The following security bulletins were selected by David Stuart of collegebuys.org.
For more information on the Microsoft Product Security Notification Service, please visit
http://www.microsoft.com/technet/security/notify.asp.
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at
http://www.microsoft.com/security.
----------------------------------------------------------------------
Title: Unchecked Buffer in DirectX Could Enable System Compromise (819696)
Date: July 23, 2003
Software:
- Microsoft DirectX(r) 5.2 on Windows 98
- Microsoft DirectX 6.1 on Windows 98 SE
- Microsoft DirectX 7.0a on Windows Millennium Edition
- Microsoft DirectX 7.0 on Windows 2000
- Microsoft DirectX 8.1 on Windows XP
- Microsoft DirectX 8.1 on Windows Server 2003
- Microsoft DirectX 9.0a when installed on Windows 98
- Microsoft DirectX 9.0a when installed on Windows 98 SE
- Microsoft DirectX 9.0a when installed on Windows Millennium Edition
- Microsoft DirectX 9.0a when installed on Windows 2000
- Microsoft DirectX 9.0a when installed on Windows XP
- Microsoft DirectX(r) 9.0a when installed on Windows Server 2003
- Microsoft Windows NT 4.0 Server with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed
- Microsoft Windows NT 4.0, Terminal Server Edition with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed
Impact: Allow an attacker to execute code on a user's system
Max Risk: Critical
Bulletin: MS03-030
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-030.asp
http://www.microsoft.com/security/security_bulletins/ms03-030.asp
----------------------------------------------------------------------
Issue:
======
DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation, and rendering.
There are two buffer overruns with identical effects in the function used by DirectShow to check parameters in a Musical Instrument Digital Interface (MIDI) file. A security vulnerability results because a malicious user could exploit these flaws to execute code in the security context of the logged-on user.
An attacker could seek to exploit this vulnerability by creating a specially crafted MIDI file and then hosting it on a Web site or on a network share, or sending it in an HTML-based e-mail. If the file is hosted on a Web site or network share, the user would need to open the crafted file. If the file is embedded in a page, the vulnerability could be exploited when a user visits the Web page. In the HTML-based e-mail case, the vulnerability could be exploited when a user opens or previews the e-mail. A successful attack could cause DirectShow, or an application making use of DirectShow, to fail, or could cause an attacker's code to run on the user's computer in the security context of the user.
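The flaw class described above is a length taken from the MIDI file and trusted when data is copied into a fixed-size buffer. The C program below is an added illustration written for this page, not Microsoft's DirectShow code (which is not public): it walks the public Standard MIDI File chunk layout, contrasts an unchecked header read with a parser that checks every declared length against the format's fixed sizes and against the bytes actually present, and runs the checked parser over three constructed byte strings (a valid file, one whose MThd length is oversized, and one whose track chunk claims data past the end of the file). The function and sample names are this example's own. The same discipline applies to the Desktop.ini custom-attribute and HTML-converter overruns later on this page, where the untrusted length or string arrives from a shared folder or a Web page instead of a media file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard MIDI File layout (public format): each chunk is a 4-byte ASCII type
 * ("MThd" or "MTrk"), a 4-byte big-endian length, then that many data bytes.
 * The MThd data is exactly 6 bytes: format, ntrks, division (uint16 big-endian). */
#define CHUNK_HDR 8
#define MTHD_LEN  6

struct midi_info { uint16_t format, ntrks, division; unsigned tracks_seen; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* VULNERABLE pattern: the length field is read from the file and used as the
 * copy size into a six-byte stack buffer, so a crafted MThd length writes far
 * past hdr[]. Shown for contrast; the parser below never calls it. */
int read_header_unchecked(const uint8_t *p, struct midi_info *out)
{
    uint8_t hdr[MTHD_LEN];
    memcpy(hdr, p + CHUNK_HDR, be32(p + 4));   /* length is attacker-controlled */
    out->format = be16(hdr); out->ntrks = be16(hdr + 2); out->division = be16(hdr + 4);
    return 0;
}

/* HARDENED walker: every length taken from the file is checked against what the
 * format allows and against the bytes that actually remain before it is used as
 * a copy size or an offset. Returns 0 on success, -1 on a malformed file. */
int midi_parse(const uint8_t *buf, size_t size, struct midi_info *out)
{
    size_t off;
    uint32_t len;

    memset(out, 0, sizeof *out);
    if (size < CHUNK_HDR || memcmp(buf, "MThd", 4) != 0)
        return -1;
    len = be32(buf + 4);
    /* The header chunk is fixed-size: an oversized length (the case the unchecked
     * version overflows on) or one past the end of the data is rejected outright. */
    if (len != MTHD_LEN || size - CHUNK_HDR < len)
        return -1;
    out->format = be16(buf + 8);
    out->ntrks = be16(buf + 10);
    out->division = be16(buf + 12);

    for (off = CHUNK_HDR + len; off < size; off += CHUNK_HDR + len) {
        if (size - off < CHUNK_HDR)            /* truncated chunk header */
            return -1;
        len = be32(buf + off + 4);
        if (len > size - off - CHUNK_HDR)      /* declares more data than exists */
            return -1;
        if (memcmp(buf + off, "MTrk", 4) == 0) /* other chunk types are skipped by length */
            out->tracks_seen++;
    }
    return 0;
}

/* Constructed sample files (not taken from any real file). */
static const uint8_t good_midi[] = {           /* format 0, 1 track, 96 ticks per quarter note */
    'M','T','h','d', 0,0,0,6, 0,0, 0,1, 0,96,
    'M','T','r','k', 0,0,0,4, 0x00,0xFF,0x2F,0x00      /* delta 0, end-of-track meta event */
};
static const uint8_t crafted_midi[] = {        /* MThd length claims 0x10000000 bytes */
    'M','T','h','d', 0x10,0,0,0, 0,0, 0,1, 0,96,
    'M','T','r','k', 0,0,0,4, 0x00,0xFF,0x2F,0x00
};
static const uint8_t truncated_midi[] = {      /* MTrk length 256 but only 4 bytes follow */
    'M','T','h','d', 0,0,0,6, 0,0, 0,1, 0,96,
    'M','T','r','k', 0,0,1,0, 0x00,0xFF,0x2F,0x00
};

enum { SAMPLE_GOOD, SAMPLE_CRAFTED, SAMPLE_TRUNCATED };

/* Runs the hardened parser over one sample; *out (may be NULL) receives the header. */
int parse_sample(int which, struct midi_info *out)
{
    struct midi_info tmp;
    const uint8_t *b = which == SAMPLE_GOOD ? good_midi : which == SAMPLE_CRAFTED ? crafted_midi : truncated_midi;
    size_t n = which == SAMPLE_GOOD ? sizeof good_midi : which == SAMPLE_CRAFTED ? sizeof crafted_midi : sizeof truncated_midi;
    return midi_parse(b, n, out ? out : &tmp);
}

/* Decoded division field of a sample, or -1 if the parser rejected the file. */
int sample_division(int which)
{
    struct midi_info i;
    return parse_sample(which, &i) == 0 ? i.division : -1;
}

int main(void)
{
    printf("good file: rc=%d division=%d\n", parse_sample(SAMPLE_GOOD, NULL), sample_division(SAMPLE_GOOD));
    printf("oversized MThd length: rc=%d\n", parse_sample(SAMPLE_CRAFTED, NULL));
    printf("track past end of file: rc=%d\n", parse_sample(SAMPLE_TRUNCATED, NULL));
    return 0;
}
```

The two rejections are the two checks a parser of this kind must make: a declared size compared with the fixed size the format prescribes, and a declared size compared with the bytes that remain in the input. The unchecked version makes neither, which is all a crafted file needs.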
Mitigating Factors:
====================
- By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks the e-mail-based vector of this attack because Microsoft Outlook Express on Windows Server 2003 reads e-mail in plain text by default. If Internet Explorer Enhanced Security Configuration were disabled, the protections that prevent this vulnerability from being exploited would be removed.
- In the Web-based attack scenario, the attacker would have to host a Web site that contained a Web page used to exploit these vulnerabilities. An attacker would have no way to force users to visit a malicious Web site outside the HTML-based e-mail vector. Instead, the attacker would need to lure them there, typically by getting them to click a link that would take them to the attacker's site.
- The combination of the above means that on Windows Server 2003 an administrator browsing only to trusted sites should be safe from this vulnerability.
- Code executed on the system would only run under the privileges of the logged-on user.
Risk Rating:
============
- Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-030.asp
http://www.microsoft.com/security/security_bulletins/ms03-030.asp
for information on obtaining this patch.
Acknowledgment:
===============
- eEye Digital Security, http://www.eeye.com
-----------------------------------------------------------------
Title: Cumulative Patch for Microsoft SQL Server (815495)
Date: 23 July 2003
Software:
- Microsoft SQL Server 7.0
- Microsoft Data Engine (MSDE) 1.0
- Microsoft SQL Server 2000
- Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)
- Microsoft SQL Server 2000 Desktop Engine (Windows)
Impact: Run code of attacker's choice
Max Risk: Important
Bulletin: MS03-031
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-031.asp
http://www.microsoft.com/security/security_bulletins/ms03-031.asp
-----------------------------------------------------------------
Issue:
======
This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0, SQL Server 2000, MSDE 1.0, and MSDE 2000. In addition, it eliminates three newly discovered vulnerabilities.
- Named Pipe Hijacking -
Upon system startup, SQL Server creates and listens on a specific named pipe for incoming connections to the server. A named pipe is a specifically named one-way or two-way channel for communication between a pipe server and one or more pipe clients. The named pipe is checked to verify which connection attempts can log on to the system running SQL Server to execute queries against data that is stored on the server.
A flaw exists in the checking method for the named pipe that could allow an attacker local to the system running SQL Server to hijack (gain control of) the named pipe during another client's authenticated logon process. This would allow the attacker to gain control of the named pipe at the same permission level as the user who is attempting to connect. If the user who is attempting to connect remotely has a higher level of permissions than the attacker, the attacker will assume those rights when the named pipe is compromised.
- Named Pipe Denial of Service -
In the same named pipes scenario that is mentioned in the "Named Pipe Hijacking" section of this bulletin, it is possible for an unauthenticated user who is local to the intranet to send a very large packet to a specific named pipe on which the system running SQL Server is listening and cause it to become unresponsive. This vulnerability would not allow an attacker to run arbitrary code or elevate their permissions, but it may still be possible for a denial of service condition to exist that would require that the server be restarted to restore functionality.
- SQL Server Buffer Overrun -
A flaw exists in a specific Windows function that may allow an authenticated user with direct access to log on to the system running SQL Server to create a specially crafted packet that, when sent to the listening local procedure call (LPC) port of the system, could cause a buffer overrun. If successfully exploited, this could allow a user with limited permissions on the system to elevate their permissions to the level of the SQL Server service account, or cause arbitrary code to run.
Mitigating Factors:
====================
Named Pipe Hijacking:
- To exploit this flaw, the attacker would need to be an authenticated user local to the system.
- This vulnerability provides no way for an attacker to remotely usurp control over the named pipe.
Named Pipe Denial of Service:
- Although it is unnecessary that the attacker be authenticated, to exploit this flaw the attacker would require access to the local intranet.
- Restarting the SQL Server service will reinstate normal operations.
- This flaw provides no method by which an attacker can gain access to the system or information contained in the database.
SQL Server Buffer Overrun:
- To exploit this flaw, the attacker would need to be an authenticated user local to the system.
- This vulnerability cannot be remotely exploited.
Risk Rating:
============
- Important
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-031.asp
http://www.microsoft.com/security/security_bulletins/ms03-031.asp
for information on obtaining this patch.
Acknowledgment:
===============
- Andreas Junestam of @stake, http://www.atstake.com
---------------------------------------------------------------
Title: Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
Date: 16 July 2003
Software:
- Microsoft(r) Windows(r) NT 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-026
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/security/security_bulletins/MS03-026.asp
---------------------------------------------------------------
Issue:
======
Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, but with the addition of some Microsoft-specific extensions.
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results from incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests sent by client machines (such as Universal Naming Convention (UNC) paths) to the server.
To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on port 135.
Mitigating factors:
====================
- To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135 on the remote machine. For intranet environments, this port would normally be accessible, but for Internet-connected machines port 135 would normally be blocked by a firewall. In the case where this port is not blocked, or in an intranet configuration, the attacker would not require any additional privileges.
- Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments.
Risk Rating:
============
Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
for information on obtaining this patch.
---------------------------------------------------------------
Title: Unchecked Buffer in Windows Shell Could Enable System Compromise (821557)
Date: 16 July 2003
Software: Microsoft(r) Windows(r) XP
Impact: Run code of attacker's choice
Max Risk: Important
Bulletin: MS03-027
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-027.asp
http://www.microsoft.com/security/security_bulletins/MS03-027.asp
---------------------------------------------------------------
Issue:
======
The Windows shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows desktop. It also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start programs.
An unchecked buffer exists in one of the functions used by the Windows shell to extract custom attribute information from certain folders. A security vulnerability results because it is possible for a malicious user to construct an attack that could exploit this flaw and execute code on the user's system.
An attacker could seek to exploit this vulnerability by creating a Desktop.ini file that contains a corrupt custom attribute, and then hosting it on a network share. If a user were to browse the shared folder where the file was stored, the vulnerability could then be exploited. A successful attack could have the effect of either causing the Windows shell to fail, or causing an attacker's code to run on the user's computer in the security context of the user.
Mitigating factors:
====================
- In the case where an attacker's code was executed, the code would run in the security context of the user. As a result, any limitations on the user's ability would also restrict the actions that an attacker's code could take.
- An attacker could only seek to exploit this vulnerability by hosting a malicious file on a share.
- This vulnerability only affects Windows XP Service Pack 1. Users running Windows XP Gold are not affected.
Risk Rating:
============
Important
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-027.asp
http://www.microsoft.com/security/security_bulletins/ms03-027.asp
for information on obtaining this patch.
-----------------------------------------------------------------
Title: Buffer Overrun in Windows Could Lead to Data Corruption (817606)
Date: 09 July 2003
Software:
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Terminal Server Edition
- Microsoft Windows 2000
- Windows XP Professional
Impact: Allow an attacker to execute code of their choice
Max Risk: Important
Bulletin: MS03-024
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-024.asp
http://www.microsoft.com/security/security_bulletins/ms03-024.asp
-----------------------------------------------------------------
Issue:
======
Server Message Block (SMB) is the network protocol that Windows uses to share files, printers, and serial ports, and to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources, and servers make SMB responses, in what is described as a client-server request-response protocol.
A flaw exists in the way that the server validates the parameters of an SMB packet. When a client system sends an SMB packet to the server system, it includes specific parameters that provide the server with a set of "instructions." In this case, the server is not properly validating the buffer length established by the packet. If the client specifies a buffer length that is less than what is needed, it can cause the buffer to be overrun.
By sending a specially crafted SMB packet request, an attacker could cause a buffer overrun to occur. If exploited, this could lead to data corruption, system failure, or, in the worst case, it could allow an attacker to run the code of their choice.
An attacker would need a valid user account and would need to be authenticated by the server to exploit this flaw.
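The condition above, a client-declared buffer length that is smaller than the data the server then copies into that buffer, can be shown without the real SMB encoding. The C program below is an added example for this page, not Windows' SMB server code; its four-byte request layout (a buffer length, a data length, then payload) is invented for illustration, and the function and sample names are this example's own. It contrasts a handler that allocates by one client-supplied length and copies by the other with one that requires the two lengths to agree with each other and with the number of bytes actually received; the three requests it runs are constructed byte strings.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative request layout (invented for this example, not real SMB):
 *   bytes 0-1  buf_len   little-endian: buffer size the client asks the
 *                        server to set up for the data
 *   bytes 2-3  data_len  little-endian: number of payload bytes that follow
 *   bytes 4..  payload
 */
#define REQ_HDR 4

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* VULNERABLE pattern: the allocation is sized by buf_len and the copy by
 * data_len, and nothing ties the two together. A request with
 * buf_len < data_len writes past the end of the heap block, which is the
 * "buffer length less than what is needed" condition. Shown for contrast;
 * the checked handler below never calls it. */
int handle_unchecked(const uint8_t *pkt, uint8_t **out)
{
    uint16_t buf_len = le16(pkt);
    uint16_t data_len = le16(pkt + 2);
    uint8_t *buf = malloc(buf_len);
    if (buf == NULL)
        return -1;
    memcpy(buf, pkt + REQ_HDR, data_len);   /* data_len is attacker-controlled */
    *out = buf;
    return data_len;
}

/* HARDENED: every client-supplied length is checked against the others and
 * against what was actually received before any memory is touched.
 * Returns the number of payload bytes copied into *out, or -1 with *out == NULL. */
int handle_checked(const uint8_t *pkt, size_t pkt_len, uint8_t **out)
{
    uint16_t buf_len, data_len;
    uint8_t *buf;

    *out = NULL;
    if (pkt_len < REQ_HDR)                      /* header itself is incomplete */
        return -1;
    buf_len = le16(pkt);
    data_len = le16(pkt + 2);
    if (buf_len == 0 || data_len > buf_len)     /* copy would exceed the allocation */
        return -1;
    if (data_len > pkt_len - REQ_HDR)           /* claims more payload than was sent */
        return -1;
    buf = malloc(buf_len);
    if (buf == NULL)
        return -1;
    memcpy(buf, pkt + REQ_HDR, data_len);
    *out = buf;
    return data_len;
}

/* Constructed requests for the demonstration. */
static const uint8_t legit_req[]   = { 0x10, 0x00, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
/* buf_len 2, data_len 5: the unchecked handler would allocate 2 bytes and copy 5 */
static const uint8_t crafted_req[] = { 0x02, 0x00, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
/* data_len 64 but only 2 payload bytes were sent: an over-read past the packet */
static const uint8_t short_req[]   = { 0x10, 0x00, 0x40, 0x00, 'h', 'i' };

enum { REQ_LEGIT, REQ_CRAFTED, REQ_SHORT };

/* Runs the hardened handler over one sample and returns its result. */
int checked_result(int which)
{
    const uint8_t *p;
    size_t n;
    uint8_t *buf;
    int rc;

    switch (which) {
    case REQ_LEGIT:   p = legit_req;   n = sizeof legit_req;   break;
    case REQ_CRAFTED: p = crafted_req; n = sizeof crafted_req; break;
    default:          p = short_req;   n = sizeof short_req;   break;
    }
    rc = handle_checked(p, n, &buf);
    free(buf);                                  /* free(NULL) is a no-op on rejected paths */
    return rc;
}

int main(void)
{
    printf("legitimate request: %d bytes copied\n", checked_result(REQ_LEGIT));
    printf("buf_len < data_len: %d (rejected)\n", checked_result(REQ_CRAFTED));
    printf("payload shorter than declared: %d (rejected)\n", checked_result(REQ_SHORT));
    return 0;
}
```

The point of the checked handler is that a protocol field is never a fact about memory until it has been compared with every other field that constrains it. The bulletin's "less than what is needed" case is the first rejected request; the second is its mirror image, a declared size larger than the bytes on the wire, which a server must reject for the same reason.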
Mitigating Factors:
====================
- Windows Server 2003 is not affected by this vulnerability.
- By default, it is not possible to exploit this flaw anonymously. The attacker would have to be authenticated by the server prior to attempting to send an SMB packet to it.
- Blocking ports 139 and 445 at the firewall will prevent the possibility of an attack from the Internet.
Risk Rating:
============
- Important
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-024.asp
http://www.microsoft.com/security/security_bulletins/ms03-024.asp
for information on obtaining this patch.
-----------------------------------------------------------------
Title: Buffer Overrun In HTML Converter Could Allow Code Execution (823559)
Date: 09 July 2003
Software:
- Microsoft(r) Windows(r) 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows Me
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
Impact: Allow an attacker to execute code of their choice
Max Risk: Critical
Bulletin: MS03-023
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-023.asp
http://www.microsoft.com/security/security_bulletins/ms03-023.asp
---------------------------------------------------------------
Issue:
======
All versions of Microsoft Windows contain support for file conversion within the operating system. This functionality allows users of Microsoft Windows to convert file formats from one to another. In particular, Microsoft Windows contains support for HTML conversion within the operating system. This functionality allows users to view, import, or save files as HTML.
There is a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. This flaw causes a security vulnerability to exist. A specially crafted request to the HTML converter could cause the converter to fail in such a way that it could execute code in the context of the currently logged-in user. Because this functionality is used by Internet Explorer, an attacker could craft a specially formed Web page or HTML e-mail that would cause the HTML converter to run arbitrary code on a user's system. A user visiting an attacker's Web site could allow the attacker to exploit the vulnerability without any other user action.
To exploit this vulnerability, the attacker would have to create a specially formed HTML e-mail and send it to the user. Alternatively, an attacker would have to host a malicious Web site that contains a Web page designed to exploit this vulnerability. The attacker would then have to persuade a user to visit that site.
Mitigating factors:
====================
- By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent this vulnerability from being automatically exploited would be removed.
- In the Web-based attack scenario, the attacker would have to host a Web site that contained a Web page used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site outside the HTML e-mail vector. Instead, the attacker would need to lure them there, typically by getting them to click a link that would take them to the attacker's site.
- Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges.
Risk Rating:
============
Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-023.asp
http://www.microsoft.com/security/security_bulletins/ms03-023.asp
for information on obtaining this patch.
---------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.