DHS/FedCIRC Advisory FA-2003-27 Multiple Vulnerabilities in Microsoft Windows and Exchange
From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 10/16/03
Date: Thu, 16 Oct 2003 16:11:41 -0400
DHS/FedCIRC Advisory FA-2003-27 Multiple Vulnerabilities in Microsoft
Windows and Exchange
Original issue date: October 16, 2003
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
* Multiple versions of Microsoft Windows (ME, NT 4.0, NT 4.0 TSE,
  2000, XP, Server 2003)
* Microsoft Exchange Server 5.5 and Microsoft Exchange Server 2000
Overview
There are multiple vulnerabilities in Microsoft Windows and Microsoft
Exchange, the most serious of which could allow remote attackers to
execute arbitrary code.
I. Description
There are a number of vulnerabilities in Microsoft Windows and
Microsoft Exchange that could allow an attacker to gain administrative
control of a vulnerable system. The most serious of these
vulnerabilities allow an unauthenticated, remote attacker to execute
arbitrary code with no action required on the part of the victim. For
detailed information, see the following vulnerability notes:

VU#575892 - Buffer overflow in Microsoft Windows Messenger Service

  There is a buffer overflow in the Messenger service on most recent
  versions of Microsoft Windows that could allow an attacker to
  execute arbitrary code.
  (Other resources: MS03-043, CAN-2003-0717)

VU#422156 - Microsoft Exchange Server fails to properly handle
specially crafted SMTP extended verb requests

  Microsoft Exchange fails to handle certain SMTP extended verbs
  correctly. In Exchange 5.5, this can lead to a denial-of-service
  condition. In Exchange 2000, this could permit an attacker to run
  arbitrary code.
  (Other resources: MS03-046, CAN-2003-0714)

In addition, several other vulnerabilities may permit an attacker to
execute arbitrary code if the attacker can convince the victim to take
some specific action (e.g., viewing a web page or an HTML email
message). For detailed information, see the following vulnerability
notes:

VU#467036 - Microsoft Windows Help and Support Center contains
buffer overflow in code used to handle HCP protocol

  There is a buffer overflow in the Microsoft Windows Help and
  Support Center that could permit an attacker to execute arbitrary
  code with SYSTEM privileges.
  (Other resources: MS03-044, CAN-2003-0711)

VU#989932 - Microsoft Windows contains buffer overflow in Local
Troubleshooter ActiveX control (Tshoot.ocx)

  Microsoft Windows ships with a troubleshooting application to
  assist users with problems. A vulnerability in this application may
  permit a remote attacker to execute arbitrary code with the
  privileges of the current user.
  (Other resources: MS03-042)

VU#838572 - Microsoft Windows Authenticode mechanism installs
ActiveX controls without prompting user

  A vulnerability in Microsoft's Authenticode could allow a remote
  attacker to install an untrusted ActiveX control on the victim's
  system. The ActiveX control could run code of the attacker's
  choice.
  (Other resources: MS03-041, CAN-2003-0660)

VU#435444 - Microsoft Outlook Web Access (OWA) contains cross-site
scripting vulnerability in the "Compose New Message" form

  There is a cross-site scripting vulnerability in Microsoft Outlook
  Web Access.
  (Other resources: MS03-047, CAN-2003-0712)

Finally, there is a vulnerability in ListBox and ComboBox controls
that could allow a local user to gain elevated privileges. For
detailed information, see:

VU#967668 - Microsoft Windows ListBox and ComboBox controls
vulnerable to buffer overflow when supplied crafted Windows message

  There is a buffer overflow in a function called by the Microsoft
  Windows ListBox and ComboBox controls that could allow a local
  attacker to execute arbitrary code with privileges of the process
  hosting the controls.
  (Other resources: MS03-045, CAN-2003-0659)

II. Impact
The impact of these vulnerabilities ranges from denial of service to
the ability to execute arbitrary code.
III. Solution
Disable the Messenger Service
For VU#575892, Microsoft recommends first disabling the Messenger
service and then evaluating the need to apply the patch. If the
Messenger service is not required, leave it in the disabled state.
Apply the patch to make sure that systems are protected, especially if
the Messenger service is re-enabled. Instructions for disabling the
Messenger service can be found in VU#575892 and MS03-043.
Apply patches
Microsoft has provided patches for these problems. Details can be
found in the relevant Microsoft Security Bulletins. For many home
users, the simplest way to obtain these patches will be by running
Windows Update.
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors
report new information, this section is updated, and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their authenticated, direct statement. Further
vendor information is available in the Systems Affected sections of
the vulnerability notes listed above.
Microsoft Corporation
Please see the following Microsoft Security Bulletins: MS03-041,
MS03-042, MS03-043, MS03-044, MS03-045, MS03-046, and MS03-047.
Appendix B. References
* CERT/CC Vulnerability Note VU#575892 -
  <http://www.kb.cert.org/vuls/id/575892>
* CERT/CC Vulnerability Note VU#422156 -
  <http://www.kb.cert.org/vuls/id/422156>
* CERT/CC Vulnerability Note VU#467036 -
  <http://www.kb.cert.org/vuls/id/467036>
* CERT/CC Vulnerability Note VU#989932 -
  <http://www.kb.cert.org/vuls/id/989932>
* CERT/CC Vulnerability Note VU#838572 -
  <http://www.kb.cert.org/vuls/id/838572>
* CERT/CC Vulnerability Note VU#435444 -
  <http://www.kb.cert.org/vuls/id/435444>
* CERT/CC Vulnerability Note VU#967668 -
  <http://www.kb.cert.org/vuls/id/967668>
* Microsoft Security Bulletin MS03-041 -
  <http://www.microsoft.com/technet/security/bulletin/MS03-041.asp>
* Microsoft Security Bulletin MS03-042 -
  <http://www.microsoft.com/technet/security/bulletin/MS03-042.asp>
* Microsoft Security Bulletin MS03-043 -
  <http://www.microsoft.com/technet/security/bulletin/MS03-043.asp>
* Microsoft Security Bulletin MS03-044 -
  <http://www.microsoft.com/technet/security/bulletin/MS03-044.asp>
* Microsoft Security Bulletin MS03-045 -
  <http://www.microsoft.com/technet/security/bulletin/MS03-045.asp>
* Microsoft Security Bulletin MS03-046 -
  <http://www.microsoft.com/technet/security/bulletin/MS03-046.asp>
* Microsoft Security Bulletin MS03-047 -
  <http://www.microsoft.com/technet/security/bulletin/MS03-047.asp>
_________________________________________________________________
Our thanks to Microsoft Corporation for the information contained in
their security bulletins. Microsoft has credited the following people
for their help in discovering and responding to these issues: Greg
Jones of KPMG UK and Cesar Cerrudo, The Last Stage of Delirium
Research Group, David Litchfield of Next Generation Security Software
Ltd., Brett Moore of Security-Assessment.com, Joao Gouveia, and Ory
Segal of Sanctum Inc.
_________________________________________________________________
Feedback can be directed to the authors, Shawn V. Hernan and Art
Manion.
______________________________________________________________________
This document is available from:
<http://www2.fedcirc.gov/advisories/FA-2003-27.html>
______________________________________________________________________
DHS/FedCIRC Contact Information
Email: fedcirc@fedcirc.gov
Phone: +1 888-282-0870 (24-hour toll-free hotline)
Phone: +1 703-375-4220 (24-hour hotline)
Fax: +1 703-326-9461
DHS/FedCIRC personnel answer the hotline 24 hours a day, 7 days a
week.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
DHS/FedCIRC PGP keys are available from
<http://www.fedcirc.gov/generalInfo/contactUs.html#sensitive>
Getting security information
DHS/FedCIRC publications and other security information are available
from our web site:
DHS/FedCIRC (Federal Computer Incident Response Center) provides
security services to U.S. Federal civilian agencies. DHS/FedCIRC is a
component of the Department of Homeland Security (DHS) Information
Assurance and Infrastructure Protection Directorate. The CERT
Coordination Center performs incident and vulnerability analysis and
issues advisories.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
Copyright 2003 Carnegie Mellon University.
Revision History
October 16, 2003: Initial release
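
The order of operations the advisory's Solution section gives for VU#575892 (disable the Messenger service first, then patch, and leave it disabled unless it is needed) can be checked per host from collected `sc qc Messenger` and `sc query Messenger` output. The following Python sketch is an added example, not part of the advisory or of any Microsoft or CERT/CC tooling; the host names, the sample output, and the `patched` and `required` inputs are assumptions supplied by the caller.

```python
import re

# Constructed samples modelled on `sc qc Messenger` plus `sc query Messenger`
# output (XP / Server 2003 layout, trimmed); host names are hypothetical.
SAMPLES = {
    "ws-01": """SERVICE_NAME: Messenger
        START_TYPE         : 2   AUTO_START
        STATE              : 4  RUNNING
""",
    "ws-02": """SERVICE_NAME: Messenger
        START_TYPE         : 4   DISABLED
        STATE              : 1  STOPPED
""",
    "ws-03": """SERVICE_NAME: Messenger
        START_TYPE         : 3   DEMAND_START
        STATE              : 1  STOPPED
""",
}

FIELD = re.compile(r"^\s*(START_TYPE|STATE)\s*:\s*\d+\s+(\w+)", re.MULTILINE)

def parse_sc(text):
    """Return {'START_TYPE': ..., 'STATE': ...} found in sc.exe output."""
    return {key: value for key, value in FIELD.findall(text)}

def triage(text, patched, required=False):
    """List remediation steps for one host, in the advisory's order.

    patched:  MS03-043 patch already installed (assumed known from inventory).
    required: the site has decided it needs the Messenger service.
    """
    fields = parse_sc(text)
    if "START_TYPE" not in fields or "STATE" not in fields:
        return ["unknown: could not read service configuration"]
    actions = []
    exposed = fields["STATE"] != "STOPPED" or fields["START_TYPE"] != "DISABLED"
    # The service may stay enabled only when it is both needed and patched.
    if exposed and not (required and patched):
        # Standard Windows commands, not quoted from the advisory.
        if fields["STATE"] != "STOPPED":
            actions.append("net stop Messenger")
        if fields["START_TYPE"] != "DISABLED":
            actions.append("sc config Messenger start= disabled")
    if not patched:
        actions.append("apply MS03-043 patch")
    return actions or ["ok"]
```

A manual-start service (`DEMAND_START`) is still flagged, because another service or a user can start it again; only `DISABLED` matches the state the advisory asks for.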