
UNIRAS Brief - 571/04 - Microsoft - Likely impact of vulnerabilities patched in Microsoft Security Bulletins MS04-29 and MS04-38.


- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 571/04 dated 15.10.04  Time: 15:47  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Likely impact of vulnerabilities patched in Microsoft Security 
Bulletins MS04-29 and MS04-38. 

Departmental and company security officers are strongly recommended to apply 
Microsoft's patches issued for the month of October. Comments on the particular 
Microsoft Security Bulletins are provided below. 

Note: UNIRAS has not yet observed any exploitation of these vulnerabilities but is 
continuing to monitor the situation.

MS04-032: The buffer overflow in parsing Windows Meta File (WMF) and Extended 
Meta File (EMF) files is critical as it could have a similar impact to MS04-28 
(the JPEG rendering buffer overflow). The two privilege escalation vulnerabilities 
(in Windows Management and Virtual DOS) identified in MS04-032 are also major, 
although they require local access. 

MS04-034: The buffer overflow in Windows zip is critical. The advisory issued by 
eEye indicates that this vulnerability is an exploitable stack-based overflow. 
The eEye advisory (see http://www.eeye.com/html/research/advisories/AD20041012A.html) states "This buffer 
overflow is triggered by an integer overflow. When a ZIP file containing a long file 
name (greater than around 0x8000 bytes) is opened in the Windows shell as a ZIP 
compressed folder, a stack-based buffer overflow occurs, allowing an exception handler 
to be overwritten and EIP to be hijacked."
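The condition quoted above (a ZIP entry whose file name is around 0x8000 bytes or longer) is something a mail gateway or file-scanning step can check for before an archive reaches the Windows shell. The following is an added example written for this briefing, not code from UNIRAS, eEye or Microsoft: it walks the archive's central directory with the standard PKZIP record layout and flags over-long name fields; the 0x8000 threshold is taken from the advisory, and the sample archives it builds are constructed test fixtures.

```python
"""Pre-filter a ZIP archive for the MS04-034 long-file-name condition.

Added example, not code from the UNIRAS briefing or the eEye advisory.
The record layouts are the standard ZIP ones (PKZIP APPNOTE); the only
page-specific value is the 0x8000 byte threshold quoted from eEye.
"""
import io
import struct
import zipfile

CDIR_SIG = b"PK\x01\x02"          # central directory file header signature
CDIR_FMT = "<4sHHHHHHLLLHHHHHLL"  # 46-byte header; fields 10-12 = name/extra/comment lengths
EOCD_SIG = b"PK\x05\x06"          # end of central directory record signature
EOCD_FMT = "<4sHHHHLLH"           # 22-byte record, optionally followed by a comment
SUSPICIOUS_NAME_LEN = 0x8000      # "greater than around 0x8000 bytes" per the eEye advisory


def scan_zip_names(data: bytes, limit: int = SUSPICIOUS_NAME_LEN) -> dict:
    """Return entry count, longest name length and whether any name reaches `limit`.

    The directory is parsed with struct rather than a ZIP library so that an
    archive the library would reject or normalise is still reported.
    """
    # EOCD sits at the end; allow for a trailing comment of up to 65535 bytes.
    eocd_pos = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_total, _cd_size, cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd_pos)
    name_lens = []
    pos = cd_off
    for _ in range(n_total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError(f"bad central directory signature at offset {pos:#x}")
        fields = struct.unpack_from(CDIR_FMT, data, pos)
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name_lens.append(name_len)
        pos += struct.calcsize(CDIR_FMT) + name_len + extra_len + comment_len
    longest = max(name_lens, default=0)
    return {"entries": len(name_lens), "max_name_len": longest, "suspicious": longest >= limit}


def build_sample(name_len: int) -> bytes:
    """Constructed test fixture: a one-entry archive whose name is name_len bytes long."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a" * name_len, b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for n in (12, SUSPICIOUS_NAME_LEN + 1):
        print(n, scan_zip_names(build_sample(n)))
```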

MS04-035: The buffer overflow in MS SMTP and Exchange in handling DNS queries is 
critical, and very important for anyone using Exchange 2003 on Windows 2000 SP3 or SP4.

MS04-036: The heap overflow in the handling of NNTP by MS IIS is critical if you 
provide a Network News service. A proof-of-concept exploit is publicly available. 

MS04-037: The vulnerability in the "shell: " protocol is critical as the vulnerability 
demonstrator on Bugtraq shows that it is possible to script access to files through 
Windows Explorer.

MS04-038: The patch associated with this Security Bulletin fixes the two hitherto 
unpatched remote code execution vulnerabilities in IE, the drag and drop vulnerability 
and the similar name redirection vulnerability. Phishing attacks should be made more 
difficult as common URL obfuscation tricks should no longer be possible.

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
