Aggregator

Systems Affected  

• Microsoft Windows systems

  Overview  

Microsoft Internet Explorer (IE) contains a flaw that could allow attackers to run programs of their choice on your computer.

  Description  

Microsoft IE uses a cross-domain security model to separate content from different sources. A flaw in the model makes IE vulnerable to a cross-domain violation. Attackers could exploit this flaw to execute programs on your computer.

Resolution Apply a patch

Micrososft has released a patch to resolve this issue. It is available from Microsoft Windows Update or Microsoft Security Bulletin MS04-025.

Disable Active scripting and ActiveX controls

Instructions for disabling Active scripting and ActiveX controls in the Internet Zone can be found in the Malicious Web Scripts FAQ.

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.

Run and maintain an antivirus product

It is important that you use antivirus software and keep it up to date. Most antivirus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many antivirus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible.

References

• US-CERT Technical Alert TA04-163A - <http://www.us-cert.gov/cas/techalerts/TA04-163A.html>
• Vulnerability Note VU#713878 - <http://www.kb.cert.org/vuls/id/713878>
• Microsoft Windows Update - <http://windowsupdate.microsoft.com/>
• Microsoft Security Bulletin MS04-025 - <http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx>
• Malicious Web Scripts FAQ - <http://www.cert.org/tech_tips/malicious_code_FAQ.html>
• Protect Your PC - <http://www.microsoft.com/security/protect/default.asp>
• Increase Your Browsing and E-Mail Safety - <http://www.microsoft.com/security/incident/settings.mspx>

Author: Michael Durkota

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• June 11, 2004: Initial release
  July 30, 2004: Added patch information and links to MS04-025
   

Last updated 

Systems Affected  

• Microsoft Windows systems

  Overview  

A cross-domain vulnerability in Internet Explorer (IE) could allow an attacker to execute arbitrary code with the privileges of the user running IE.

  Description  

There is a cross-domain vulnerability in the way IE determines the security zone of a browser frame that is opened in one domain then redirected by a web server to a different domain. A complex set of conditions is involved, including a delayed HTTP response (3xx status code) to change the content of the frame to the new domain. Vulnerability Note VU#713878 describes this vulnerability in more technical detail and will be updated as further information becomes available.

Other programs that host the WebBrowser ActiveX control or use the MSHTML rendering engine, such as Outlook and Outlook Express, may also be affected.

This issue has been assigned CVE CAN-2004-0549.

Impact

By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.

Publicly available exploit code exists for this vulnerability, and US-CERT has monitored incident reports that indicate that this vulnerability is being actively exploited.

Solution Apply a patch

 

Microsoft has released a cumulative patch (867801) in Security Bulletin MS04-025 which addresses this issue.

Workarounds Disable Active scripting and ActiveX controls

Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning. Instructions for disabling Active scripting in the Internet Zone can be found in the Malicious Web Scripts FAQ. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone. Also, Service Pack 2 for Windows XP (currently at RC1) includes these and other security enhancements for IE.
 

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels. While this is generally good security practice, following this behavior will not prevent exploitation of this vulnerability in all cases.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

 

Appendix B. References

• Microsoft Security Bulletin MS04-025 - <http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx>
• Vulnerability Note VU#713878 - <http://www.kb.cert.org/vuls/id/713878>
• US-CERT Technical Cyber Security Alert TA04-212A - <http://www.us-cert.gov/cas/techalerts/TA04-212A.html>
• Malicious Web Scripts FAQ - <http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps>
• Computer Virus Resources - <http://www.us-cert.gov/reading_room/virus.html>
• CVE CAN-2004-0549 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549>
• Microsoft Knowledge Base Article 833633 - <http://support.microsoft.com/default.aspx?scid=833633>
• Windows XP Service Pack 2 RC1 - <http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx>
• Increase Your Browsing and E-Mail Safety - <http://www.microsoft.com/security/incident/settings.mspx>
• Working with Internet Explorer 6 Security Settings - <http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx>

 

Public incidents related to this vulnerability were reported by Rafel Ivgi. Thanks to Jelmer for further research and analysis.

Feedback can be directed to the author: Art Manion.

Revision History

• June 11, 2004: Initial release
  July 30, 2004: Added links to MS04-025
  December 3, 2004: Added reference to TA04-212A
   

  Last updated 

Systems Affected

• Oracle Applications 11.0 (all releases)
• Oracle E-Business Suite 11i, 11.5.1 through 11.5.8

Overview

A vulnerability in the Oracle's E-Business Suite allows a remote
attacker to execute arbitrary script on a vulnerable database system.
Exploitation may lead to compromise of the database application, data
integrity, or underlying operating system.

Description

Oracle E-Business Suite is a set of applications and modules that
enables an organization to manage customer interactions, deliver services,
manufacture products, ship orders, collect payments, and other tasks using
a single database model.

According to the Oracle
Security Alert 67, Oracle Applications 11.0 (all releases) and Oracle
E-Business Suite Release 11i, 11.5.1 through 11.5.8 are vulnerable to SQL
injection vulnerabilities. Oracle E-Business Suite Release 11.5.9 and
later are not vulnerable. This vulnerability is not platform specific.
Integrigy Corporation has also released an alert
about these vulnerabilities.

Note that no authentication mechanisms of Oracle E-Business Suite will
mitigate exploitation of the attack.

US-CERT is tracking this issue as VU#961579.

Impact

An unauthenticated attacker could exploit this vulnerability to execute
arbitrary SQL statements on the vulnerable system with the privileges of
the Oracle server process. In addition to compromising the integrity of
the database information, this may lead to the compromise of the database
application and the underlying operating system.

Solution

Apply Patch or Upgrade

According to the Oracle Security
Alert 67, patches and related information are available from:

http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=274375.1

Note that the above link requires registration to Oracle Metalink. To
register for support, please visit:

http://metalink.oracle.com/register/pls/registration.step_1

Appendix B. References

• http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
  
• http://www.integrigy.com/alerts/OraAppsSQLInjection.htm
  
• http://www.kb.cert.org/vuls/id/961579
  

US-CERT thanks Stephen Kost of Integrigy Corporation for reporting this
problem and for information used to construct this advisory.

Feedback can be directed to the author: Jason
A. Rafail

Revision History

• June 8, 2004: Initial release
  
  June 9, 2004: Added Oracle support registration link
  

  Last updated

Systems Affected  

• Concurrent Versions System (CVS) versions prior to 1.11.16
• CVS Features versions prior to 1.12.8

  Overview  

A heap overflow vulnerability in the Concurrent Versions System (CVS) could allow a remote attacker to execute arbitrary code on a vulnerable system.

  Description  

CVS is a source code maintenance system that is widely used by open-source software development projects. There is a heap memory overflow vulnerability in the way CVS handles the insertion of modified and unchanged flags within entry lines. When processing an entry line, an additional byte of memory is allocated to flag the entry as modified or unchanged. There is a failure to check if a byte has been previously allocated for the flag, which creates an off-by-one buffer overflow. By calling a vulnerable function several times and inserting specific characters into the entry lines, a remote attacker could overwrite multiple blocks of memory. In some environments, the CVS server process is started by the Internet services daemon (inetd) and may run with root privileges.

An authenticated client could exploit this vulnerability to execute arbitrary code, execute commands, modify sensitive information, or cause a denial of service. Note that if a CVS server is configured to permit anonymous read-only access, then this provides sufficient access to exploit a vulnerable server, as anonymous users are authenticated through the cvspserver process.

US-CERT is tracking this issue as VU#192038. This reference number corresponds to CVE candidate CAN-2004-0396.

Impact

An authenticated client could exploit this vulnerability to execute arbitrary code on the vulnerable system with the privileges of the CVS server process. It is possible for an anonymous user with read-only access to exploit a vulnerable server as they are authenticated through the cvspserver process.

In addition to compromising the system running CVS, there is a significant secondary impact in that source code maintained in CVS repositories could be modified to include Trojan horses, backdoors, or other malicious code.

Solution

Apply Patch or Upgrade

Apply the appropriate patch or upgrade as specified by your vendor. For vendor specific responses, please see your vendor's website or Vulnerability Note VU#192038.

 

This issue has been resolved in Stable CVS Version 1.11.16 and CVS Feature Version 1.12.8.

Disable CVS Server
 

Until a patch or upgrade can be applied, consider disabling the CVS server.
 

 

Block or Restrict Access
 

Block or restrict access to the CVS server from untrusted hosts and networks. The CVS server typically listens on 2401/tcp, but may use another port or protocol.

Limit CVS Server Privileges

• Configure CVS server to run in a restricted (chroot) environment.
• Run CVS servers with the minimum set of privileges required on the host file system.
• Provide separate systems for development (write) and public/anonymous (read-only) CVS access.
• Host public/anonymous CVS servers on single-purpose, secured systems.

Note that some of these workarounds will only limit the scope and impact of possible attacks. Note also that anonymous (read-only) access is sufficent to exploit this vulnerability.

 

 

Appendix B. References

• http://security.e-matters.de/advisories/072004.html
   
• http://secunia.com/advisories/11641/
   
• http://www.securitytracker.com/alerts/2004/May/1010208.html
   
• http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt

 

US-CERT thanks Stefan Esser of e-matters for reporting this problem and for information used to construct this advisory.

Feedback can be directed to the authors: Jason A. Rafail and Damon Morda

Revision History

• May 26, 2004: Initial release
   

  Last updated 

Systems Affected

• Cisco routers and switches running vulnerable versions of IOS.



Vulnerable IOS versions known to be affected include:

• 12.0(23)S4, 12.0(23)S5
• 12.0(24)S4, 12.0(24)S5
• 12.0(26)S1
• 12.0(27)S
• 12.0(27)SV, 12.0(27)SV1
• 12.1(20)E, 12.1(20)E1, 12.1(20)E2
• 12.1(20)EA1
• 12.1(20)EW, 12.1(20)EW1
• 12.1(20)EC, 12.1(20)EC1
• 12.2(12g), 12.2(12h)
• 12.2(20)S, 12.2(20)S1
• 12.2(21), 12.2(21a)
• 12.2(23)
• 12.3(2)XC1, 12.3(2)XC2
• 12.3(5), 12.3(5a), 12.3(5b)
• 12.3(6)
• 12.3(4)T, 12.3(4)T1, 12.3(4)T2, 12.3(4)T3
• 12.3(5a)B
• 12.3(4)XD, 12.3(4)XD1

Overview

There is a vulnerability in Cisco's Internetwork Operating System (IOS) SNMP service. When vulnerable Cisco routers or switches process specific SNMP requests, the system may reboot. If repeatedly exploited, this vulnerability could result in a sustained denial of service (DoS).

This vulnerability is distinct from the vulnerability described in US-CERT Technical Alert TA04-111A issued earlier today. Cisco has published an advisory about this distinct SNMP issue at the following location:

http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml

Description

The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices. There are several types of SNMP messages that are used to request information or configuration changes, respond to requests, enumerate SNMP objects, and send both solicited and unsolicited alerts. These messages use UDP to communicate network information between SNMP agents and managers.

There is a vulnerability in Cisco's IOS SNMP service in which attempts to process specific SNMP messages are handled incorrectly. This may potentially cause the device to reload.

Typically, ports 161/udp and 162/udp are used during SNMP operations to communicate. In addition to these well-known ports, Cisco IOS uses a randomly selected UDP port in the range from 49152/udp to 59152/udp (and potentially up to 65535) to listen for other types of SNMP messages. While SNMPv1 and SNMPv2c formatted messages can trigger this vulnerability, the greatest risk is exposed when any SNMPv3 solicited operation is sent to a vulnerable port.

Cisco notes in their advisory:

SNMPv1 and SNMPv2c solicited operations to the vulnerable ports will perform an authentication check against the SNMP community string, which may be used to mitigate attacks. Through best practices of hard to guess community strings and community string ACLs, this vulnerability may be mitigated for both SNMPv1 and SNMPv2c. However, any SNMPv3 solicited operation to the vulnerable ports will reset the device. If configured for SNMP, all affected versions will process SNMP version 1, 2c and 3 operations.

Cisco is tracking this issue as CSCed68575. US-CERT is tracking this issue as VU#162451.

Impact

A remote, unauthenticated attacker could cause the vulnerable device to reload. Repeated exploitation of this vulnerability could lead to a sustained denial of service condition.

Solution Upgrade to fixed versions of IOS

Cisco has published detailed information about upgrading affected Cisco IOS software to correct this vulnerability. System managers are encouraged to upgrade to one of the non-vulnerable releases. For additional information regarding availability of repaired releases, please refer to the "Software Versions and Fixes" section of the Cisco Security Advisory.

Workarounds

Cisco recommends a number of workarounds, including disabling SNMP processing on affected devices. For a complete list of workarounds, see the Cisco Security Advisory.

Appendix A. Vendor Information

This appendix contains information provided by vendors for this
advisory. As vendors report new information to US-CERT, we will update
this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.

Cisco Systems

Please refer to Cisco Security Advisory: "Vulnerabilities in SNMP Message Processing".
Cisco has published their advisory at the following location:

http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml

US-CERT thanks Cisco Systems for notifying us about
this problem.

Feedback can be directed to the authors: Jeff Havrilla, Shawn Hernan, Damon Morda

The latest version of this document can be found at: http://www.us-cert.gov/cas/techalerts/TA04-111B.html

Copyright 2004 Carnegie Mellon University. Terms of use: http://www.us-cert.gov/legal.html

Revision History

• April 20, 2004: Initial release
  

  Last updated

Systems Affected

• Systems that rely on persistent TCP connections, for example
  routers supporting BGP

Overview

Most implementations of the Border Gateway Protocol (BGP) rely on the
Transmission Control Protocol (TCP) to maintain persistent
unauthenticated network sessions. There is a vulnerability in TCP
which allows remote attackers to terminate network sessions. Sustained
exploitation of this vulnerability could lead to a denial of service
condition; in the case of BGP systems, portions of the Internet
community may be affected. Routing operations would recover quickly
after such attacks ended.

Description

In 2001, the CERT Coordination Center released CA-2001-09,
describing statistical weaknesses in various TCP/IP Initial Sequence
generators. In that document, it was noted by Tim Newsham:

[I]f a sequence number within the receive window is known,
an attacker can inject data into the session stream or terminate the
connection. If the ISN value is known and the number of bytes sent
already sent is known, an attacker can send a simple packet to inject
data or kill the session. If these values are not known exactly, but
an attacker can guess a suitable range of values, he can send out a
number of packets with different sequence numbers in the range until
one is accepted. The attacker need not send a packet for every
sequence number, but can send packets with sequence numbers a
window-size apart. If the appropriate range of sequence numbers is
covered, one of these packets will be accepted. The total number of
packets that needs to be sent is then given by the range to be
covered divided by the fraction of the window size that is used as an
increment.

Paul Watson has performed the statistical analysis of this attack when the
ISN is not known and has pointed out that such an attack could be viable
when specifically taking into account the TCP Window size. He has also
created a proof-of-concept tool demonstrating the practicality of the
attack. The National Infrastructure Security Co-Ordination Centre (NISCC)
has published an advisory summarizing Paul Watson's analysis in NISCC Vulnerability Analysis 236929.

Since TCP is an insecure protocol, it is possible to inject
transport-layer packets into sessions between hosts given the right
preconditions. The TCP/IP Initial Sequence
Number vulnerability (VU#498440) referenced in CA-2001-09 is one
example of how an attacker could inject TCP packets into a session. If
an attacker were to send a Reset (RST) packet for example, they would
cause the TCP session between two endpoints to terminate without any
further communication.

The Border Gateway Protocol (BGP) is used to exchange routing
information for the Internet and is primarily used by Internet Service
Providers (ISPs). For detailed information about BGP and some tips for
securing it, please see Cisco
System's documentation or Team
Cymru. A vulnerable situation arises due to the fact that BGP relies on
long-lived persistent TCP sessions with larger window sizes to
function. When a BGP session is disrupted, the BGP application
restarts and attempts to re-establish a connection to its peers. This
may result in a brief loss of service until the fresh routing tables
are created.

In a TCP session, the endpoints can negotiate a TCP Window size. When
this is taken into account, instead of attempting to send a spoofed
packet with all potential sequence numbers, the attacker would only
need to calculate a valid sequence number that falls within the next
expected ISN plus or minus half the window size. Therefore, the larger
the TCP Window size, the the larger the range of sequence numbers that
will be accepted in the TCP stream. According to Paul Watson's report,
with a typical xDSL data connection (80 Kbps, upstream) capable of
sending of 250 packets per second (pps) to a session with a TCP Window
size of 65,535 bytes, it would be possible to inject a TCP packet
approximately every 5 minutes. It would take approximately 15 seconds
with a T-1 (1.544 Mbps) connection. These numbers are significant when
large numbers of compromised machines (often called "botnets" or
"zombies") can be used to generate large amounts of packets that can
be directed at a particular host.

To protect against such injections, RFC 2385 provides a method of
using MD5 signatures on the TCP Headers. If this form of verification
is supported and enabled between two peers, then an attacker would
have to obtain the key used to transmit the packet in order to
successfully inject a packet into the TCP session. Another alternative
would be to tunnel BGP over IPSec. Again, this would provide a form of
authentication between the BGP peers and the data that they transmit.
The lack of authentication when using TCP for BGP makes this type of
attack more viable.

US-CERT is tracking this issue as VU#415294. This
reference number corresponds to CVE candidate CAN-2004-0230.

NISCC is tracking this issue as Vulnerability Advisory 236929.

Impact

Sustained exploitation of the TCP injection vulnerability with regard to
the BGP vulnerability could lead to a denial-of-service condition that
could affect a large segment of the Internet community. Normal operations
would most likely resume shortly after the attack stopped.

Since the TCP/IP Initial
Sequence Number vulnerability (VU#498440) has been proven more viable
of an attack, any services or sites that rely on persistent TCP sessions
could also be affected by this vulnerability. Impacts could range from
data corruption or session hijacking to a denial-of-service condition.

Solution Apply a patch from your vendor

Please see your vendor's statement regarding the availability of
patches, updates and mitigation strategies.

Workaround Deploy and Use Cryptographically Secure Protocols

TCP initial sequence numbers were not designed to provide proof against
TCP connection attacks. The lack of cryptographically-strong security
options for the TCP header itself is a deficiency that technologies like
IPSec try to address. It must be
noted that in the final analysis that if an attacker has the ability to
see unencrypted TCP traffic generated from a site, that site is vulnerable
to various TCP attacks - not just those mentioned here. A stronger measure
that would aid in protecting against such TCP attacks is end-to-end
cryptographic solutions like those outlined in various IPSec documents.

The key idea with an
end-to-end cryptographic solution is that there is some secure
verification that a given packet belongs in a particular stream.
However, the communications layer at which this cryptography is
implemented will determine its effectiveness in repelling ISN based
attacks. Solutions that operate above the Transport Layer (OSI Layer 4),
such as SSL/TLS and SSH1/SSH2, only prevent arbitrary packets from being
inserted into a session. They are unable to prevent a connection reset
(denial of service) since the connection handling will be done by a lower
level protocol (i.e., TCP). On the other hand, Network Layer (OSI Layer
3) cryptographic solutions such as IPSec prevent both arbitrary packets
entering a transport-layer stream and connection resets because connection
management is directly integrated into the secure Network Layer security
model.

The solutions presented above have the desirable attribute of not
requiring any changes to the TCP protocol or implementations to be made.
Some sites may want to investigate hardening the TCP transport layer
itself. RFC2385 ("Protection of
BGP Sessions via the TCP MD5 Signature Option") and other technologies
provide options for adding cryptographic protection within the TCP header
at the cost of some potential denial of service, interoperability, and
performance issues.

Ingress filtering

Ingress filtering manages
the flow of traffic as it enters a network under your administrative
control.

You can configure your BGP routers to only accept packets on a specific
network connection.

Servers are typically the only machines that need to accept inbound
connections from the public Internet.

In the network usage policy of many sites, there are few reasons for
external hosts to initiate inbound connections to machines that provide no
public services.

Thus, ingress filtering should be performed at the border to prohibit
externally initiated inbound connections to non-authorized services.

In this fashion, the effectiveness of many intruder scanning techniques
can be dramatically reduced.

Network Isolation

Complex networks can benefit by separating data channels and control
channels, such as BGP, into different logical or physical
networks. Technologies such as VLANs, VPNs, leased links, and NAT may all
be able to contribute to separating the tranmission of control
information from the transmission of the data stream.

Egress filtering

Egress filtering manages the flow of traffic as it leaves a network
under your administrative control.

There is typically limited need for machines providing public services to
initiate outbound connections to the Internet.

In the case of BGP, only your BGP routers should be establishing
connections to your peers. Other BGP traffic generated on your network
could be a sign of an attempted attack.

Appendix A. Vendor Information

For vendor information, please see NISCC Vulnerability Advisory 236929
or US-CERT Vulnerability Note VU#415294. As
vendors report new information to US-CERT, we will update the
vulnerability note. If a particular vendor is not listed in either
the NISCC advisory, or the vulnerability, we recommend that you
contact them for their comments.

US-CERT thanks Paul Watson, Cisco Systems and NISCC for notifying us
about this problem and for helping us to construct this advisory.

Feedback can be directed to the US-CERT
Technical Staff.

Revision History

• April 20, 2004: Initial release
  
  September 9, 2005: Updated NISCC references
  

  Last updated

Systems Affected  

Systems running Microsoft Windows

  Overview  

There are multiple vulnerabilities in Microsoft Windows that could allow attackers to take control of your computer.

  Description  

Microsoft has released Windows Security Updates for April 2004, which addresses multiple vulnerabilities in the Microsoft Windows operating system. Three of the four updates are considered critical, so users should apply the updates as soon as possible.

A technical description of these vulnerabilities is available from US-CERT in TA04-104A and from Microsoft in MS04-011, MS04-012, MS04-013, and MS04-014.

Resolution Apply a patch

Follow the procedures outlined in Microsoft's Windows Security Updates for April 2004.

References

• US-CERT Technical Alert TA04-104A: Multiple Vulnerabilities in Microsoft Products - <http://www.us-cert.gov/cas/techalerts/TA04-104A.html>
• Microsoft's Windows Security Update for April 2004 - <http://www.microsoft.com/security/security_bulletins/200404_windows.asp>
• Microsoft Security Bulletin MS04-011 - <MS04-011>
• Microsoft Security Bulletin MS04-012 - < MS04-012>
• Microsoft Security Bulletin MS04-013 - <MS04-013>
• Microsoft Security Bulletin MS04-014 - <MS04-014>

Feedback about this alert should be sent to the author, Mindi McDowell, at "US-CERT Security Alerts" at <mailto:[email protected]>. Please include the Subject line "SA04-104A Feedback VU#667571".

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• April 13, 2004: Initial release

  Last updated 

Systems Affected  

• Microsoft Windows Operating Systems
• Microsoft Windows Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) subsystems
• Microsoft Windows MHTML Protocol Handler
• Microsoft Jet Database Engine

  Overview  

Microsoft Corporation has released a series of security bulletins affecting most users of the Microsoft Windows operating system. Users of systems running Microsoft Windows are strongly encouraged to visit the Windows Security Updates for April 2004 and take actions appropriate to their system configurations.

  Description  

Microsoft has released four security bulletins listing a number of vulnerabilities which affect a variety of Microsoft Windows software packages. The following section summarizes the issues identified in their bulletins.

Summary of Microsoft Bulletins for April 2004 Security Bulletin MS04-011: Security Update for Microsoft Windows (835732)

This bulletin addresses 14 vulnerabilities affecting the systems listed below. There are several new vulnerabilities address by this bulletin, and several updates to previously reported vulnerabilities.

Impact

Remote attackers could execute arbitrary code on vulnerable systems.

 

Systems affected

• Windows NT Workstation 4.0
• Windows NT Server 4.0
• Windows NT Server 4.0, Terminal Server Edition
• Windows 2000
• Windows XP
• Windows Server 2003

 

Vulnerability identifiers 

The following table outlines these issues and is based on Microsoft's Security Bulletin:

 

Vulnerability Title US-CERT ID CVE ID Impact of Vulnerability LSASS Vulnerability VU#753212

CAN-2003-0533

 

Remote Code Execution LDAP Vulnerability VU#639428

CAN-2003-0663

 

Denial of Service PCT Vulnerability VU#586540

CAN-2003-0719

 

Remote Code Execution Winlogon Vulnerability VU#471260

CAN-2003-0806

 

Remote Code Execution Metafile Vulnerability VU#547028

CAN-2003-0906

 

Remote Code Execution Help and Support Center Vulnerability VU#260588

CAN-2003-0907

 

Remote Code Execution Utility Manager Vulnerability VU#526084

CAN-2003-0908

 

Privilege Elevation Windows Management Vulnerability VU#206468

CAN-2003-0909

 

Privilege Elevation Local Descriptor Table Vulnerability VU#122076

CAN-2003-0910

 

Privilege Elevation H.323 Vulnerability VU#353956

CAN-2004-0117

 

Remote Code Execution Virtual DOS Machine Vulnerability VU#783748

CAN-2004-0118

 

Privilege Elevation Negotiate SSP Vulnerability VU#638548

CAN-2004-0119

 

Remote Code Execution SSL Vulnerability VU#150236

CAN-2004-0120

 

Denial of Service ASN.1 "Double Free" Vulnerability VU#255924

CAN-2004-0123

 

Remote Code Execution  

 

Security Bulletin MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741)

This bulletin addresses several new vulnerabilities affecting the systems listed below. These vulnerabilities are in Microsoft Windows Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM).

Impact

Remote attackers could execute arbitrary code on vulnerable systems.

 

Systems affected

• Windows NT Workstation 4.0
• Windows NT Server 4.0
• Windows NT Server 4.0, Terminal Server Edition
• Windows 2000
• Windows XP
• Windows Server 2003

 

Vulnerability identifiers 

The following table outlines these issues and is based on Microsoft's Security Bulletin:

 

Vulnerability Title US-CERT ID CVE ID Impact of Vulnerability RPC Runtime Library Vulnerability VU#547820

CAN-2003-0813

 

Remote Code Execution RPCSS Service Vulnerability VU#417052

CAN-2004-0116

 

Denial of Service COM Internet Services (CIS) -- RPC over HTTP Vulnerability VU#698564

CAN-2003-0807

 

Denial of Service Object Identity Vulnerability VU#212892

CAN-2004-0124

 

Information Disclosure   Security Bulletin MS04-013:Cumulative Security Update for Outlook Express (837009)

This bulletin addresses a vulnerability affecting the systems listed below. The vulnerability affects the Microsoft Windows MHTML Protocol handler and any applications that use it, including Microsoft Outlook and Internet Explorer. This vulnerability has been assigned VU#323070 and CAN-2004-0380. 

Note: MS04-013 includes patches remediating the vulnerability described in TA04-099A.
 

Impact

Remote attackers could execute arbitrary code on vulnerable systems.

 

Systems affected

• Windows NT Workstation 4.0
• Windows NT Server 4.0
• Windows NT Server 4.0, Terminal Server Edition
• Windows 2000
• Windows XP
• Windows Server 2003
• Windows 98
• Windows 98 Second Edition (SE)
• Windows Millennium Edition (Windows Me)

 

Note: This issue affects systems with Outlook Express installed. Outlook Express is installed by default on most (if not all) current versions of Microsoft Windows.

Security Bulletin MS04-014: Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)

This bulletin addresses a vulnerability affecting the systems listed below. There is a buffer overflow vulnerability in Microsoft's Jet Database Engine (Jet). An attacker could take control of a vulnerable system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. This vulnerability has been assigned VU#740716 and CAN-2004-0197.

Impact

Remote attackers could execute arbitrary code on vulnerable systems.

 

Systems affected

• Windows NT Workstation 4.0
• Windows NT Server 4.0
• Windows NT Server 4.0, Terminal Server Edition
• Windows 2000
• Windows XP
• Windows Server 2003

 

 

Update to TA04-099A

Microsoft has released a patch that addresses the cross-domain vulnerability discussed in TA04-099A: Vulnerability in Internet Explorer ITS Protocol Handler. US-CERT is tracking this issue as VU#323070. This reference number corresponds to CVE candidate CAN-2004-0380.

The patches and further information about the vulnerability are available in Microsoft Security Bulletin MS04-013. MS04-013 is titled Cumulative Security Update for Outlook Express. Since most (if not all) current Windows systems have Outlook Express installed by default, and the MHTML protocol handler is part of the Outlook Express software package, most (if not all) Windows systems should be considered vulnerable.

TA04-099A and VU#323070 focused on the ITS protocol handlers; however, the latent vulnerability appears to be in the MHTML handler shipped as part of Outlook Express. These documents have been updated.

Impact

Several of the issues identified by Microsoft have been described as Critical in nature. Each bulletin contains at least one vulnerability which may allow remote attackers to execute arbitrary code on affected systems. The privileges gained would depend on the security context of the software and vulnerability exploited.

Solution Apply an appropriate set of updates from Microsoft

Please see the following site for more information about appropriate remediation.

Windows Security Updates for April 2004

Appendix A. Vendor Information

This appendix contains information provided by vendors for this technical alert. As vendors report new information to US-CERT, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Microsoft Corporation

Windows Security Updates for April 2004
Microsoft Security Bulletin MS04-011 - Security Update for Microsoft Windows (835732)
Microsoft Security Bulletin MS04-012 - Cumulative Update for Microsoft RPC/DCOM (828741)
Microsoft Security Bulletin MS04-013 - Cumulative Security Update for Outlook Express (837009)
Microsoft Security Bulletin MS04-014 - Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)

 

Appendix B. References

• Technical Cyber Security Alert TA04-099A: Cross-Domain Vulnerability in Outlook Express MHTML Protocol Handler - http://www.us-cert.gov/cas/techalerts/TA04-099A.html
• US-CERT Cyber Security Alert SA04-104A: Summary of Windows Security Updates for April 2004 - http://www.us-cert.gov/cas/alerts/SA04-104A.html
• Windows Security Updates for April 2004 - http://www.microsoft.com/security/security_bulletins/200404_windows.asp
• Microsoft Security Bulletin MS04-011 - Security Update for Microsoft Windows (835732) - http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
• Microsoft Security Bulletin MS04-012 - Cumulative Update for Microsoft RPC/DCOM (828741) - http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
• Microsoft Security Bulletin MS04-013 - Cumulative Security Update for Outlook Express (837009) - http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx
• Microsoft Security Bulletin MS04-014 - Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) - http://www.microsoft.com/technet/security/bulletin/MS04-014.mspx
• Microsoft Security Response Center Security Bulletin Severity Rating System (Revised, November 2002) - http://www.microsoft.com/technet/security/bulletin/rating.mspx
• Vulnerability Note VU#323070: Outlook Express MHTML protocol handler does not properly validate location of alternate data - http://www.kb.cert.org/vuls/id/323070
• Vulnerability Note VU#547820: Microsoft Windows DCOM/RPC vulnerability - http://www.kb.cert.org/vuls/id/547820
• Vulnerability Note VU#740716: Microsoft Jet Database Engine database request handling buffer overflow - http://www.kb.cert.org/vuls/id/740716

 

Feedback: US-CERT Technical Alerts

Revision History

• April 13, 2004: Initial release
  April 14, 2004: Updated Vulnerability Note links
   

  Last updated 

Systems Affected  

• Microsoft Windows systems

  Overview  

A cross-domain vulnerability in the Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler could allow an attacker to execute arbitrary code with the privileges of the user invoking the handler. The attacker may also be able to read and manipulate data on web sites in other domains or zones.

  Description  

There is a cross-domain vulnerability in the way the Outlook Express MHTML protocol handler (mhtml:) determines the security domain of data referenced by a URL that specifies an alternate location. When the MHTML handler references an inaccessible or non-existent file, the handler can access a file from an alternate location. The MHTML handler incorrectly treats the file from the alternate location as if it were in the same domain as the unavailable file.

The MHTML protocol handler is considered to be part of Outlook Express and is installed by default on all current Windows systems. The MHTML protocol handler is effectively a shared Windows component. Any program that exposes an MHTML protocol reference to the operating system will invoke the handler, typically using Internet Explorer (IE).

Programs that use the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Internet Explorer, Outlook, and Outlook Express are all examples of such programs.

 

US-CERT is tracking this issue as VU#323070. This reference number corresponds to CVE candidate CAN-2004-0380.

Impact

By convincing a victim to view an HTML document such as a web page or HTML email message, an attacker could access data or execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user invoking the MHTML handler. The attacker may also be able to read or modify data in other web sites (including reading cookies or content and modifying or creating content).

Publicly available exploit code exists for this vulnerability. US-CERT has monitored incident reports that indicate that this vulnerability is being exploited. The Ibiza trojan, variants of W32/Bugbear, and BloodHound.Exploit.6 are some examples of malicious code that exploit this vulnerability. Any arbitrary payload could be delivered via this vulnerability, and different anti-virus vendors may identify malicious code with different names.

Most of the observed exploit code uses InfoTech Storage (ITS) protocol handlers and Compiled HTML Help (CHM) files to parse an HTML file in the Local Machine Zone. CHM files use the InfoTech Storage (ITS) format to store components such as HTML files, graphic files, and ActiveX objects, and Windows provides several protocol handlers that can access ITS files and individual CHM components: its:, ms-its:, ms-itss:, and mk:@MSITStore:.

When referencing an inaccessible or non-existent MHTML file using the ITS and mhtml: protocols, IE can access a CHM file from an alternate location. Because of the vulnerability in the MHTML handler, IE incorrectly treats the CHM file as if it were in the same domain as the unavailable MHTML file. Using a specially crafted URL, an attacker can cause arbitrary script in a CHM file to be executed in a different domain, violating the cross-domain security model.

Any programs, including other web browsers, that use the Windows protocol handlers (URL monikers) for ITS or MHTML protocols could function as attack vectors. Also, due to the way that IE determines MIME types, HTML and CHM files may not have the expected file name extensions (.htm/.html and .chm respectively).

 

A malicious web site or email message may contain HTML similar to the following:

ms-_its:_mhtml:_file://C:\nosuchfile.mht!_http://www.example.com//exploit._chm::exploit.html 
(This URL is intentionally modified to avoid detection by anti-virus software.)

In this example, HTML and script in exploit.html will be executed in the security context of the Local Machine Zone. It is common practice for exploit.html to either contain or download an executable payload such as a backdoor, trojan horse, virus, bot, or other malicious code.

Note that it is possible to encode a URL in an attempt to bypass HTTP content inspection or anti-virus software.

 

Solution

Install a patch

Install the appropriate cumulative patch for Outlook Express according to Microsoft Security Bulletin MS04-013.

Disable ITS and MHTML protocol handlers

Disabling the ITS and MHTML protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk,mhtml}

Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.

 

Follow good Internet security practices

These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities. Additional recommendations can be found under Mitigating factors and Workarounds in the Vulnerability Details section of MS04-013.

• Disable Active scripting and ActiveX controls
  
  NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.
  
  Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.
  
  Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.

   

• Do not follow unsolicited links

  Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.

• Maintain updated anti-virus software

  Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

Appendix A. Vendor Information

Microsoft Corporation

Please see Microsoft Security Bulletin MS04-013.

 

Appendix B. References

• Vulnerability Note VU#323070 - <http://www.kb.cert.org/vuls/id/323070>
• US-CERT Computer Virus Resources - <http://www.us-cert.gov//reading_room/virus.html>
• CVE CAN-2004-0380 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380>
• Microsoft Security Bulletin MS04-013 - <http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx>
• Introduction to URL Security Zones - <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp>
• About Cross-Frame Scripting and Security - <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp>
• MIME Type Determination in Internet Explorer - <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>
• URL Monikers - <http://msdn.microsoft.com/workshop/networking/moniker/monikers.asp>
• Asynchronous Pluggable Protocols - <http://msdn.microsoft.com/workshop/networking/pluggable/pluggable.asp>
• Microsoft HTML Help 1.4 SDK - <http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Start.asp>
• Microsoft Knowledge Base Article 182569 - <http://support.microsoft.com/default.aspx?scid=182569>
• Microsoft Knowledge Base Article 174360 - <http://support.microsoft.com/default.aspx?scid=174360>
• Microsoft Knowledge Base Article 833633 - <http://support.microsoft.com/default.aspx?scid=833633>
• Windows XP Service Pack 2 Technical Preview - <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx>
• AusCERT Update AU-2004.007 - <http://www.auscert.org.au/3990>

 

This vulnerability was reported by Liu Die Yu. Thanks to http-equiv for additional research and collaboration.

Feedback can be directed to the author: Art Manion.

Revision History

• April 8, 2004: Initial release
  April 13, 2004: Added patch and vendor information (MS04-013), credited Liu Die Yu, updated vulnerability, impact, and workaround information about MHTML
  April 23. 2004: Thanked http-equiv April 26, 2004: Further modified sample exploit URL to minimize AV detection

  Last updated 

Systems Affected  

Continuing Threats to Home Users

View Previous Alerts

Alert (SA04-079A)

Continuing Threats to Home Users

Original Release date: March 19, 2004 | Last revised: --

Overview  

There are a number of pieces of malicious code spreading on the Internet through email attachments, peer-to-peer file sharing networks and known software vulnerabilities.

Intruders target home users who have cable modem and DSL connections because many home users do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling email attachments. Everyone should take precautions, patch vulnerabilities, and recover if you have been compromised.

Current Threats

US-CERT is currently tracking the incident activity related to several pieces of malicious code - Phatbot, W32/Beagle, W32/Netsky and W32/MyDoom.

• Phatbot Trojan Horse

  The Phatbot Trojan Horse is a piece of malicious code that allows a remote attacker to control a large number of systems. Phatbot attempts to propagate by exploiting vulnerabilities in the Microsoft Windows operating system for which users have not applied the available patches. If your computer is infected a remote attacker will have access to your files and programs.

• W32/Beagle Virus

  The W32/Beagle virus is a mass-mailing virus that arrives as an attachment to an email message. To be infected, a user must open the attachment. There are many variants of this virus. Some may require a password which is included in the email message.

• W32/Netsky Virus

  The Netsky.B virus, described in IN-2004-02, is a mass-mailing virus that attempts to propagate either as an attachment to an email message or by copying itself to Windows network shares.

• W32/MyDoom Virus

  The MyDoom virus, described in TA04-028A, is a mass-mailing virus that attempts to propagate as an attachment to an email message.

Protective Measures

There are steps you can take to better protect your system from these attacks:

1. Apply Patches

   Many viruses spread by exploiting known vulnerabilities in unpatched systems. It is very important for users to apply security-related patches to their operating systems and applications.

2. Install and Maintain Anti-Virus Software

   US-CERT strongly recommends using anti-virus software. Most current anti-virus software products detect and alert the user of viruses. It is important to keep them up to date with current virus and attack signatures supplied by the software vendor. Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

3. Deploy a Firewall

   US-CERT also recommends using a firewall product. In some situations, these products may be able to alert users to the fact that their machine has been compromised. Furthermore, they have the ability to block intruders from accessing backdoors over the network. However, no firewall can detect or stop all attacks, so it is important to continue to follow safe computing practices.

4. Follow Best Practices

   The technical measures listed above do not provide a complete solution for securing a system. There are some best practices you can follow:

   • Do not download, install, or run a program unless you know it was written by a person or company that you trust.
   • Email users should be wary of unexpected attachments. Be sure you know the source of an attachment before opening it. Also remember that it is not enough that the mail originated from an email address you recognize. Many viruses spread precisely because they originate from a familiar email address.
   • Users should also be wary of URLs in email or instant messages. URLs can link to malicious content that in some cases may be executed without user intervention. A common social engineering technique known as "phishing" uses misleading URLs to entice users to visit malicious web sites. These sites spoof legitimate web sites to solicit sensitive information such as passwords or account numbers.
   • In addition, users of Internet Relay Chat (IRC), Instant Messaging (IM), and file-sharing services should be particularly careful of following links or running software sent to them by other users. These are commonly used methods among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.

   For additional information about securing home systems and networks, please see the references below.

Recovery

If the protective measures above, or other indicators, reveal that a system has already been compromised, more drastic steps need to be taken to recover. In general, the only way to ensure that a compromised computer is free from backdoors and intruder modifications is to re-install t

  Description  

Continuing Threats to Home Users

View Previous Alerts

Alert (SA04-079A)

Continuing Threats to Home Users

Original Release date: March 19, 2004 

Overview

There are a number of pieces of malicious code spreading on the Internet through email attachments, peer-to-peer file sharing networks and known software vulnerabilities.

Intruders target home users who have cable modem and DSL connections because many home users do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling email attachments. Everyone should take precautions, patch vulnerabilities, and recover if you have been compromised.

Current Threats

US-CERT is currently tracking the incident activity related to several pieces of malicious code - Phatbot, W32/Beagle, W32/Netsky and W32/MyDoom.

• Phatbot Trojan Horse

  The Phatbot Trojan Horse is a piece of malicious code that allows a remote attacker to control a large number of systems. Phatbot attempts to propagate by exploiting vulnerabilities in the Microsoft Windows operating system for which users have not applied the available patches. If your computer is infected a remote attacker will have access to your files and programs.

• W32/Beagle Virus

  The W32/Beagle virus is a mass-mailing virus that arrives as an attachment to an email message. To be infected, a user must open the attachment. There are many variants of this virus. Some may require a password which is included in the email message.

• W32/Netsky Virus

  The Netsky.B virus, described in IN-2004-02, is a mass-mailing virus that attempts to propagate either as an attachment to an email message or by copying itself to Windows network shares.

• W32/MyDoom Virus

  The MyDoom virus, described in TA04-028A, is a mass-mailing virus that attempts to propagate as an attachment to an email message.

Protective Measures

There are steps you can take to better protect your system from these attacks:

1. Apply Patches

   Many viruses spread by exploiting known vulnerabilities in unpatched systems. It is very important for users to apply security-related patches to their operating systems and applications.

2. Install and Maintain Anti-Virus Software

   US-CERT strongly recommends using anti-virus software. Most current anti-virus software products detect and alert the user of viruses. It is important to keep them up to date with current virus and attack signatures supplied by the software vendor. Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

3. Deploy a Firewall

   US-CERT also recommends using a firewall product. In some situations, these products may be able to alert users to the fact that their machine has been compromised. Furthermore, they have the ability to block intruders from accessing backdoors over the network. However, no firewall can detect or stop all attacks, so it is important to continue to follow safe computing practices.

4. Follow Best Practices

   The technical measures listed above do not provide a complete solution for securing a system. There are some best practices you can follow:

   • Do not download, install, or run a program unless you know it was written by a person or company that you trust.
   • Email users should be wary of unexpected attachments. Be sure you know the source of an attachment before opening it. Also remember that it is not enough that the mail originated from an email address you recognize. Many viruses spread precisely because they originate from a familiar email address.
   • Users should also be wary of URLs in email or instant messages. URLs can link to malicious content that in some cases may be executed without user intervention. A common social engineering technique known as "phishing" uses misleading URLs to entice users to visit malicious web sites. These sites spoof legitimate web sites to solicit sensitive information such as passwords or account numbers.
   • In addition, users of Internet Relay Chat (IRC), Instant Messaging (IM), and file-sharing services should be particularly careful of following links or running software sent to them by other users. These are commonly used methods among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.

   For additional information about securing home systems and networks, please see the references below.

Recovery

If the protective measures above, or other indicators, reveal that a system has already been compromised, more drastic steps need to be taken to recover. In general, the only way to ensure that a compromised computer is free from backdoors and intruder modifications is to re-install the operating system and install patches before connecting back to the network. Sometimes using an anti-virus software package to "clean" the system may not be enough.

References

• Before You Connect a New Computer to the Internet - http://www.us-cert.gov/reading_room/before_you_plug_in.html
• Home Network Security - http://www.us-cert.gov/reading_room/home-network-security/
• Home Computer Security - http://www.us-cert.gov/reading_room/HomeComputerSecurity/
• Understanding Firewalls - http://www.us-cert.gov/cas/tips/ST04-004.html
• Good Security Habits - http://www.us-cert.gov/cas/tips/ST04-003.html
• Choosing and Protecting Passwords - http://www.us-cert.gov/cas/tips/ST04-002.html

Authors: Brian B. King, Damon Morda

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• March 19, 2004: Initial release
   

Last updated 

Systems Affected  

• Applications and systems that use the OpenSSL SSL/TLS library

  Overview  

Several vulnerabilities in the OpenSSL SSL/TLS library could allow an unauthenticated, remote attacker to cause a denial of service.

  Description  

OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications including HTTP, IMAP, POP3, SMTP, and LDAP. OpenSSL is widely deployed across a variety of platforms and systems. In particular, many routers and other types of networking equipment use OpenSSL.

The U.K. National Infrastructure Security Co-ordination Centre (NISCC) and the OpenSSL Project have reported three vulnerabilities in the OpenSSL SSL/TLS library (libssl). Any application or system that uses this library may be affected.

VU#288574 - OpenSSL contains null-pointer assignment in do_change_cipher_spec() function

Versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and 0.9.7a to 0.9.7c inclusive contain a null-pointer assignment in the do_change_cipher_spec() function. By performing a specially crafted SSL/TLS handshake, an attacker could cause OpenSSL to crash, which may result in a denial of service in the target application.
(Other resources: OpenSSL Security Advisory (1.), CAN-2004-0079, NISCC/224012/OpenSSL/1)

VU#484726 - OpenSSL does not adequately validate length of Kerberos tickets during SSL/TLS handshake

Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL do not adequately validate the length of Kerberos tickets (RFC 2712) during an SSL/TLS handshake. OpenSSL is not configured to use Kerberos by default. By performing a specially crafted SSL/TLS handshake with an OpenSSL system configured to use Kerberos, an attacker could cause OpenSSL to crash, which may result in a denial of service in the target application. OpenSSL 0.9.6 is not affected.
(Other resources: OpenSSL Security Advisory (2.), CAN-2004-0112, NISCC/224012/OpenSSL/2)

VU#465542 - OpenSSL does not properly handle unknown message types

OpenSSL prior to version 0.9.6d does not properly handle unknown SSL/TLS message types. An attacker could cause the application using OpenSSL to enter an infinite loop, which may result in a denial of service in the target application. OpenSSL 0.9.7 is not affected.
(Other resources: CAN-2004-0081, NISCC/224012/OpenSSL/3)

Impact

An unauthenticated, remote attacker could cause a denial of service in any application or system that uses a vulnerable OpenSSL SSL/TLS library.

Solution Upgrade or Apply a patch from your vendor

Upgrade to OpenSSL 0.9.6m or 0.9.7d. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to the OpenSSL SSL/TLS library.

Appendix A. Vendor Information

Multiple vendors are affected by different combinations of these vulnerabilities. For updated information, please see the Systems Affected sections of VU#288574, VU#484726, and VU#465542.

 

Appendix B. References

• US-CERT Technical Cyber Security Alert TA04-078A - <http://www.us-cert.gov/cas/techalerts/TA04-078A.html>
• Vulnerability Note VU#288574 - <http://www.kb.cert.org/vuls/id/288574>
• Vulnerability Note VU#484726 - <http://www.kb.cert.org/vuls/id/484726>
• Vulnerability Note VU#465542 - <http://www.kb.cert.org/vuls/id/465542>
• OpenSSL Security Advisory [17 March 2004] - <http://www.openssl.org/news/secadv_20040317.txt>
• NISCC Vulnerability Advisory 224012 - <http://www.uniras.gov.uk/vuls/2004/224012/index.htm>
• CAN-2004-0079 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079>
• CAN-2004-0112 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112>
• CAN-2004-0081 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081>
• RFC 2712 Addition of Kerberos Cipher Suites to Transport Layer Security (TLS) - <http://www.ietf.org/rfc/rfc2712.txt>

 

These vulnerabilities were researched and reported by the OpenSSL Project and the U.K. National Infrastructure Security Co-ordination Centre (NISCC).

Feedback can be directed to the authors: Art Manion and Damon Morda.

Revision History

• March 18, 2004: Initial release
  March 19, 2004: Added CVE CAN references VU# links
   

  Last updated 

Systems Affected  

Systems running Microsoft Office XP and Outlook 2002

  Overview  

There is a vulnerability in Outlook 2002 that could allow attackers to take control of your computer.

  Description  

By taking advantage of the way Outlook interprets email links, an attacker may be able to gain control of your computer.

A technical description of these vulnerabilities is available from US-CERT in TA04-070A and from Microsoft in MS04-009.

Resolution Apply a patch

Microsoft's Office Security Update for March 2004 links to the necessary patches.

References

• US-CERT Technical Alert TA04-070A - <http://www.us-cert.gov/cas/techalerts/TA04-070A.html>
• Microsoft's Office Security Update for March 2004 - <http://www.microsoft.com/security/security_bulletins/20040309_office.asp>
• Microsoft Security Bulletin MS04-009 - <http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx>

This document is available from <http://www.us-cert.gov/cas/alerts/SA04-070A.html>

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• March 10, 2004: Initial release

  Last updated 

Systems Affected  

Systems running Microsoft Windows

  Overview  

Microsoft Windows contains multiple vulnerabilities, the most serious of which could allow attackers to take control of your computer.

  Description  

Microsoft's updated Home User Security Bulletin for February 2004 describes more vulnerabilities in the Microsoft Windows operating system. Microsoft is tracking these issues as Security Update 828028.

It is unclear at this time how many different ways your computer can be compromised using these vulnerabilities, so we recommend you apply the updates below as soon as possible. A technical description of these vulnerabilities is available from US-CERT in TA04-041A and from Microsoft in MS04-007.

Resolution Apply a patch

Microsoft has released a home user bulletin describing how to determine what patches you will need and how to get them. Follow the procedures outlined in Microsoft's updated Home User Security Bulletin for February 2004.

For additional information, and to receive updates on this alert, go to http://www.us-cert.gov/cas/alerts/SA04-041A.html

References

• US-CERT Technical Alert TA04-041A - <http://www.us-cert.gov/cas/techalerts/TA04-041A.html>
• Microsoft's Updated Home User Security Bulletin for February 2004 - <http://www.microsoft.com/security/security_bulletins/20040210_windows.asp>
• Microsoft Security Bulletin MS04-007 - <http://www.microsoft.com/technet/security/bulletin/MS04-007.asp>
• Microsoft Knowledge Base Article 828028: An ASN.1 vulnerability could allow code execution - <http://support.microsoft.com/?kbid=828028>

This document is available from <http://www.us-cert.gov/cas/alerts/SA04-041A.html>

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• February 10, 2004: Initial release

  Last updated 

Systems Affected  

• Check Point Firewall-1 NG FCS
• Check Point Firewall-1 NG FP1
• Check Point Firewall-1 NG FP2
• Check Point Firewall-1 NG FP3, HF2
• Check Point Firewall-1 NG with Application Intelligence R54
• Check Point Firewall-1 NG with Application Intelligence R55

 

  Overview  

Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges. This allows the attacker to take control of the firewall and the server it runs on.

 

  Description  

The Application Intelligence (AI) component of Check Point Firewall-1 is an application proxy that scans traffic for application layer attacks once it has passed through the firewall at the network level. Earlier versions of Firewall-1 include the HTTP Security Server, which provides similar functionality.

Both the AI and HTTP Security Server features contain an HTTP parsing vulnerability that is triggered by sending an invalid HTTP request through the firewall. When Firewall-1 generates an error message in response to the invalid request, a portion of the input supplied by the attacker is included in the format string for a call to sprintf().

Researchers at Internet Security Systems have determined that it is possible to exploit this format string vulnerability to execute commands on the firewall. The researchers have also determined that this vulnerability can be exploited as a heap overflow, which would allow an attacker to execute arbitrary code. In either case, the commands or code executed by the attacker would run with administrative privileges, typically "SYSTEM" or "root". For more information, please see the ISS advisory at:

http://xforce.iss.net/xforce/alerts/id/162

The CERT/CC is tracking this issue as VU#790771. This reference number corresponds to CVE candidate CAN-2004-0039.

Impact

This vulnerability allows remote attackers to execute arbitrary code on affected firewalls with administrative privileges, typically "SYSTEM" or "root".

Solution Apply the patch from Check Point

Check Point has published a "Firewall-1 HTTP Security Server Update" that modifies the error return strings used when an invalid HTTP request is detected. For more information, please see the Check Point bulletin at:

http://www.checkpoint.com/techsupport/alerts/security_server.html

Disable the affected components

Check Point has reported that their products are only affected by this vulnerability if the HTTP Security Servers feature is enabled. Therefore, affected sites may be able to limit their exposure to this vulnerability by disabling HTTP Security Servers or the Application Intelligence component, as appropriate.

This vulnerability was discovered and researched by Mark Dowd of ISS X-Force.

This document was written by Jeffrey P. Lanza.

This document is available from http://www.us-cert.gov/cas/techalerts/TA04-036A.html

Revision History

• 02/05/2004: Initial release
  02/06/2004: Updated Solution section
  02/06/2004: Updated Overview and Impact sections
   

  Last updated 

Systems Affected  

Microsoft Windows systems running

• Internet Explorer 5.01
• Internet Explorer 5.50
• Internet Explorer 6

Previous versions that are no longer supported may also be affected.

 

  Overview  

Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow attackers in any location to run programs of their choice on your computer using the same privileges as you have.

Quick Links

Patch Information | Problem Description | References 

  Description  

Microsoft's Home User Security Bulletin for February 2004 describes three vulnerabilities in Internet Explorer (IE).

Note that in addition to IE, any applications that use IE to interpret HTML documents, such as email programs, may present additional ways for these vulnerabilities to be used. 

These vulnerabilities have different impacts, ranging from disguising the true location of a URL to executing computer commands or code, essentially taking over control of your computer and any data on it. The attacker could exploit this vulnerability by convincing you, the victim, to access a specially crafted HTML document such as a web page or HTML email message. Your computer can be compromised simply by viewing the attacker's HTML document with Internet Explorer. 

 

A technical description of these vulnerabilities is available from US-CERT in TA04-033A and from Microsoft in MS04-004.

Resolution Apply a patch

Microsoft has released a home user bulletin describing how to determine what patches you will need and how to get them. Follow the procedures outlined in Microsoft's Home User Security Bulletin for February 2004.

For additional information, and to receive updates on this alert, go to http://www.us-cert.gov.

References

• US-CERT Technical Alert TA04-033A - <http://www.us-cert.gov/cas/techalerts/TA04-033A.html>
• Microsoft's Home User Security Bulletin for February 2004 - <http://www.microsoft.com/security/security_bulletins/20040202_windows.asp>
• Microsoft Security Bulletin MS04-004 - <http://www.microsoft.com/technet/security/bulletin/MS04-004.asp>

This document is available from <http://www.us-cert.gov/cas/alerts/SA04-033A.html>

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• February 02, 2004: Initial release

  Last updated 

Systems Affected  

Any system running Microsoft Windows (Windows 95 and newer) that are used for reading email or accessing peer-to-peer file sharing services.

  Overview  

A new variant of the previously discovered MyDoom virus, MyDoom.B, has been identified. In addition to the common traits of email-borne viruses, this virus may prevent your computer from updating anti-virus and other software.

  Description  

 

Quick Links
Protect | Identify | Recover

Protect Your Systems

To protect your systems from infection by this virus, we recommend that you take the following steps. In addition to these steps, US-CERT encourages home users to review the "Home Network Security" and "Home Computer Security" documents.

• Avoid opening attachments from suspicious email messages

Emails sent out by Mydoom.B are generated randomly. The From address may also be spoofed to appear as though the message is from a different address.

The subject of the message will include one of the following:

• Delivery Error
• hello
• Error
• Mail Delivery System
• Mail Transaction Failed

• Returned mail
• Server Report
• Status
• Unable to deliver the message

Not all email messages with these subject lines carry the MyDoom.B virus, some may be legitimate status messages.

The message body will include one of the following:

• RANDOMIZED CHARACTERS
• test
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
• sendmail daemon reported: Error #804 occured during SMTP session. Partial message has been received.
• The message contains Unicode characters and has been sent as a binary attachment.
• The message contains MIME-encoded graphics and has been sent as a binary attachment.
• Mail transaction failed. Partial message is available.

The attachment will have one of the following filenames:

• body
• doc
• text
• document

• data
• file
• readme
• message

The filename also contains an extension (.exe, .bat, .scr, .cmd, or .pif). When the attachment is opened, the MyDoom.B virus is launched and the system is infected.

• Run and maintain an antivirus product

It is important that you use antivirus software and keep it up to date. Most antivirus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many antivirus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible.

You may wish to read CERT Incident Note IN-2003-01 for more information on anti-virus software and security issues.

• Do not run programs of unknown origin

Do not download, install, or run a program unless it was written by a person or company that you trust.

Email users should be wary of unexpected attachments. Be sure you know the source of an attachment before opening it. Also remember that it is not enough that the mail originated from an email address you recognize. The Melissa virus spread precisely because it originated from a familiar email address.

In addition, MyDoom.B attempts to spread through file-sharing services like KaZaA. Peer-to-peer file sharing users should be particularly careful of running software sent to them by other users. This is a commonly used method among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.

• Use a personal firewall

A personal firewall will not necessarily protect your system from an email-borne virus, but a properly configured personal firewall may prevent the virus from downloading additional components or launching attacks against other systems.

How to Identify a MyDoom.B Infection

To confirm that your system has been infected with the MyDoom.B virus, perform the following steps.

• Check the 'hosts' file

MyDoom.B overwrites the Windows 'hosts' file. The file it replaces it with will probably prevent your system from accessing your antivirus vendor's web site as well as some other web sites. You can check your hosts file by following these steps:

Windows NT/2000/XP Systems

1. Click on the Start menu and select Run
2. In the dialog box that appears, type cmd and hit OK (a DOS window should appear)
3. At the prompt in the DOS window type type %windir%\system32\drivers\etc\hosts
4. If you see multiple lines starting with 0.0.0.0, your system is probably infected

Windows 95/98/Me Systems

1. Click on the Start menu and select Run
2. In the dialog box that appears, type command and hit OK (a DOS window should appear)
3. At the prompt in the DOS window type type %windir%\hosts
4. If you see multiple lines starting with 0.0.0.0, your system is probably infected

• Check for files left by the virus

MyDoom.B drops several files on an infected computer. The existence of these files is a good indication of infection. Be aware that thereare legitimate Windows files with names similar to those left by the virus. Only files with these names and in these specific directories indicate an infection.

Windows NT/2000/XP Systems

1. Click on the Start menu, select Search and then select For Files and Folders
2. In the search box type explorer.exe
3. The existence of explorer.exe in the System32 directory (typically C:\Windows\System32) is an indication of infection
4. In the search box type ctfmon.dll
5. The existence of ctfmon.dll in the System32 directory (typically C:\Windows\System32) is another indication of infection

Windows 95/98/Me Systems

1. Click on the Start menu, select Search
2. In the search box type explorer.exe
3. The existence of explorer.exe in the System directory (typically C:\Windows\System) is an indication of infection
4. In the search box type ctfmon.dll
5. The existence of ctfmon.dll in the System directory (typically C:\Windows\System) is another indication of infection

• Examine the Windows Registry

The MyDoom.B virus also makes some changes to the Windows registry. Users who are unfamiliar with the registry should probably skip this step because it may cause serious damage to the operating system if accidental changes are made.

Windows 95/98/Me/NT/2000/XP Systems

1. At a DOS command prompt, type regedit.exe (the registry editor should appear)
2. Search the Registry for the value Explorer=C:\WINDOWS\system32\explorer.exe in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
3. The existence of this value is an indication of MyDoom.B infection

If Your System is Infected

If your system is infected, you will probably be unable to access your antivirus vendor's web site for assistance due to some changes the virus has made to your system. If this is the case, follow these steps to delete a file installed by the virus (do not do this unless you are infected; it may affect the normal operation of your system):

Windows NT/2000/XP Systems

1. Click on the Start menu and select Run
2. In the dialog box that appears, type del %windir%\system32\drivers\etc\hosts

Windows 95/98/Me Systems

1. Click on the Start menu and select Run
2. In the dialog box that appears, type del %windir%\hosts

After deleting this file, you should be able to access your antivirus vendor's web site, obtain the updates to your antivirus software and perform a full scan of your system. Some antivirus vendors may produce a Removal Tool and make it available on their web site. If your vendor provides such a tool, you may want to use it first.

If you are still unsuccessful at removing the virus, contact your antivirus vendor to obtain further assistance with removal and recovery.

Additional Information

For additional technical details about this virus, please see US-CERT Technical Alert TA04-028A.html

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

• January 28, 2004: Initial release
  January 30, 2004: Added formatting, revised content

  Last updated