Original issue date: October 16, 2003<br>
Last revised: October 17, 2003<br>
Source: CERT/CC<br>

<p>
A complete <a href="#revision">revision</a> history is at the end of this file.
</p>

<br>
<h3>Systems Affected</h3>
<ul>
<li>Multiple versions of Microsoft Windows (ME, NT 4.0, NT 4.0 TSE, 2000, XP, Server 2003)</li>
<li>Microsoft Exchange Server 5.5 and Microsoft Exchange Server 2000</li>
</ul>

<br>
<h2>Overview</h2>
<p>
There are multiple vulnerabilities in Microsoft Windows and Microsoft
Exchange, the most serious of which could allow remote attackers to
execute arbitrary code.
</p>

<br>
<h2>I. Description</h2>
<p>
There are a number of vulnerabilities in Microsoft Windows and
Microsoft Exchange that could allow an attacker to gain administrative
control of a vulnerable system.  The most serious of these
vulnerabilities allow an unauthenticated, remote attacker to execute
arbitrary code with no action required on the part of the victim.  For
detailed information, see the following vulnerability notes:
<blockquote>
<p>
<b><a href="http://www.kb.cert.org/vuls/id/575892">VU#575892</a> - Buffer overflow in Microsoft Windows Messenger Service</b><br>
There is a buffer overflow in the Messenger service on most recent versions of Microsoft Windows that could allow an attacker to execute arbitrary code.<br>
<i><small>(Other resources:  <a href="http://www.microsoft.com/technet/security/bulletin/MS03-043.asp">MS03-043</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0717">CAN-2003-0717</a>)</small></i>
</p>
<p>
<b><a href="http://www.kb.cert.org/vuls/id/422156">VU#422156</a> - Microsoft Exchange Server fails to properly handle specially crafted SMTP extended verb requests</b><br>
Microsoft Exchange fails to handle certain SMTP extended verbs correctly.  In Exchange 5.5, this can lead to a denial-of-service condition. In Exchange 2000, this could permit an attacker to run arbitrary code.<br>
<i><small>(Other resources:  <a href="http://www.microsoft.com/technet/security/bulletin/MS03-046.asp">MS03-046</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0714">CAN-2003-0714</a>)</small></i>
</p>
</blockquote>
</p>
<p>
In addition, several other vulnerabilities may permit an attacker to
execute arbitrary code if the attacker can convince the victim to take
some specific action (e.g., viewing a web page or an HTML email message).  For
detailed information, see the following vulnerability notes:
<blockquote>
<p>
<b><a href="http://www.kb.cert.org/vuls/id/467036">VU#467036</a> - Microsoft Windows Help and Support Center contains buffer overflow in code used to handle HCP protocol</b><br>
There is a buffer overflow in the Microsoft Windows Help and Support Center that could permit an attacker to execute arbitrary code with SYSTEM privileges.<br>
<i><small>(Other resources:  <a href="http://www.microsoft.com/technet/security/bulletin/MS03-044.asp">MS03-044</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0711">CAN-2003-0711</a>)</small></i>
</p>
<p>
<b><a href="http://www.kb.cert.org/vuls/id/989932">VU#989932</a> - Microsoft Windows contains buffer overflow in Local Troubleshooter ActiveX control (Tshoot.ocx)</b><br>
Microsoft Windows ships with a troubleshooting application to assist users with problems. A vulnerability in this application may permit a remote attacker to execute arbitrary code with the privileges of the current user.<br>
<i><small>(Other resources:  <a href="http://www.microsoft.com/technet/security/bulletin/MS03-042.asp">MS03-042</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0662">CAN-2003-0662</a>)</small></i>
</p>
<p>
<b><a href="http://www.kb.cert.org/vuls/id/838572">VU#838572</a> - Microsoft Windows Authenticode mechanism installs ActiveX controls without prompting user</b><br>
A vulnerability in Microsoft's Authenticode could allow a remote attacker to install an untrusted ActiveX control on the victim's system.  The ActiveX control could run code of the attacker's choice.<br>
<i><small>(Other resources:  <a href="http://www.microsoft.com/technet/security/bulletin/MS03-041.asp">MS03-041</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0660">CAN-2003-0660</a>)</small></i>
</p>
<p>
<b><a href="http://www.kb.cert.org/vuls/id/435444">VU#435444</a> - Microsoft Outlook Web Access (OWA) contains cross-site scripting vulnerability in the "Compose New Message" form</b><br>
There is a cross-site scripting vulnerability in Microsoft Outlook Web Access.<br>
<i><small>(Other resources:  <a href="http://www.microsoft.com/technet/security/bulletin/MS03-047.asp">MS03-047</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0712">CAN-2003-0712</a>)</small></i>
</p>
</blockquote>
</p>
<p>
Finally, there is a vulnerability in ListBox and ComboBox controls
that could allow a local user to gain elevated privileges. For
detailed information, see the following vulnerability note:
<blockquote>
<p>
<b><a href="http://www.kb.cert.org/vuls/id/967668">VU#967668</a> - Microsoft Windows ListBox and ComboBox controls vulnerable to buffer overflow when supplied crafted Windows message</b><br>
There is a buffer overflow in a function called by the Microsoft Windows ListBox and ComboBox controls that could allow a local attacker to execute arbitrary code with privileges of the process hosting the controls.<br>
<i><small>(Other resources:  <a href="http://www.microsoft.com/technet/security/bulletin/MS03-045.asp">MS03-045</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0659">CAN-2003-0659</a>)</small></i>
</p>
</blockquote>
</p>

<br>
<h2>II. Impact</h2>
<p>
The impact of these vulnerabilities ranges from denial of service to
the ability to execute arbitrary code.
</p>

<br>
<h2>III. Solution</h2>

<h4>Disable the Messenger Service</h4>
<p>
For <a href="http://www.kb.cert.org/vuls/id/575892">VU#575892</a>,
Microsoft recommends first disabling the Messenger service and then
evaluating the need to apply the patch.  If the Messenger service is
not required, leave it in the disabled state.  Apply the patch to make
sure that systems are protected, especially if the Messenger service is
re-enabled.  Instructions for disabling the Messenger service can be
found in <a href="http://www.kb.cert.org/vuls/id/575892">VU#575892</a>
and <a
href="http://www.microsoft.com/technet/security/bulletin/MS03-043.asp">MS03-043</a>.
</p>
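<p>
The following command-prompt script carries out the step described above: it stops the Messenger service, sets its start type to disabled, and verifies the result. It is an added example, not taken from this advisory or from Microsoft's instructions, and it assumes that <code>sc.exe</code> is available on the host and that it is run from an administrator command prompt.
</p>

```bat
@echo off
rem Added example: stop and disable the Messenger service, then verify.
rem Assumptions: sc.exe is available on this host and the prompt has
rem administrator privileges.
setlocal
set SVC=Messenger

rem 1. Does the service exist on this host?
sc query %SVC% >nul 2>&1
if errorlevel 1 (
    echo %SVC% service not found; nothing to do.
    exit /b 0
)

rem 2. Stop the service if it is currently running.
sc query %SVC% | findstr /c:"RUNNING" >nul
if not errorlevel 1 (
    net stop %SVC%
)

rem 3. Set the start type to disabled. The space after "start=" is required.
sc config %SVC% start= disabled
if errorlevel 1 (
    echo Failed to change the start type; check privileges.
    exit /b 1
)

rem 4. Verify the configured start type and the current state.
sc qc %SVC% | findstr /c:"DISABLED" >nul
if errorlevel 1 (
    echo WARNING: start type is not DISABLED.
    exit /b 1
)
sc query %SVC% | findstr /c:"STOPPED" >nul
if errorlevel 1 (
    echo WARNING: service is not stopped.
    exit /b 1
)
echo %SVC% is stopped and disabled.
exit /b 0
```

<p>
A non-zero exit code means the service could not be confirmed as stopped and disabled, so the host still needs attention before the patch decision is made.
</p>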

<h4>Apply patches</h4>
<p>
Microsoft has provided patches for these problems.  Details can be
found in the relevant <a href="#microsoft">Microsoft Security
Bulletins</a>.  For many home users, the simplest way to obtain these
patches will be by running <a
href="http://windowsupdate.microsoft.com/">Windows Update</a>.
</p>

<br>
<a name="vendors"></a>
<h2>Appendix A.  Vendor Information</h2>

<p>
This appendix contains information provided by vendors.  When vendors
report new information, this section is updated, and the changes are
noted in the revision history.  If a vendor is not listed below, we
have not received their authenticated, direct statement.  Further
vendor information is available in the Systems Affected sections of
the vulnerability notes listed above.
</p>

<a name="microsoft"></a>
<h4><a href="http://www.microsoft.com/">Microsoft Corporation</a></h4>
<blockquote>
<p>
Please see the following Microsoft Security Bulletins:  

<a href="http://www.microsoft.com/technet/security/bulletin/MS03-041.asp">MS03-041</a>,
<a href="http://www.microsoft.com/technet/security/bulletin/MS03-042.asp">MS03-042</a>,
<a href="http://www.microsoft.com/technet/security/bulletin/MS03-043.asp">MS03-043</a>,
<a href="http://www.microsoft.com/technet/security/bulletin/MS03-044.asp">MS03-044</a>,
<a href="http://www.microsoft.com/technet/security/bulletin/MS03-045.asp">MS03-045</a>,
<a href="http://www.microsoft.com/technet/security/bulletin/MS03-046.asp">MS03-046</a>, and
<a href="http://www.microsoft.com/technet/security/bulletin/MS03-047.asp">MS03-047</a>.
</p>
</blockquote>
<!-- end vendor -->

<br>
<a name="references"></a>
<h2>Appendix B.  References</h2>
<ul>
<li>CERT/CC Vulnerability Note VU#575892 - <a href="http://www.kb.cert.org/vuls/id/575892">http://www.kb.cert.org/vuls/id/575892</a></li>
<li>CERT/CC Vulnerability Note VU#422156 - <a href="http://www.kb.cert.org/vuls/id/422156">http://www.kb.cert.org/vuls/id/422156</a></li>
<li>CERT/CC Vulnerability Note VU#467036 - <a href="http://www.kb.cert.org/vuls/id/467036">http://www.kb.cert.org/vuls/id/467036</a></li>
<li>CERT/CC Vulnerability Note VU#989932 - <a href="http://www.kb.cert.org/vuls/id/989932">http://www.kb.cert.org/vuls/id/989932</a></li>
<li>CERT/CC Vulnerability Note VU#838572 - <a href="http://www.kb.cert.org/vuls/id/838572">http://www.kb.cert.org/vuls/id/838572</a></li>
<li>CERT/CC Vulnerability Note VU#435444 - <a href="http://www.kb.cert.org/vuls/id/435444">http://www.kb.cert.org/vuls/id/435444</a></li>
<li>CERT/CC Vulnerability Note VU#967668 - <a href="http://www.kb.cert.org/vuls/id/967668">http://www.kb.cert.org/vuls/id/967668</a></li>
<li>Microsoft Security Bulletin MS03-041 - <a href="http://www.microsoft.com/technet/security/bulletin/MS03-041.asp">http://www.microsoft.com/technet/security/bulletin/MS03-041.asp</a></li>
<li>Microsoft Security Bulletin MS03-042 - <a href="http://www.microsoft.com/technet/security/bulletin/MS03-042.asp">http://www.microsoft.com/technet/security/bulletin/MS03-042.asp</a></li>
<li>Microsoft Security Bulletin MS03-043 - <a href="http://www.microsoft.com/technet/security/bulletin/MS03-043.asp">http://www.microsoft.com/technet/security/bulletin/MS03-043.asp</a></li>
<li>Microsoft Security Bulletin MS03-044 - <a href="http://www.microsoft.com/technet/security/bulletin/MS03-044.asp">http://www.microsoft.com/technet/security/bulletin/MS03-044.asp</a></li>
<li>Microsoft Security Bulletin MS03-045 - <a href="http://www.microsoft.com/technet/security/bulletin/MS03-045.asp">http://www.microsoft.com/technet/security/bulletin/MS03-045.asp</a></li>
<li>Microsoft Security Bulletin MS03-046 - <a href="http://www.microsoft.com/technet/security/bulletin/MS03-046.asp">http://www.microsoft.com/technet/security/bulletin/MS03-046.asp</a></li>
<li>Microsoft Security Bulletin MS03-047 - <a href="http://www.microsoft.com/technet/security/bulletin/MS03-047.asp">http://www.microsoft.com/technet/security/bulletin/MS03-047.asp</a></li>
</ul>

<hr noshade>
<p>
Our thanks to Microsoft Corporation for the information contained in
their security bulletins. Microsoft has credited the following people
for their help in discovering and responding to these issues: Greg
Jones of KPMG UK and Cesar Cerrudo, The Last Stage of Delirium
Research Group, David Litchfield of Next Generation Security Software
Ltd., Brett Moore of Security-Assessment.com, Joao Gouveia, and Ory
Segal of Sanctum Inc.
</p>
<hr noshade>
<p>
Feedback can be directed to the authors, <a href="mailto:cert@cert.org?subject=CA-2003-27%20VU%23575892%20Feedback">Shawn V. Hernan and Art Manion</a>.
</p>


<p>Copyright 2003 Carnegie Mellon University.</p>

<p><a name="revision">Revision History</a></p>
<p>
<small>
October 16, 2003:  Initial release, added CAN-2003-0662 reference<br>
October 17, 2003:  Fixed MS bulletin references<br>
</small>
</p>