Microsoft has issued a flurry of medium-level security threats that Windows administrators need to be aware of.
MS04-018, "Cumulative Security Update for Outlook Express," is caused by a failure of Outlook Express to properly handle certain malformed e-mail headers. This is a denial of service (DoS) threat; Microsoft reports that exploit code has been published but says it has not received any reports of customers being compromised by it. This threat is covered by CAN-2004-0215.
MS04-019, "Vulnerability in Utility Manager Could Allow Code Execution," is a local elevation of privilege threat that can't be exploited remotely. MBSA (Microsoft Baseline Security Analyzer) will report whether your system needs this update, and Systems Management Server (SMS) can help deploy it.
MS04-020, "Vulnerability in POSIX Could Allow Code Execution," is an unchecked buffer vulnerability in the Portable Operating System Interface for Unix (POSIX) subsystem. MBSA will report whether your system needs this update, and SMS can help deploy it. This threat is covered by CAN-2004-0210.
MS04-021, "Security Update for IIS 4.0," is a buffer overrun vulnerability in the redirect function that can allow remote code execution. MBSA will report whether your system needs this update, and SMS can help deploy it. This threat is covered by CAN-2004-0205.
MS04-024, "Vulnerability in Windows Shell Could Allow Remote Code Execution," replaces MS03-027 for Windows XP (but not for the other affected operating systems). This threat is covered by CAN-2004-0420.
MS04-018 applies to all versions of Outlook Express from 5.5 through 6, running on operating systems from NT 4.0 through Windows Server 2003.
MS04-019 affects all versions (and all Service Packs) of Windows 2000.
MS04-020 affects all versions of Windows NT 4.0 and all versions of Windows 2000 (and all its service packs).
MS04-021 affects Windows NT Workstation 4.0 Service Pack 6a and Windows NT Server 4.0 SP6a (but only with IIS installed as part of the NT 4 Option Pack).
MS04-024 affects all versions of:
- Windows NT 4.0
- Windows 2000
- Windows XP
- Windows Server 2003
Windows 98, 98 SE and ME may be affected by all of these threats, but since none of these flaws are a critical threat to those operating environments, updates are not provided by Microsoft (which limits support for discontinued operating systems to critical-only updates).
Risk levels
MS04-021 and MS04-024 are both remote code execution vulnerabilities that allow a remote attacker to run arbitrary programs and take complete control over the vulnerable systems. I would rate these as critical rather than the moderate rating Microsoft has given them.
MS04-020 is a local elevation of privilege threat and can't be exploited remotely or without detailed information about the system and access to it.
Although MS04-019 can allow someone to take complete control over a system, it is rated a moderate threat because it can only be exploited locally by a legitimate user. This is not a remotely executable threat or one that could be executed by a complete stranger.
MS04-018 is considered only a moderate denial of service threat because successful execution would cause only Outlook Express to fail, not the operating system or other applications.
Fixes
Please check the Microsoft bulletins before taking any action on these vulnerabilities, because several of the bulletins have been updated multiple times.
A partial workaround for MS04-018 is to disable the preview pane (View, Layout, and uncheck View Preview Pane). This doesn't completely remove the threat, but it does make it easier to remove the offending message.
There is no workaround for MS04-024.
As mentioned above, Windows 98, 98 SE, and ME are no longer supported except for critical threats, so no patches are available for those operating systems. Windows NT Workstation 4.0 has also just passed out of normal support, but Microsoft already had a number of these patches prepared for that operating system and has included fixes for it in these updates.
Warnings
MS04-019 (Utility Manager bulletin) - In addition to fixing the vulnerability, applying this update will eliminate access to context-sensitive help from the Utility Manager.
MS04-021 (IIS 4.0) - There is apparently a problem applying the update while ISAPI filters are running (see Knowledge Base article 873401). That's what Microsoft says. Actually the problem is a complete crash-and-burn, so I'd pay attention to this Knowledge Base article if I were applying this patch. The IIS Lockdown Tool installs URLScan and will protect against this vulnerability. See the workarounds section of the Microsoft bulletin for directions on configuring the tool. Note that the workaround using URLScan will block all incoming requests larger than 16K. IIS can be disabled or stopped in IIS Manager or removed, but this will also block other Internet services, such as the IIS SMTP service.
MS04-024 (Windows Shell) - ActiveX features may be limited by some of the recent IE patches, and this patch refines some previous changes in IE 6 Service Pack 1 that may prevent other cross-domain vulnerabilities. The update can prevent attackers from moving code execution from the Internet Zone to the more permissive Local Machine security zone.
As for the problem in Outlook Express, MS04-018, I don't believe this software belongs on any business system. In fact, I don't even use the full version of Outlook because it is tied to, or is the source of, so many vulnerabilities. Thus, my personal best practices would have avoided this problem entirely.
©2004 TechRepublic, Inc.