| MS03-041 Vulnerability in Authenticode Verification Could Al

SUBJECT: MS03-041 Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)

RISK FACTOR: 7

RISK FACTOR EXPLANATION: The Microsoft patch for advisory MS03-040, (Cumulative Patch for Internet Explorer (828750)), will help protect against an HTML email attack on this (MS03-041) vulnerability. Windows Server 2003 with the default IE Enhanced Security Configuration will also prevent exploitation.

IMPACT: Execution of arbitrary ActiveX controls

SUMMARY: There is a vulnerability in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with an approval dialog. An attacker who hosted a web page containing a malicious ActiveX control, or who sends an HTML email containing this control, may induce users to execute the ActiveX control, which would run at the user's privilege level.

PLATFORMS AFFECTED: Servers, Workstations, Personal Computers
Hardware:
Operating Systems: Windows NT, Windows 2000, Windows XP, Windows Server 2003
Applications:

BACKGROUND: Authenticode allows users to verify the publisher of an ActiveX control through code signing. The vulnerability is in the underlying Authenticode code, and not in Internet Explorer. Any application that uses Authenticode is vulnerable. Because of the flaw, Authenticode may not prompt the user about the download of an ActiveX control under low memory conditions.

Reference: http://www.microsoft.com/technet/sec...n/MS03-041.asp
CVE CAN-2003-0660

RECOMMENDATIONS: Apply the patch immediately, either via windowsupdate.microsoft.com or at the following locations:

Microsoft Windows NT Workstation 4.0, Service Pack 6a: http://www.microsoft.com/downloads/d...BC40-4E8E-BB57 -6B81B57C21B6&displaylang=en
Microsoft Windows NT Server 4.0, Service Pack 6a: http://www.microsoft.com/downloads/d...9175-42BE-A8E4 -BDC59A98BDF2&displaylang=en
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6: http://www.microsoft.com/downloads/d...4682-4A30-BBD7 -1817F2944890&displaylang=en
Microsoft Windows 2000, Service Pack 2: http://www.microsoft.com/downloads/d...58B2-4486-8D98 -23183D7EE17D&displaylang=en
Microsoft Windows 2000, Service Pack 3, Service Pack 4: http://www.microsoft.com/downloads/d...7D2A-45FD-B85A -E98E574338F1&displaylang=en
Microsoft Windows XP Gold, Service Pack 1: http://www.microsoft.com/downloads/d...D767-4D68-9BA7 -055E93E87847&displaylang=en
Microsoft Windows XP 64-bit Edition: http://www.microsoft.com/downloads/d...C03A-43C0-B428 -D76C4B669151&displaylang=en
Microsoft Windows XP 64-bit Edition Version 2003: http://www.microsoft.com/downloads/d...FA62-4B81-9C08 -5C9FCB905E11&displaylang=en
Microsoft Windows Server 2003: http://www.microsoft.com/downloads/d...7B4B-4C21-8EAA -D58814635E0D&displaylang=en
Microsoft Windows Server 2003 64-bit Edition: http://www.microsoft.com/downloads/d...FA62-4B81-9C08 -5C9FCB905E11&displaylang=en

Workarounds:
Disable the download of ActiveX controls in the Internet zone, and then add trusted sites to your Trusted Sites zones to enable ActiveX at these sites. (see the vendor's advisory for details.)
Install Outlook Email Security Update if you are using Outlook 2000 SP1 or Earlier: http://www.microsoft.com/office/outl...n/security.asp
Users of Outlook 2002 and Outlook Express 6.0 can protect themselves by reading email in text format.

VENDOR-SUPPLIED INFORMATION: http://www.microsoft.com/technet/sec...n/MS03-041.asp

///////////////////////////////////\\\\\\\\\\\\\\\\\
ISAC Security Analysis Team
SECURITY ADVISORY
Please do not reply to this message as it was sent from an automated mailbox.
2003-10-044
///////////////////////////////////\\\\\\\\\\\\\\\\\

SUBJECT: MS03-042 Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)

RISK FACTOR: 6

RISK FACTOR EXPLANATION: Affects only Windows 2000, on which Tshoot.ocx is installed by default. No exploits are known at this time.

IMPACT: Execution of arbitrary code

SUMMARY: The Microsoft Local Troubleshooter ActiveX control, Tshoot.ocx, contains a buffer overflow condition that could be exploited to run arbitrary code on a vulnerable system with the privileges of the logged-on user.

PLATFORMS AFFECTED: Servers, Workstations
Hardware:
Operating Systems: Windows 2000
Applications:

BACKGROUND: The vulnerability is caused by the fact that Tshoot.ocx does not adequately validate parameters sent to it under certain circumstances. Because Tshoot.ocx is marked "Safe for Scripting", it may be executed in the Internet Zone, according to the default settings for the Internet Zone Security Zone of Internet Explorer. So an attacker could craft a special web page that accesses this control, and lure a user to that webpage, or send an HTML email. When the user executes the malicious control, it will run with the user's privileges.

Reference: http://www.microsoft.com/technet/sec...n/MS03-042.asp
CVE CAN-2003-0661

RECOMMENDATIONS: Apply the appropriate patch immediately, either via windowsupdate.microsoft.com or at the following locations:

Microsoft Windows 2000, Service Pack 2: http://www.microsoft.com/downloads/d...9B17-463B-A5D2 -D75BA5128EF9&displaylang=en
Microsoft Windows 2000, Service Pack 3, Service Pack 4: http://www.microsoft.com/downloads/d...B3A4-43F5-804B -A2608EC56163&displaylang=en

Workarounds:
Disable the download of ActiveX controls in the Internet zone, and then add trusted sites to your Trusted Sites zones to enable ActiveX at these sites. (see the vendor's advisory for details.)
Install Outlook Email Security Update if you are using Outlook 2000 SP1 or Earlier: http://www.microsoft.com/office/outl...n/security.asp
Users of Outlook 2002 and Outlook Express 6.0 can protect themselves by reading email in text format.

VENDOR-SUPPLIED INFORMATION: http://www.microsoft.com/technet/sec...n/MS03-042.asp

///////////////////////////////////\\\\\\\\\\\\\\\\\
ISAC Security Analysis Team
SECURITY ADVISORY
Please do not reply to this message as it was sent from an automated mailbox.
2003-10-045
///////////////////////////////////\\\\\\\\\\\\\\\\\

SUBJECT: MS03-043 Buffer Overrun in Messenger Service Could Allow Code Execution (828035)

RISK FACTOR: 7

RISK FACTOR EXPLANATION: This is a remote system compromise through arbitrary code execution. Affects Windows NT 4.0, Windows 2000 and Windows XP. No exploits are known at this time. Exploitable through NETBIOS and RPC. Most firewalls block NETBIOS ports (ports 137-139), but RPC is often allowed in trusted networks, so there is a possibility of a worm that may be developed in the future to exploit this, just as RPC DCOM is exploited today by worms such as Blaster.

IMPACT: Remote execution of arbitrary code; system compromise

SUMMARY: The Windows Messenger service, which runs with system privileges, is vulnerable to a buffer overflow condition that allows remote attackers to completely compromise the vulnerable system.

PLATFORMS AFFECTED: Servers, Workstations
Hardware:
Operating Systems: Windows NT, Windows 2000, Windows XP, Windows Server 2003
Applications:

BACKGROUND: The Messenger service is a Windows service that transmits "net send" messages and messages that are sent through the Alerter service between client computers and servers. For example, the Messenger service can be used by network administrators to send administrative alerts to network users. The Messenger Service does not properly validate the length of a message before passing it to the allocated buffer. An attacker could send a specially crafted message to the Messenger service via NETBIOS or RPC. This could crash the Messenger service or run arbitrary code as SYSTEM. The attacker could thus take any action on the vulnerable computer.

Reference: http://www.microsoft.com/technet/sec...n/MS03-043.asp
CVE CAN-2003-0717

RECOMMENDATIONS: Apply the patch immediately, either via windowsupdate.microsoft.com or at the following locations:

Microsoft Windows NT Workstation 4.0, Service Pack 6a: http://www.microsoft.com/downloads/d...6615-4074-9E46 -A17D808ED38D&displaylang=en
Microsoft Windows NT Server 4.0, Service Pack 6a: http://www.microsoft.com/downloads/d...996A-485A-9A28 -79FD79F26A1B&displaylang=en
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6: http://www.microsoft.com/downloads/d...1A6E-4264-93A8 -26CDB98B05A8&displaylang=en
Microsoft Windows 2000, Service Pack 2: http://www.microsoft.com/downloads/d...1683-4C13-9527 -5534F6C7CF85&displaylang=en
Microsoft Windows 2000, Service Pack 3, Service Pack 4: http://www.microsoft.com/downloads/d...906A-4945-A021 -4B494CCCBDE0&displaylang=en
Microsoft Windows XP Gold, Service Pack 1: http://www.microsoft.com/downloads/d...4B0A-4438-A0B9 -5B67414C3833&displaylang=en
Microsoft Windows XP 64-bit Edition: http://www.microsoft.com/downloads/d...4C65-4CA5-80A5 -55FDF5AA2296&displaylang=en
Microsoft Windows XP 64-bit Edition Version 2003: http://www.microsoft.com/downloads/d...84C8-4C91-899C -5A44EC13174E&displaylang=en
Microsoft Windows Server 2003: http://www.microsoft.com/downloads/d...7EC4-4EB0-9143 -C1E3C9E2F5F8&displaylang=en
Microsoft Windows Server 2003 64-bit Edition: http://www.microsoft.com/downloads/d...84C8-4C91-899C -5A44EC13174E&displaylang=en

Workarounds:
Messages are delivered to the Messenger service via NetBIOS or RPC. If users have blocked the NetBIOS ports (ports 137-139), and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports. Most firewalls, including Internet Connection Firewall in Windows XP, block NetBIOS by default.
Disabling the Messenger Service will prevent the possibility of attack.

VENDOR-SUPPLIED INFORMATION: http://www.microsoft.com/technet/sec...n/MS03-043.asp

///////////////////////////////////\\\\\\\\\\\\\\\\\
ISAC Security Analysis Team
SECURITY ADVISORY
Please do not reply to this message as it was sent from an automated mailbox.
2003-10-046
///////////////////////////////////\\\\\\\\\\\\\\\\\

SUBJECT: MS03-044 Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)

RISK FACTOR: 6

RISK FACTOR EXPLANATION: Critical for Windows XP and Windows Server 2003, which support HSC by default.

IMPACT: Remote execution of arbitrary code

SUMMARY: An unchecked buffer in a file associated with the HCP protocol, which is used by the Windows Help and Support Center (HSC), can allow remote attackers to execute code of their choice as if it were local code with full privileges. HSC is enabled by default on Windows XP and Windows Server 2003.

PLATFORMS AFFECTED: Servers, Workstations
Hardware:
Operating Systems: Windows NT, Windows 2000, Windows Millennium Edition, Windows XP, Windows Server 2003
Explanation: The file containing the vulnerable code is installed on all Windows versions, but the only attack vector at this time is through HSC, which is not available or supported on versions prior to XP.
Applications:

BACKGROUND: The HCP protocol (hcp://) is used to execute URL links in the browser to access Windows Help and Support Center, which can be used to download and install software updates, check for compatible hardware, etc. The file containing the vulnerable code is installed on all Windows versions, but the only attack vector at this time is through HSC, which is not available or supported on versions prior to XP. An attacker who hosted a web page containing a malicious URL, or who sends an HTML email, may induce users to execute the URL, which would invoke the vulnerable function, allowing the attacker to take any actions the attacker chooses.

Reference: http://www.microsoft.com/technet/sec...n/MS03-044.asp
CVE CAN-2003-0711

RECOMMENDATIONS: Apply the patch immediately, either via windowsupdate.microsoft.com or at the following locations:

Microsoft Windows Millennium Edition: http://www.microsoft.com/downloads/d...0E31-4F46-9795 -5CDD566BB3B8&displaylang=en
Microsoft Windows NT Workstation 4.0, Service Pack 6a: http://www.microsoft.com/downloads/d...E370-47D8-B818 -4E659C7F95AE&displaylang=en
Microsoft Windows NT Server 4.0, Service Pack 6a: http://www.microsoft.com/downloads/d...BA6E-40D4-8A20 -3441F02A25CB&displaylang=en
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6: http://www.microsoft.com/downloads/d...9CE7-4444-9AA5 -BC6ABE3FD479&displaylang=en
Microsoft Windows 2000, Service Pack 2: http://www.microsoft.com/downloads/d...67F0-4F11-A95E -E4FB080A63C6&displaylang=en
Microsoft Windows 2000, Service Pack 3, Service Pack 4: http://www.microsoft.com/downloads/d...35CA-4D33-9F8C -8BF5DE2D1117&displaylang=en
Microsoft Windows XP Gold, Service Pack 1: http://www.microsoft.com/downloads/d...0BEB-4B2C-A095 -66CA09DFDAC6&displaylang=en
Microsoft Windows XP 64-bit Edition: http://www.microsoft.com/downloads/d...5E41-4657-B9FC -7EA13954B982&displaylang=en
Microsoft Windows XP 64-bit Edition Version 2003: http://www.microsoft.com/downloads/d...84C8-4C91-899C -5A44EC13174E&displaylang=en
Microsoft Windows Server 2003: http://www.microsoft.com/downloads/d...A815-4674-9175 -E3640E3EFD49&displaylang=en
Microsoft Windows Server 2003 64-bit Edition: http://www.microsoft.com/downloads/d...84C8-4C91-899C -5A44EC13174E&displaylang=en

Workarounds:
Deregister the HCP Protocol. See vendor's advisory for instructions - will disable certain functions, such as Control Panel example links.
Install Outlook Email Security Update if you are using Outlook 2000 SP1 or Earlier: http://www.microsoft.com/office/outl...n/security.asp
Users of Outlook 2002 and Outlook Express 6.0 can protect themselves by reading email in text format.

VENDOR-SUPPLIED INFORMATION: http://www.microsoft.com/technet/sec...n/MS03-044.asp
__________________ Best Regards Robert My Son had a toy steering wheel which he used to spin furiously, making loads of go-faster noises, leaning into all the tight corners, perhaps running the government feels a bit like that. You make all the noises, but when you stop you haven't really gone anywhere. |
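
Added example, not part of the original post and not Microsoft's code: the MS03-043 background above attributes the flaw to a message length that is not validated before the copy into a fixed buffer, and this sketch shows that check next to the unchecked form. The record layout (a 2-byte length field followed by the body), the buffer size and all function names are assumptions made for illustration; the sample records are constructed.

```c
/* Added illustration, not Microsoft's code. The record layout (2-byte
 * little-endian length, then body) and every name here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DISPLAY_BUF 128
enum { MSG_OK = 0, MSG_TRUNCATED = -1, MSG_TOO_LONG = -2, MSG_BAD_ARG = -3 };

/* Unchecked form, shown for contrast only: it trusts the sender's length
 * field, so any declared length >= DISPLAY_BUF writes past the end of out. */
void copy_message_unchecked(const uint8_t *pkt, char *out)
{
    size_t declared = (size_t)pkt[0] | ((size_t)pkt[1] << 8);
    memcpy(out, pkt + 2, declared);
    out[declared] = '\0';
}

/* Checked form: the declared length must fit the bytes actually received
 * and the destination buffer, leaving one byte for the terminator. */
int copy_message_checked(const uint8_t *pkt, size_t pkt_len,
                         char *out, size_t out_size)
{
    if (pkt == NULL || out == NULL || out_size == 0)
        return MSG_BAD_ARG;
    if (pkt_len < 2)
        return MSG_TRUNCATED;              /* no room for the length field */
    size_t declared = (size_t)pkt[0] | ((size_t)pkt[1] << 8);
    if (declared > pkt_len - 2)
        return MSG_TRUNCATED;              /* claims more than was sent */
    if (declared >= out_size)
        return MSG_TOO_LONG;               /* would overrun the buffer */
    memcpy(out, pkt + 2, declared);
    out[declared] = '\0';
    return MSG_OK;
}

/* Constructed input: a record that declares `declared` body bytes while
 * carrying `sent` of them. Returns the status of the checked copy. */
int demo_status(size_t declared, size_t sent)
{
    uint8_t pkt[2 + 512];
    char out[DISPLAY_BUF];
    if (sent > 512)
        return MSG_BAD_ARG;
    pkt[0] = (uint8_t)(declared & 0xff);
    pkt[1] = (uint8_t)((declared >> 8) & 0xff);
    memset(pkt + 2, 'A', sent);
    return copy_message_checked(pkt, 2 + sent, out, sizeof out);
}
```

The checked copy compares the declared length against two independent limits, the bytes received and the space available, because passing either test alone still leaves an out-of-bounds read or write.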
| RE: MS03-041 Vulnerability in Authenticode Verification Coul

Yep, as long as you regularly update, then no problems.
__________________ Best Regards Robert My Son had a toy steering wheel which he used to spin furiously, making loads of go-faster noises, leaning into all the tight corners, perhaps running the government feels a bit like that. You make all the noises, but when you stop you haven't really gone anywhere. |
| RE: MS03-041 Vulnerability in Authenticode Verification Coul

Phew...Panic over:tu
__________________ There is a fine line between "hobby" and "mental illness." You don`t have to be mental to build a kitcar - but it definitely helps. GD JAG mk4 progressing slowly. |