DHS/FedCIRC Advisory FA-2003-27 Multiple Vulnerabilities in Microsoft Windows and Exchange

From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 10/16/03


Date: Thu, 16 Oct 2003 16:11:41 -0400


-----BEGIN PGP SIGNED MESSAGE-----

DHS/FedCIRC Advisory FA-2003-27 Multiple Vulnerabilities in Microsoft
Windows and Exchange

   Original issue date: October 16, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Multiple versions of Microsoft Windows (ME, NT 4.0, NT 4.0 TSE,
       2000, XP, Server 2003)

     * Microsoft Exchange Server 5.5 and Microsoft Exchange Server 2000

Overview

   There are multiple vulnerabilities in Microsoft Windows and Microsoft
   Exchange, the most serious of which could allow remote attackers to
   execute arbitrary code.

I. Description

   There are a number of vulnerabilities in Microsoft Windows and
   Microsoft Exchange that could allow an attacker to gain administrative
   control of a vulnerable system. The most serious of these
   vulnerabilities allow an unauthenticated, remote attacker to execute
   arbitrary code with no action required on the part of the victim. For
   detailed information, see the following vulnerability notes:

     VU#575892 - Buffer overflow in Microsoft Windows Messenger Service
     There is a buffer overflow in the Messenger service on most recent
     versions of Microsoft Windows that could allow an attacker to
     execute arbitrary code.
     (Other resources: MS03-043, CAN-2003-0717)

     VU#422156 - Microsoft Exchange Server fails to properly handle
     specially crafted SMTP extended verb requests
     Microsoft Exchange fails to handle certain SMTP extended verbs
     correctly. In Exchange 5.5, this can lead to a denial-of-service
     condition. In Exchange 2000, this could permit an attacker to run
     arbitrary code.
     (Other resources: MS03-046, CAN-2003-0714)

   In addition, several other vulnerabilities may permit an attacker to
   execute arbitrary code if the attacker can convince the victim to take
   some specific action (e.g., viewing a web page or an HTML email
   message). For detailed information, see the following vulnerability
   notes:

     VU#467036 - Microsoft Windows Help and Support Center contains
     buffer overflow in code used to handle HCP protocol
     There is a buffer overflow in the Microsoft Windows Help and
     Support Center that could permit an attacker to execute arbitrary
     code with SYSTEM privileges.
     (Other resources: MS03-044, CAN-2003-0711)

     VU#989932 - Microsoft Windows contains buffer overflow in Local
     Troubleshooter ActiveX control (Tshoot.ocx)
     Microsoft Windows ships with a troubleshooting application to
     assist users with problems. A vulnerability in this application may
     permit a remote attacker to execute arbitrary code with the
     privileges of the current user.
     (Other resources: MS03-042)

     VU#838572 - Microsoft Windows Authenticode mechanism installs
     ActiveX controls without prompting user
     A vulnerability in Microsoft's Authenticode could allow a remote
     attacker to install an untrusted ActiveX control on the victim's
     system. The ActiveX control could run code of the attacker's
     choice.
     (Other resources: MS03-041, CAN-2003-0660)

     VU#435444 - Microsoft Outlook Web Access (OWA) contains cross-site
     scripting vulnerability in the "Compose New Message" form
     There is a cross-site scripting vulnerability in Microsoft Outlook
     Web Access.
     (Other resources: MS03-047, CAN-2003-0712)

   Finally, there is a vulnerability in ListBox and ComboBox controls
   that could allow a local user to gain elevated privileges. For
   detailed information, see

     VU#967668 - Microsoft Windows ListBox and ComboBox controls
     vulnerable to buffer overflow when supplied crafted Windows message
     There is a buffer overflow in a function called by the Microsoft
     Windows ListBox and ComboBox controls that could allow a local
     attacker to execute arbitrary code with privileges of the process
     hosting the controls.
     (Other resources: MS03-045, CAN-2003-0659)

II. Impact

   The impact of these vulnerabilities ranges from denial of service to
   the ability to execute arbitrary code.

III. Solution

Disable the Messenger Service

   For VU#575892, Microsoft recommends first disabling the Messenger
   service and then evaluating the need to apply the patch. If the
   Messenger service is not required, leave it in the disabled state.
   Apply the patch to make sure that systems are protected, especially if
   the Messenger service is re-enabled. Instructions for disabling the
   Messenger service can be found in VU#575892 and MS03-043.

Apply patches

   Microsoft has provided patches for these problems. Details can be
   found in the relevant Microsoft Security Bulletins. For many home
   users, the simplest way to obtain these patches will be by running
   Windows Update.

Appendix A. Vendor Information

   This appendix contains information provided by vendors. When vendors
   report new information, this section is updated, and the changes are
   noted in the revision history. If a vendor is not listed below, we
   have not received their authenticated, direct statement. Further
   vendor information is available in the Systems Affected sections of
   the vulnerability notes listed above.

    Microsoft Corporation

     Please see the following Microsoft Security Bulletins: MS03-041,
     MS03-042, MS03-043, MS03-044, MS03-045, MS03-046, and MS03-047.

Appendix B. References

     * CERT/CC Vulnerability Note VU#575892 -
       <http://www.kb.cert.org/vuls/id/575892>
     * CERT/CC Vulnerability Note VU#422156 -
       <http://www.kb.cert.org/vuls/id/422156>
     * CERT/CC Vulnerability Note VU#467036 -
       <http://www.kb.cert.org/vuls/id/467036>
     * CERT/CC Vulnerability Note VU#989932 -
       <http://www.kb.cert.org/vuls/id/989932>
     * CERT/CC Vulnerability Note VU#838572 -
       <http://www.kb.cert.org/vuls/id/838572>
     * CERT/CC Vulnerability Note VU#435444 -
       <http://www.kb.cert.org/vuls/id/435444>
     * CERT/CC Vulnerability Note VU#967668 -
       <http://www.kb.cert.org/vuls/id/967668>
     * Microsoft Security Bulletin MS03-041 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-041.asp>
     * Microsoft Security Bulletin MS03-042 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-042.asp>
     * Microsoft Security Bulletin MS03-043 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-043.asp>
     * Microsoft Security Bulletin MS03-044 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-044.asp>
     * Microsoft Security Bulletin MS03-045 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-045.asp>
     * Microsoft Security Bulletin MS03-046 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-046.asp>
     * Microsoft Security Bulletin MS03-047 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-047.asp>

     _________________________________________________________________

   Our thanks to Microsoft Corporation for the information contained in
   their security bulletins. Microsoft has credited the following people
   for their help in discovering and responding to these issues: Greg
   Jones of KPMG UK and Cesar Cerrudo, The Last Stage of Delirium
   Research Group, David Litchfield of Next Generation Security Software
   Ltd., Brett Moore of Security-Assessment.com, Joao Gouveia, and Ory
   Segal of Sanctum Inc.
     _________________________________________________________________

   Feedback can be directed to the authors, Shawn V. Hernan and Art
   Manion.
   ______________________________________________________________________

   This document is available from:

     <http://www2.fedcirc.gov/advisories/FA-2003-27.html>
   ______________________________________________________________________

DHS/FedCIRC Contact Information

   Email: fedcirc@fedcirc.gov
          Phone: +1 888-282-0870 (24-hour toll-free hotline)
          Phone: +1 703-375-4220 (24-hour hotline)
          Fax: +1 703-326-9461

   DHS/FedCIRC personnel answer the hotline 24 hours a day, 7 days a
   week.

 Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   DHS/FedCIRC PGP keys are available from

     <http://www.fedcirc.gov/generalInfo/contactUs.html#sensitive>

 Getting security information

   DHS/FedCIRC publications and other security information are available
   from our web site:

     <http://www.fedcirc.gov/>

   DHS/FedCIRC (Federal Computer Incident Response Center) provides
   security services to U.S. Federal civilian agencies. DHS/FedCIRC is a
   component of the Department of Homeland Security (DHS) Information
   Assurance and Infrastructure Protection Directorate. The CERT
   Coordination Center performs incident and vulnerability analysis and
   issues advisories.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Copyright 2003 Carnegie Mellon University.

   Revision History

   October 16, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQEVAwUBP473Krz04mtpwLBVAQGVzwf+Ojrb+xhCLdDd24+NTi7mBWhs/RXHdxKp
zBPV2MhQtzndYVp9Jb6av0soHFtj96XVefBEjpWXJv1c60YXQ8aiH67h5iJXEqOY
ttmmcsRtuR1+HGi0p6qNVYb4Y2Re10hn+zNmQToPnfjz5nkKwffc103HbVo8Oux0
y4klIDb4NOa+alTQqk94Wq4auX4tF0eRVNkCzEnq8UHqiukhRtAk/tgSVdDOEgGt
ay7jcdKqoElkEBxCT3fkhw0Cg/OwpsognlZYSm/QmWBXhyd7y1WjbhT/kqjHmuKp
DHykBrVewnjhjiC1OYC+zwi8/O8wQgFeKdJm2Y8gTuUUGYjQ+a1ZEQ==
=/7r/
-----END PGP SIGNATURE-----
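The "Disable the Messenger Service" step in Section III (VU#575892 / MS03-043) can be carried out and verified from an administrative command prompt. The script below is an added example and is not part of the FedCIRC advisory or of Microsoft's bulletin; it assumes a Windows system on which sc.exe is available (as on Windows XP and Server 2003) and that the service's registered short name is "Messenger".

```batch
@echo off
REM Added example, not from the advisory: disable and stop the Windows
REM Messenger service named in VU#575892 / MS03-043, then verify the result.
REM Assumptions: sc.exe is present, the prompt has administrative rights,
REM and the service's short name is "Messenger".

echo Current configuration of the Messenger service:
sc qc Messenger | findstr /I "START_TYPE"
sc query Messenger | findstr /I "STATE"

REM Set the start type to Disabled so the service does not return after a
REM reboot. Note the mandatory space after "start=" in sc.exe syntax.
sc config Messenger start= disabled
if errorlevel 1 (
    echo Could not change the start type. Run this from an administrative prompt.
    exit /b 1
)

REM Stop the running instance now. Output is discarded because sc stop
REM reports an error if the service is already stopped, which is fine here.
sc stop Messenger >nul 2>&1

echo Verification:
sc qc Messenger | findstr /I "DISABLED" >nul
if errorlevel 1 (echo Start type: NOT disabled) else (echo Start type: DISABLED)
sc query Messenger | findstr /I "STOPPED" >nul
if errorlevel 1 (echo State: still running, re-check in a moment) else (echo State: STOPPED)
exit /b 0
```

Disabling the service removes the exposed attack surface but, as the advisory says, the MS03-043 patch should still be applied so that a later re-enabling of the service does not reintroduce the vulnerability.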
