Critical Windows, Exchange Alerts Issued

10-16-03, 05:31 PM
Microsoft recommends immediately patching five critical vulnerabilities, four in Windows and one in Exchange 2000 Server. All five, if exploited, could enable an outsider to remotely execute code on a vulnerable system.

Yesterday's alerts are the first released under Microsoft's new monthly release cycle announced last week at a partner conference.

A buffer overrun flaw found in Exchange 2000 Server lets an attacker connect to an Exchange server's SMTP port and send an extended verb request that crashes the server. Microsoft said if the attacker sends "carefully chosen data," he could cause an overflow of the buffer and run code of his choice. A similar denial-of-service bug exists in Exchange 5.5. Microsoft deems this flaw "important."

Microsoft also recommends the use of SMTP protocol inspection to filter SMTP protocol extensions, if practical, to only accept connections from SMTP servers that use the SMTP AUTH command. Resetting firewalls to block port 25, generally used by SMTP, is recommended only as a last resort because doing so could impact e-mail services.

In Windows, Microsoft warns of separate vulnerabilities in Authenticode, Windows Troubleshooter ActiveX Control, Messenger Service and Windows Help and Support Center.

The flaws in Authenticode and Messenger Service impact Windows NT workstations and servers, Windows 2000, Windows XP and Windows Server 2003 and 2003 64-bit edition. The ActiveX Control bug impacts Windows 2000 systems.

The Authenticode flaw arises under certain low-memory conditions and could enable an ActiveX control to download and install without notifying the user, Microsoft said. An attacker hosting a malicious Web page, or using a malicious HTML e-mail message, could install and execute the ActiveX control with the same permissions as the user. Users who have applied the patch included in MS03-040 or Microsoft Outlook E-mail Security Update are at less risk. Default configurations of IE on Windows 2003 block this attack.

Microsoft suggests administrators disable downloading of ActiveX controls in the Internet zone, restrict Web sites to only trusted sites, install Outlook E-mail Security Update if using Outlook 2000 SP1 or earlier, or read e-mail as plain text in Outlook 2002.

Another buffer overflow vulnerability was discovered in Microsoft Local Troubleshooter ActiveX control, which is installed by default on Windows 2000. Again, an attacker using a special HTML e-mail or hosting a malicious Web site could surreptitiously download and install an ActiveX control. The attacker could then run code of their choice on a vulnerable system with user privileges.

As with the Authenticode flaw, the patch in MS03-040 or Microsoft Outlook E-mail Security Update diminishes potential damage. The same workarounds also apply here.

Messenger Service also contains a critical buffer overflow flaw, Microsoft warns. The service doesn't accurately validate the length of a message before it sends it to the buffer. Attackers exploiting this flaw could run code with local privileges or crash the service. Successful exploits could enable an outsider to install malicious programs, change or view data or create new accounts.

Microsoft said Messenger Service messages are delivered via NetBIOS or RPC, and blocking those ports (137-139) could mitigate damage. Also, admins could disable the Messenger Service, which is disabled by default on Windows Server 2003.

The final critical alert concerns Windows Help and Support Center, a function that ships with Windows XP and Windows Server 2003. An unchecked buffer file associated with the HCP protocol could be exploited by an attacker. A malicious URL, when clicked on by a user, could execute code in the local security context. The URL could be hosted on a Web page or sent via e-mail.

Microsoft recommends deregistering the HCP Protocol as a workaround.

Microsoft also issued an "important" alert regarding a buffer overflow in Windows ListBox and ComboBox. Neither control, located in the User32.dll file, correctly validates Windows messages. Exploits could elevate user privileges and enable an attacker to remotely control a system.
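The Messenger Service and Exchange SMTP flaws described in this article both come down to the same root cause: data supplied by a remote sender is copied into a fixed-size buffer without its length being validated first. The C program below is an added illustration of that pattern and of the check that prevents it; it is not Microsoft's code and is not the real Messenger Service or SMTP wire format. The two-byte length-prefixed message layout, the 64-byte buffer size and the sample packets are all constructed assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_SIZE 64   /* assumed fixed destination buffer size */

enum msg_status { MSG_OK = 0, MSG_TRUNCATED = -1, MSG_TOO_LONG = -2 };

/* Constructed wire format (an assumption, not a real protocol encoding):
 * a 2-byte big-endian length field followed by the message body. */
static size_t build_packet(uint8_t *dst, size_t dst_cap, uint16_t declared,
                           const char *body, size_t body_len) {
    if (dst_cap < 2 + body_len) return 0;
    dst[0] = (uint8_t)(declared >> 8);
    dst[1] = (uint8_t)(declared & 0xff);
    memcpy(dst + 2, body, body_len);
    return 2 + body_len;
}

/* Anti-pattern matching the bulletin's description: the length the sender
 * declares is trusted and the body is copied into a fixed buffer with no
 * bounds check. Any declared length >= MSG_BUF_SIZE writes past 'out'.
 * Kept only for contrast; never called from main() or the test. */
size_t copy_message_unchecked(const uint8_t *pkt, char out[MSG_BUF_SIZE]) {
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(out, pkt + 2, declared);      /* overrun when declared >= MSG_BUF_SIZE */
    out[declared] = '\0';
    return declared;
}

/* Hardened form: validate the declared length against both the bytes that
 * actually arrived and the destination capacity before any copy, and reject
 * malformed input instead of silently truncating it. */
enum msg_status copy_message_checked(const uint8_t *pkt, size_t pkt_len,
                                     char out[MSG_BUF_SIZE], size_t *out_len) {
    if (pkt_len < 2) return MSG_TRUNCATED;            /* no complete length field */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - 2) return MSG_TRUNCATED;  /* claims more than arrived */
    if (declared >= MSG_BUF_SIZE) return MSG_TOO_LONG; /* no room for terminator */
    memcpy(out, pkt + 2, declared);
    out[declared] = '\0';
    *out_len = declared;
    return MSG_OK;
}

/* Constructed scenarios; each returns the status the checked parser yields. */
int scenario_well_formed(void) {
    uint8_t pkt[128]; char out[MSG_BUF_SIZE]; size_t n = 0;
    size_t len = build_packet(pkt, sizeof pkt, 5, "hello", 5);
    enum msg_status s = copy_message_checked(pkt, len, out, &n);
    if (s != MSG_OK) return s;
    return (n == 5 && strcmp(out, "hello") == 0) ? MSG_OK : -99;
}

int scenario_declared_exceeds_received(void) {
    /* Length field says 200 bytes but only 5 were received. */
    uint8_t pkt[128]; char out[MSG_BUF_SIZE]; size_t n = 0;
    size_t len = build_packet(pkt, sizeof pkt, 200, "hello", 5);
    return copy_message_checked(pkt, len, out, &n);
}

int scenario_oversized_message(void) {
    /* A fully present 100-byte body that would overrun the 64-byte buffer. */
    uint8_t pkt[128]; char out[MSG_BUF_SIZE]; char body[100]; size_t n = 0;
    memset(body, 'A', sizeof body);
    size_t len = build_packet(pkt, sizeof pkt, 100, body, sizeof body);
    return copy_message_checked(pkt, len, out, &n);
}

int main(void) {
    printf("well-formed:        %d (expect %d)\n", scenario_well_formed(), MSG_OK);
    printf("declared > received: %d (expect %d)\n", scenario_declared_exceeds_received(), MSG_TRUNCATED);
    printf("oversized body:     %d (expect %d)\n", scenario_oversized_message(), MSG_TOO_LONG);
    return 0;
}
```

The checked parser rejects over-length input outright rather than truncating it, which is the safer default for a network-facing service: a truncated message is still parsed and may be misinterpreted, whereas a rejected one is simply logged and dropped. The same two comparisons (declared length versus bytes received, and declared length versus buffer capacity) apply to any length-prefixed or verb-argument format, including the extended SMTP verb case the article describes.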