Bumper crop of Microsoft updates

Microsoft's October 'Patch Tuesday' swung by last week and what a bumper crop of updates! Ten security bulletins covering 22 vulnerabilities, with more than half of them rated as 'critical' severity on at least one platform or version of the affected software. On top of that the deeply troubled MS04-028 GDI+ JPEG buffer overflow patch saw significant revisions to its security bulletin, some patches re-released, a further affected product added plus advice to obtain and install the latest versions of some commonly used but unsupported utilities that are not supported with security updates.

This issue's topics:

Introduction:

* 10 MS patches; MS04-028 updated; ASP.NET update; Mac OS X updates; new Mydoom

Virus News:

* New Mydoom variant no threat, comments on Jaschan's employment

Security News:

* RPC runtime library DoS, information disclosure in NT 4.0 Server fixed

* Update fixes WebDAV XML DoS

* Net DDE remote code execution flaws fixed

* Multiple critical Windows vulnerabilities fixed in one update

* Update fixes Excel remote code execution vulnerability

* Remote code execution flaw in Windows compressed folders fixed

* Fix for remote code execution flaw in Windows SMTP component

* Remote arbitrary code execution in Windows NNTP server patched

* Critical Windows shell updates released

* Multiple critical IE vulnerabilities patched

* Trouble at mill with unduly complex patch - MS04-028 updated again

* ASP.NET directory traversal update; MS releases interim workaround

* Multiple Mac OS X security patches

* Multiple buffer overflows fixed in GNU sharutils

* SANS 'Top 20' list updated for 2004

Introduction:

Administrators of IIS web servers running ASP.NET are not out of the Microsoft patch woods yet either. The canonicalization flaw we highlighted last week still has not been patched, but Microsoft has released an HTTP module that can be installed on ASP.NET servers to fix all currently known canonicalization issues until a proper patch for ASP.NET is released.

Mac OS users not running with automatic updates should check the latest security updates from Apple, and several nasty buffer overflows in the GNU sharutils package could leave some Unix and Linux systems open to trouble unless patched. Finally in the security section, we note that the SANS 'Top 20' has had its latest update to reflect the ever-shifting sands of the computer security landscape...

It was a very quiet week on the virus and worm front. Although it poses no significant threat, we have chosen to cover the very recently discovered Mydoom.AE (or .AF, or probably several other sub-variant ascriptions as more virus scanner updates are released to detect it...) because of its commentary on Sven Jaschan's employment in the security sector - a story we covered in its own right last week.

Virus News:

* New Mydoom variant no threat, comments on Jaschan's employment

Last week we discussed the furore surrounding German firewall maker Securepoint employing the admitted writer of the Sasser and Netsky worms, Sven Jaschan. This weekend a new Mydoom variant (which has entirely failed to take off) was isolated, and it contains an encrypted message commenting on Jaschan's employment: 'Sasser author gets IT security job and we will work with Mydoom , P2P worms and exploit codes'. Very few AV vendors have descriptions posted yet, so aside from the two usual virus encyclopedia entries we have also linked to F-Secure's antivirus research team weblog, which comments a little further than their technical description of the virus.

Aside from its hidden social commentary, this is a boringly typical mass-mailer that also downloads and installs a backdoor, which in turn downloads and installs another backdoor. Anyone silly enough to run this from its unbidden e-mail attachment will therefore make their machine triple-sick...

F-Secure Security Information Center

F-Secure Weblog entry

Symantec Security Response

Security News:

* RPC runtime library DoS, information disclosure in NT 4.0 Server fixed

Microsoft has released an update for NT 4.0 Server and Terminal Server that addresses inadequate bounds checking on certain RPC calls. Carefully constructed RPC requests could allow an attacker to read portions of active memory on the RPC server they should not have access to, or even cause the RPC server process to stop responding entirely, requiring a system restart to restore service.

Firewall best practices mean that RPC services should not be accessible outside the LAN, so Microsoft rates this vulnerability as being of important severity.

Microsoft Security Bulletin MS04-029

* Update fixes WebDAV XML DoS

IIS 5.0, 5.1 and 6.0 on Windows 2000, XP pre-SP2, XP 64-bit and all Server 2003 versions are vulnerable to a denial of service attack via WebDAV. Because there is no limit on the number of attributes that can be specified for each XML element in WebDAV requests, an IIS server can be made to consume massive CPU resources processing WebDAV XML requests with large numbers of attributes per XML element.

Note that the update Microsoft has supplied to address this issue may have consequences that affect the performance of existing, legitimate and non-malicious web applications. The 'Does this update contain any other changes to functionality?' section of the security bulletin describes these issues and links to a KnowledgeBase article discussing the issue in more depth and describing the workarounds to fix any such cases. Also note that the update installer bundles the MSXML 3.0 Service Pack 5 update, which is installed (if necessary) with the update. Certain functionality enhancements from MSXML 3.0 SP5 are necessary for the MS04-030 fix to work, but this may also introduce subtle changes to existing applications on servers that only have earlier versions of MSXML installed. Read the security bulletin carefully to evaluate these issues, rather than rushing straight out and installing this update!
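The attack described above works because the server does unbounded work per attribute. As an added example (not from the newsletter, and not Microsoft's fix), the guard below rejects a WebDAV request body as soon as any element carries more attributes than a configured limit, before the body is handed to the application's XML processing. The sample bodies are constructed here for illustration; the limit of 32 is an assumed policy value.

```python
# Added example: cap the number of attributes per XML element in a WebDAV
# request body, aborting the parse at the first element over the limit.
import xml.parsers.expat

# Constructed sample bodies: an ordinary PROPFIND and an abusive one that
# piles thousands of attributes onto a single element.
NORMAL_PROPFIND = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<D:propfind xmlns:D="DAV:"><D:prop><D:displayname/></D:prop></D:propfind>'
)
ABUSIVE_PROPFIND = (
    b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:" '
    + b" ".join(b'a%d="x"' % i for i in range(5000))
    + b"/>"
)


class TooManyAttributes(Exception):
    """Raised to stop parsing as soon as one element exceeds the limit."""


def max_attributes_per_element(body: bytes, limit: int) -> int:
    """Return the largest attribute count seen on any element.

    Parsing is aborted (by raising TooManyAttributes) the moment an element
    exceeds `limit`, so an abusive body is never processed in full.
    """
    worst = 0

    def start(name, attrs):
        nonlocal worst
        n = len(attrs)  # expat hands us all attributes of this start tag
        worst = max(worst, n)
        if n > limit:
            raise TooManyAttributes(
                f"element {name} carries {n} attributes (limit {limit})"
            )

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.Parse(body, True)
    return worst


def webdav_body_allowed(body: bytes, limit: int = 32) -> bool:
    """Policy decision for a request filter: True only for well-formed XML
    whose elements all stay within the attribute limit."""
    try:
        max_attributes_per_element(body, limit)
    except TooManyAttributes:
        return False
    except xml.parsers.expat.ExpatError:
        return False  # malformed XML: reject rather than let downstream guess
    return True


if __name__ == "__main__":
    print("normal body allowed:", webdav_body_allowed(NORMAL_PROPFIND))
    print("abusive body allowed:", webdav_body_allowed(ABUSIVE_PROPFIND))
```

Because expat calls the start-element handler as each start tag is completed, the cost of rejecting an abusive body is bounded by the first oversized element rather than by the whole request; a limit should be set from the largest attribute count your legitimate WebDAV clients actually send.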

Microsoft rates this vulnerability as being of 'moderate' severity on XP and Server 2003 and 'important' on Windows 2000.

Microsoft Security Bulletin MS04-030

* Net DDE remote code execution flaws fixed

A buffer overflow in Network Dynamic Data Exchange (NetDDE) services, present in all supported versions of Windows apart from XP SP2, has been patched (for most affected platforms). As Microsoft only rates this as being of 'important' severity, and not 'critical', it has not produced patches for Windows 98 and ME, which are now both in the 'extended support' phase of the Microsoft Support Lifecycle.

An unchecked buffer in NetDDE services could allow a remote attacker to take complete control of a vulnerable system. Proper firewalling and standard Windows networking best practices guidelines mean that NetDDE should be disabled in most circumstances anyway, and certainly not directly accessible across a public network like the Internet. The security bulletin discusses disabling the service as a workaround and long-term security enhancement. Note that some applications may require NetDDE, or at least will not perform the same with NetDDE disabled.

Microsoft rates the severity of this vulnerability as 'important' or 'moderate' on all platforms apart from Windows 98/ME where it is rated 'not critical'.

Microsoft Security Bulletin MS04-031

* Multiple critical Windows vulnerabilities fixed in one update

All supported versions of Windows are vulnerable to one or more of the four vulnerabilities fixed by the MS04-032 update. However, as with the MS04-031 update, Windows 98 and ME are either not affected by the vulnerabilities or the vulnerability's severity on those platforms is not rated as 'critical', so no update has been shipped for these issues on Win98/ME.

Amongst the four vulnerabilities, Microsoft only rates one - the graphics rendering engine vulnerability - as being of 'critical' severity, and this vulnerability is not listed as affecting NT 4.0 platforms. However, depending on how you run your systems, the local privilege escalation vulnerability in the Virtual DOS Machine component that gives up full system control may well be considered 'critical', and this affects all the 'NT class' (NT 4.0, Windows 2000, XP and Server 2003) platforms.

Microsoft Security Bulletin MS04-032

* Update fixes Excel remote code execution vulnerability

An unchecked buffer in Excel's handling of its spreadsheet files can lead to an arbitrary code execution attack, with the code running under the privileges of the current Excel user. Excel 2000, 2002 (the version in Office XP), 2001 for Mac and v. X for Mac are affected. Office XP SP3, Office 2003, Office 2003 SP1 and Excel 2004 for Mac are not affected by this vulnerability.

MBSA users should note that MBSA can only detect the need for this update if run locally. When scanning client machines across the network MBSA cannot detect the presence or absence of updates supported by the Office Inventory Tool.

Microsoft Security Bulletin MS04-033

* Remote code execution flaw in Windows compressed folders fixed

32- and 64-bit versions of both Windows XP (except XP SP2) and Server 2003 are vulnerable to remote code execution vulnerabilities due to improper bounds checking. Specially crafted malformed ZIP archive files can be used to execute arbitrary code supplied by an attacker. Such code would run with the privileges of the user running the application that opened the malformed archive file.

Microsoft rates this vulnerability as being of 'critical' severity for all affected platforms, as there are simple web-based mechanisms by which such an attack can be launched. Users of affected systems should obtain and install the relevant update as soon as is practicable.

Microsoft Security Bulletin MS04-034

* Fix for remote code execution flaw in Windows SMTP component

The SMTP component of Windows XP 64-bit Edition Version 2003 and Server 2003 (32- and 64-bit editions), and the Exchange Server 2003 Routing Engine component (when installed on Windows 2000 Server) are vulnerable to a remote arbitrary code execution vulnerability. As the vulnerable components run with system privileges, an attacker successfully exploiting this vulnerability would be able to completely take over control of a vulnerable machine.

Under Exchange Server 2003 Microsoft rates this vulnerability as being of 'critical' severity; on the other affected platforms it is rated as being of 'important' severity. Partial workarounds and a detailed description of some of the mitigating circumstances affecting the possible impact of this vulnerability in various situations are included in the Microsoft security bulletin associated with this update.

Microsoft Security Bulletin MS04-035

* Remote arbitrary code execution in Windows NNTP server patched

Microsoft has released updates for the NNTP component of NT 4.0 Server, Windows 2000 Server and Windows Server 2003 (32- and 64-bit editions). Administrators of servers running Exchange 2000 Server and Exchange Server 2003 should pay special heed as both versions of Exchange require the NNTP component to be installed as a prerequisite to their own installation. Although Exchange Server 2003 disables NNTP after it is installed, Exchange 2000 Server will leave the service enabled, even if it is unused.

The NNTP component is not installed by default as part of the operating system installation or IIS, so servers not running Exchange and otherwise running default installations are unlikely to have the vulnerable components running. Microsoft rates the severity of this vulnerability as 'important' across all affected platforms/applications except Exchange 2000 Server, where it is rated as 'critical'. Typical network best practices, such as firewall policies and service minimization, should see the risk lowered in most cases, and several mitigating factors and workarounds are discussed in the security bulletin associated with this update.

Microsoft Security Bulletin MS04-036

* Critical Windows shell updates released

All currently supported Windows OSes apart from XP SP2 are affected to varying degrees by one or both of two vulnerabilities addressed in the MS04-037 security update. As the severity rating for Windows 98/ME is not critical, there is no update for that platform, but updates are available for all other supported platforms and on all but Server 2003 Microsoft's aggregate severity rating is 'critical' (it is 'important' for Server 2003).

One vulnerability is the mis-handling of the shell: protocol - a vulnerability that has been roundly abused to install all manner of spyware and other undesirable software since its public disclosure a couple of months back. Further to fixing the shell: protocol gaffes, on Windows XP and Server 2003 other functionality changes have been made in the cause of 'defense in depth' to bring the shell's functionality into line with the tightened security of XP SP2. The other vulnerability fixed in this update is a buffer overflow in 'grpconv.exe' - a simple utility program that converts old Windows 'Program Manager' .GRP files for use with the newer Explorer desktop interface.

Both vulnerabilities can be exploited remotely to execute arbitrary code of an attacker's choosing.

Microsoft Security Bulletin MS04-037

* Multiple critical IE vulnerabilities patched

Eight vulnerabilities, three of which are rated by Microsoft as being of 'critical' severity in most cases, are addressed in the latest cumulative security update for Internet Explorer. Further, although one of the vulnerabilities is only rated as being of 'important' severity (and 'moderate' on Windows Server 2003), it is being actively exploited to install undesirable software ('spyware', 'adware', etc).

Many security experts consider that vulnerability - referred to as the 'Drag and Drop' vulnerability in the Microsoft security bulletin - to be much easier to exploit than Microsoft suggests. For example, one of the mitigating factors Microsoft claims reduces the direct threat posed by this vulnerability is that users must be 'tricked' or 'persuaded' to 'perform an action on the malicious web site that would invoke drag-and-drop handling in Internet Explorer'. While that is true of the initial proof of concept exploit that was publicly posted, it was quickly shown that in fact, the drag and drop operation could be automated via scripting embedded in the same web page, so really all that was necessary was for an IE user to visit a page employing a scripted form of the vulnerability for them to be exploited. And, that aside, drag and drop operations are very common and familiar to most Windows users, so a malicious page employing just the original form of exploit could easily 'trick' a user into dragging and dropping if the page was designed to look like some kind of game or reaction time test or other cognitive processing exercise or test where the user had to 'pick up and move' objects from one location on the screen to another.

Interested users can read Microsoft's spin on the rest of the vulnerabilities in this core operating system component in the security bulletin associated with the patch. Regardless, you should read the security bulletin for the 'other changes' information, as some third-party web applications may no longer work properly with these updates installed.

Microsoft Security Bulletin MS04-038

* Trouble at mill with unduly complex patch - MS04-028 updated again

The update process for the GDI+ JPEG processing buffer overflow has been fraught with problems from the beginning. To start with, you needed an advanced degree in formal logic to work out, from the convoluted and wordy (and in places apparently contradictory) descriptions, which products were affected depending on what service pack level the product was at and which OS and OS service pack level the application was installed on. Second, those depending on WindowsUpdate to test their machines for patch compliance got one crack at running the detection utility, which then marked itself as run, never to be offered by WindowsUpdate again, despite the possibility that newly installed applications may subsequently introduce their own vulnerable versions of the GDI+ DLL file. Third, it was not clear to many system administrators that vulnerable copies of the DLL could be included with and used by many third-party programs and utilities, and Microsoft even missed that some of its own tools shipped and installed vulnerable versions of the DLL that were not detected in at least some cases but were still used by the applications they were installed with.

A month after all this confusion began, it seems things are still not sorted and Microsoft has just updated the MS04-028 security bulletin again. The scale of this update would constitute a major rewrite for most other security bulletins, but due to the already burgeoning size of MS04-028, these changes appear almost minuscule in scale. Despite their apparent scale, however, these changes are very important. First, new updates for Office and associated products for users of XP SP2 have been released - yes, the original installers could severely botch the installation. Second, this update notes that Journal Viewer is vulnerable if installed on Windows 2000 and now includes an update for this application (if installed on other supported OSes, Journal Viewer uses the OS copy of gdiplus.dll and thus is not vulnerable so long as the appropriate OS update has been applied). Third, Microsoft notes that the standalone viewer utilities for Visio 2002, 2003, and PowerPoint 2003 are also vulnerable because they include older versions of gdiplus.dll. These utilities are not directly supported for security updates, but newer versions of all three viewers, which are not vulnerable to this flaw, have been released and download locations are linked in the updated security bulletin.

Finally, and most important, the 'MS04-028 Enterprise Update Scanning Tool' has been released. The rationale for this, as described in the security bulletin is an impeccable example of Microsoft spin and deserves being quoted in full: 'In an effort to further support enterprise customers through the unique deployment complexities of MS04-28, due to the number of products and components affected, Microsoft has released a scanning tool and guidance that offers system administrators the ability to scan computers on their network for the software listed in the Affected Software and Affected Components sections of this security bulletin and to automatically apply the appropriate MS04-028 updates'.

Maybe we missed something along the way here, but isn't the point of WindowsUpdate, SUS and all the associated update and patching technology (also potentially deployed through MBSA, SMS and other third-party patch management tools) to automate the detection and installation of, at a minimum, important security updates such as MS04-028? If so, why should an additional tool be needed because more than the usual two, three, four or five products and/or OS versions are affected by a specific vulnerability?

Microsoft is quite right that MS04-028 has (hopefully) 'unique deployment complexities'. However, these are not due to the fact that the 'affected software' list for this patch is more than fifty items long (if you add the Office and related viewers where the recommendation is to get the newest version because they are not officially supported for security updates). These 'deployment complexities' are largely due to the labyrinthine mess that is Windows' library handling, affectionately known to system admins as 'DLL hell'. DLL hell is of Microsoft's own devising, and a part of Windows that has been severely criticized from a system design perspective since at least Windows 3.x.

MS04-028's 'deployment complexities' are further compounded by the fact that the affected component is available under a redistributable license and third-party developers have been encouraged to use the component, but without Microsoft having effective control over where this component has been installed, copies of it now litter many users' disks and it is turning up in the darnedest of places. And, those 'deployment complexities' are still further compounded due to the addled and inconsistent 'solution' to DLL hell that Microsoft subsequently built into its later OSes.

If you run any Windows machines, re-read all of MS04-028 and very carefully re-assess your MS04-028 patching efforts. In the unlikely event that you got everything right to date it won't matter to you that the 'JPEG of death' worm that so many security experts were predicting close to a month ago has still not eventuated, but the rest of us may take an ounce or two of comfort from that...
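The re-assessment urged above starts with an inventory: you cannot patch copies of gdiplus.dll you do not know about. As an added example (not the newsletter's, and not Microsoft's Enterprise Update Scanning Tool), the script below walks one or more directory roots, finds every file with the DLL's name regardless of case, and groups the copies by content hash so that distinct builds stand out along with every location each build occupies. The directory layout in `demo_on_temp_tree` is constructed sample data; mapping each hash to a fixed or vulnerable build is left to the reader, because the page gives no hashes and none should be invented.

```python
# Added example: inventory every copy of a named DLL under some roots and
# group the copies by SHA-256 so distinct builds (and their locations) are visible.
import hashlib
import os
from collections import defaultdict


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large DLLs do not need to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dll_copies(roots, dll_name="gdiplus.dll"):
    """Return {sha256: [paths]} for every file named dll_name (case-insensitive)
    beneath the given roots.  One hash per distinct build; every path in a group
    is the same bytes, so a group is patched or vulnerable as a unit."""
    groups = defaultdict(list)
    wanted = dll_name.lower()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() == wanted:
                    full = os.path.join(dirpath, fn)
                    try:
                        groups[sha256_of(full)].append(full)
                    except OSError:
                        continue  # unreadable copy; a real run should log these
    return dict(groups)


def report(groups) -> str:
    """Render the grouping as text: one header line per build, paths indented."""
    lines = []
    for digest, paths in sorted(groups.items()):
        lines.append(f"{digest[:16]}...  {len(paths)} copy/copies")
        lines.extend("    " + p for p in sorted(paths))
    return "\n".join(lines)


def demo_on_temp_tree():
    """Constructed sample: two identical copies of the DLL and one different
    build, in separate application directories, plus an unrelated file.
    Returns {sha256: copy_count} so callers need not know the temp path."""
    import tempfile
    base = tempfile.mkdtemp(prefix="dllscan_")
    layout = {
        os.path.join("System32", "gdiplus.dll"): b"build-A",
        os.path.join("Program Files", "AppOne", "GdiPlus.dll"): b"build-A",
        os.path.join("Program Files", "AppTwo", "gdiplus.dll"): b"build-B-older",
        os.path.join("Program Files", "AppTwo", "readme.txt"): b"not a dll",
    }
    for rel, content in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return {digest: len(paths) for digest, paths in find_dll_copies([base]).items()}


if __name__ == "__main__":
    import sys
    # Default to the system drive on Windows; pass roots explicitly elsewhere.
    roots = sys.argv[1:] or [os.environ.get("SystemDrive", "C:") + os.sep]
    print(report(find_dll_copies(roots)))
```

Grouping by hash rather than by reported version string is deliberate: the version resource can be absent or misleading in a redistributed copy, whereas two files with the same hash are the same build wherever they sit.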

Microsoft Security Bulletin MS04-028

* ASP.NET directory traversal update; MS releases interim workaround

Last week we alerted IIS web server administrators and content providers with systems running ASP.NET to a trivial authentication bypass issue that likely affected their systems. In the last few days Microsoft has updated its incident note 'What You Should Know About a Reported Vulnerability in ASP.NET' that discusses this issue. Although Microsoft has still not released a patch to address the issue in ASP.NET, it has released an HTTP module that can be installed on ASP.NET servers to protect against all canonicalization issues Microsoft currently knows of. Obviously, once a patch for ASP.NET is available, this module will become redundant, but it provides a good workaround solution in the interim.

As well as linking to the updated incident note, which now includes a download link for Microsoft's ValidatePath module, we have included a link to the associated KnowledgeBase article that describes the module's installation and removal process, and provides its source code.
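The class of bug behind this interim module is that authorization is decided on one spelling of a path while the file system serves another. As an added example (not Microsoft's ValidatePath module and not code from the newsletter), the function below reduces a request path to a canonical form before the protected-prefix check and refuses any request whose raw path does not already equal its canonical form. The protected prefixes are an assumed site layout; the canonicalization steps (percent-decoding, backslash-to-slash, dot-segment collapsing, case-insensitive prefix matching) are general, not a description of the specific ASP.NET flaw.

```python
# Added example: authorize on the canonical path, and reject any path that
# needed rewriting to reach canonical form.
import posixpath
from urllib.parse import unquote

# Assumed site layout: paths under these prefixes require an authenticated user.
PROTECTED_PREFIXES = ("/admin/", "/secure/")


def canonicalize(raw_path: str) -> str:
    """Return the single canonical spelling of raw_path.

    Steps: decode percent-encoding twice (so a double-encoded separator cannot
    survive), treat backslash as a separator as Windows file systems do, then
    collapse '.', '..' and repeated slashes.  Trailing-slash intent is preserved.
    """
    p = unquote(unquote(raw_path))
    p = p.replace("\\", "/")
    canon = posixpath.normpath("/" + p.lstrip("/"))
    if p.endswith("/") and not canon.endswith("/"):
        canon += "/"
    return canon


def request_allowed(raw_path: str, authenticated: bool) -> bool:
    """Policy: non-canonical paths are refused outright; canonical paths under a
    protected prefix need authentication; everything else is allowed."""
    canon = canonicalize(raw_path)
    if canon != raw_path:
        return False  # the path had an alternative spelling: do not guess its intent
    if canon.lower().startswith(PROTECTED_PREFIXES):
        return authenticated
    return True


if __name__ == "__main__":
    for path in ("/admin/page.aspx", "/admin%5Cpage.aspx", "/public/../admin/page.aspx"):
        print(f"{path:32} -> canonical {canonicalize(path):20} "
              f"anonymous allowed: {request_allowed(path, False)}")
```

Refusing rather than rewriting non-canonical paths is the conservative choice for an interim filter: a legitimate client has no reason to send `%5C` or `..` in a path, while rewriting silently would re-create the original problem if any later component saw the raw path again.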

What You Should Know About a Vulnerability in ASP.NET - microsoft.com

HTTP Module Checks Canonicalization Issues with ASP.NET - microsoft.com

* Multiple Mac OS X security patches

Apple has released further security updates for Mac OS X 10.2.8 and 10.3.5. These include patches that address security issues in such components as AFP Server, CUPS, NetInfo Manager, postfix, QuickTime, and iChat. More details, including download links (if you don't have your Macs set to obtain security fixes automatically in their Software Update preferences) are available from the Apple Security Updates page linked below.

Apple Security Updates - apple.com

* Multiple buffer overflows fixed in GNU sharutils

Security researcher Ulf Harnhammar discovered multiple buffer overflows in the shar.c and unshar.c source components of GNU sharutils. These utilities are widely distributed with Linux and some other Unix-like operating systems for handling shell archives. Exploitation of these overflows could lead to execution of arbitrary code of an attacker's choice, running with the privileges of the sharutils user. Most distributions that ship sharutils have provided update packages.

sharutils: Buffer overflows in shar.c and unshar.c - securityfocus.com

* SANS 'Top 20' list updated for 2004

The SANS (SysAdmin, Audit, Network, Security) Institute has updated its 'Top 20' internet security vulnerabilities list to reflect shifts in attacks and related security research in the last year. The list is actually two 'Top 10' lists - one covering Windows platforms and one for Unix and Linux platforms. The lists are compiled as the consensus of a large number of active security experts, and provide advice on the ten most important things to get right in your systems so as to avoid the greatest amount of pain likely to be caused by the most commonly seen recent and ongoing network-borne attacks.

Even if you think you're doing everything right, a few minutes reviewing the SANS Top 20 list every year is bound to be time well-spent, even if all it does is provide peace of mind that you are on-track with the consensus of expert opinion!

The Twenty Most Critical Internet Security Vulnerabilities - sans.org
