Microsoft issued five critical alerts today, warning of four serious vulnerabilities in Windows and one in Exchange 2000 Server. All five, if exploited, could enable an outsider to remotely execute code on a vulnerable system.
Patches are available from Microsoft for all of the vulnerabilities. Microsoft is urging Windows and Exchange administrators to patch immediately.
Today's alerts are the first to be released under Microsoft's new monthly release schedule, which was announced last week at its partner conference.
A buffer overrun flaw was found in Exchange 2000 Server. An attacker connecting to an Exchange server's SMTP port could send it an extended verb request that crashes the server. Microsoft said that, if the attacker sends "carefully chosen data," he could cause an overflow of the buffer and become able to run code of his choice. A similar denial-of-service bug exists in Exchange 5.5. Microsoft deems this flaw "important."
Microsoft recommends several workarounds for administrators; admins are advised to use SMTP protocol inspection to filter SMTP protocol extensions; only accept connections from SMTP servers that use the SMTP AUTH command, if practical to an enterprise's business needs; and reset firewalls to block port 25, which is generally used by SMTP, but only as a last resort because doing so could affect e-mail services.
In Windows, Microsoft warns of separate vulnerabilities in Authenticode, Windows Troubleshooter ActiveX Control, Messenger Service and Windows Help and Support Center.
The flaws in Authenticode and Messenger Service affect Windows NT workstations and servers, Windows 2000, Windows XP and Windows Server 2003 and 2003 64-bit edition. The ActiveX Control bug affects Windows 2000 systems.
The Authenticode flaw arises under certain low-memory conditions and could enable an ActiveX control to download and install without asking the user first, Microsoft said. An attacker hosting a malicious Web page, or using a malicious HTML e-mail message, could install and execute the ActiveX control with the same permissions as the user. Users who have applied the patch included in Microsoft security bulletin MS03-040, using Internet Explorer 6 or later or Microsoft Outlook E-mail Security Update, are at less risk of being affected. Default configurations of IE on Windows 2003 block this attack.
Microsoft suggests administrators disable downloading of ActiveX controls in the Internet zone, restrict Web sites to only trusted sites, install Outlook E-mail Security Update (if they're using Outlook 2000 SP1 or earlier), or read e-mail as plain text in Outlook 2002.
Another buffer overflow vulnerability was discovered in Microsoft Local Troubleshooter ActiveX control, which is installed by default on Windows 2000. Again, an attacker using a special HTML e-mail, or one hosting a malicious Web site, could surreptitiously download and install the ActiveX control. The attacker could then run code of his choice on a vulnerable system with user privileges.
As with the Authenticode flaw, the patch in Microsoft security bulletin MS03-040, Internet Explorer 6 or later or Microsoft Outlook E-mail Security Update diminish potential damage. The same workarounds also apply here.
Messenger Service also contains a critical buffer overflow flaw, Microsoft warns. The service does not accurately validate the length of a message before it sends the message to the buffer. Attackers exploiting this flaw could run code with local privileges or crash the service. Successful exploits could enable an outsider to install malicious programs, change or view data and create new accounts.
Microsoft said Messenger Service messages are delivered via NetBIOS or RPC, and blocking those ports (137-139) could mitigate damage. Also, admins could disable the Messenger Service, which is disabled by default on Windows Server 2003.
The final critical alert concerns Windows Help and Support Center, a function that ships with Windows XP and Windows Server 2003. The vulnerability occurs because a file associated with the HCP protocol contains an unchecked buffer. Attackers could create a malicious URL that, when clicked on by a user, could execute code in the local security context. The URL could be hosted on a Web page or sent via e-mail.
Microsoft recommends deregistering the HCP protocol as a workaround.
Microsoft also issued an "important" alert regarding a buffer overflow in Windows ListBox and ComboBox. Neither control, which are located in the User32.dll file, correctly validates Windows messages. Exploits could elevate user privileges and enable an attacker to remotely control a system.
FOR MORE INFORMATION: