New Patches Help Solve Security Issues with Microsoft Products

Oct. 14, 2004
October's batch of patches includes a monster fix for the Internet Explorer browser and critical updates for SMTP, NNTP, Excel and Windows Shell.

In all, the software giant issued 10 advisories, seven rated "critical" and three with the lower "important" rating.

In addition, Microsoft re-released the MS04-028 bulletin to correct newly discovered issues for customers running Windows XP Service Pack 2 (SP2). The updated MS04-028 advisory covers JPEG Parsing (GDI+) in Windows, Office and other graphics programs, and comes at a time when active exploits are already making the rounds.

The most notable fix released Tuesday (MS04-038) covers known holes in the IE browser, and Microsoft warned that active exploits are already targeting Windows users. The cumulative IE patch includes a fix for a CSS heap memory corruption flaw that could allow remote code execution; a name redirection flaw that could give an attacker access to a susceptible PC; and a drag-and-drop vulnerability that gives an attacker complete control of an affected system.

Information on the drag-and-drop weakness, which affects IE versions 5.01, 5.5 and 6.0 on Windows XP SP1 and SP2, has been publicly available for nearly two months.

The IE patch also includes a fix for an Install Engine vulnerability; two separate flaws that could lead to address bar spoofing; an SSL caching weakness; and a privilege elevation vulnerability in the way IE processes scripts in image tags.

Microsoft issued another critical alert (MS04-034) to plug a remote code execution bug in the way that Windows processes Compressed (zipped) Folders. Microsoft warned that a successful exploit could let an attacker take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.

Windows Server 2003 SMTP Component
The company also released a fix (MS04-035) for a code execution flaw in the way the Windows Server 2003 SMTP component handles Domain Name System (DNS) lookups.

"An attacker could exploit the vulnerability by causing the server to process a particular DNS response that could potentially allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft warned.

The "critical" SMTP bug also exists in the Microsoft Exchange Server 2003 Routing Engine component when installed on Microsoft Windows 2000 Service Pack 3 or on Microsoft Windows 2000 Service Pack 4.

A separate patch with a "critical" rating (MS04-036) was also issued for a remote code execution vulnerability in the Network News Transfer Protocol (NNTP) component used in Microsoft Windows and Microsoft Exchange Server.

Microsoft said an attacker could exploit the NNTP hole by sending a specially crafted request to an affected server, allowing harmful code to run and giving the attacker control of that server.

MS04-037 was also released to cover two holes in Windows Shell that could lead to harmful code execution. It corrects the way that the Windows Shell starts applications, and it corrects a bug in the way specially crafted requests are handled by the Program Group Converter.

The company's Excel product was also patched (MS04-033) to protect against a remote code execution vulnerability triggered by a specially crafted Excel file.

Windows Kernel Flaw
Another "critical" bulletin released Tuesday (MS04-032) covers four vulnerabilities affecting Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003, the most serious of which allows remote code execution. The patch replaces earlier Microsoft fixes for the window management, virtual DOS machine, Windows kernel and graphics rendering engine components.

The virtual DOS machine and window management bugs are both privilege elevation vulnerabilities: an attacker who can already log on to a machine could use them to gain complete control of that system, and from there add new users, delete others, install software or delete files. The graphics rendering engine vulnerability is a remote code execution flaw triggered by a specially crafted Windows Metafile (WMF) or Enhanced Metafile (EMF) image, and it gives the attacker complete control of the affected system.

The kernel flaw is a denial-of-service vulnerability: an attacker could exhaust system resources and cause the machine to stop responding. The MS04-032 bulletin provides the fix for all four flaws, broken down by operating system.

Microsoft also restricted some of the functionality of Web-based Distributed Authoring and Versioning (WebDAV) requests to plug a vulnerability (MS04-030) that allowed a specially crafted request to consume all available memory and CPU time on an affected server, according to the company's alert.

The problem is in the WebDAV XML message handler. WebDAV, a set of HTTP extensions standardized by the IETF for collaborative editing of files on remote servers, carries requests as XML, and the handler did not limit the number of XML attributes a request could contain, so an attacker could send a request with enough attributes to exhaust the server's resources.

The patch imposes new limits on WebDAV request attributes, which means some previously valid requests will now fail. The vulnerability affects Internet Information Services 5.0, 5.1 and 6.0 on several versions of Windows 2000, XP and Server 2003.

Microsoft also fixed a separate code execution flaw (MS04-031) in its venerable Network Dynamic Data Exchange (NetDDE) component, which lets applications on two computers exchange data. NetDDE, which is used by Microsoft Chat, Microsoft Hearts and, in some cases, Excel, could cede total control of the machine to the attacker, the company warned. The flaw is rated "important" rather than "critical" because the NetDDE services are not started by default and have to be running before the attacker can take advantage of it.

The vulnerability affects Windows XP, Windows NT Server 4.0 and Windows 98, 98 SE and ME. Windows XP systems running Service Pack 2 are not affected.

Another "important" security patch released Tuesday (MS04-029) plugs a flaw in the Remote Procedure Call (RPC) run-time library, the component that lets a program on one system invoke services on another machine. An attacker who sends a specially crafted RPC message can either cause a denial of service or read portions of active memory on the affected machine.

The patch, which applies to Windows NT Server 4.0 Service Pack 6a and Windows NT Server 4.0 Terminal Server Edition Service Pack 6, changes the RPC run-time library so that it validates the length of a message before passing it to the buffer allocated for it.
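The fix described above, validating a message's declared length before copying it, is a general pattern, and the two outcomes the bulletin lists (denial of service or disclosure of memory) map directly onto the two ways a trusted length field can lie. The following C example is added here to illustrate that pattern; it is not Microsoft's code and says nothing about the actual RPC wire format. It uses a hypothetical layout (a 2-byte big-endian payload length followed by the payload), a hypothetical 64-byte destination buffer, and constructed sample messages, and it classifies each message by what an unchecked copy would have done with it before copying only the ones that pass.

```c
/*
 * Added illustration, not Microsoft's code: length validation before
 * copying a length-prefixed message into a fixed buffer.
 *
 * Hypothetical wire layout: 2-byte big-endian payload length, then payload.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64   /* hypothetical size of the destination buffer */

enum verdict {
    MSG_OK = 0,
    MSG_HEADER_SHORT,     /* fewer than 2 bytes received: no length field */
    MSG_CLAIMS_TOO_MUCH,  /* length field > bytes actually received: an
                             unchecked copy would read past the message,
                             leaking adjacent memory or crashing */
    MSG_EXCEEDS_BUFFER    /* length field > destination capacity: an
                             unchecked copy would overflow the buffer */
};

typedef struct {
    size_t len;
    uint8_t data[PAYLOAD_MAX];
} payload_t;

/* Validate the declared length against what was received and what fits. */
enum verdict check_length(const uint8_t *msg, size_t msg_len, size_t *claimed_out)
{
    if (msg == NULL || msg_len < 2)
        return MSG_HEADER_SHORT;
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    if (claimed_out != NULL)
        *claimed_out = claimed;
    if (claimed > msg_len - 2)
        return MSG_CLAIMS_TOO_MUCH;
    if (claimed > PAYLOAD_MAX)
        return MSG_EXCEEDS_BUFFER;
    return MSG_OK;
}

/* Copy the payload only after check_length() accepts it. Returns 1 on success. */
int parse_message(const uint8_t *msg, size_t msg_len, payload_t *out)
{
    size_t claimed = 0;
    if (out == NULL || check_length(msg, msg_len, &claimed) != MSG_OK)
        return 0;
    memcpy(out->data, msg + 2, claimed);
    out->len = claimed;
    return 1;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t sample_good[]  = { 0x00, 0x03, 'a', 'b', 'c' };   /* claims 3, carries 3 */
static const uint8_t sample_lying[] = { 0xFF, 0xFF, 'a' };             /* claims 65535, carries 1 */
static const uint8_t sample_short[] = { 0x00 };                        /* no complete length field */

/* A message that really carries 100 bytes but claims all 100 of them: consistent
 * with what was received, yet larger than the 64-byte destination. */
static uint8_t sample_big[2 + 100];

static const uint8_t *make_sample_big(void)
{
    sample_big[0] = 0x00;
    sample_big[1] = 100;
    memset(sample_big + 2, 'x', 100);
    return sample_big;
}

static const char *verdict_name(enum verdict v)
{
    static const char *names[] = { "ok", "header short", "claims more than received",
                                   "exceeds destination buffer" };
    return names[v];
}

int main(void)
{
    payload_t p;
    printf("good : %s\n", verdict_name(check_length(sample_good, sizeof sample_good, NULL)));
    printf("lying: %s\n", verdict_name(check_length(sample_lying, sizeof sample_lying, NULL)));
    printf("short: %s\n", verdict_name(check_length(sample_short, sizeof sample_short, NULL)));
    printf("big  : %s\n", verdict_name(check_length(make_sample_big(), sizeof sample_big, NULL)));
    printf("parse good -> %d (len %zu)\n", parse_message(sample_good, sizeof sample_good, &p), p.len);
    return 0;
}
```

The order of the two checks matters only for the diagnostic: a field that claims more than was received is caught first, because reading past the received bytes is the information-disclosure case, while a field that is consistent with the received bytes but larger than the destination is the overflow case. Either way the copy never happens unless both checks pass.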