Microsoft’s monthly patch release for April 2004 caught a number of security specialists by surprise due to the number and severity of the vulnerabilities fixed. The four new Microsoft Security Bulletins are:
* MS04-011 “Security Update for Microsoft Windows”
* MS04-012 “Cumulative Update for Microsoft RPC/DCOM”
* MS04-013 “Cumulative Security Update for Outlook Express”
* MS04-014 “Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution”
Additionally, Microsoft has made major revisions to four earlier Security Bulletins (one from each of the past four years)—MS00-082, MS01-041, MS02-011, and MS03-046—as detailed at the end of this article.
Details
According to a CNET News.com report, Microsoft says that some of these fixes have been available for months but the company delayed the release of patches to ease the burden on harried administrators.
With the release of these patches, numerous companies are coming forward with distressing information about just how long many of these critical vulnerabilities were known. Symantec, for example, has been sitting on an Outlook Express MHTML vulnerability since November 25, 2003, waiting for Microsoft to release a patch, which is now included in MS04-013.
eEye Digital Security, which has been given credit for discovering six of the recently patched flaws, reports that some of these had been known for more than 200 days before being patched.
Author’s note
Please note that any of the Mitre CANdidate listings for individual vulnerabilities listed below can be accessed using this URL format: www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0807. Simply substitute the correct year and item number after CAN.
MS04-011
This “Security Update for Microsoft Windows” replaces some earlier bulletins and also covers some new threats. The patches provided address:
* LDAP Vulnerability (CAN-2003-0663) – A denial of service (DoS) threat
* PCT Vulnerability (CAN-2003-0719) – A buffer overrun may allow an attacker to take over a vulnerable system
* Winlogon Vulnerability (CAN-2003-0806) – A buffer overrun allows remote execution of arbitrary code
* Help and Support Vulnerability (CAN-2003-0907) – A remote code execution threat
* Utility Manager Vulnerability (CAN-2003-0908) – A privilege elevation threat
* Windows Management Vulnerability (CAN-2003-0909) – A privilege elevation threat
* Negotiate SSP Vulnerability (CAN-2004-0119) – A buffer overrun may allow an attacker to take over a vulnerable system
* SSL Vulnerability (CAN-2004-0120) – A DoS threat
* ASN.1 “Double Free” Vulnerability (CAN-2004-0123) – A DoS threat
* LSASS Vulnerability (CAN-2003-0533) – A buffer overrun allows remote execution of arbitrary code
* Metafile Vulnerability (CAN-2003-0906) – A buffer overrun allows remote execution of arbitrary code
* H.323 Vulnerability (CAN-2004-0117) – A remote code execution threat
* Local Descriptor Table Vulnerability (CAN-2003-0910) – A privilege elevation threat
* Virtual DOS Machine Vulnerability (CAN-2004-0118) – A privilege elevation threat
MS04-012
This “Cumulative Update for Microsoft RPC/DCOM” fixes vulnerabilities identified as:
* COM Internet Services and RPC over HTTP (CAN-2003-0807) – A DoS threat
* RPC Runtime Library (CAN-2003-0813) – A DoS threat caused by a race condition
* RPCSS Service (CAN-2004-0116) – A DoS threat
* Object Identity (CAN-2004-0124) – An information disclosure threat
MS04-013
This “Cumulative Security Update for Outlook Express” replaces MS03-014 and all previous Outlook Express updates.
MS04-014
This “Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution” is a remote code execution threat that results from a buffer overrun. An exploit would require that the attacker craft a special database query and send it to the Jet Database. The only vulnerability covered by MS04-014 is CAN-2004-0380.