Tuesday 12 October 2004

MS Security Bulletins - 12 October

Ten MS Security Bulletins were issued today. The first three (MS04-029, MS04-030 and MS04-031) are rated important; the rest are rated critical.

Please note that Multiple Windows Vulnerabilities (MS04-032) actually covers four vulnerabilities in one bulletin, Shell Vulnerabilities (MS04-037) covers two, and the Cumulative Internet Explorer Vulnerabilities (MS04-038) covers eight. Counting the individual vulnerabilities, there are at least twenty of them spanning ten bulletins.

Microsoft Security Bulletin MS04-029

Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)

An information disclosure and denial of service vulnerability exists when the RPC Runtime Library processes specially crafted messages. An attacker who successfully exploited this vulnerability could potentially read portions of active memory or cause the affected system to stop responding.

Remote Procedure Call (RPC) is a protocol that the Windows operating system uses. RPC provides an interprocess communication mechanism that allows a program that is running on one system to access services seamlessly on another system. The protocol is derived from the Open Software Foundation (OSF) RPC protocol, with the addition of some Microsoft-specific extensions.

The vulnerability is caused due to an unchecked buffer in the RPC Runtime Library.

The RPC Runtime Library provides services such as communication services, directory services, and security services to application developers.

Microsoft Security Bulletin MS04-030

Vulnerability in WebDAV XML Message Handler Could Lead to a Denial of Service (824151)

A denial of service vulnerability exists that could allow an attacker to send a specially crafted WebDAV request to a server that is running IIS and WebDAV. An attacker could cause WebDAV to consume all available memory and CPU time on an affected server. The IIS service would have to be restarted to restore functionality.

WebDAV is an industry standard extension to the HTTP specification. The "DAV" in "WebDAV" stands for "distributed authoring and versioning." WebDAV adds a capability for authorized users to remotely add and manage content on a Web server. By default, WebDAV is enabled when IIS is enabled on Windows 2000. By default, WebDAV is not installed on IIS 5.1 or on IIS 6.0.

The vulnerability is caused because WebDAV does not limit the number of attributes that can be specified per XML element in WebDAV requests, so a request carrying enough attributes drives memory and CPU consumption until the service is exhausted.
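As an added illustration of the missing check (this is example code, not from the bulletin or from Microsoft's WebDAV implementation), the pre-check below walks an incoming WebDAV XML body as a stream and rejects it the moment any element exceeds a per-element attribute cap, so the request is dropped before it can consume resources. The cap value and the sample request bodies are assumptions constructed for the example.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler

# Assumed cap: real WebDAV requests carry very few attributes per element
# (typically just xmlns declarations), so a small limit is safe.
MAX_ATTRS_PER_ELEMENT = 16


class AttributeLimitExceeded(ValueError):
    """Raised as soon as one element carries more attributes than allowed."""


class AttributeCountingHandler(ContentHandler):
    """Streaming handler: counts attributes per element and aborts early."""

    def __init__(self, limit):
        super().__init__()
        self.limit = limit
        self.max_seen = 0  # largest attribute count observed in this body

    def startElement(self, name, attrs):
        count = len(attrs)
        self.max_seen = max(self.max_seen, count)
        if count > self.limit:
            # Abort parsing here; the rest of the body is never processed.
            raise AttributeLimitExceeded(
                f"element <{name}> has {count} attributes (limit {self.limit})")


def check_webdav_body(body: bytes, limit: int = MAX_ATTRS_PER_ELEMENT) -> bool:
    """Return True if every element stays within the cap, False if the
    request should be rejected (over the cap or not well-formed XML)."""
    handler = AttributeCountingHandler(limit)
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(body))
    except AttributeLimitExceeded:
        return False
    except xml.sax.SAXException:
        return False  # malformed XML is rejected as well
    return True


# Constructed sample bodies for the example.
# A normal PROPFIND: the root element has a single xmlns attribute.
SAMPLE_OK = (b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:">'
             b'<D:prop><D:displayname/></D:prop></D:propfind>')
# One element carrying 20 distinct attributes, which exceeds the default cap.
SAMPLE_OVERSIZED = ("<a " + " ".join(f'x{i}="1"' for i in range(20)) + "/>").encode()
```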

Microsoft Security Bulletin MS04-031

Vulnerability in NetDDE Could Allow Remote Code Execution (841533)

A remote code execution vulnerability exists in the NetDDE services because of an unchecked buffer. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, the NetDDE services are not started by default and would have to be manually started for an attacker to attempt to remotely exploit this vulnerability. This vulnerability could also be used to attempt to perform a local elevation of privilege or remote denial of service.

Network Dynamic Data Exchange (NetDDE) allows two applications to communicate with each other over a network. This is considered an older communication method that has typically been replaced by newer technologies such as DCOM.

The vulnerability is caused because of an unchecked buffer in the NetDDE services.

Microsoft Security Bulletin MS04-032

Security Update for Microsoft Windows (840987)

Microsoft Security Bulletin MS04-033

Vulnerability in Microsoft Excel Could Allow Remote Code Execution (886836)

A remote code execution vulnerability exists in Excel. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system.

An attacker could host a malicious Excel file on a web site and persuade a user to click a link to the file. The file could then be executed allowing the attacker to execute code of their choice. An attacker could also attempt to exploit the vulnerability by sending a specially crafted file in email.

Microsoft Security Bulletin MS04-034

Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution (873376)

A remote code execution vulnerability exists in Compressed (zipped) Folders because of an unchecked buffer in the way that it handles specially crafted compressed files. An attacker could exploit the vulnerability by constructing a malicious compressed file that could potentially allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.

The Compressed (zipped) Folders feature enables users to store data files and folders in a compressed (or zipped) format. Files and folders that are compressed require less space to store them. The feature lets users create, add files to, and extract files from zipped folders.

Microsoft Security Bulletin MS04-035

Vulnerability in SMTP Could Allow Remote Code Execution (885881)

A remote code execution vulnerability exists in the Windows Server 2003 SMTP component because of the way that it handles Domain Name System (DNS) lookups. An attacker could exploit the vulnerability by causing the server to process a particular DNS response that could potentially allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. The vulnerability also exists in the Microsoft Exchange Server 2003 Routing Engine component when installed on Microsoft Windows 2000 Service Pack 3 or on Microsoft Windows 2000 Service Pack 4.

Simple Mail Transfer Protocol (SMTP) is an industry standard for delivering e-mail messages over the Internet, as defined in RFC 2821 and in RFC 2822. The protocol defines the format of e-mail messages, the fields that are in e-mail messages, the contents of e-mail messages, and the handling procedures for e-mail messages.

The Exchange Routing Engine component is part of the Exchange Routing Engine Service. The Exchange Routing Engine Service implements the Routing Engine API and determines how e-mail messages are routed through an Exchange system.

The vulnerability is caused because of an unchecked buffer in the Windows SMTP component and in the Exchange Routing Engine component.

Microsoft Security Bulletin MS04-036

Vulnerability in NNTP Could Allow Remote Code Execution (883935)

A remote code execution vulnerability exists within the Network News Transfer Protocol (NNTP) component of the affected operating systems. This vulnerability could potentially affect systems that do not use NNTP. This is because some programs that are listed in the affected software section require that the NNTP component be enabled before you can install them. An attacker could exploit the vulnerability by constructing a malicious request that could potentially allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

The NNTP component provides a service that enables the distribution, retrieval, and posting of news articles among the Internet community. NNTP is designed so that news articles are stored in a central database allowing a subscriber to select only those items that they want to read.

The vulnerability is caused because of an unchecked buffer in the Network News Transfer Protocol (NNTP) component.

Microsoft Security Bulletin MS04-037

Vulnerability in Windows Shell Could Allow Remote Code Execution (841356)

Microsoft Security Bulletin MS04-038

Cumulative Security Update for Internet Explorer (834707)