<<< Date Index >>>     <<< Thread Index >>>

CERT Advisory CA-2003-27 Multiple Vulnerabilities in Microsoft Windows and Exchange



-----BEGIN PGP SIGNED MESSAGE-----


CERT Advisory  CA-2003-27  Multiple  Vulnerabilities in Microsoft Windows
and Exchange

   Original issue date: October 16, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.


Systems Affected

     * Multiple  versions  of  Microsoft Windows (ME, NT 4.0, NT 4.0 TSE,
       2000, XP, Server 2003)
     * Microsoft Exchange Server 5.5 and Microsoft Exchange Server 2000


Overview

   There  are multiple vulnerabilities in Microsoft Windows and Microsoft
   Exchange,  the  most  serious of which could allow remote attackers to
   execute arbitrary code.


I. Description

   There  are  a  number  of  vulnerabilities  in  Microsoft  Windows and
   Microsoft Exchange that could allow an attacker to gain administrative
   control   of   a   vulnerable   system.  The  most  serious  of  these
   vulnerabilities  allow  an unauthenticated, remote attacker to execute
   arbitrary  code with no action required on the part of the victim. For
   detailed information, see the following vulnerability notes:

     VU#575892 - Buffer overflow in Microsoft Windows Messenger Service
     There  is a buffer overflow in the Messenger service on most recent
     versions  of  Microsoft  Windows  that  could  allow an attacker to
     execute arbitrary code.
     (Other resources: MS03-043, CAN-2003-0717)

     VU#422156  -  Microsoft  Exchange  Server  fails to properly handle
     specially crafted SMTP extended verb requests
     Microsoft  Exchange  fails  to  handle  certain SMTP extended verbs
     correctly.  In  Exchange  5.5, this can lead to a denial-of-service
     condition.  In  Exchange 2000, this could permit an attacker to run
     arbitrary code.
     (Other resources: MS03-046, CAN-2003-0714)

   In  addition,  several other vulnerabilities may permit an attacker to
   execute arbitrary code if the attacker can convince the victim to take
   some  specific  action  (e.g.,  viewing  a  web  page or an HTML email
   message).  For  detailed  information, see the following vulnerability
   notes:

     VU#467036  -  Microsoft  Windows  Help  and Support Center contains
     buffer overflow in code used to handle HCP protocol
     There  is  a  buffer  overflow  in  the  Microsoft Windows Help and
     Support  Center  that could permit an attacker to execute arbitrary
     code with SYSTEM privileges.
     (Other resources: MS03-044, CAN-2003-0711)

     VU#989932  -  Microsoft  Windows  contains buffer overflow in Local
     Troubleshooter ActiveX control (Tshoot.ocx)
     Microsoft  Windows  ships  with  a  troubleshooting  application to
     assist users with problems. A vulnerability in this application may
     permit  a  remote  attacker  to  execute  arbitrary  code  with the
     privileges of the current user.
     (Other resources: MS03-042)

     VU#838572  -  Microsoft  Windows  Authenticode  mechanism  installs
     ActiveX controls without prompting user
     A  vulnerability  in  Microsoft's Authenticode could allow a remote
     attacker  to  install  an untrusted ActiveX control on the victim's
     system.  The  ActiveX  control  could  run  code  of the attacker's
     choice.
     (Other resources: MS03-041, CAN-2003-0660)

     VU#435444  - Microsoft Outlook Web Access (OWA) contains cross-site
     scripting vulnerability in the "Compose New Message" form
     There  is a cross-site scripting vulnerability in Microsoft Outlook
     Web Access.
     (Other resources: MS03-047, CAN-2003-0712)

   Finally,  there  is  a  vulnerability in ListBox and ComboBox controls
   that  could  allow  a  local  user  to  gain  elevated privileges. For
   detailed information, see

     VU#967668   -  Microsoft  Windows  ListBox  and  ComboBox  controls
     vulnerable to buffer overflow when supplied crafted Windows message
     There  is  a  buffer overflow in a function called by the Microsoft
     Windows  ListBox  and  ComboBox  controls  that could allow a local
     attacker  to  execute arbitrary code with privileges of the process
     hosting the controls.
     (Other resources: MS03-045, CAN-2003-0659)


II. Impact

   The  impact  of these vulnerabilities ranges from denial of service to
   the ability to execute arbitrary code.


III. Solution

Disable the Messenger Service

   For  VU#575892,  Microsoft  recommends  first  disabling the Messenger
   service  and  then  evaluating  the  need  to  apply the patch. If the
   Messenger  service  is  not  required, leave it in the disabled state.
   Apply the patch to make sure that systems are protected, especially if
   the  Messenger  service  is re-enabled. Instructions for disabling the
   Messenger service can be found in VU#575892 and MS03-043.

Apply patches

   Microsoft  has  provided  patches  for  these problems. Details can be
   found  in  the  relevant  Microsoft  Security Bulletins. For many home
   users,  the  simplest  way  to obtain these patches will be by running
   Windows Update.


Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information, this section is updated, and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have  not  received  their  authenticated,  direct  statement. Further
   vendor  information  is  available in the Systems Affected sections of
   the vulnerability notes listed above.

Microsoft Corporation

     Please  see  the  following Microsoft Security Bulletins: MS03-041,
     MS03-042, MS03-043, MS03-044, MS03-045, MS03-046, and MS03-047.


Appendix B. References

     * CERT/CC Vulnerability Note VU#575892 -
       <http://www.kb.cert.org/vuls/id/575892>
     * CERT/CC Vulnerability Note VU#422156 -
       <http://www.kb.cert.org/vuls/id/422156>
     * CERT/CC Vulnerability Note VU#467036 -
       <http://www.kb.cert.org/vuls/id/467036>
     * CERT/CC Vulnerability Note VU#989932 -
       <http://www.kb.cert.org/vuls/id/989932>
     * CERT/CC Vulnerability Note VU#838572 -
       <http://www.kb.cert.org/vuls/id/838572>
     * CERT/CC Vulnerability Note VU#435444 -
       <http://www.kb.cert.org/vuls/id/435444>
     * CERT/CC Vulnerability Note VU#967668 -
       <http://www.kb.cert.org/vuls/id/967668>
     * Microsoft Security Bulletin MS03-041 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-041.asp>
     * Microsoft Security Bulletin MS03-041 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-042.asp>
     * Microsoft Security Bulletin MS03-041 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-043.asp>
     * Microsoft Security Bulletin MS03-041 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-044.asp>
     * Microsoft Security Bulletin MS03-041 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-045.asp>
     * Microsoft Security Bulletin MS03-041 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-046.asp>
     * Microsoft Security Bulletin MS03-041 -
       <http://www.microsoft.com/technet/security/bulletin/MS03-047.asp>

     _________________________________________________________________

   Our  thanks  to Microsoft Corporation for the information contained in
   their  security bulletins. Microsoft has credited the following people
   for  their  help  in  discovering and responding to these issues: Greg
   Jones  of  KPMG  UK  and  Cesar  Cerrudo,  The  Last Stage of Delirium
   Research  Group, David Litchfield of Next Generation Security Software
   Ltd.,  Brett  Moore  of Security-Assessment.com, Joao Gouveia, and Ory
   Segal of Sanctum Inc.
     _________________________________________________________________

   Feedback  can  be  directed  to  the  authors, Shawn V. Hernan and Art
   Manion.
   ______________________________________________________________________

   This document is available from:

     <http://www.cert.org/advisories/CA-2003-27.html>
   ______________________________________________________________________


CERT/CC Contact Information

   Email: <cert@xxxxxxxx>
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
     <http://www.cert.org/CERT_PGP.key>

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   
     <http://www.cert.org/>

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send email to <majordomo@xxxxxxxx>. Please include in the body of your
   message

     subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History

   October 16, 2003: Initial release


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP474hpZ2NNT/dVAVAQHpowP/XT60oVtiTpggPZC3c7zmqQNOLeC2ah1L
c7gcNSmwa8Ij25D53ephFaMP0PyPDM9w8WX7uDfCYE2W/yMyBx3jwfMs6C5d2wM1
7zhOwu9b2N75rf/UGDuO/QXMe9KSHkIFVJuS3hS6PsOcP307zuh5ieaWCnrGaHFj
3JwQQsmNUTA=
=C7x3
-----END PGP SIGNATURE-----