Multiple Vulnerabilities in Microsoft Products
Systems Affected
- Microsoft Windows Operating Systems
- Microsoft Windows Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) subsystems
- Microsoft Windows MHTML Protocol Handler
- Microsoft Jet Database Engine
Overview
Microsoft Corporation has released a series of security bulletins
affecting most users of the Microsoft Windows operating system. Users
of systems running Microsoft Windows are strongly encouraged to visit
the Windows Security Updates for April 2004 and take actions appropriate to their system configurations.
Description
Microsoft has released four security bulletins listing a number of
vulnerabilities which affect a variety of Microsoft Windows software
packages. The following section summarizes the issues identified in
their bulletins.
Summary of Microsoft Bulletins for April 2004
Security Bulletin MS04-011: Security Update for Microsoft Windows (835732)
This bulletin addresses 14 vulnerabilities affecting the systems
listed below. There are several new vulnerabilities address by this
bulletin, and several updates to previously reported vulnerabilities.
Impact
- Remote attackers could execute arbitrary code on vulnerable systems.
Systems affected
- Windows NT Workstation 4.0
- Windows NT Server 4.0
- Windows NT Server 4.0, Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
Vulnerability identifiers
The following table outlines these issues and is based on Microsoft's Security Bulletin:
| Vulnerability Title | US-CERT ID | CVE ID | Impact of Vulnerability |
|
LSASS Vulnerability |
VU#753212 | CAN-2003-0533 |
Remote Code Execution |
|
LDAP Vulnerability |
VU#639428 | CAN-2003-0663 |
Denial of Service |
|
PCT Vulnerability |
VU#586540 | CAN-2003-0719 |
Remote Code Execution |
|
Winlogon Vulnerability |
VU#471260 | CAN-2003-0806 |
Remote Code Execution |
|
Metafile Vulnerability |
VU#547028 | CAN-2003-0906 |
Remote Code Execution |
|
Help and Support Center Vulnerability |
VU#260588 | CAN-2003-0907 |
Remote Code Execution |
|
Utility Manager Vulnerability |
VU#526084 | CAN-2003-0908 |
Privilege Elevation |
|
Windows Management Vulnerability |
VU#206468 | CAN-2003-0909 |
Privilege Elevation |
|
Local Descriptor Table Vulnerability |
VU#122076 | CAN-2003-0910 |
Privilege Elevation |
|
H.323 Vulnerability |
VU#353956 | CAN-2004-0117 |
Remote Code Execution |
|
Virtual DOS Machine Vulnerability |
VU#783748 | CAN-2004-0118 |
Privilege Elevation |
|
Negotiate SSP Vulnerability |
VU#638548 | CAN-2004-0119 |
Remote Code Execution |
|
SSL Vulnerability |
VU#150236 | CAN-2004-0120 |
Denial of Service |
|
ASN.1 "Double Free" Vulnerability |
VU#255924 | CAN-2004-0123 |
Remote Code Execution |
Security Bulletin MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741)
This bulletin addresses several new vulnerabilities affecting the systems listed below. These vulnerabilities are in Microsoft Windows Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM).
Impact
- Remote attackers could execute arbitrary code on vulnerable systems.
Systems affected
- Windows NT Workstation 4.0
- Windows NT Server 4.0
- Windows NT Server 4.0, Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
Vulnerability identifiers
The following table outlines these issues and is based on Microsoft's Security Bulletin:
| Vulnerability Title | US-CERT ID | CVE ID | Impact of Vulnerability |
|
RPC Runtime Library Vulnerability |
VU#547820 | CAN-2003-0813 |
Remote Code Execution |
|
RPCSS Service Vulnerability |
VU#417052 | CAN-2004-0116 |
Denial of Service |
|
COM Internet Services (CIS) -- RPC over HTTP Vulnerability |
VU#698564 | CAN-2003-0807 |
Denial of Service |
|
Object Identity Vulnerability |
VU#212892 | CAN-2004-0124 |
Information Disclosure |
Security Bulletin MS04-013:Cumulative Security Update for Outlook Express (837009)
This bulletin addresses a vulnerability affecting the systems listed
below. The vulnerability affects the Microsoft Windows MHTML Protocol
handler and any applications that use it, including Microsoft Outlook
and Internet Explorer. This vulnerability has been assigned VU#323070 and CAN-2004-0380.
Note: MS04-013 includes patches remediating the
vulnerability described in TA04-099A.
Impact
- Remote attackers could execute arbitrary code on vulnerable systems.
Systems affected
- Windows NT Workstation
4.0 - Windows NT Server 4.0
- Windows NT Server 4.0, Terminal Server
Edition - Windows 2000
- Windows XP
- Windows Server
2003 - Windows 98
- Windows 98 Second Edition (SE)
- Windows
Millennium Edition (Windows Me)
Note: This issue affects systems with Outlook Express
installed. Outlook Express is installed by default on most (if not
all) current versions of Microsoft Windows.
Security Bulletin MS04-014: Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)
This bulletin addresses a vulnerability affecting the systems listed
below. There is a buffer overflow vulnerability in Microsoft's Jet
Database Engine (Jet). An attacker could take control of a vulnerable
system, including installing programs; viewing, changing, or deleting
data; or creating new accounts that have full privileges. This
vulnerability has been assigned VU#740716 and CAN-2004-0197.
Impact
- Remote attackers could execute arbitrary code on vulnerable systems.
Systems affected
- Windows NT Workstation 4.0
- Windows NT Server 4.0
- Windows NT Server 4.0, Terminal Server Edition
- Windows 2000
- Windows XP
- Windows Server 2003
Update to TA04-099A
Microsoft has released a patch that addresses the cross-domain
vulnerability discussed in TA04-099A:
Vulnerability in Internet Explorer ITS Protocol Handler.
US-CERT is tracking this issue as VU#323070. This
reference number corresponds to CVE candidate CAN-2004-0380.
The patches and further information about the vulnerability are
available in Microsoft
Security Bulletin MS04-013. MS04-013 is titled Cumulative
Security Update for Outlook Express. Since most (if not all)
current Windows systems have Outlook Express installed by default, and the
MHTML protocol handler is part of the Outlook Express software package,
most (if not all) Windows systems should be considered vulnerable.
TA04-099A and VU#323070 focused on
the ITS protocol handlers; however, the latent vulnerability appears
to be in the MHTML handler shipped as part of Outlook Express. These
documents have been updated.
Impact
Several of the issues identified by Microsoft have been described as
Critical
in nature. Each bulletin contains at least one vulnerability which may
allow remote attackers to execute arbitrary code on affected
systems. The privileges gained would depend on the security context of
the software and vulnerability exploited.
Solution
Apply an appropriate set of updates from Microsoft
Please see the following site for more information about appropriate remediation.
Appendix A. Vendor Information
This appendix contains information provided by vendors for this
technical alert. As vendors report new information to US-CERT, we will update
this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
Microsoft Corporation
Windows Security Updates for April 2004
Microsoft Security Bulletin MS04-011 -
Security Update for Microsoft Windows (835732)
Microsoft Security Bulletin MS04-012 -
Cumulative Update for Microsoft RPC/DCOM (828741)
Microsoft Security Bulletin MS04-013 -
Cumulative Security Update for Outlook Express (837009)
Microsoft Security Bulletin MS04-014 -
Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)
Appendix B. References
- Technical Cyber Security Alert TA04-099A: Cross-Domain Vulnerability in Outlook Express MHTML Protocol Handler - http://www.us-cert.gov/cas/techalerts/TA04-099A.html
- US-CERT Cyber Security Alert SA04-104A: Summary of Windows Security Updates for April 2004 - http://www.us-cert.gov/cas/alerts/SA04-104A.html
- Windows Security Updates for April 2004 -
http://www.microsoft.com/security/security_bulletins/200404_windows.asp - Microsoft Security Bulletin MS04-011 - Security Update for Microsoft Windows (835732) - http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
- Microsoft Security Bulletin MS04-012 -
Cumulative Update for Microsoft RPC/DCOM (828741) - http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx - Microsoft Security Bulletin MS04-013 -
Cumulative Security Update for Outlook Express (837009) - http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx - Microsoft Security Bulletin MS04-014 -
Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) - http://www.microsoft.com/technet/security/bulletin/MS04-014.mspx - Microsoft Security Response Center Security Bulletin Severity Rating System (Revised, November 2002) - http://www.microsoft.com/technet/security/bulletin/rating.mspx
- Vulnerability Note VU#323070: Outlook Express MHTML protocol handler does not properly validate location of alternate data - http://www.kb.cert.org/vuls/id/323070
- Vulnerability Note VU#547820: Microsoft Windows DCOM/RPC vulnerability - http://www.kb.cert.org/vuls/id/547820
- Vulnerability Note VU#740716: Microsoft Jet Database Engine database request handling buffer overflow - http://www.kb.cert.org/vuls/id/740716
Feedback: US-CERT Technical Alerts
Revision History
-
April 13, 2004: Initial release
April 14, 2004: Updated Vulnerability Note linksLast updated
This product is provided subject to this Notification and this Privacy & Use policy.