SANS ISC: Microsoft Security Bulletins Released for April, ISC Webcast on Wednesday

Microsoft Security Bulletins Released for April, ISC Webcast on Wednesday
As expected, Microsoft released several security bulletins today. What was unexpected was the volume of fixes they have been working on. We'll go through these tomorrow in more detail on the ISC webcast. Be sure to join us at 1 pm EST (that's 1700 UTC), http://www.sans.org/webcasts/

The bulletin summary can be found at
http://www.microsoft.com/security/security_bulletins/200404_windows.asp

Because several of these updates address issues that can result in the remote execution of arbitrary code, it is imperative that patches be applied as soon as possible. Recall that only three weeks passed between the July 2003 announcement of the issues in Microsoft's RPC/DCOM module (MS03-026) and the release of the Blaster worm in early August. A similarly volatile situation exists today. The amount of time before another significant malware release is never predictable, but what is certain is that efforts are currently underway to write code that exploits one or more of these new vulnerabilities. Considering that an updated version of Metasploit was recently released; that there is widespread understanding of how Blaster worked (including methods of improving the spreading algorithms); and that there are eight issues in today's basket of patches that allow for remote code execution, we can predict with high confidence that rapidly spreading and potentially damaging malware will appear in the next few days or weeks. Read the updates carefully, and examine all options, including the mitigation steps that can be taken before the patches are applied. There have been some early reports that the patches do not install correctly on the first attempt. Patching a test machine is highly recommended before applying patches to a sensitive production computer.

The individual updates are:

MS04-011 Security Update for Microsoft Windows (835732) Critical
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

This one fixes A LOT of problems:

LSASS Vulnerability (Remote Code Execution)

LDAP Vulnerability (Denial Of Service)

PCT Vulnerability (Remote Code Execution)

Winlogon Vulnerability (Remote Code Execution)

Metafile Vulnerability (Remote Code Execution)

Help and Support Center Vulnerability (Remote Code Execution)

Utility Manager Vulnerability (Privilege Elevation)

Windows Management Vulnerability (Privilege Elevation)

Local Descriptor Table Vulnerability (Privilege Elevation)

H.323 Vulnerability (Remote Code Execution)

Virtual DOS Machine Vulnerability (Privilege Elevation)

Negotiate SSP Vulnerability (Remote Code Execution)

SSL Vulnerability (Denial Of Service)

ASN.1 "Double Free" Vulnerability (Remote Code Execution)

MS04-012 Cumulative Update for Microsoft RPC/DCOM (828741) Critical
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

More problems with RPC/DCOM:

RPC Runtime Library Vulnerability (Remote Code Execution)

RPCSS Service Vulnerability (Denial Of Service)

COM Internet Services (CIS) - RPC over HTTP Vulnerability (Denial Of Service)

Object Identity Vulnerability (Information Disclosure)
MS04-013 Cumulative Security Update for Outlook Express (837009) Critical
http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx

The details make it sound as if this one applies only to Outlook Express, but if you examine the CVE entry (currently a CAN), it appears to be a fix for the ".chm" problem we've been discussing lately.

MHTML URL Processing Vulnerability (Remote Code Execution)
MS04-014 Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) Important
http://www.microsoft.com/technet/security/bulletin/MS04-014.mspx

Jet Vulnerability (Remote Code Execution)
Marcus H. Sachs