MajorRev: v2.0 Microsoft Security Bulletin MS04-011 - Security Update for Microsoft Windows (835732)
From: Russ Cooper (Russ.Cooper_at_TRUSECURE.CA)
Date: 06/15/04
Date: Tue, 15 Jun 2004 17:52:49 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Microsoft Security Bulletin MS04-011:
Security Update for Microsoft Windows (835732)
Bulletin URL:
<http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx>
Reason for Revision: Updated bulletin to advise on the availability of
an updated Windows NT 4.0 Workstation update for the Pan Chinese
language. This update should be installed by customers even if the
original update was installed.
Version Number: 2.0
Issued Date: Tuesday, April 13, 2004
Revision Date: Tuesday, June 15, 2004
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Patch(es) Replaced: This bulletin replaces several prior security
updates. See the frequently asked questions (FAQ) section of this
bulletin for the complete list.
Caveats: The security update for Windows NT Server 4.0 Terminal Server
Edition Service Pack 6 requires, as a prerequisite, the Windows NT
Server 4.0 Terminal Server Edition Security Rollup Package (SRP). To
download the SRP, visit the following Web site. You must install the SRP
before you install the security update that is provided in this security
bulletin. If you are not using Windows NT Server 4.0 Terminal Server
Edition Service Pack 6 you do not need to install the SRP. Microsoft
Knowledge Base Article 835732 documents the currently known issues that
customers may experience when they install this security update. The
article also documents recommended solutions for these issues. For more
information, see Microsoft Knowledge Base Article 835732.
Executive Summary:
------------------
Microsoft re-issued this bulletin on June 15, 2004 to advise on the
availability of an updated Windows NT 4.0 Workstation update for the Pan
Chinese language.
This revised update corrects an installation issue that some customers
experienced with the original update. This issue is unrelated to the
security vulnerability discussed in this bulletin. However, this issue
has caused some customers difficulty installing the update. If you have
previously applied this security update, this update does need to be
installed to avoid potential issues when installing future security
updates. This issue only affects the Pan Chinese language version of the
update and only those versions of the update are being re-released.
Other language versions of this update are not affected and are not
being re-released.
This update resolves several newly-discovered vulnerabilities. Each
vulnerability is documented in this bulletin in its own section.
An attacker who successfully exploited the most severe of these
vulnerabilities could take complete control of an affected system,
including installing programs; viewing, changing, or deleting data; or
creating new accounts that have full privileges.
Tested Software:
----------------
Affected Software:
* Microsoft Windows NT Workstation 4.0 Service Pack 6a
<http://tinyurl.com/2qctw>
* Microsoft Windows NT Server 4.0 Service Pack 6a
<http://tinyurl.com/226ud>
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
<http://tinyurl.com/3339r>
* Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, and Microsoft Windows 2000 Service Pack 4
<http://tinyurl.com/2r7lg>
* Microsoft Windows XP and Microsoft Windows XP Service Pack 1
<http://tinyurl.com/2vj4h>
* Microsoft Windows XP 64-Bit Edition Service Pack 1
<http://tinyurl.com/3g95k>
* Microsoft Windows XP 64-Bit Edition Version 2003
<http://tinyurl.com/2stag>
* Microsoft Windows Server(tm) 2003
<http://tinyurl.com/yuoq4>
* Microsoft Windows Server 2003 64-Bit Edition
<http://tinyurl.com/2stag>
* Microsoft NetMeeting
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME) - Review the FAQ section of
this bulletin for details about these operating systems.
Technical Description:
----------------------
* LSASS Vulnerability - CAN-2003-0533: A buffer overrun vulnerability
exists in LSASS that could allow remote code execution on an affected
system. An attacker who successfully exploited this vulnerability could
take complete control of the affected system.
* LDAP Vulnerability - CAN-2003-0663: A denial of service vulnerability
exists that could allow an attacker to send a specially crafted LDAP
message to a Windows 2000 domain controller. An attacker could cause the
service responsible for authenticating users in an Active Directory
domain to stop responding.
* PCT Vulnerability - CAN-2003-0719: A buffer overrun vulnerability
exists in the Private Communications Transport (PCT) protocol, which is
part of the Microsoft Secure Sockets Layer (SSL) library. Only systems
that have SSL enabled, and in some cases Windows 2000 domain
controllers, are vulnerable. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.
* Winlogon Vulnerability - CAN-2003-0806: A buffer overrun vulnerability
exists in the Windows logon process (Winlogon). It does not check the
size of a value used during the logon process before inserting it into
the allocated buffer. The resulting overrun could allow an attacker to
remotely execute code on an affected system. Systems that are not
members of a domain are not affected by this vulnerability. An attacker
who successfully exploited this vulnerability could take complete
control of an affected system.
* Metafile Vulnerability - CAN-2003-0906: A buffer overrun vulnerability
exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile
(EMF) image formats that could allow remote code execution on an
affected system. Any program that renders WMF or EMF images on the
affected systems could be vulnerable to this attack. An attacker who
successfully exploited this vulnerability could take complete control of
an affected system.
* Help and Support Center Vulnerability - CAN-2003-0907: A remote code
execution vulnerability exists in the Help and Support Center because of
the way that it handles HCP URL validation. An attacker could exploit
the vulnerability by constructing a malicious HCP URL that could
potentially allow remote code execution if a user visited a malicious
Web site or viewed a malicious e-mail message. An attacker who
successfully exploited this vulnerability could take complete control of
an affected system.
* Utility Manager Vulnerability - CAN-2003-0908: A privilege elevation
vulnerability exists in the way that Utility Manager launches
applications. A logged-on user could force Utility Manager to start an
application with system privileges and take complete control of the
system.
* Windows Management Vulnerability - CAN-2003-0909: A privilege elevation
vulnerability exists in the way that Windows XP allows tasks to be
created. Under special conditions, a non-privileged user could create a
task that could execute with system permissions and therefore take
complete control of the system.
* Local Descriptor Table Vulnerability - CAN-2003-0910: A privilege
elevation vulnerability exists in a programming interface that is used
to create entries in the Local Descriptor Table (LDT). These entries
contain information about segments of memory. An attacker who is logged
on locally could create a malicious entry and thereby gain access to
protected memory, and could take complete control of the system.
* H.323 Vulnerability - CAN-2004-0117: A remote code execution
vulnerability exists in the way the Microsoft H.323 protocol
implementation handles malformed requests. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system.
* Virtual DOS Machine Vulnerability - CAN-2004-0118: A privilege
elevation vulnerability exists in the operating system component that
handles the Virtual DOS Machine (VDM) subsystem. This vulnerability
could allow a logged on user to take complete control of the system.
* Negotiate SSP Vulnerability - CAN-2004-0119: A buffer overrun
vulnerability exists in the Negotiate Security Software Provider (SSP)
interface that could allow remote code execution. This vulnerability
exists because of the way the Negotiate SSP interface validates a value
that is used during authentication protocol selection. An attacker who
successfully exploited this vulnerability could take complete control of
an affected system.
* SSL Vulnerability - CAN-2004-0120: A denial of service vulnerability
exists in the Microsoft Secure Sockets Layer (SSL) library. The
vulnerability results from the way that the Microsoft SSL library
handles malformed SSL messages. This vulnerability could cause the
affected system to stop accepting SSL connections on Windows 2000 and
Windows XP. On Windows Server 2003, the vulnerability could cause the
affected system to automatically restart.
* ASN.1 'Double Free' Vulnerability - CAN-2004-0123: A remote code
execution vulnerability exists in the Microsoft ASN.1 Library. The
vulnerability is caused by a possible "double-free" condition in the
Microsoft ASN.1 Library that could lead to memory corruption on an
affected system. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.
However, under the most likely attack scenario this issue is a denial of
service vulnerability.
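The Technical Description above is a long list of CAN entries whose impact class (remote code execution, privilege elevation, denial of service) is buried in prose, which is awkward when you are triaging a dozen bulletins at once. The following script is an added example, not part of the bulletin or the NTBugtraq mail: it parses the bulletin's plain-text layout ("* Name - CAN-id: description", continuation lines unprefixed, sections delimited by a dashed underline) into structured records and assigns an impact label with a keyword heuristic of my own. The embedded excerpt is a constructed, shortened copy of four entries from this bulletin; the rule order (RCE before EoP before DoS, with a bare "buffer overrun" counted as RCE because entries such as PCT name no impact class) is an assumption about how to rank an entry that mentions several outcomes, and the label names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the same layout as the bulletin mail (four entries,
# descriptions shortened). Not the full bulletin text.
SAMPLE_BULLETIN = """\
Technical Description:
----------------------
* LSASS Vulnerability - CAN-2003-0533: A buffer overrun vulnerability
exists in LSASS that could allow remote code execution on an affected
system.
* LDAP Vulnerability - CAN-2003-0663: A denial of service vulnerability
exists that could allow an attacker to send a specially crafted LDAP
message to a Windows 2000 domain controller.
* Utility Manager Vulnerability - CAN-2003-0908: A privilege elevation
vulnerability exists in the way that Utility Manager launches
applications.
* H.323 Vulnerability - CAN-2004-0117 A remote code execution
vulnerability exists in the way the Microsoft H.323 protocol
implementation handles malformed requests.
Revision History:
-----------------
* v1.0 - 4/13/2004: Bulletin published
"""

# Entry header: "* <name> - <CAN-id>[:] <start of description>".
# The colon is optional because the mail is inconsistent about it.
ENTRY_RE = re.compile(r"^\* (?P<name>.+?) - (?P<cve>CAN-\d{4}-\d{4}):?\s*(?P<desc>.*)$")
UNDERLINE_RE = re.compile(r"^-{3,}$")

# Heuristic (assumption): first matching phrase wins, so an entry that names
# both code execution and denial of service is rated by its worse outcome.
IMPACT_RULES = [
    ("remote code execution", "RCE"),
    ("remotely execute code", "RCE"),
    ("privilege elevation", "EoP"),
    ("denial of service", "DoS"),
    ("buffer overrun", "RCE"),  # entries that name only the overrun, e.g. PCT
]
SEVERITY_ORDER = {"RCE": 3, "EoP": 2, "DoS": 1, "unknown": 0}


@dataclass
class Entry:
    name: str
    cve: str
    impact: str
    description: str


def classify(description: str) -> str:
    """Map a description paragraph to one of the impact labels above."""
    text = description.lower()
    for phrase, label in IMPACT_RULES:
        if phrase in text:
            return label
    return "unknown"


def technical_description(text: str) -> List[str]:
    """Return the body lines of 'Technical Description:' (heading and its
    underline dropped), stopping before the next underlined heading."""
    lines = text.splitlines()
    if "Technical Description:" not in lines:
        return []
    start = lines.index("Technical Description:") + 2  # skip heading + dashes
    body: List[str] = []
    for line in lines[start:]:
        if UNDERLINE_RE.match(line) and body:
            body.pop()  # the line before an underline is the next heading
            break
        body.append(line)
    return body


def parse_entries(text: str) -> List[Entry]:
    """Group the section into entries; unprefixed lines continue the previous one."""
    entries: List[Entry] = []
    current: List[str] = []
    for line in technical_description(text):
        m = ENTRY_RE.match(line)
        if m:
            if current:
                entries.append(Entry(current[0], current[1], classify(current[2]), current[2]))
            current = [m.group("name"), m.group("cve"), m.group("desc")]
        elif current:
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        entries.append(Entry(current[0], current[1], classify(current[2]), current[2]))
    return entries


def by_impact(entries: List[Entry]) -> Dict[str, List[str]]:
    """Impact label -> list of CAN ids, in bulletin order."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        groups.setdefault(e.impact, []).append(e.cve)
    return groups


def worst_impact(entries: List[Entry]) -> str:
    """Highest-ranked impact label present, for a one-line triage summary."""
    if not entries:
        return "unknown"
    return max((e.impact for e in entries), key=lambda label: SEVERITY_ORDER[label])


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_BULLETIN)
    for e in parsed:
        print(f"{e.cve}  {e.impact:<4} {e.name}")
    print("worst:", worst_impact(parsed), by_impact(parsed))
```

Run against the full mail instead of the excerpt by reading the message body into `parse_entries`; the parser relies only on the "* " prefix, the " - CAN-" separator and the dashed underline that closes each section, so it tolerates the missing colons in the original. Treat the impact label as a triage hint, not a verdict: the ASN.1 entry, for instance, is rated RCE by the rules above even though the bulletin notes the likely real-world outcome is denial of service.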
Revision History:
-----------------
* v1.0 - 4/13/2004: Bulletin published
* v1.1 - 4/21/2004: Bulletin updated to reflect updated information in
the Update Replacement Section. Bulletin has also been updated to
reflect the change in the MBSA detection behavior as described in the
updated FAQ section. The bulletin also contains revisions to the
workaround section for the Utility Manager Vulnerability
(CAN-2003-0908).
* v1.2 - 4/28/2004: Updated Caveats section to reflect the availability
of a revised Microsoft Knowledge Base Article 835732. It documents the
currently known issues that customers may experience when installing
this security update. The article also documents recommended solutions
for these issues.
* v1.3 - 5/4/2004: Added new information in the Workarounds section for
the LSASS Vulnerability.
* v2.0 - 6/15/2004: Updated bulletin to advise on the availability of an
updated Windows NT 4.0 Workstation update for the Pan Chinese language.
This update should be installed by customers even if the original update
was installed.
This email is sent to NTBugtraq automagically as a service to my
subscribers. (v4.01.1627.30356)
Cheers,
Russ - Senior Scientist - TruSecure Corporation/NTBugtraq Editor
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----