.com/2vj4h>
    * Microsoft Windows XP 64-Bit Edition Service Pack 1
    <http://tinyurl.com/3g95k>
    * Microsoft Windows XP 64-Bit Edition Version 2003
    <http://tinyurl.com/2stag>
    * Microsoft Windows Server(tm) 2003
    <http://tinyurl.com/yuoq4>
    * Microsoft Windows Server 2003 64-Bit Edition
    <http://tinyurl.com/2stag>
    * Microsoft NetMeeting
    * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (ME) - Review the FAQ section of
    this bulletin for details about these operating systems.

    Technical Description:
    ----------------------
    * LSASS Vulnerability - CAN-2003-0533: A buffer overrun vulnerability
    exists in LSASS that could allow remote code execution on an affected
    system. An attacker who successfully exploited this vulnerability could
    take complete control of the affected system.

    * LDAP Vulnerability - CAN-2003-0663: A denial of service vulnerability
    exists that could allow an attacker to send a specially crafted LDAP
    message to a Windows 2000 domain controller. An attacker could cause the
    service responsible for authenticating users in an Active Directory
    domain to stop responding.

    * PCT Vulnerability - CAN-2003-0719: A buffer overrun vulnerability
    exists in the Private Communications Transport (PCT) protocol, which is
    part of the Microsoft Secure Sockets Layer (SSL) library. Only systems
    that have SSL enabled, and in some cases Windows 2000 domain
    controllers, are vulnerable. An attacker who successfully exploited this
    vulnerability could take complete control of an affected system.

    * Winlogon Vulnerability - CAN-2003-0806: A buffer overrun vulnerability
    exists in the Windows logon process (Winlogon). It does not check the
    size of a value used during the logon process before inserting it into
    the allocated buffer. The resulting overrun could allow an attacker to
    remotely execute code on an affected system. Systems that are not
    members of a domain are not affected by this vulnerability. An attacker
    who successfully exploited this vulnerability could take complete
    control of an affected system.

    * Metafile Vulnerability - CAN-2003-0906: A buffer overrun vulnerability
    exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile
    (EMF) image formats that could allow remote code execution on an
    affected system. Any program that renders WMF or EMF images on the
    affected systems could be vulnerable to this attack. An attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system.

    * Help and Support Center Vulnerability - CAN-2003-0907: A remote code
    execution vulnerability exists in the Help and Support Center because of
    the way that it handles HCP URL validation. An attacker could exploit
    the vulnerability by constructing a malicious HCP URL that could
    potentially allow remote code execution if a user visited a malicious
    Web site or viewed a malicious e-mail message. An attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system.

    * Utility Manager Vulnerability - CAN-2003-0908: A privilege elevation
    vulnerability exists in the way that Utility Manager launches
    applications. A logged-on user could force Utility Manager to start an
    application with system privileges and take complete control of the
    system.

    * Windows Management Vulnerability - CAN-2003-0909: A privilege elevation
    vulnerability exists in the way that Windows XP allows tasks to be
    created. Under special conditions, a non-privileged user could create a
    task that could execute with system permissions and therefore take
    complete control of the system.

    * Local Descriptor Table Vulnerability - CAN-2003-0910: A privilege
    elevation vulnerability exists in a programming interface that is used
    to create entries in the Local Descriptor Table (LDT). These entries
    contain information about segments of memory. An attacker who is logged
    on locally could create a malicious entry and thereby gain access to
    protected memory, and could take complete control of the system.

    * H.323 Vulnerability - CAN-2004-0117: A remote code execution
    vulnerability exists in the way the Microsoft H.323 protocol
    implementation handles malformed requests. An attacker who successfully
    exploited this vulnerability could take complete control of an affected
    system.

    * Virtual DOS Machine Vulnerability - CAN-2004-0118: A privilege
    elevation vulnerability exists in the operating system component that
    handles the Virtual DOS Machine (VDM) subsystem. This vulnerability
    could allow a logged on user to take complete control of the system.

    * Negotiate SSP Vulnerability - CAN-2004-0119: A buffer overrun
    vulnerability exists in the Negotiate Security Software Provider (SSP)
    interface that could allow remote code execution. This vulnerability
    exists because of the way the Negotiate SSP interface validates a value
    that is used during authentication protocol selection. An attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system.

    * SSL Vulnerability - CAN-2004-0120: A denial of service vulnerability
    exists in the Microsoft Secure Sockets Layer (SSL) library. The
    vulnerability results from the way that the Microsoft SSL library
    handles malformed SSL messages. This vulnerability could cause the
    affected system to stop accepting SSL connections on Windows 2000 and
    Windows XP. On Windows Server 2003, the vulnerability could cause the
    affected system to automatically restart.

    * ASN.1 'Double Free' Vulnerability - CAN-2004-0123: A remote code
    execution vulnerability exists in the Microsoft ASN.1 Library. The
    vulnerability is caused by a possible "double-free" condition in the
    Microsoft ASN.1 Library that could lead to memory corruption on an
    affected system. An attacker who successfully exploited this
    vulnerability could take complete control of an affected system.
    However, under the most likely attack scenario this issue is a denial of
    service vulnerability.

    Revision History:
    -----------------
    * v1.0 - 4/13/2004: Bulletin published
    * v1.1 - 4/21/2004: Bulletin updated to reflect updated information in
    the Update Replacement Section. Bulletin has also been updated to
    reflect the change in the MBSA detection behavior as described in the
    updated FAQ section. The bulletin also contains revisions to the
    workaround section for the Utility Manager Vulnerability
    (CAN-2003-0908).
    * v1.2 - 4/28/2004: Updated Caveats section to reflect the availability
    of a revised Microsoft Knowledge Base Article 835732. It documents the
    currently known issues that customers may experience when installing
    this security update. The article also documents recommended solutions
    for these issues.
    * v1.3 - 5/4/2004: Added new information in the Workarounds section for
    the LSASS Vulnerability.
    * v2.0 - 6/15/2004: Updated bulletin to advise on the availability of an
    updated Windows NT 4.0 Workstation update for the Pan Chinese language.
    This update should be installed by customers even if the original update
    was installed.

    This email is sent to NTBugtraq automagically as a service to my
    subscribers. (v4.01.1627.30356)

    Cheers,
    Russ - Senior Scientist - TruSecure Corporation/NTBugtraq Editor

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----
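The bulletin describes the Winlogon (CAN-2003-0806) and Negotiate SSP (CAN-2004-0119) issues in the same terms: a value received during logon or authentication protocol selection is placed into an allocated buffer without its size being checked first. The following is an added illustration of that vulnerability class in C, written for this page; it is not Microsoft's code, says nothing about how Winlogon or the Negotiate SSP actually parse their messages, and uses a hypothetical message layout (one length byte followed by the value), a hypothetical buffer size, and constructed sample messages.

```c
/* Added example, not from the bulletin or from Microsoft: a length-prefixed
 * value copied into a fixed-size buffer, first without and then with the
 * size check the bulletin says Winlogon and the Negotiate SSP lacked.
 * Message layout, buffer size and sample inputs are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 16   /* hypothetical fixed-size destination buffer */

/* Vulnerable pattern: the declared length is trusted. A hostile length byte
 * makes memcpy read past the end of 'msg' and write past the end of 'out'. */
static int parse_value_unchecked(const uint8_t *msg, size_t msg_len,
                                 char out[VALUE_MAX]) {
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    memcpy(out, msg + 1, len);   /* no check against msg_len or VALUE_MAX */
    out[len] = '\0';             /* also out of bounds when len >= VALUE_MAX */
    return (int)len;
}

/* Hardened pattern: validate the declared length against both the bytes that
 * actually arrived and the destination size before touching either buffer. */
static int parse_value_checked(const uint8_t *msg, size_t msg_len,
                               char out[VALUE_MAX]) {
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (len > msg_len - 1) return -1;   /* claims more bytes than were received */
    if (len >= VALUE_MAX) return -1;    /* would not fit with the terminator */
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed inputs: a well-formed message and one whose length byte lies. */
static const uint8_t good_msg[] = { 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t bad_msg[]  = { 200, 'A', 'B', 'C' };

int main(void) {
    char out[VALUE_MAX];
    int n = parse_value_checked(good_msg, sizeof good_msg, out);
    printf("well-formed: rc=%d value=\"%s\"\n", n, out);
    n = parse_value_checked(bad_msg, sizeof bad_msg, out);
    printf("malformed:   rc=%d (rejected before any copy)\n", n);
    /* parse_value_unchecked(bad_msg, ...) would overrun 'out' by up to
     * 184 bytes and read past 'bad_msg'; it is deliberately not called. */
    return 0;
}
```

The two checks in the hardened version are independent: the first stops an over-read of the received message, the second stops the overrun of the destination, and a parser needs both. Checking only one of them, or checking after the copy, leaves the class of bug the bulletin describes in place.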

