[NT] Security Update for Microsoft Windows (MS04-032)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/13/04

    To: list@securiteam.com
    Date: 13 Oct 2004 15:38:09 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Security Update for Microsoft Windows (MS04-032)
    ------------------------------------------------------------------------

    SUMMARY

    This update resolves several newly discovered, privately reported
    vulnerabilities in Window Management, the Virtual DOS Machine, the
    Graphics Rendering Engine and the Windows kernel.

    Window Management Vulnerability - A privilege elevation vulnerability
    exists in the Window Management application programming interfaces (APIs).
    This vulnerability could allow a logged on user to take complete control
    of the system.

    Virtual DOS Machine Vulnerability - A local privilege elevation
    vulnerability exists in the operating system component that handles the
    Virtual DOS Machine (VDM) subsystem. This vulnerability could allow a
    logged on user to take complete control of the system.

    Graphics Rendering Engine Vulnerability - A remote code execution
    vulnerability exists in the rendering of the Windows Metafile (WMF) and
    Enhanced Metafile (EMF) image formats. Any program that renders WMF or
    EMF images on an affected system could be used as an attack vector. An
    attacker who successfully exploited this vulnerability could take
    complete control of an affected system.

    Windows Kernel Vulnerability - A local denial of service vulnerability
    exists in the Windows kernel. An attacker could locally run a program that
    could cause the affected system to stop responding.

    An attacker who successfully exploited the most severe of these
    vulnerabilities could take complete control of an affected system,
    including installing programs; viewing, changing, or deleting data; or
    creating new accounts that have full privileges.

    DETAILS

    Affected Software:
    Microsoft Windows NT Server 4.0 Service Pack 6a
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=533AE5CD-74CE-470A-8916-8E358084497C> Download the update
    Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=3B871A96-5F64-4432-920F-FA5760DF683A> Download the update
    Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service
    Pack 4
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=4A614222-BA0B-4927-856D-D443BBBE1A42> Download the update
    Microsoft Windows XP and Microsoft Windows XP Service Pack 1
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=715E985B-7929-4BD5-9564-5CFE7D528398> Download the update
    Microsoft Windows XP 64-Bit Edition Service Pack 1
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=99184841-70A8-47C7-9993-44A60E999A40> Download the update
    Microsoft Windows XP 64-Bit Edition Version 2003
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=B4E6BBCF-F5B9-4B2D-8BC4-30911CA4FD9C> Download the update
    Microsoft Windows Server 2003
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=206E9842-997D-45E4-9252-61F3CE5EA66C> Download the update
    Microsoft Windows Server 2003 64-Bit Edition
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=B4E6BBCF-F5B9-4B2D-8BC4-30911CA4FD9C> Download the update
    Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (ME) Review the FAQ section of this
    bulletin for details about these operating systems.

    Non-Affected Software:
    Microsoft Windows XP Service Pack 2

    Caveats: Microsoft Knowledge Base Article
    <http://support.microsoft.com/default.aspx?scid=kb;en-us;840987> 840987
    documents the currently known issues that customers may experience when
    they install this security update, together with the recommended
    solutions for these issues.

    CVE Information:
    Window Management Vulnerability -
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0207>
    CAN-2004-0207
    Virtual DOS Machine Vulnerability -
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0208>
    CAN-2004-0208
    Graphics Rendering Engine Vulnerability -
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0209>
    CAN-2004-0209
    Windows Kernel Vulnerability -
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0211>
    CAN-2004-0211

    Mitigating Factors for Window Management Vulnerability:
    An attacker must have valid logon credentials and be able to log on
    locally to exploit this vulnerability. The vulnerability could not be
    exploited remotely or by anonymous users.

    FAQ for Window Management Vulnerability:
    What is the scope of the vulnerability?
    This is a local privilege elevation vulnerability. An attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system, including installing programs; viewing, changing, or
    deleting data; or creating new accounts that have full privileges.

    What causes the vulnerability?
    Several Window Management API functions allow a program to change the
    properties of windows that belong to other programs running at a higher
    level of privilege. A program should only be able to change the
    properties of programs that run at the same level of privilege. The
    properties of a higher-privileged program could be changed in a way that
    results in an elevation of privilege for the locally logged-on user.

    What are the Window Management application programming interface
    functions?
    The Windows graphical user interface (GUI) allows programs to change
    various properties that define that program such as the size of the window
    or the name of the program. The Window Management API functions are the
    components of the operating system that programs use to change these
    properties. For more information about the components that are used to
    build Windows programs, visit the
    <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowui.asp> MSDN Web site.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could take
    complete control of the affected system.

    Who could exploit the vulnerability?
    To exploit the vulnerability, an attacker must be able to log on locally
    to a system and run a program.

    How could an attacker exploit the vulnerability?
    To exploit this vulnerability, an attacker would first have to log on to
    the system. An attacker could then run a specially-crafted program that
    could attempt to exploit the vulnerability, and thereby gain complete
    control over the affected system.

    What systems are primarily at risk from the vulnerability?
    Workstations and terminal servers are primarily at risk. Servers are only
    at risk if users who do not have sufficient administrative credentials are
    given the ability to log on to servers and to run programs. However, best
    practices strongly discourage allowing this.

    Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
    critically affected by this vulnerability?
    No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium
    Edition do contain the affected component, the vulnerability is not
    critical. For more information about severity ratings, visit the following
    <http://go.microsoft.com/fwlink/?LinkId=21140> Web site.

    Could the vulnerability be exploited over the Internet?
    No. An attacker must be able to log on to the specific system that is
    targeted for attack. An attacker cannot load and run a program remotely by
    using this vulnerability.

    What does the update do?
    The update removes the vulnerability by preventing programs from changing
    the properties of other programs that are running at a different level of
    privilege.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    No. Microsoft received information about this vulnerability through
    responsible disclosure. Microsoft had not received any information
    indicating that this vulnerability had been publicly disclosed when this
    security bulletin was originally issued.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information indicating that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    Mitigating Factors for Virtual DOS Machine Vulnerability:
    An attacker must have valid logon credentials and be able to log on
    locally to exploit this vulnerability. The vulnerability could not be
    exploited remotely or by anonymous users.
    Windows XP Service Pack 2 is not affected by this vulnerability.

    FAQ for Virtual DOS Machine Vulnerability:
    What is the scope of the vulnerability?
    This is a privilege elevation vulnerability. An attacker who successfully
    exploited this vulnerability could take complete control of an affected
    system, including installing programs; viewing, changing, or deleting
    data; or creating new accounts that have full privileges. To exploit the
    vulnerability, an attacker must be able to log on locally to the system
    and run a program.

    What causes the vulnerability?
    The operating system component that handles the virtual DOS machine (VDM)
    subsystem could be used to gain access to protected kernel memory. In
    certain circumstances, some privileged operating system functions might
    not validate system structures and could allow an attacker to execute a
    specially-designed program with system privileges.

    What is the virtual DOS machine subsystem?
    A virtual DOS machine (VDM) subsystem is an environment that emulates the
    MS-DOS operating system and the MS-DOS-based Windows operating system on
    Windows NT-based operating systems. A VDM is created whenever a user
    starts an MS-DOS application on a Windows NT-based operating system.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could take
    complete control of an affected system, including installing programs;
    viewing, changing, or deleting data; or creating new accounts that have
    full privileges.

    Who could exploit the vulnerability?
    To exploit the vulnerability, an attacker must be able to log on locally
    to a system and run a program.

    How could an attacker exploit this vulnerability?
    To exploit this vulnerability, an attacker would first have to log on to
    the system. An attacker could then run a specially-designed application
    that could exploit the vulnerability, and thereby gain complete control
    over the affected system.

    What systems are primarily at risk from the vulnerability?
    Workstations and terminal servers are primarily at risk. Servers are only
    at risk if users who do not have sufficient administrative credentials are
    given the ability to log on to servers and to run programs. However, best
    practices strongly discourage allowing this.

    Could the vulnerability be exploited over the Internet?
    No. An attacker must be able to log on to the specific system targeted for
    attack. An attacker cannot load and run a program remotely by using this
    vulnerability.

    What does the update do?
    This update modifies the way that Windows validates data when referencing
    memory locations that are allocated to a VDM.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information indicating that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    How does this vulnerability relate to the virtual DOS machine
    vulnerability that is corrected by MS04-011?
    Both vulnerabilities were in the virtual DOS machine. However, this update
    addresses a new vulnerability that was not addressed as part of MS04-011.
    MS04-011 helps protect against the vulnerability that is discussed in that
    bulletin, but does not address this new vulnerability. This update does
    not replace MS04-011. You must install this update and the update that is
    provided as part of the MS04-011 security bulletin to help protect your
    system against both vulnerabilities.

    Mitigating Factors for Graphics Rendering Engine Vulnerability:
    The vulnerability could be exploited by an attacker who persuaded a user
    to open a specially crafted file or to view a folder that contains the
    specially crafted image. There is no way for an attacker to force a user
    to open a malicious file, except potentially through previewing an email
    message.
    In a Web-based attack scenario, an attacker would have to host a Web site
    that contains a Web page that is used to exploit this vulnerability. An
    attacker would have no way to force users to visit a malicious Web site.
    Instead, an attacker would have to persuade them to visit the Web site,
    typically by getting them to click a link that takes them to the
    attacker's site.
    Windows XP Service Pack 2 is not affected by this vulnerability.

    Workarounds for Graphics Rendering Engine Vulnerability:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    below.

    Read e-mail messages in plain text format if you are using Outlook 2002 or
    later, or Outlook Express 6 SP1 or later, to help protect yourself from
    the HTML e-mail attack vector.

    Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or
    later and Microsoft Outlook Express 6 users who have applied Internet
    Explorer 6 Service Pack 1 can enable this setting so that e-mail messages
    that are neither digitally signed nor encrypted are displayed in plain
    text only.

    Digitally signed e-mail messages or encrypted e-mail messages are not
    affected by the setting and may be read in their original formats. For
    more information about enabling this setting in Outlook 2002, see
    Microsoft Knowledge Base Article
    <http://support.microsoft.com/default.aspx?scid=kb;en-us;307594> 307594.

    For information about this setting in Outlook Express 6, see Microsoft
    Knowledge Base Article <http://support.microsoft.com/?kbid=291387>
    291387.

    Impact of Workaround: E-mail messages that are viewed in plain text format
    will not contain pictures, specialized fonts, animations, or other rich
    content. In addition:
     * The changes are applied to the preview pane and to open messages.
     * Pictures become attachments so that they are not lost. Note: manually
    viewing these pictures could still allow remote code execution if you are
    using a vulnerable application or operating system.
     * Because the message is still in Rich Text or HTML format in the store,
    the object model (custom code solutions) may behave unexpectedly.

    FAQ for Graphics Rendering Engine Vulnerability:
    What is the scope of the vulnerability?
    This is a remote code execution vulnerability. An attacker who
    successfully exploited this vulnerability could remotely take complete
    control of an affected system, including installing programs; viewing,
    changing, or deleting data; or creating new accounts that have full
    privileges. This vulnerability could also be used to attempt to perform a
    local elevation of privilege or a remote denial of service.

    What causes the vulnerability?
    An unchecked buffer in the way that the Graphics Rendering Engine
    processes Windows Metafile (WMF) and Enhanced Metafile (EMF) image
    formats.

    What are Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats?
    A WMF image is a 16-bit metafile format that can contain both vector
    information and bitmap information. It is optimized for the Windows
    operating system. An EMF image is a 32-bit format that can contain both
    vector information and bitmap information. This format is an improvement
    over the Windows Metafile format and contains extended features.

    For more information about image types and formats, see Microsoft
    Knowledge Base Article 320314. Additional information about these file
    formats is also available at the MSDN Library Web site.
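    The header layouts described above are enough to recognise WMF and EMF
    content by its bytes rather than by its extension, and to check that the
    record lengths a renderer has to trust are consistent with the data. The
    following Python script is an added example, not part of the Microsoft
    bulletin or of the SecuriTeam advisory: it identifies the format from the
    header, walks the record list and reports any record whose declared size
    runs past the end of the data, which is the kind of inconsistency a
    renderer must reject before copying record contents into a fixed-size
    buffer. The field layouts follow the public META_HEADER, placeable-header
    and EMR_HEADER structures; the sample files are constructed inline and do
    not reproduce any crafted input, since the bulletin gives no details of the
    buffer involved. The same script can be used to triage files found on a
    share, in a folder a user might preview, or in a mail store (the vectors
    listed below under "How could an attacker exploit this vulnerability?"),
    because an attacker can give a metafile any extension.

```python
"""WMF/EMF triage: identify by header bytes, check every record's declared size.
Added example, not from the MS04-032 bulletin; samples are constructed inline."""
import struct

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # magic of the 22-byte placeable (APM) header
EMF_SIGNATURE = 0x464D4520       # ' EMF' at offset 40 of the EMR_HEADER record
EMR_HEADER, EMR_EOF = 1, 14
META_EOF, META_SETMAPMODE = 0x0000, 0x0103


def identify(data):
    """Classify by header bytes only; the file extension is attacker-controlled."""
    u32 = lambda off: struct.unpack_from("<I", data, off)[0]
    if len(data) >= 44 and u32(0) == EMR_HEADER and u32(40) == EMF_SIGNATURE:
        return "EMF"
    if len(data) >= 4 and u32(0) == WMF_PLACEABLE_KEY:
        return "WMF"
    if len(data) >= 18:
        mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "WMF"
    return None


def _walk_wmf(data, findings):
    """WMF record = Size (uint32, 16-bit words, >= 3) + RecordFunction (uint16) + params."""
    off = 22 if struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY else 0
    if len(data) < off + 18:
        findings.append("truncated META_HEADER")
        return 0
    _, hdr_words, _, size_words, _, max_words, _ = struct.unpack_from("<HHHIHIH", data, off)
    if size_words * 2 != len(data) - off:
        findings.append(f"META_HEADER Size says {size_words * 2} bytes, actual {len(data) - off}")
    pos, count = off + hdr_words * 2, 0
    while pos + 6 <= len(data):
        words, func = struct.unpack_from("<IH", data, pos)
        if words < 3:                      # would not even cover Size + RecordFunction
            findings.append(f"record {count} @{pos}: Size {words} words below the 3-word minimum")
            break
        if words > max_words:
            findings.append(f"record {count} @{pos}: Size {words} words exceeds MaxRecord {max_words}")
        if pos + words * 2 > len(data):
            findings.append(f"record {count} @{pos}: function 0x{func:04X} declares {words * 2} "
                            f"bytes, only {len(data) - pos} remain")
            break
        count, pos = count + 1, pos + words * 2
        if func == META_EOF:
            return count
    findings.append("no META_EOF record within the data")   # truncated or after a bad record
    return count


def _walk_emf(data, findings):
    """EMF record = Type (uint32) + Size (uint32, bytes, multiple of 4, >= 8) + body."""
    if len(data) < 88:
        findings.append("truncated EMR_HEADER")
        return 0
    total_bytes, n_records = struct.unpack_from("<II", data, 48)
    if total_bytes != len(data):
        findings.append(f"EMR_HEADER Bytes says {total_bytes}, actual {len(data)}")
    pos, count = 0, 0
    while pos + 8 <= len(data):
        rec_type, size = struct.unpack_from("<II", data, pos)
        if size < 8 or size % 4:
            findings.append(f"record {count} @{pos}: Size {size} is too small or unaligned")
            break
        if pos + size > len(data):
            findings.append(f"record {count} @{pos}: type {rec_type} declares {size} bytes, "
                            f"only {len(data) - pos} remain")
            break
        count, pos = count + 1, pos + size
        if rec_type == EMR_EOF:
            if count != n_records:
                findings.append(f"EMR_HEADER Records says {n_records}, walked {count}")
            return count
    findings.append("no EMR_EOF record within the data")
    return count


def analyze(data):
    """Return {'format', 'records', 'findings', 'ok'}; ok is False on any inconsistency."""
    fmt, findings = identify(data), []
    if fmt is None:
        return {"format": None, "records": 0, "findings": ["no WMF or EMF header"], "ok": False}
    count = (_walk_emf if fmt == "EMF" else _walk_wmf)(data, findings)
    return {"format": fmt, "records": count, "findings": findings, "ok": not findings}


# --- constructed samples (built here, not taken from any real file) ---
def build_wmf(records):
    """Minimal standard WMF: META_HEADER + records + META_EOF; records = [(function, params)]."""
    body, max_words = b"", 3
    for func, params in records + [(META_EOF, b"")]:
        words = (6 + len(params)) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0) + body


def build_emf(records):
    """Minimal EMF: 88-byte EMR_HEADER + records + EMR_EOF; records = [(type, payload)]."""
    body = b"".join(struct.pack("<II", t, 8 + len(p)) + p for t, p in records)
    body += struct.pack("<II", EMR_EOF, 20) + struct.pack("<III", 0, 16, 20)
    hdr = struct.pack("<II", EMR_HEADER, 88) + struct.pack("<iiii", 0, 0, 99, 99)   # Bounds
    hdr += struct.pack("<iiii", 0, 0, 2640, 2640)                                    # Frame
    hdr += struct.pack("<IIIIHHIIIII", EMF_SIGNATURE, 0x00010000, 88 + len(body),
                       len(records) + 2, 1, 0, 0, 0, 0, 1024, 768)
    return hdr + struct.pack("<II", 320, 240) + body


GOOD_WMF = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8))])
GOOD_EMF = build_emf([])
# Crafted variants: the first WMF record claims 0x7FFFFFFF words; the EMR_EOF claims 64 KiB.
BAD_WMF = GOOD_WMF[:18] + struct.pack("<I", 0x7FFFFFFF) + GOOD_WMF[22:]
BAD_EMF = GOOD_EMF[:92] + struct.pack("<I", 0x10000) + GOOD_EMF[96:]
```

    A clean result only means the record table is self-consistent with the
    data length; it is not proof that a file is safe to render on an unpatched
    system, and files that fail the check are worth quarantining rather than
    previewing.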

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could take
    complete control of an affected system, including installing programs;
    viewing, changing, or deleting data; or creating new accounts that have
    full privileges.

    How could an attacker exploit this vulnerability?
    Any program that renders the affected image types could be vulnerable to
    this attack. Here are some examples:
     * An attacker could host a malicious Web site that is designed to exploit
    this vulnerability through Internet Explorer and then persuade a user to
    view the Web site.
     * An attacker could create an HTML e-mail message that has a specially
    crafted image attached. The specially crafted image could be designed to
    exploit this vulnerability through Microsoft Outlook or through Outlook
    Express 6. An attacker could persuade the user to view the HTML e-mail
    message.
     * An attacker could embed a specially crafted image in an Office document
    and then persuade the user to view the document.
     * An attacker could add a specially crafted image to the local file
    system or onto a network share and then persuade the user to preview the
    folder.
     * An attacker could locally log on to the system. An attacker could then
    run a specially-designed program that could exploit the vulnerability, and
    thereby gain complete control over the affected system.

    An attacker could also reach the affected component through another
    vector, for example by using another program that passes parameters to
    the vulnerable component, locally or remotely.

    What systems are primarily at risk from the vulnerability?
    The vulnerability could be exploited on the affected systems by an
    attacker who persuaded a user to open a specially crafted file or to view
    a folder that contains the specially crafted image. There is no way for an
    attacker to force a user to open a specially crafted file, except
    potentially through previewing an email message.

    In a Web-based attack scenario, an attacker would have to host a Web site
    that contains a Web page that is used to exploit this vulnerability. An
    attacker would have no way to force users to visit a malicious Web site.
    Instead, an attacker would have to persuade them to visit the Web site,
    typically by getting them to click a link that takes them to the
    attacker's site.

    Could the vulnerability be exploited over the Internet?
    Yes. An attacker could attempt to exploit this vulnerability over the
    Internet.

    What does the update do?
    The update removes the vulnerability by modifying the way that the
    Graphics Rendering Engine processes Windows Metafile (WMF) and Enhanced
    Metafile (EMF) image formats.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    No. Microsoft received information about this vulnerability through
    responsible disclosure. Microsoft had not received any information
    indicating that this vulnerability had been publicly disclosed when this
    security bulletin was originally issued.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information indicating that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    How does this vulnerability relate to the metafile vulnerability that is
    addressed by MS04-011?
    Both vulnerabilities are related to the processing of WMF and EMF image
    formats. However, this update addresses a new vulnerability that was not
    addressed as part of MS04-011. MS04-011 helps protect against the
    vulnerability that is discussed in that bulletin, but does not address
    this new vulnerability. This update does not replace MS04-011. You must
    install this update and the update provided as part of the MS04-011
    security bulletin to help protect your system against both
    vulnerabilities.

    How does this vulnerability relate to the JPEG processing (GDI+)
    vulnerability that is addressed by MS04-028?
    The affected component of this vulnerability is a native operating system
    component and is not redistributed. The affected component in the MS04-028
    JPEG processing (GDI+) vulnerability could be redistributed by other
    applications and third-party programs. Installing this operating system
    update helps protect against this vulnerability for all applications that
    could be possible attack vectors that may attempt to exploit this
    vulnerability. MS04-028 helps protect against the vulnerability that is
    discussed in that bulletin, but does not address this new vulnerability.
    This update does not replace MS04-028. You must install this update and
    the update that is provided as part of the MS04-028 security bulletin to
    help protect your system against both vulnerabilities.

    Mitigating Factors for Windows Kernel Vulnerability:
    The vulnerability would not enable an attacker to gain any privileges on
    an affected system. This issue is strictly a denial of service
    vulnerability.
    Windows NT 4.0, Windows 2000, and Windows XP are not affected by this
    vulnerability.

    FAQ for Windows Kernel Vulnerability:
    What is the scope of the vulnerability?
    This is a denial of service vulnerability. An attacker who exploited this
    vulnerability could cause the affected system to stop responding and
    automatically restart. During that time, the server cannot respond to
    requests.

    Note: The denial of service vulnerability would not allow attackers to
    execute code or elevate their privileges, but it could cause the affected
    system to stop accepting requests.

    What causes the vulnerability?
    The Windows kernel does not properly reset some values within some CPU
    data structures.

    What is the Windows kernel?
    The Windows kernel is the core of the operating system. It provides system
    level services such as device management and memory management, it
    allocates processor time to processes, and it manages error handling. For
    more information about the kernel and about other operating system
    structures, visit the following Web site.

    What might an attacker use the vulnerability to do?
    An attacker who exploited this vulnerability could cause the affected
    system to stop responding and automatically restart. During that time, the
    server cannot respond to requests.

    Who could exploit the vulnerability?
    To exploit the vulnerability, an attacker must be able to log on locally
    to a system and run a program.

    How could an attacker exploit the vulnerability?
    To exploit this vulnerability, an attacker would first have to log on to
    the system. An attacker could then run a specially-designed program that
    could exploit the vulnerability. This could cause the system to stop
    responding and therefore cause a denial of service condition.

    What systems are primarily at risk from the vulnerability?
    Terminal servers are primarily at risk. Servers are only at risk if users
    who do not have sufficient administrative credentials are given the
    ability to log on to servers and to run programs. However, best practices
    strongly discourage allowing this.

    Could the vulnerability be exploited over the Internet?
    No. An attacker must be able to log on to the specific system targeted for
    attack. An attacker cannot load and run a program remotely by using this
    vulnerability.

    What does the update do?
    The update addresses the vulnerability by modifying the way that the
    Windows kernel resets some values in some CPU data structures.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    No. Microsoft received information about this vulnerability through
    responsible disclosure. Microsoft had not received any information
    indicating that this vulnerability had been publicly disclosed when this
    security bulletin was originally issued.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information indicating that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    ADDITIONAL INFORMATION

    The information has been provided by Microsoft Product Security.
    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/MS04-032.mspx>
    http://www.microsoft.com/technet/security/bulletin/MS04-032.mspx

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

