Microsoft stunned the security community yesterday with its announcement of 21 serious vulnerabilities in a variety of applications and operating systems. Administrators are scrambling to implement patches to dozens of components and applications to avoid consequences that include denial of service, remote execution of code and complete system takeover. Experts predict that malicious attackers will unleash damaging assaults on millions of vulnerable machines.
Designated MS04-011, MS04-012, MS04-013 and MS04-014, the four announcements of the 21 vulnerabilities impact Microsoft products including Internet Explorer, Office, Outlook, Outlook Express, Visual Studio, Windows 2000, Windows NT 4.0, Windows Server 2003, Windows XP and NetMeeting.
Michael Murray, director of engineering at nCircle, described the avalanche of vulnerabilities as "unprecedented." Murray also warned, "Expect to see widespread exploitation of these vulnerabilities and real pain as corporate IT deals with the repercussions over the next couple of months."
MS04-013 addresses a critical flaw in Outlook that can allow remote system access. Errors in handling MHTML URLs permit an attacker to use Web sites or HTML e-mail to execute arbitrary code in the "Local Machine" security zone with user privileges.
MS04-014 pertains to buffer overflow problems in Microsoft's Jet Database Engine. A specially crafted database query can leverage that buffer overflow to force execution of arbitrary code with the privileges of the affected application. The Jet Database Engine (file "msjet40.dll") is present by default in many versions of Windows, as well as products including Microsoft Office and Visual Studio.
MS04-012 describes a handful of problems with RPC (remote procedure call) and DCOM (distributed component object model) processing in Windows. One flaw involves possible race conditions in the RPC Runtime Library that attackers can manipulate with specially crafted messages to compromise a vulnerable system. Special messages can also take advantage of the failure of an RPCSS service to reclaim discarded memory, eventually causing denial of service. A different denial of service is possible by sending special replies to messages forwarded over HTTP proxy components. Attackers can also cause applications to listen on unexpected ports, possibly bypassing firewall security and permitting exploitation to launch other attacks.
The eEye Digital Security research team disclosed that they had discovered two of the critical vulnerabilities in September 2003, while patches are only now becoming available. "Companies should address these vulnerabilities without delay since they can be exploited remotely," urged Firas Raouf, chief operating officer of eEye.
MS04-011 is comprised of 14 separate vulnerabilities. These include buffer overflows, errors in processing LDAP requests and other problems. These flaws affect components including H.323 protocol implementation, Help and Support Center, Local Security Authority Subsystem Service (LSASS), Microsoft's ASN.1 Library, Negotiate Security Software Provider (SSP) interface, Windows Metafiles (WMF) rendering, Secure Sockets Layer (SSL) library, Utility Manager, Virtual DOS Machine (VDM) subsystem, Windows logon process (Winlogon) and Windows task management. These vulnerabilities can allow execution of arbitrary code with system privileges, reboot, gaining of system privileges and denial of service.
Internet Security Systems' X-Force, which discovered one of the flaws, has suggested that hackers will aggressively target the SSL vulnerability, because of the high-value nature of Web sites protected by SSL.
Stuart McClure, president and chief technology officer for Foundstone Labs, describes the ASN.1 problem it discovered as, "One of the most serious Microsoft flaws this year and critical within the Windows operating system since it can potentially affect millions of systems. Hackers could remotely take control of a computer, cause applications to crash and steal or corrupt confidential information."
While there are some mitigating factors and workarounds, patches must be applied to fix the problems. McAfee and other antivirus vendors are hurrying to prepare for the expected onslaught of malware exploiting the vulnerabilities.