Microsoft security alert.
December 14, 2004
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 9 vulnerabilities that were fixed in 5 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 5 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
Microsoft WordPad Remote Code Execution (MS04-041)
- Severity: Urgent 5
- Qualys ID: 90202
- Vendor Reference: MS04-041
- CVE Reference: CVE-2004-0571, CVE-2004-0901
- CVSS Scores: Base 10 / Temporal 7.4
- Description: A remote code execution vulnerability exists in the Microsoft Word for Windows 6.0 Converter. If a user is logged on with administrative privileges, an attacker who successfully exploits this vulnerability could take complete control of the affected system. However, user interaction is required to exploit this vulnerability.
- Consequence: An attacker may take control of the system.
- Solution: Patch: Following are links for downloading patches to fix the vulnerabilities:
  - Microsoft Windows NT Server 4.0 Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=AC2DE442-6C98-4545-8072-2BE4064466CD
  - Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6: http://www.microsoft.com/downloads/details.aspx?FamilyId=A49CC5E2-1072-4BF6-A7F3-029957EBB1C2
  - Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=C4B9D079-13F0-4E1E-834B-D2077838B9E1
  - Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2: http://www.microsoft.com/downloads/details.aspx?FamilyId=703DE7D8-68D9-4A92-8C59-87221F89EF14
  - Microsoft Windows XP 64 Bit Edition Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=A7A5077B-4BF0-441A-AB43-D6A5E1B698E9
  - Microsoft Windows XP 64 Bit Edition Version 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=005930C0-4C3F-4FD3-9E08-D586632C5486
  - Microsoft Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=D1747015-10C8-411F-8C26-773B59008FD8
  - Microsoft Windows Server 2003 64 Bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=005930C0-4C3F-4FD3-9E08-D586632C5486

  Refer to Microsoft Security Bulletin MS04-041 for further details.
Microsoft DHCP Remote Code Execution and Denial of Service (MS04-042)
- Severity: Urgent 5
- Qualys ID: 90203
- Vendor Reference: MS04-042
- CVE Reference: CVE-2004-0899, CVE-2004-0900
- CVSS Scores: Base 10 / Temporal 7.4
- Description:
  A denial of service vulnerability exists that could allow an attacker to send a specially crafted DHCP message to a DHCP server. An attacker could cause the DHCP service to stop responding.
  A remote code execution vulnerability exists that could allow an attacker to send a specially crafted DHCP message to a DHCP server. However, attempts to exploit this vulnerability would most likely result in a denial of service of the DHCP Server service.
- Consequence: An attacker may take complete control of the system through successful exploitation.
- Solution: Patch: Following are links for downloading patches to fix the vulnerabilities:
  - Microsoft Windows NT Server 4.0 Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=7CC7F82D-F2A2-49AA-BF33-897498898EAD
  - Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6: http://www.microsoft.com/downloads/details.aspx?FamilyId=69F3259F-3004-462C-B2A8-37F65EB78A2D

  Refer to Microsoft Security Bulletin MS04-042 for further details.
Microsoft HyperTerminal Remote Code Execution (MS04-043)
- Severity: Critical 4
- Qualys ID: 115036
- Vendor Reference: MS04-043
- CVE Reference: CVE-2004-0568
- CVSS Scores: Base 10 / Temporal 8.3
- Description: A remote code execution vulnerability exists in HyperTerminal because of a buffer overrun. An attacker could exploit the vulnerability by constructing a malicious HyperTerminal session file that could potentially allow remote code execution. An attacker could then persuade a user to open this file. An attacker could also attempt to exploit this vulnerability through a malicious Telnet URL if HyperTerminal has been set as the default Telnet client.
- Consequence: An attacker who successfully exploits this vulnerability could take complete control of the affected system.
- Solution: Patch: Following are links for downloading patches to fix the vulnerabilities:
  - Microsoft Windows NT Server 4.0 Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=4C87AF7B-0EE5-4761-AD58-3698D39B62BE
  - Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6: http://www.microsoft.com/downloads/details.aspx?FamilyId=D9F22FA6-1C9B-442A-BA6F-7584DB61C9C2
  - Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=DA3DD6C9-DB7E-40A6-AFD0-5ED87C42190D
  - Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2: http://www.microsoft.com/downloads/details.aspx?FamilyId=96BBD220-5E2A-43AD-B8B7-54EC608BD8BE
  - Microsoft Windows XP 64 Bit Edition Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=4970DA24-8C3B-4D99-8F89-13E8AF2E4382
  - Microsoft Windows XP 64 Bit Edition Version 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=06662D6D-E397-40F7-A7A6-9330FBA17EBF
  - Microsoft Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=3A36E94B-A39F-4B56-8A2D-42F1089DD158
  - Microsoft Windows Server 2003 64 Bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=06662D6D-E397-40F7-A7A6-9330FBA17EBF

  Refer to Microsoft Security Bulletin MS04-043 for further details.
Microsoft Windows Local Privilege Escalation (MS04-044)
- Severity: Critical 4
- Qualys ID: 90201
- Vendor Reference: MS04-044
- CVE Reference: CVE-2004-0893, CVE-2004-0894
- CVSS Scores: Base 7.2 / Temporal 5.6
- Description: Two local privilege escalation vulnerabilities were reported for Microsoft Windows. These include a Windows kernel bug that involves an unchecked LPC buffer, and another in LSASS that involves insufficient logon-credentials validation. Check Microsoft Security Bulletin MS04-044 for details of these vulnerabilities.
- Consequence: Local authenticated users could gain elevated privileges and take control of the system.
- Solution: Patch: Following are links for downloading patches to fix the vulnerabilities:
  - Microsoft Windows NT Server 4.0 Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=325EAA8F-AF09-4839-B9E8-BB218C7A8564
  - Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6: http://www.microsoft.com/downloads/details.aspx?FamilyId=9823A61F-C69F-403A-BD6A-EF3984BFA2B8
  - Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=EFDEA122-DDA4-40B8-A7AF-9DDCC3870C38
  - Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2: http://www.microsoft.com/downloads/details.aspx?FamilyId=27115D5C-3E4A-4F41-B81E-376AA1CD204F
  - Microsoft Windows XP 64 Bit Edition Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=1649AE1E-0ABF-4D31-BE12-3982C5146AE8
  - Microsoft Windows XP 64 Bit Edition Version 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=95849AB9-36BF-4A90-BC37-3B4FB6DCDF9A
  - Microsoft Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=AACB97CB-E8F0-461F-B2D2-F1065229B64E
  - Microsoft Windows Server 2003 64 Bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=95849AB9-36BF-4A90-BC37-3B4FB6DCDF9A

  Refer to Microsoft Security Bulletin MS04-044 for further details.
Microsoft Windows WINS Replication Buffer Overflow Vulnerability (MS04-045)
- Severity: Urgent 5
- Qualys ID: 90199
- Vendor Reference: MS04-045
- CVE Reference: CVE-2004-0567, CVE-2004-1080
- CVSS Scores: Base 10 / Temporal 8.3
- Description:
  Microsoft Windows Internet Name Service (WINS) allows the mapping of NetBIOS names to IP addresses and vice versa. WINS servers allow users to browse for local resources on the network using computer names.
  A remote code execution vulnerability exists in WINS because of the way it handles computer name validation: the method that WINS uses to validate the Name value in a specially crafted packet contains an unchecked buffer.
  The second remote code execution vulnerability exists due to the method used by WINS to validate association context data.
  Note that WINS is not installed by default.
- Consequence: This issue could potentially be exploited remotely by a WINS client to execute arbitrary code with SYSTEM level privileges on a target WINS server.
- Solution: Patch: Following are links for downloading patches to fix the vulnerabilities:
  - Microsoft Windows NT Server 4.0 Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=38E9DB8C-5C43-4E9A-9DC9-97C2686A45F1
  - Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6: http://www.microsoft.com/downloads/details.aspx?FamilyId=D7AB3F6F-26FE-4AE8-A07A-481D772D03A6
  - Microsoft Windows 2000 Server Service Pack 3 and Microsoft Windows 2000 Server Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=40146B52-5546-489E-857E-01FE1EF709B2
  - Microsoft Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=10836F38-A38B-47D5-B87B-18D8E26EEFAA
  - Microsoft Windows Server 2003 64 Bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=06CF9E85-C66D-4A7D-B2EB-99DE9423B60F

  Refer to Microsoft Security Bulletin MS04-045 for further details.
These new vulnerability checks are included in Qualys vulnerability signature 1.9.114-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
  - 90202
  - 90203
  - 115036
  - 90201
  - 90199
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.