[NT] Security Update for Microsoft Windows (MS04-032)

Subject: [NT] Security Update for Microsoft Windows (MS04-032)
Date: 13 Oct 2004 15:38:09 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Security Update for Microsoft Windows (MS04-032)
------------------------------------------------------------------------


SUMMARY

This update resolves several newly discovered, privately reported 
vulnerabilities in the Window Management APIs, the Virtual DOS Machine 
subsystem, the Graphics Rendering Engine and the Windows kernel.

Window Management Vulnerability - A privilege elevation vulnerability 
exists in the Window Management application programming interfaces (APIs). 
This vulnerability could allow a logged on user to take complete control 
of the system.

Virtual DOS Machine Vulnerability - A local privilege elevation 
vulnerability exists in the operating system component that handles the 
Virtual DOS Machine (VDM) subsystem. This vulnerability could allow a 
logged on user to take complete control of the system.

Graphics Rendering Engine Vulnerability - A remote code execution 
vulnerability exists in the rendering of the Windows Metafile (WMF) and 
Enhanced Metafile (EMF) image formats. Any program that renders WMF or EMF 
images on an affected system could be vulnerable to this attack. An attacker 
who successfully exploited this vulnerability could take complete control of 
an affected system.

Windows Kernel Vulnerability - A local denial of service vulnerability 
exists in the Windows kernel. An attacker could locally run a program that 
could cause the affected system to stop responding.

An attacker who successfully exploited the most severe of these 
vulnerabilities could take complete control of an affected system, 
including installing programs; viewing, changing, or deleting data; or 
creating new accounts that have full privileges.

DETAILS

Affected Software:
Microsoft Windows NT Server 4.0 Service Pack 6a    
<http://www.microsoft.com/downloads/details.aspx?FamilyId=533AE5CD-74CE-470A-8916-8E358084497C>
 Download the update
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6    
<http://www.microsoft.com/downloads/details.aspx?FamilyId=3B871A96-5F64-4432-920F-FA5760DF683A>
 Download the update
Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service 
Pack 4    
<http://www.microsoft.com/downloads/details.aspx?FamilyId=4A614222-BA0B-4927-856D-D443BBBE1A42>
 Download the update
Microsoft Windows XP and Microsoft Windows XP Service Pack 1    
<http://www.microsoft.com/downloads/details.aspx?FamilyId=715E985B-7929-4BD5-9564-5CFE7D528398>
 Download the update
Microsoft Windows XP 64-Bit Edition Service Pack 1    
<http://www.microsoft.com/downloads/details.aspx?FamilyId=99184841-70A8-47C7-9993-44A60E999A40>
 Download the update
Microsoft Windows XP 64-Bit Edition Version 2003    
<http://www.microsoft.com/downloads/details.aspx?FamilyId=B4E6BBCF-F5B9-4B2D-8BC4-30911CA4FD9C>
 Download the update
Microsoft Windows Server 2003    
<http://www.microsoft.com/downloads/details.aspx?FamilyId=206E9842-997D-45E4-9252-61F3CE5EA66C>
 Download the update
Microsoft Windows Server 2003 64-Bit Edition    
<http://www.microsoft.com/downloads/details.aspx?FamilyId=B4E6BBCF-F5B9-4B2D-8BC4-30911CA4FD9C>
 Download the update
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (ME)   Review the FAQ section of this 
bulletin for details about these operating systems.

Non-Affected Software:
Microsoft Windows XP Service Pack 2

Caveats: Microsoft Knowledge Base Article  
<http://support.microsoft.com/default.aspx?scid=kb;en-us;840987> 840987 
documents the currently known issues that customers may experience when 
they install this security update. The article also documents recommended 
solutions for these issues. For more information, see Microsoft Knowledge 
Base Article  
<http://support.microsoft.com/default.aspx?scid=kb;en-us;840987> 840987.

CVE Information:
Window Management Vulnerability -  
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0207> 
CAN-2004-0207
Virtual DOS Machine Vulnerability - CAN-2004-0208
Graphics Rendering Engine Vulnerability -  
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0209> 
CAN-2004-0209
Windows Kernel Vulnerability -  
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0211> 
CAN-2004-0211


Mitigating Factors for Window Management Vulnerability:
An attacker must have valid logon credentials and be able to logon locally 
to exploit this vulnerability. The vulnerability could not be exploited 
remotely or by anonymous users.

FAQ for Window Management Vulnerability:
What is the scope of the vulnerability?
This is a local privilege elevation vulnerability. An attacker who 
successfully exploited this vulnerability could take complete control of 
an affected system, including installing programs; viewing, changing, or 
deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?
Several Window Management API functions allow programs to change the 
properties of other programs that are running at a higher level of 
privilege. Programs should be limited to changing the properties of other 
programs that are running at the same level of privilege. The properties 
of the program that is running at a higher level of privilege could be 
changed in such a way that the change could cause an elevation of 
privilege for the locally logged on user.

What are the Window Management application programming interface 
functions?
The Windows graphical user interface (GUI) allows programs to change 
various properties that define that program such as the size of the window 
or the name of the program. The Window Management API functions are the 
components of the operating system that programs use to change these 
properties. For more information about the components that are used to 
build Windows programs, visit the  
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowui.asp>
 MSDN Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take 
complete control of the affected system.

Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must be able to log on locally 
to a system and run a program.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to 
the system. An attacker could then run a specially-crafted program that 
could attempt to exploit the vulnerability, and thereby gain complete 
control over the affected system.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only 
at risk if users who do not have sufficient administrative credentials are 
given the ability to log on to servers and to run programs. However, best 
practices strongly discourage allowing this.

Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition 
critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium 
Edition do contain the affected component, the vulnerability is not 
critical. For more information about severity ratings, visit the following 
 <http://go.microsoft.com/fwlink/?LinkId=21140> Web site.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is 
targeted for attack. An attacker cannot load and run a program remotely by 
using this vulnerability.

What does the update do?
The update removes the vulnerability by preventing programs from changing 
the properties of other programs that are running at a different level of 
privilege.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
No. Microsoft received information about this vulnerability through 
responsible disclosure. Microsoft had not received any information 
indicating that this vulnerability had been publicly disclosed when this 
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.

Mitigating Factors for Virtual DOS Machine Vulnerability:
An attacker must have valid logon credentials and be able to log on 
locally to exploit this vulnerability. The vulnerability could not be 
exploited remotely or by anonymous users.
Windows XP Service Pack 2 is not affected by this vulnerability.


FAQ for Virtual DOS Machine Vulnerability:
What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully 
exploited this vulnerability could take complete control of an affected 
system, including installing programs; viewing, changing, or deleting 
data; or creating new accounts that have full privileges. To exploit the 
vulnerability, an attacker must be able to log on locally to the system 
and run a program.

What causes the vulnerability?
The operating system component that handles the virtual DOS machine (VDM) 
subsystem could be used to gain access to protected kernel memory. In 
certain circumstances, some privileged operating system functions might 
not validate system structures and could allow an attacker to execute a 
specially-designed program with system privileges.

What is the virtual DOS machine subsystem?
A virtual DOS machine (VDM) subsystem is an environment that emulates the 
MS-DOS operating system and the MS-DOS-based Windows operating system on 
Windows NT-based operating systems. A VDM is created whenever a user 
starts an MS-DOS application on a Windows NT-based operating system.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take 
complete control of an affected system, including installing programs; 
viewing, changing, or deleting data; or creating new accounts that have 
full privileges.

Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must be able to log on locally 
to a system and run a program.

How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would first have to log on to 
the system. An attacker could then run a specially-designed application 
that could exploit the vulnerability, and thereby gain complete control 
over the affected system.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only 
at risk if users who do not have sufficient administrative credentials are 
given the ability to log on to servers and to run programs. However, best 
practices strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system targeted for 
attack. An attacker cannot load and run a program remotely by using this 
vulnerability.

What does the update do?
This update modifies the way that Windows validates data when referencing 
memory locations that are allocated to a VDM.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.

How does this vulnerability relate to the virtual DOS machine 
vulnerability that is corrected by MS04-011?
Both vulnerabilities were in the virtual DOS machine. However, this update 
addresses a new vulnerability that was not addressed as part of MS04-011. 
MS04-011 helps protect against the vulnerability that is discussed in that 
bulletin, but does not address this new vulnerability. This update does 
not replace MS04-011. You must install this update and the update that is 
provided as part of the MS04-011 security bulletin to help protect your 
system against both vulnerabilities.


Mitigating Factors for Graphics Rendering Engine Vulnerability:
The vulnerability could be exploited by an attacker who persuaded a user 
to open a specially crafted file or to view a folder that contains the 
specially crafted image. There is no way for an attacker to force a user 
to open a malicious file, except potentially through previewing an email 
message.
In a Web-based attack scenario, an attacker would have to host a Web site 
that contains a Web page that is used to exploit this vulnerability. An 
attacker would have no way to force users to visit a malicious Web site. 
Instead, an attacker would have to persuade them to visit the Web site, 
typically by getting them to click a link that takes them to the 
attacker's site.
Windows XP Service Pack 2 is not affected by this vulnerability.

Workarounds for Graphics Rendering Engine Vulnerability:
Microsoft has tested the following workarounds. While these workarounds 
will not correct the underlying vulnerability, they help block known 
attack vectors. When a workaround reduces functionality, it is identified 
below.

Read e-mail messages in plain text format if you are using Outlook 2002 or 
later, or Outlook Express 6 SP1 or later, to help protect yourself from 
the HTML e-mail attack vector.

Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or 
later and Microsoft Outlook Express 6 users who have applied Internet 
Explorer 6 Service Pack 1 can enable this setting and view e-mail messages 
that are not digitally signed or e-mail messages that are not encrypted in 
plain text only.

Digitally signed e-mail messages or encrypted e-mail messages are not 
affected by the setting and may be read in their original formats. For 
more information about enabling this setting in Outlook 2002, see 
Microsoft Knowledge Base Article  
<http://support.microsoft.com/default.aspx?scid=kb;en-us;307594> 307594.

For information about this setting in Outlook Express 6, see Microsoft 
Knowledge Base Article  <http://support.microsoft.com/?kbid=291387> 
291387.

Impact of Workaround: E-mail messages that are viewed in plain text format 
will not contain pictures, specialized fonts, animations, or other rich 
content. In addition:

 * The changes are applied to the preview pane and to open messages.
 * Pictures become attachments so that they are not lost. Note: Manually 
viewing these pictures could allow remote code execution if you are using a 
vulnerable application or operating system.
 * Because the message is still in Rich Text or HTML format in the store, 
the object model (custom code solutions) may behave unexpectedly.


FAQ for Graphics Rendering Engine Vulnerability:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who 
successfully exploited this vulnerability could remotely take complete 
control of an affected system, including installing programs; viewing, 
changing, or deleting data; or creating new accounts that have full 
privileges. This vulnerability could also be used to attempt to perform a 
local elevation of privilege or a remote denial of service.

What causes the vulnerability?
An unchecked buffer exists in the way that the Graphics Rendering Engine 
processes Windows Metafile (WMF) and Enhanced Metafile (EMF) image 
formats.

What are Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats?
A WMF image is a 16-bit metafile format that can contain both vector 
information and bitmap information. It is optimized for the Windows 
operating system. An EMF image is a 32-bit format that can contain both 
vector information and bitmap information. This format is an improvement 
over the Windows Metafile format and contains extended features.

For more information about image types and formats, see Microsoft 
Knowledge Base Article 320314. Additional information about these file 
formats is also available at the MSDN Library Web site.
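As an added illustration (not part of the bulletin or of Microsoft's code), the following Python walks WMF and EMF record streams and checks each record's declared length against the bytes actually present before trusting it, the kind of validation whose absence in the Graphics Rendering Engine is described above. The format constants are the public WMF/EMF identifiers; the sample files are constructed inline.

```python
import struct

# Public WMF/EMF format identifiers (from the format specifications).
WMF_PLACEABLE_KEY, WMF_EOF_FUNC = 0x9AC6CDD7, 0x0000   # Aldus placeable header key, META_EOF
EMF_SIGNATURE, EMF_HEADER_MIN = 0x464D4520, 88         # " EMF" signature, minimum EMR_HEADER size
EMR_HEADER, EMR_EOF = 0x00000001, 0x0000000E

def walk_wmf(data: bytes) -> list:
    """Walk a WMF record stream, checking each declared length before using it; [] = consistent."""
    findings, off = [], 0
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == WMF_PLACEABLE_KEY:
        off = 22                        # skip the optional 22-byte placeable header
    if len(data) - off < 18:
        return ["truncated WMF header"]
    ftype, hdr_words, _, _, _, max_rec_words, _ = struct.unpack_from("<HHHIHIH", data, off)
    if ftype not in (1, 2) or hdr_words != 9:
        findings.append(f"unexpected WMF header: type={ftype} size={hdr_words} words")
    off += 18
    while True:
        if len(data) - off < 6:
            findings.append(f"stream ends at {off} without a META_EOF record")
            return findings
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2           # WMF sizes are counted in 16-bit words
        if size_words < 3:
            findings.append(f"record at {off}: size {size_words} words below the 3-word minimum")
            return findings
        if size > len(data) - off:      # the check an unchecked consumer lacks
            findings.append(f"record at {off} (function 0x{func:04X}): declared {size} bytes, only {len(data) - off} remain")
            return findings
        if size_words > max_rec_words:
            findings.append(f"record at {off}: size exceeds the header's MaxRecordSize")
        if func == WMF_EOF_FUNC:
            return findings
        off += size

def walk_emf(data: bytes) -> list:
    """Same bounds discipline for an EMF record stream (sizes are in bytes)."""
    findings = []
    if len(data) < EMF_HEADER_MIN:
        return ["truncated EMF header"]
    rtype, hdr_size = struct.unpack_from("<II", data, 0)
    sig, _, nbytes, _ = struct.unpack_from("<IIII", data, 40)   # Signature, Version, Bytes, Records
    if rtype != EMR_HEADER or sig != EMF_SIGNATURE or hdr_size < EMF_HEADER_MIN:
        return ["missing or undersized EMR_HEADER record"]
    if nbytes != len(data):
        findings.append(f"header Bytes field {nbytes} disagrees with actual length {len(data)}")
    off = 0
    while True:
        if len(data) - off < 8:
            findings.append(f"stream ends at {off} without an EMR_EOF record")
            return findings
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or size % 4 or size > len(data) - off:
            findings.append(f"record at {off} (type 0x{rtype:08X}): declared {size} bytes, {len(data) - off} remain")
            return findings
        if rtype == EMR_EOF:
            return findings
        off += size

def _build_wmf(records: list) -> bytes:
    body = b"".join(records)            # 18-byte standard header, type 2 = disk metafile
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) // 2 for r in records), 0)
    return header + body

def _build_emf(records: list) -> bytes:
    body = b"".join(records)
    header = (struct.pack("<II", EMR_HEADER, EMF_HEADER_MIN) + bytes(32)   # Bounds, Frame
              + struct.pack("<IIIIHHIII", EMF_SIGNATURE, 0x00010000, EMF_HEADER_MIN + len(body),
                            1 + len(records), 1, 0, 0, 0, 0) + bytes(16))  # Device, Millimeters
    return header + body

# Constructed samples: well-formed files, and files whose record header declares far more
# bytes than exist, which an unchecked consumer would read or copy past the end of its buffer.
GOOD_WMF = _build_wmf([struct.pack("<IH", 3, WMF_EOF_FUNC)])            # header + META_EOF
BAD_WMF = _build_wmf([struct.pack("<IH", 0x10000, 0x0F43) + bytes(6)])
GOOD_EMF = _build_emf([struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)])  # header + EMR_EOF
BAD_EMF = _build_emf([struct.pack("<II", 0x0000004E, 0x40000000) + bytes(12)])
```

Run `walk_wmf` or `walk_emf` over a file's bytes; a non-empty list names the first record whose declared size cannot be trusted.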

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take 
complete control of an affected system, including installing programs; 
viewing, changing, or deleting data; or creating new accounts that have 
full privileges.

How could an attacker exploit this vulnerability?
Any program that renders the affected image types could be vulnerable to 
this attack. Here are some examples:
 * An attacker could host a malicious Web site that is designed to exploit 
this vulnerability through Internet Explorer and then persuade a user to 
view the Web site.
 * An attacker could create an HTML e-mail message that has a specially 
crafted image attached. The specially crafted image could be designed to 
exploit this vulnerability through Microsoft Outlook or through Outlook 
Express 6. An attacker could persuade the user to view the HTML e-mail 
message.
 * An attacker could embed a specially crafted image in an Office document 
and then persuade the user to view the document.
 * An attacker could add a specially crafted image to the local file 
system or onto a network share and then persuade the user to preview the 
folder.
 * An attacker could locally log on to the system. An attacker could then 
run a specially-designed program that could exploit the vulnerability, and 
thereby gain complete control over the affected system.

An attacker could also access the affected component through another 
vector. For example, an attacker could log on to the system interactively 
or by using another program that passes parameters to the vulnerable 
component (locally or remotely). To locally exploit this vulnerability, an 
attacker would first have to log on to the system. An attacker could then 
run a specially-designed application that could exploit the vulnerability, 
and thereby gain complete control over the affected system.

What systems are primarily at risk from the vulnerability?
The vulnerability could be exploited on the affected systems by an 
attacker who persuaded a user to open a specially crafted file or to view 
a folder that contains the specially crafted image. There is no way for an 
attacker to force a user to open a specially crafted file, except 
potentially through previewing an email message.

In a Web-based attack scenario, an attacker would have to host a Web site 
that contains a Web page that is used to exploit this vulnerability. An 
attacker would have no way to force users to visit a malicious Web site. 
Instead, an attacker would have to persuade them to visit the Web site, 
typically by getting them to click a link that takes them to the 
attacker's site.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the 
Internet.

What does the update do?
The update removes the vulnerability by modifying the way that the 
Graphics Rendering Engine processes Windows Metafile (WMF) and Enhanced 
Metafile (EMF) image formats.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
No. Microsoft received information about this vulnerability through 
responsible disclosure. Microsoft had not received any information 
indicating that this vulnerability had been publicly disclosed when this 
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.

How does this vulnerability relate to the metafile vulnerability that is 
addressed by MS04-011?
Both vulnerabilities are related to the processing of WMF and EMF image 
formats. However, this update addresses a new vulnerability that was not 
addressed as part of MS04-011. MS04-011 helps protect against the 
vulnerability that is discussed in that bulletin, but does not address 
this new vulnerability. This update does not replace MS04-011. You must 
install this update and the update provided as part of the MS04-011 
security bulletin to help protect your system against both 
vulnerabilities.

How does this vulnerability relate to the JPEG processing (GDI+) 
vulnerability that is addressed by MS04-028?
The affected component of this vulnerability is a native operating system 
component and is not redistributed. The affected component in the MS04-028 
JPEG processing (GDI+) vulnerability was able to be redistributed by other 
applications and third-party programs. Installing this operating system 
update helps protect against this vulnerability for all applications that 
could be possible attack vectors that may attempt to exploit this 
vulnerability. MS04-028 helps protect against the vulnerability that is 
discussed in that bulletin, but does not address this new vulnerability. 
This update does not replace MS04-028. You must install this update and 
the update that is provided as part of the MS04-028 security bulletin to 
help protect your system against both vulnerabilities.


Mitigating Factors for Windows Kernel Vulnerability:
The vulnerability would not enable an attacker to gain any privileges on 
an affected system. This issue is strictly a denial of service 
vulnerability.
Windows NT 4.0, Windows 2000, and Windows XP are not affected by this 
vulnerability.

FAQ for Windows Kernel Vulnerability:
What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who exploited this 
vulnerability could cause the affected system to stop responding and 
automatically restart. During that time, the server cannot respond to 
requests.

Note The denial of service vulnerability would not allow attackers to 
execute code or elevate their privileges, but it could cause the affected 
system to stop accepting requests.

What causes the vulnerability?
The Windows kernel does not properly reset some values within some CPU 
data structures.

What is the Windows kernel?
The Windows kernel is the core of the operating system. It provides system 
level services such as device management and memory management, it 
allocates processor time to processes, and it manages error handling. For 
more information about the kernel and about other operating system 
structures, visit the following Web site.

What might an attacker use the vulnerability to do?
An attacker who exploited this vulnerability could cause the affected 
system to stop responding and automatically restart. During that time, the 
server cannot respond to requests.

Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must be able to log on locally 
to a system and run a program.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to 
the system. An attacker could then run a specially-designed program that 
could exploit the vulnerability. This could cause the system to stop 
responding and therefore cause a denial of service condition.

What systems are primarily at risk from the vulnerability?
Terminal servers are primarily at risk. Servers are only at risk if users 
who do not have sufficient administrative credentials are given the 
ability to log on to servers and to run programs. However, best practices 
strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system targeted for 
attack. An attacker cannot load and run a program remotely by using this 
vulnerability.

What does the update do?
The update addresses the vulnerability by modifying the way that the 
Windows kernel resets some values in some CPU data structures.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
No. Microsoft received information about this vulnerability through 
responsible disclosure. Microsoft had not received any information 
indicating that this vulnerability had been publicly disclosed when this 
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
The original article can be found at: 
http://www.microsoft.com/technet/security/bulletin/MS04-032.mspx


