Multiple Vulnerabilities in Microsoft Products

• Microsoft Windows Operating Systems
• Microsoft Windows Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) subsystems
• Microsoft Windows MHTML Protocol Handler
• Microsoft Jet Database Engine

Microsoft Corporation has released a series of security bulletins affecting most users of the Microsoft Windows operating system. Users of systems running Microsoft Windows are strongly encouraged to visit the Windows Security Updates for April 2004 and take actions appropriate to their system configurations.

Microsoft has released four security bulletins listing a number of vulnerabilities which affect a variety of Microsoft Windows software packages. The following section summarizes the issues identified in their bulletins.

Summary of Microsoft Bulletins for April 2004

Security Bulletin MS04-011: Security Update for Microsoft Windows (835732)

This bulletin addresses 14 vulnerabilities affecting the systems listed below. There are several new vulnerabilities address by this bulletin, and several updates to previously reported vulnerabilities.

Impact

Remote attackers could execute arbitrary code on vulnerable systems.

 

Systems affected

• Windows NT Workstation 4.0
• Windows NT Server 4.0
• Windows NT Server 4.0, Terminal Server Edition
• Windows 2000
• Windows XP
• Windows Server 2003

 

Vulnerability identifiers 

The following table outlines these issues and is based on Microsoft’s Security Bulletin:

 

Vulnerability Title	US-CERT ID	CVE ID	Impact of Vulnerability
LSASS Vulnerability	VU#753212	CAN-2003-0533	Remote Code Execution
LDAP Vulnerability	VU#639428	CAN-2003-0663	Denial of Service
PCT Vulnerability	VU#586540	CAN-2003-0719	Remote Code Execution
Winlogon Vulnerability	VU#471260	CAN-2003-0806	Remote Code Execution
Metafile Vulnerability	VU#547028	CAN-2003-0906	Remote Code Execution
Help and Support Center Vulnerability	VU#260588	CAN-2003-0907	Remote Code Execution
Utility Manager Vulnerability	VU#526084	CAN-2003-0908	Privilege Elevation
Windows Management Vulnerability	VU#206468	CAN-2003-0909	Privilege Elevation
Local Descriptor Table Vulnerability	VU#122076	CAN-2003-0910	Privilege Elevation
H.323 Vulnerability	VU#353956	CAN-2004-0117	Remote Code Execution
Virtual DOS Machine Vulnerability	VU#783748	CAN-2004-0118	Privilege Elevation
Negotiate SSP Vulnerability	VU#638548	CAN-2004-0119	Remote Code Execution
SSL Vulnerability	VU#150236	CAN-2004-0120	Denial of Service
ASN.1 “Double Free” Vulnerability	VU#255924	CAN-2004-0123	Remote Code Execution

 

Security Bulletin MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741)

This bulletin addresses several new vulnerabilities affecting the systems listed below. These vulnerabilities are in Microsoft Windows Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM).

Impact

Remote attackers could execute arbitrary code on vulnerable systems.

 

Systems affected

• Windows NT Workstation 4.0
• Windows NT Server 4.0
• Windows NT Server 4.0, Terminal Server Edition
• Windows 2000
• Windows XP
• Windows Server 2003

 

Vulnerability identifiers 

The following table outlines these issues and is based on Microsoft’s Security Bulletin:

 

Vulnerability Title	US-CERT ID	CVE ID	Impact of Vulnerability
RPC Runtime Library Vulnerability	VU#547820	CAN-2003-0813	Remote Code Execution
RPCSS Service Vulnerability	VU#417052	CAN-2004-0116	Denial of Service
COM Internet Services (CIS) — RPC over HTTP Vulnerability	VU#698564	CAN-2003-0807	Denial of Service
Object Identity Vulnerability	VU#212892	CAN-2004-0124	Information Disclosure

Security Bulletin MS04-013:Cumulative Security Update for Outlook Express (837009)

This bulletin addresses a vulnerability affecting the systems listed below. The vulnerability affects the Microsoft Windows MHTML Protocol handler and any applications that use it, including Microsoft Outlook and Internet Explorer. This vulnerability has been assigned VU#323070 and CAN-2004-0380. 

Note: MS04-013 includes patches remediating the vulnerability described in TA04-099A.
 

Impact

Remote attackers could execute arbitrary code on vulnerable systems.

 

Systems affected

• Windows NT Workstation 4.0
• Windows NT Server 4.0
• Windows NT Server 4.0, Terminal Server Edition
• Windows 2000
• Windows XP
• Windows Server 2003
• Windows 98
• Windows 98 Second Edition (SE)
• Windows Millennium Edition (Windows Me)

 

Note: This issue affects systems with Outlook Express installed. Outlook Express is installed by default on most (if not all) current versions of Microsoft Windows.

Security Bulletin MS04-014: Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)

This bulletin addresses a vulnerability affecting the systems listed below. There is a buffer overflow vulnerability in Microsoft’s Jet Database Engine (Jet). An attacker could take control of a vulnerable system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. This vulnerability has been assigned VU#740716 and CAN-2004-0197.

Impact

Remote attackers could execute arbitrary code on vulnerable systems.

 

Systems affected

• Windows NT Workstation 4.0
• Windows NT Server 4.0
• Windows NT Server 4.0, Terminal Server Edition
• Windows 2000
• Windows XP
• Windows Server 2003

 

 

Update to TA04-099A

Microsoft has released a patch that addresses the cross-domain vulnerability discussed in TA04-099A: Vulnerability in Internet Explorer ITS Protocol Handler. US-CERT is tracking this issue as VU#323070. This reference number corresponds to CVE candidate CAN-2004-0380.

The patches and further information about the vulnerability are available in Microsoft Security Bulletin MS04-013. MS04-013 is titled Cumulative Security Update for Outlook Express. Since most (if not all) current Windows systems have Outlook Express installed by default, and the MHTML protocol handler is part of the Outlook Express software package, most (if not all) Windows systems should be considered vulnerable.

TA04-099A and VU#323070 focused on the ITS protocol handlers; however, the latent vulnerability appears to be in the MHTML handler shipped as part of Outlook Express. These documents have been updated.

Impact

Several of the issues identified by Microsoft have been described as Critical in nature. Each bulletin contains at least one vulnerability which may allow remote attackers to execute arbitrary code on affected systems. The privileges gained would depend on the security context of the software and vulnerability exploited.

Solution

Apply an appropriate set of updates from Microsoft

Please see the following site for more information about appropriate remediation.

Windows Security Updates for April 2004

Appendix A. Vendor Information

This appendix contains information provided by vendors for this technical alert. As vendors report new information to US-CERT, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Microsoft Corporation

Windows Security Updates for April 2004
Microsoft Security Bulletin MS04-011 – Security Update for Microsoft Windows (835732)
Microsoft Security Bulletin MS04-012 – Cumulative Update for Microsoft RPC/DCOM (828741)
Microsoft Security Bulletin MS04-013 – Cumulative Security Update for Outlook Express (837009)
Microsoft Security Bulletin MS04-014 – Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)

 

Appendix B. References

• Technical Cyber Security Alert TA04-099A: Cross-Domain Vulnerability in Outlook Express MHTML Protocol Handler – http://www.us-cert.gov/cas/techalerts/TA04-099A.html
• US-CERT Cyber Security Alert SA04-104A: Summary of Windows Security Updates for April 2004 – http://www.us-cert.gov/cas/alerts/SA04-104A.html
• Windows Security Updates for April 2004 – http://www.microsoft.com/security/security_bulletins/200404_windows.asp
• Microsoft Security Bulletin MS04-011 – Security Update for Microsoft Windows (835732) – http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
• Microsoft Security Bulletin MS04-012 – Cumulative Update for Microsoft RPC/DCOM (828741) – http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
• Microsoft Security Bulletin MS04-013 – Cumulative Security Update for Outlook Express (837009) – http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx
• Microsoft Security Bulletin MS04-014 – Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) – http://www.microsoft.com/technet/security/bulletin/MS04-014.mspx
• Microsoft Security Response Center Security Bulletin Severity Rating System (Revised, November 2002) – http://www.microsoft.com/technet/security/bulletin/rating.mspx
• Vulnerability Note VU#323070: Outlook Express MHTML protocol handler does not properly validate location of alternate data – http://www.kb.cert.org/vuls/id/323070
• Vulnerability Note VU#547820: Microsoft Windows DCOM/RPC vulnerability – http://www.kb.cert.org/vuls/id/547820
• Vulnerability Note VU#740716: Microsoft Jet Database Engine database request handling buffer overflow – http://www.kb.cert.org/vuls/id/740716

 

---

Feedback: US-CERT Technical Alerts

---

Revision History

• April 13, 2004: Initial release
  April 14, 2004: Updated Vulnerability Note links
   

  Last updated 

Source link