<<< Date Index >>>     <<< Thread Index >>>

US-CERT Technical Cyber Security Alert TA04-104A -- Multiple Vulnerabilities in Microsoft Products



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple Vulnerabilities in Microsoft Products

   Original release date: April 13, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

     * Microsoft Windows Operating Systems

     * Microsoft Windows Remote Procedure Call (RPC) and Distributed
       Component Object Model (DCOM) subsystems

     * Microsoft Windows MHTML Protocol Handler

     * Microsoft Jet Database Engine

Overview

   Microsoft Corporation has released a series of security bulletins
   affecting most users of the Microsoft Windows operating system. Users
   of systems running Microsoft Windows are strongly encouraged to visit
   the "Windows Security Updates for April 2004" site at

   <https://www.microsoft.com/security/security_bulletins/200404_windows.
   asp>

   and take actions appropriate to their system configurations.

I. Description

   Microsoft has released four security bulletins listing a number of
   vulnerabilities which affect a variety of Microsoft Windows software
   packages. The following section summarizes the issues identified in
   their bulletins.

Summary of Microsoft Bulletins for April 2004

  Security Bulletin MS04-011: Security Update for Microsoft Windows (835732)

   This bulletin addresses 14 vulnerabilities affecting the systems
   listed below. There are several new vulnerabilities address by this
   bulletin, and several updates to previously reported vulnerabilities.

   Impact

     Remote attackers could execute arbitrary code on vulnerable systems.

   Systems affected

     * Windows NT Workstation 4.0
     * Windows NT Server 4.0
     * Windows NT Server 4.0, Terminal Server Edition
     * Windows 2000
     * Windows XP
     * Windows Server 2003

   Vulnerability identifiers

   The following table outlines these issues and is based on Microsoft's
   Security Bulletin:

   Vulnerability Title |US-CERT ID |CVE ID       | Impact of Vulnerability
   --------------------+-----------+-------------+------------------------
   LSASS Vulnerability |VU#753212  |CAN-2003-0533| Remote Code Execution
   LDAP Vulnerability  |VU#639428  |CAN-2003-0663| Denial of Service
   PCT Vulnerability   |VU#586540  |CAN-2003-0719| Remote Code Execution
   Winlogon Vulnerabili|VU#471260  |CAN-2003-0806| Remote Code Execution
   Metafile Vulnerabili|VU#547028  |CAN-2003-0906| Remote Code Execution
   Help and Support Cen|VU#260588  |CAN-2003-0907| Remote Code Execution
   Utility Manager Vuln|VU#526084  |CAN-2003-0908| Privilege Elevation
   Windows Management V|VU#206468  |CAN-2003-0909| Privilege Elevation
   Local Descriptor Tab|VU#122076  |CAN-2003-0910| Privilege Elevation
   H.323 Vulnerability |VU#353956  |CAN-2004-0117| Remote Code Execution
   Virtual DOS Machine |VU#783748  |CAN-2004-0118| Privilege Elevation
   Negotiate SSP Vulner|VU#638548  |CAN-2004-0119| Remote Code Execution
   SSL Vulnerability   |VU#150236  |CAN-2004-0120| Denial of Service
   ASN.1 "Double Free" |VU#255924  |CAN-2004-0123  Remote Code Execution


  Security Bulletin MS04-012: Cumulative Update for Microsoft RPC/DCOM
   (828741)

   This  bulletin  addresses  several  new  vulnerabilities affecting the
   systems  listed  below. These vulnerabilities are in Microsoft Windows
   Remote  Procedure  Call  (RPC)  and Distributed Component Object Model
   (DCOM).

   Impact

     Remote attackers could execute arbitrary code on vulnerable systems.

   Systems affected

     * Windows NT Workstation 4.0
     * Windows NT Server 4.0
     * Windows NT Server 4.0, Terminal Server Edition
     * Windows 2000
     * Windows XP
     * Windows Server 2003

   Vulnerability identifiers

   The  following table outlines these issues and is based on Microsoft's
   Security Bulletin:

   Vulnerability Title |US-CERT ID |CVE ID       | Impact of Vulnerability
   --------------------+-----------+-------------+------------------------
   RPC Runtime Library |VU#547820  |CAN-2003-0813| Remote Code Execution
   RPCSS Service Vulner|VU#417052  |CAN-2004-0116| Denial of Service
   RPC over HTTP Vulner|VU#698564  |CAN-2003-0807| Denial of Service
   Object Identity Vuln|VU#212892  |CAN-2004-0124| Information Disclosure


  Security Bulletin MS04-013:Cumulative Security Update for Outlook Express
   (837009)

   This  bulletin  addresses a vulnerability affecting the systems listed
   below.  The vulnerability affects the Microsoft Windows MHTML Protocol
   handler  and any applications that use it, including Microsoft Outlook
   and  Internet Explorer. This vulnerability has been assigned VU#323070
   and CAN-2004-0380.

   Note:   MS04-013   includes   patches  remediating  the  vulnerability
   described in TA04-099A.

   Impact

     Remote attackers could execute arbitrary code on vulnerable systems.

   Systems affected

     * Windows NT Workstation 4.0
     * Windows NT Server 4.0
     * Windows NT Server 4.0, Terminal Server Edition
     * Windows 2000
     * Windows XP
     * Windows Server 2003
     * Windows 98
     * Windows 98 Second Edition (SE)
     * Windows Millennium Edition (Windows Me)

   Note:  This  issue  affects  systems  with  Outlook Express installed.
   Outlook  Express  is installed by default on most (if not all) current
   versions of Microsoft Windows.


  Security Bulletin MS04-014: Vulnerability in the Microsoft Jet Database
   Engine Could Allow Code Execution (837001)

   This  bulletin  addresses a vulnerability affecting the systems listed
   below.  There  is  a  buffer overflow vulnerability in Microsoft's Jet
   Database  Engine (Jet). An attacker could take control of a vulnerable
   system,  including installing programs; viewing, changing, or deleting
   data;  or  creating  new  accounts  that  have  full  privileges. This
   vulnerability has been assigned VU#740716 and CAN-2004-0197.

   Impact

     Remote attackers could execute arbitrary code on vulnerable systems.

   Systems affected

     * Windows NT Workstation 4.0
     * Windows NT Server 4.0
     * Windows NT Server 4.0, Terminal Server Edition
     * Windows 2000
     * Windows XP
     * Windows Server 2003


Update to TA04-099A

   Microsoft  has  released  a  patch  that  addresses  the  cross-domain
   vulnerability  discussed  in  TA04-099A:  "Vulnerability  in  Internet
   Explorer  ITS  Protocol  Handler".  US-CERT  is tracking this issue as
   VU#323070.   This   reference  number  corresponds  to  CVE  candidate
   CAN-2004-0380.

   The  patches  and  further  information  about  the  vulnerability are
   available  in Microsoft Security Bulletin MS04-013. MS04-013 is titled
   "Cumulative  Security  Update for Outlook Express". Since most (if not
   all)  current  Windows  systems  have  Outlook  Express  installed  by
   default, and the MHTML protocol handler is part of the Outlook Express
   software  package,  most  (if  not  all)  Windows  systems  should  be
   considered vulnerable.

   TA04-099A and VU#323070 focused on the ITS protocol handlers; however,
   the latent vulnerability appears to be in the MHTML handler shipped as
   part of Outlook Express. These documents have been updated.

II. Impact

   Several  of  the issues identified by Microsoft have been described as
   "Critical" in nature.Each bulletin contains at least one vulnerability
   which may allow remote attackers to execute arbitrary code on affected
   systems. The privileges gained would depend on the security context of
   the software and vulnerability exploited.

III. Solution

Apply an appropriate set of updates from Microsoft

   Please  see  the following site for more information about appropriate
   remediation.

     Windows Security Updates for April 2004 -

     <http://www.microsoft.com/security/security_bulletins/200404_windows
     .asp>

Appendix A. Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   technical alert. As vendors report new information to US-CERT, we will
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their
   comments.

Microsoft Corporation

     Windows Security Updates for April 2004

     + Microsoft Security Bulletin MS04-011 -  
        Security Update for Microsoft Windows (835732)

     + Microsoft Security Bulletin MS04-012 -
        Cumulative  Update  for Microsoft RPC/DCOM (828741)

     + Microsoft Security Bulletin MS04-013 - 
        Cumulative Security Update for Outlook Express (837009)

     + Microsoft Security Bulletin MS04-014 - 
        Vulnerability  in  the Microsoft Jet Database Engine Could
        Allow Code Execution (837001)


Appendix B. References

     * Technical    Cyber    Security   Alert   TA04-099A:   Cross-Domain
       Vulnerability   in   Outlook  Express  MHTML  Protocol  Handler  -
       <http://www.us-cert.gov/cas/techalerts/TA04-099A.html>

     * US-CERT   Cyber  Security  Alert  SA04-104A:  Summary  of  Windows
       Security Updates for April 2004 -
       <http://www.us-cert.gov/cas/alerts/SA04-104A.html>

     * Windows      Security     Updates     for     April     2004     -
       <http://www.microsoft.com/security/security_bulletins/200404_windo
       ws.asp>

     * Microsoft   Security  Bulletin  MS04-011  -  Security  Update  for
       Microsoft Windows (835732) -
       <http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx>

     * Microsoft  Security  Bulletin  MS04-012  -  Cumulative  Update for
       Microsoft RPC/DCOM (828741) -
       <http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx>

     * Microsoft  Security Bulletin MS04-013 - Cumulative Security Update
       for Outlook Express (837009) -
       <http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx>

     * Microsoft  Security  Bulletin  MS04-014  -  Vulnerability  in  the
       Microsoft  Jet Database Engine Could Allow Code Execution (837001)
       -
       <http://www.microsoft.com/technet/security/bulletin/MS04-014.mspx>

     * Microsoft  Security  Response  Center  Security  Bulletin Severity
       Rating System (Revised, November 2002) -
       <http://www.microsoft.com/technet/security/bulletin/rating.mspx>

     * Vulnerability  Note  VU#323070:  Outlook  Express  MHTML  protocol
       handler  does  not  properly validate location of alternate data -
       <http://www.kb.cert.org/vuls/id/323070>

     * Vulnerability   Note   VU#547820:   Microsoft   Windows   DCOM/RPC
       vulnerability - <http://www.kb.cert.org/vuls/id/547820>

     * Vulnerability   Note  VU#740716:  Microsoft  Jet  Database  Engine
       database      request      handling      buffer     overflow     -
       <http://www.kb.cert.org/vuls/id/740716>
     _________________________________________________________________

   Feedback  about  this  technical  alert  should  be  sent  to "US-CERT
   Technical Alert" at <mailto:cert@xxxxxxxx>. Please include the Subject
   line "TA04-104A Feedback VU#667571".
     _________________________________________________________________

   Copyright 2004 Carnegie   Mellon   University.

   Terms   of   use: <http://www.us-cert.gov/legal.html>

   Revision History

   April 13, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAfJtjXlvNRxAkFWARAmmUAJ4jbj7Mm8I5NdasPeDIliOCUTJutQCfaeoC
uIhq7G9V+u7Cg0B78NzRMGk=
=UEBC
-----END PGP SIGNATURE-----