Network Managing, Engineering and Administration with an eye toward security.
Best practices meets the real world!
Tuesday, January 11, 2005
Microsoft Security Bulletins (3) Microsoft has released three new security bulletins. They include three remote executable holes.
The first notice MS05-001 is a cross domain vulnerability (CAN-2004-1043) affecting Internet Explorer 6. It affects Windows 2000, XP (including SP2), Windows Server 2003, and Windows 98/ME (Note: a default install of Windows Server 2003 is not vulnerable, only if you turned off IE's restricted mode on the server). Although Windows NT is listed as not being "affected", under security updates, there is a patch for NT 4. This vulnerability is mitigated by not surfing to a page owned by an attacker.
The second notice (MS04-002) is an update from a previously issued item (MS03-045). It affects NT, 2000, XP (through SP1), Server 2003, and Windows 98/ME. There are two bugs here: Cursor and Icon format handling Vulnerability (CAN-2004-1049) and Windows Kernel Vulnerability (CAN-2004-1305). The FAQ notes that the Cursor and Icon Format Handling Vulnerability is a remote code execution issue, and the Kernel Vulnerability is a DOS issue. The remote code execution issue can be mitigated by not surfing to a page owned by an attacker, or update your IE to the latest patches, or use XP SP2. The denial of service issue is mitigated by installing the latest patches or versions of Outlook Express, or Outlook, and also by only viewing messages in plain text.
The third vulnerability listed (MS05-003) is a indexing service vulnerability that allows remote code execution (CAN-2004-0897). Please note that this requires that the indexing service be turned on, and accessible through IIS. In the notes it mentions that Windows 2000 is not affected, though they recommend applying the patch and update (what is the 'security related change' updating then?). This vulnerability is mitigated if the index service is turned off.
For those of you still running Windows 98, 98SE, and Windows ME, you are out of luck for patches for these issues, you need to upgrade to a system that has patches available. The browser vulnerability is also mitigated by using an alternative browser (like Firefox).
One thing I've noticed for a while now about Microsoft's notices is the incredible complexity they go to describing them. That's why you see groups and security companies like ISC (SANS), and Symantec having security calls the next day to review them. Oh, and don't get me started about printing them out you may need a ream of paper for these three alone.
These three don't look too severe to me in just a quick glance due to the requirement that you go to a remote page that has the vulnerability, but given that many people click on links in their email and on web pages it's easy to see how these vulnerabilities can be used for malicious activity. These people are also probably the last ones that would look for these security notices also.
[Update: 1-12-2004] I ran across this Secunia advisory that helps fill the gap as to why the first bug is so nasty, but I also noticed that this advisory has not been fixed yet.
[Update: 1-13-2004] SANS's ISC page had a couple of comments that I felt should be mentioned here. They said that eEye believes that they can remote execute code on the Windows Kernel Vulnerability (CAN-2004-1305). In addition, they complain about the "Quality Control" on their vulnerability announcments (one of the CVE notices has DOS, but the patch notes say remote code execution).
posted by David | 1/11/2005 03:07:00 PM