CERT-In Advisory
CIAD-2004-0010
Multiple Vulnerabilities in Microsoft Products
Original Issue Date: April 14, 2004
Updated: April 24, 2004
Severity Rating: High
Systems Affected
- Microsoft Windows Operating Systems
- Microsoft Windows Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) subsystems
- Microsoft Windows MHTML Protocol Handler
- Microsoft Jet Database Engine
Overview
Microsoft has released four security bulletins which cover multiple vulnerabilities in different versions of the above-mentioned Microsoft products. Some of these vulnerabilities could potentially allow an attacker to take complete control of an affected system.
Description
Microsoft Security Bulletin MS04-011
1 LSASS Vulnerability (CAN-2003-0533)
A buffer overrun vulnerability in LSASS could allow remote code execution on an affected system.
2 LDAP Vulnerability (CAN-2003-0663)
A specially crafted LDAP message sent to a Windows 2000 domain controller causes a denial of service.
3 PCT Vulnerability (CAN-2003-0719)
A buffer overrun vulnerability in the Private Communications Transport (PCT) protocol, part of the Microsoft SSL library, could allow an attacker to take complete control of an affected system. Systems with SSL enabled and, in some cases, Windows 2000 domain controllers are vulnerable.
4 Winlogon Vulnerability (CAN-2003-0806)
During the Windows logon process, Winlogon does not check the size of a value it handles, which causes a buffer overrun.
5 Metafile Vulnerability (CAN-2003-0906)
A buffer overrun vulnerability in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats could allow remote code execution on an affected system. Any program that renders WMF or EMF images on an affected system could be vulnerable to this attack.
6 Help and Support Center Vulnerability (CAN-2003-0907)
A remote code execution vulnerability exists in the Help and Support Center because of the way that it handles HCP URL validation. An attacker could exploit the vulnerability by constructing a malicious HCP URL that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message.
7 Utility Manager Vulnerability (CAN-2003-0908)
A privilege elevation vulnerability exists in the way that Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges and take complete control of the system.
8 Windows Management Vulnerability (CAN-2003-0909)
A privilege elevation vulnerability exists in the way that Windows XP allows tasks to be created. Under special conditions, a non-privileged user could create a task that could execute with system permissions and therefore take complete control of the system.
9 Local Descriptor Table Vulnerability (CAN-2003-0910)
A privilege elevation vulnerability exists in a programming interface that is used to create entries in the Local Descriptor Table (LDT). These entries contain information about segments of memory.
10 H.323 Vulnerability (CAN-2004-0117)
A remote code execution vulnerability exists in the way the Microsoft H.323 protocol implementation handles malformed requests.
11 Virtual DOS Machine Vulnerability
A privilege elevation vulnerability exists in the operating system component that handles the Virtual DOS Machine (VDM) subsystem.
12 Negotiate SSP Vulnerability
A buffer overrun vulnerability exists in the Negotiate Security Software Provider (SSP) interface that could allow remote code execution. This vulnerability exists because of the way the Negotiate SSP interface validates a value that is used during authentication protocol selection.
13 SSL Vulnerability
A denial of service vulnerability exists in the Microsoft Secure Sockets Layer (SSL) library. The vulnerability results from the way that the Microsoft SSL library handles malformed SSL messages. This vulnerability could cause the affected system to stop accepting SSL connections on Windows 2000 and Windows XP. On Windows Server 2003, the vulnerability could cause the affected system to automatically restart.
14 ASN.1 "Double Free" Vulnerability
A remote code execution vulnerability exists in the Microsoft ASN.1 Library. The vulnerability is caused by a possible "double-free" condition in the Microsoft ASN.1 Library that could lead to memory corruption on an affected system.
Microsoft Security Bulletin MS04-012
1 RPC Runtime Library Vulnerability
A remote code execution vulnerability in the RPC Runtime Library could allow an attacker to gain control of the system when the library processes specially crafted messages; in most likely cases, however, it results in a denial of service.
2 RPCSS Service Vulnerability
The RPCSS service may not reclaim discarded memory if a specially crafted message is sent to it. This behavior could result in a denial of service.
3 COM Internet Services (CIS) - RPC over HTTP Vulnerability
A specially crafted message could cause a denial of service in the CIS and RPC over HTTP Proxy components.
4 Object Identity Vulnerability
This vulnerability could allow an attacker to enable applications to open network communication ports. Though this vulnerability does not directly enable an attacker to compromise a system, it could be used to enable network communication through unexpected communication ports.
Microsoft Security Bulletin MS04-013
MHTML URL Processing Vulnerability
A remote code execution vulnerability exists in the processing of specially crafted MHTML URLs that could allow an attacker's HTML code to run in the Local Machine security zone in Internet Explorer. This vulnerability also affects systems with Outlook Express installed.
Microsoft Security Bulletin MS04-014
Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)
A vulnerability in the Microsoft Jet Database Engine (Jet) allows an attacker to execute code remotely. An attacker who creates a specially crafted database query and sends it through an application that uses Jet on an affected system could take complete control of that system.
Solution
Detailed solutions and workarounds can be obtained from the respective Microsoft security bulletins.
Suggestions
Reports have been received that exploits have been released for some of the vulnerabilities listed above; specifically, code exploiting the IIS PCT/SSL vulnerability on servers running IIS with SSL authentication enabled has been observed to be available on the Internet. Users are advised to implement the workarounds and apply the patches for these vulnerabilities from the respective security bulletins expeditiously. Microsoft has published Knowledge Base article KB187498, which details SSL and how to disable PCT without applying patches, at
http://support.microsoft.com/default.aspx?scid=kb;en-us;187498
References
Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Microsoft Security Bulletin MS04-012
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
Microsoft Security Bulletin MS04-013
http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx
Microsoft Security Bulletin MS04-014
http://www.microsoft.com/technet/security/bulletin/ms04-014.mspx
US-CERT Technical Cyber Security Alert TA04-104A
http://www.us-cert.gov/cas/techalerts/TA04-104A.html
eEye Digital Security
http://eeye.com/html/Press/PR20040413.html
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India