MS Security Bulletins - Vol. 12


socalgal
07-26-2001, 07:25 PM
Continued from MS Security Bulletins - Vol. 11 (http://www.sysopt.com/forum/Forum1/HTML/011649.html)

~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~
+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+


The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Malformed RPC Request Can Cause Service Failure
Date: 26 July 2001
Software: Exchange Server 5.5, Exchange Server 2000,
SQL Server 7.0, SQL Server 2000, Windows NT 4.0,
Windows 2000
Impact: Denial of service
Bulletin: MS01-041

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-041.asp
- ----------------------------------------------------------------------

Issue:
======
Several of the RPC servers associated with system services in Microsoft
Exchange, SQL Server, Windows NT 4.0 and Windows 2000 do not adequately
validate inputs, and in some cases will accept invalid inputs that
prevent normal processing. The specific input values at issue here vary
from RPC server to RPC server.

An attacker who sent such inputs to an affected RPC server could
disrupt its service. The precise type of disruption would depend on the
specific service, but could range in effect from minor (e.g., the
service temporarily hanging) to major (e.g., the service failing in a
way that would require the entire system to be restarted).

Mitigating Factors:
====================
- Proper firewalling would help minimize an affected system's
exposure to attack by Internet-based users. In general, a
firewall should block access to all RPC services except
those that are specifically intended for use by untrusted users.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-041.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Bindview's Razor Team (http://razor.bindview.com)

socalgal
07-26-2001, 07:32 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Windows Media Player .NSC Processor Contains Unchecked
Buffer
Date: 26 July 2001
Software: Windows Media Player 6.4, 7, and 7.1
Impact: Run code of attacker's choice.
Bulletin: MS01-042

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-042.asp
- ----------------------------------------------------------------------

Issue:
======
Windows Media Player provides support for audio and video streaming.
Streaming media channels can be configured by using Windows Media
Station (.NSC) files. An unchecked buffer exists in the functionality
used to process Windows Media Station files. This unchecked buffer
could potentially allow an attacker to run code of his choice on the
machine of another user. The attacker could either send a specially
malformed file to another user and entice her to run or preview it, or
he could host such a file on a web site and cause it to launch
automatically whenever a user visited the site. The code could take
any action on the machine that the legitimate user himself could take.

Mitigating Factors:
====================
- Customers who have applied the Outlook E-mail Security Update
(OESU) for Outlook 2000 or are running Outlook XP, which has the
OESU functionality built-in, are automatically protected against
HTML e-mail based attempts to exploit this vulnerability.

- For others not in the above categories, the attacker would have to
entice the potential victim to visit a web site he controlled, or to
open an HTML e-mail he had sent.

- The attacker would need to know the specific operating system that
the user was running in order to tailor the attack code properly; if
the attacker made an incorrect guess about the user's operating
system platform, the attack would crash the user's Windows Media
Player session, but not run code of the attacker's choice.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-042.asp
for information on obtaining this patch.

socalgal
07-30-2001, 03:45 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
The Microsoft Security Response Center, along with other
organizations listed below, is jointly publishing this alert that
ALL IIS ADMINISTRATORS ARE ASKED TO READ

A Very Real and Present Threat to the Internet:

July 31 Deadline For Action

Summary:

The Code Red Worm and mutations of the worm pose a
continued and serious threat to Internet users. Immediate action
is required to combat this threat. Users who have deployed
software that is vulnerable to the worm (Microsoft IIS
Versions 4.0 and 5.0) must install, if they have not done so
already, a vital security patch.

How Big Is The Problem?

On July 19, the Code Red worm infected more than 250,000 systems
in just 9 hours. The worm scans the Internet, identifies
vulnerable systems, and infects these systems by installing
itself. Each newly installed worm joins all the others causing
the rate of scanning to grow rapidly. This uncontrolled growth
in scanning directly decreases the speed of the Internet and
can cause sporadic but widespread outages among all types of
systems. Code Red is likely to start spreading again on
July 31st, 2001 8:00 PM EDT and has mutated so that it may be
even more dangerous. This spread has the potential to disrupt
business and personal use of the Internet for applications such
as electronic commerce, email and entertainment.

Who Must Act?

Every organization or person who has Windows NT or Windows 2000
systems AND the IIS web server software may be vulnerable.
IIS is installed automatically for many applications. If you
are not certain, follow the instructions attached to determine
whether you are running IIS 4.0 or 5.0. If you are using
Windows 95, Windows 98, or Windows Me, there is no action that
you need to take in response to this alert.

What To Do If You Are Vulnerable?

a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection:
Install Microsoft's patch for the Code Red vulnerability problem:

- - Windows NT version 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

- - Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

Step-by-step instructions for these actions are posted at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codeptch.asp

Microsoft's description of the patch and its installation,
and the vulnerability it addresses is posted at:

* Microsoft Security Bulletin MS01-033 (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp)

Because of the importance of this threat, this alert is
being made jointly by:

Microsoft
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
SANS Institute
Internet Security Systems
Internet Security Alliance

~+~+~+~+~+~+~+~+~+~+~+~+~+~
+~+~+~+~+~+~+~+~+~+~+~+~+~+

* truncated URL linkified. ~Socalgal

[This message has been edited by socalgal (edited 07-30-2001).]

nodnerb2
07-30-2001, 06:13 PM
When I tried to get the upgrade for Media Player I get an error message/warning saying Vers 7.1 is only for Win 98, 98SE and 2000 but no mention of ME even though it says in the drop down box next to the Download Windows ME. Has anyone else seen this? If I knew how to post a picture in my message I could have shown you.

Nodnerb2

socalgal
08-14-2001, 07:04 PM
Hi nodnerb2

If you're still having an issue with mplayer, please post in the Tech Support Section. You'll get more help there.

Thanks.

+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: NNTP Service in Windows NT 4.0 and Windows 2000
Contains Memory Leak
Date: 14 August 2001
Software: Windows NT 4.0, Windows 2000
Impact: Denial of service
Bulletin: MS01-043

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-043.asp
- ----------------------------------------------------------------------

Issue:
======
The NNTP (Network News Transport Protocol) service in Windows NT 4.0
and Windows 2000 contains a memory leak in a routine that processes
news postings. Each time such a posting is processed that contains a
particular construction, the memory leak causes a small amount of
memory to no longer be available for use. If an attacker sent a large
number of posts, the server memory could be depleted to the point at
which normal service would be disrupted. An affected server could be
restored to normal service by rebooting.

Mitigating Factors:
====================
- Windows NT 4.0 does not contain a native NNTP service. NNTP
is only available on the system if the Windows NT 4.0 Option
Pack has been installed.
- The default configuration of NNTP is not affected by the
vulnerability, as no newsgroups are configured by default.
- The vulnerability would not enable an attacker to usurp any
administrative control or compromise data on the machine.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-043.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Aiden ORawe


[This message has been edited by socalgal (edited 08-15-2001).]

socalgal
08-15-2001, 11:12 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: 15 August 2001 Cumulative Patch for IIS
Date: 15 August 2001
Software: IIS 4.0 and 5.0
Impact: Five vulnerabilities resulting in either denial of
service or privilege elevation
Bulletin: MS01-044

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
- ----------------------------------------------------------------------

Issue:
======
This patch is a cumulative patch that includes the functionality of
all security patches released to date for IIS 5.0, and all patches
released for IIS 4.0 since Windows NT(r) 4.0 Service Pack 5. A
complete listing of the patches superseded by this patch is provided
below, in the section titled "Additional information about this
patch". Before applying the patch, system administrators should take
note of the caveats discussed in the same section.

In addition to including all previously released security patches,
this patch also includes fixes for five newly discovered security
vulnerabilities affecting IIS 4.0 and 5.0:
- A denial of service vulnerability that could enable an attacker
to cause the IIS 4.0 service to fail, if URL redirection has
been enabled. The "Code Red" worm generates traffic that can in
some cases exploit this vulnerability, with the result that an
IIS 4.0 machine that wasn't susceptible to infection via the
worm could nevertheless have its service disrupted by the worm.
- A denial of service vulnerability that could enable an attacker
to temporarily disrupt service on an IIS 5.0 web server. WebDAV
doesn't correctly handle a particular type of very long, invalid
request. Such a request would cause the IIS 5.0 service to fail;
by default, it would automatically restart.
- A denial of service vulnerability involving the way IIS 5.0
interprets content containing a particular type of invalid MIME
header. If an attacker placed content containing such a defect
onto a server and then requested it, the IIS 5.0 service would
be unable to serve any content until a spurious entry was removed
from the File Type table for the site.
- A buffer overrun vulnerability involving the code that performs
server-side include (SSI) directives. An attacker who had the
ability to place content onto a server could include a malformed
SSI directive that, when the content was processed, would result
in code of the attacker's choice running in Local System context.
- A privilege elevation vulnerability that results because of a flaw
in a table that IIS 5.0 consults when determining whether a process
should run in-process or out-of-process. IIS 5.0 contains a table that
lists the system files that should always run in-process. However,
the list provides the files using relative as well as absolute
addressing, with the result that any file whose name matched that
of a file on the list would run in-process.

In addition, this patch eliminates a side effect of the previous IIS
cumulative patch (discussed in the Caveats section of Microsoft
Security Bulletin MS01-026) by restoring proper functioning of
UPN-style logons via FTP and W3SVC.

Mitigating Factors:
====================
URL Redirection denial of service:
- This vulnerability only affects IIS 4.0. IIS 5.0 is not
affected.
- The vulnerability only occurs if URL redirection is enabled.
- The vulnerability does not provide any capability to compromise
data on the server or gain administrative control over it.

WebDAV request denial of service:
- The vulnerability only affects IIS 5.0. IIS 4.0 is not affected.
- The effect of an attack via this vulnerability would be temporary.
The server would automatically resume normal service as soon as
the malformed requests stopped arriving.
- The vulnerability does not provide an attacker with any capability
to carry out WebDAV requests.
- The vulnerability does not provide any capability to compromise
data on the server or gain administrative control over it.

MIME header denial of service:
- The vulnerability only affects IIS 5.0. IIS 4.0 is not affected.
- In order to exploit this vulnerability, the attacker would need
to have the ability to install content on the server. However,
by default, unprivileged users do not have this capability, and
best practices strongly recommend against granting it to untrusted
users.

SSI privilege elevation vulnerability:
- In order to exploit this vulnerability, the attacker would need
to have the ability to install content on the server. However,
by default, unprivileged users do not have this capability, and
best practices strongly recommend against granting it to untrusted
users.

System file listing privilege elevation vulnerability:
- The vulnerability only affects IIS 5.0. IIS 4.0 is not affected.
- In order to exploit this vulnerability, the attacker would need
to have the ability to install content on the server. However,
by default, unprivileged users do not have this capability, and
best practices strongly recommend against granting it to untrusted
users.

Patch Availability:
===================
- A patch is available to fix these vulnerabilities. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
for information on obtaining this patch.

Acknowledgment:
===============
- John Waters of Deloitte and Touche for reporting the MIME type
denial of service vulnerability.
- The NSFocus Security Team (http://www.nsfocus.com) for reporting
the SSI privilege elevation vulnerability.
- Oded Horovitz of Entercept(tm) Security Technologies
(http://www.entercept.com) for reporting the system file listing
privilege elevation vulnerability.
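The fifth MS01-044 item above (relative names in the in-process table) modelled in Python, as an added example that is neither Microsoft's code nor part of the bulletin; the table entries, directory paths and function names are constructed for illustration only:

```python
"""Model of the MS01-044 "system file listing" matching flaw.

Added example, not Microsoft's code. The table contents and the paths
below are constructed; only the matching logic is what matters.
"""
import ntpath

# Constructed in-process table mixing absolute and relative entries,
# as the bulletin describes. Real IIS table contents are not reproduced.
FLAWED_TABLE = [
    r"C:\WINNT\System32\inetsrv\asp.dll",  # absolute entry (constructed)
    "ssinc.dll",                           # relative entry (constructed)
]

# Constructed trusted directory that relative entries are meant to refer to.
SYSTEM_DIR = r"C:\WINNT\System32\inetsrv"


def _norm(path):
    """Canonicalise a Windows path for comparison (case and separators)."""
    return ntpath.normcase(ntpath.normpath(path))


def runs_in_process_flawed(requested_path, table=FLAWED_TABLE):
    """Flawed check: a relative table entry matches on base name alone,
    so a same-named file in any content directory also runs in-process."""
    req = _norm(requested_path)
    for entry in table:
        entry_n = _norm(entry)
        if ntpath.isabs(entry_n):
            if req == entry_n:
                return True
        elif ntpath.basename(req) == entry_n:
            return True
    return False


def runs_in_process_fixed(requested_path, table=FLAWED_TABLE,
                          system_dir=SYSTEM_DIR):
    """Hardened check: resolve every entry to an absolute path under the
    trusted system directory before comparing, so only the genuine system
    file matches regardless of how the entry was written."""
    req = _norm(requested_path)
    for entry in table:
        absolute = entry if ntpath.isabs(entry) else ntpath.join(system_dir, entry)
        if req == _norm(absolute):
            return True
    return False


if __name__ == "__main__":
    # Constructed paths: the genuine system file and a same-named file
    # placed in a web content directory.
    genuine = r"C:\WINNT\System32\inetsrv\SSINC.DLL"
    lookalike = r"C:\Inetpub\wwwroot\upload\ssinc.dll"
    for p in (genuine, lookalike):
        print(p, "flawed:", runs_in_process_flawed(p),
              "fixed:", runs_in_process_fixed(p))
```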

socalgal
08-16-2001, 03:03 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: ISA Server H.323 Gatekeeper Service Contains Memory Leak
Date: 16 August 2001
Software: ISA Server 2000
Impact: Denial of service, cross-site scripting
Bulletin: MS01-045

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-045.asp
- ----------------------------------------------------------------------

Issue:
======
This bulletin discusses three security vulnerabilities that are
unrelated except in the sense that all three affect ISA Server 2000:

- A denial of service vulnerability involving the H.323 Gatekeeper
Service, a service that supports the transmission of voice-over-IP
traffic through the firewall. The service contains a memory leak
that is triggered by a particular type of malformed H.323 data.
Each time such data is received, the memory available on the
server is depleted by a small amount; if an attacker repeatedly
sent such data, the performance of the server could deteriorate to
the point where it would effectively disrupt all communications
across the firewall. A server administrator could restore normal
service by cycling the H.323 service.
- A denial of service vulnerability in the Proxy service.
Like the vulnerability above, this one is caused by a memory leak,
and could be used to degrade the performance of the server to
the point where it disrupted communications.
- A cross-site scripting vulnerability affecting the error page
that ISA Server 2000 generates in response to a failed request
for a web page. An attacker could exploit the vulnerability by
tricking a user into submitting to ISA Server 2000 a URL that
has the following characteristics: (a) it references a valid
web site; (b) it requests a page within that site that can't be
retrieved - that is, a non-existent page or one that generates
an error; and (c) it contains script within the URL. The error
page generated by ISA Server 2000 would contain the embedded
script commands, which would execute when the page was displayed
in the user's browser. The script would run in the security domain
of the web site referenced in the URL, and would be able to access
any cookies that site has written to the user's machine.

Mitigating Factors:
====================
H.323 Denial of service vulnerability:
- The vulnerability could only be exploited if the H.323 Gatekeeper
Service was installed. It is only installed by default if "Full
Installation" is chosen; if "Typical Installation" is selected,
it is not installed.
- The vulnerability would not enable an attacker to gain any
privileges on an affected server or add any traffic to an existing
voice-over-IP session. It is strictly a denial of service
vulnerability.

Proxy Service Denial of service vulnerability:
- The vulnerability could only be exploited by an internal user; it
could not be exploited by an Internet user.
- The vulnerability would not enable an attacker to gain any
privileges on an affected server or compromise any cached content
on the server. It is strictly a denial of service vulnerability.

Cross-site scripting vulnerability:
- In order to run script in the security domain of a trusted site,
the attacker would need to know which sites, if any, a user
trusted. Most users use the default security settings for all web
sites, which would effectively deny an attacker any gain in
exploiting the vulnerability for the purposes of running script.
- An attacker who wished to read other sites' cookies on a user's
machine would have no way to know which sites had placed cookies
there. The attacker would need to exploit the vulnerability once
for every web site whose cookies she wished to access.
- Even if the attacker correctly guessed which sites had placed
cookies on a user's machine, there should be no sensitive
information in the cookies, if best practices have been followed.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-045.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Peter Grundl for reporting the memory leaks in the H.323
Gatekeeper Service and the Proxy Service.
- Dr. Hiromitsu Takagi for reporting the cross-site scripting
vulnerability.

socalgal
08-16-2001, 07:01 PM
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Outlook View Control Exposes Unsafe Functionality
Released: 12 July 2001
Revised: 16 August 2001 (version 2.0)
Software: Outlook 2002, 2000, and 98
Impact: Run code of attacker's choice
Bulletin: MS01-038

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-038.asp
- ----------------------------------------------------------------------

Reason for Revision:
====================
The original version of the bulletin advised customers of a
workaround procedure that could be used while a patch was under
development. We have now completed the patch, and have re-released
this bulletin to advise customers of its availability.

Issue:
======
On July 12, 2001, Microsoft released the original version of this
bulletin, to advise customers of a vulnerability affecting Microsoft
Outlook and to recommend that they temporarily use an administrative
procedure to protect their systems. A patch that eliminates the
vulnerability is now available. An updated version of the bulletin
was released on August 16, 2001, to announce the availability of the
patch and to advise customers that the administrative procedure is no
longer needed.

The Microsoft Outlook View Control is an ActiveX control that allows
Outlook mail folders to be viewed via web pages. The control should
only allow passive operations such as viewing mail or calendar data.
In reality, though, it exposes a function that could allow the web
page to manipulate Outlook data. This could enable an attacker to
delete mail, change calendar information, or take virtually any other
action through Outlook including running arbitrary code on the user's
machine.

Hostile web sites would pose the greatest threat with respect to this
vulnerability. If a user could be enticed into visiting a web page
controlled by an attacker, script or HTML on the page could invoke
the control when the page was opened. The script or HTML could then
use the control to take whatever action the attacker desired on the
user's Outlook data.

It also would be possible for the attacker to send an HTML e-mail to
a user, with the intent of invoking the control when the recipient
opened the mail. However, the Outlook E-mail Security Update, that
automatically installs as part of Outlook 2002 would thwart such an
attack. The Update causes HTML e-mails to be opened in the Restricted
Sites Zone, where ActiveX controls are disabled by default.

Mitigating Factors:
====================
- The newly-released Outlook E-mail Security Update that is integrated
into Outlook 2002 would also prevent this vulnerability from being
exploited via e-mail in all affected Outlook versions.

- The vulnerability provides no capability for the attacker to force a
user to visit a web page that exploits it.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-038.asp
for information on obtaining this patch.

socalgal
08-21-2001, 01:39 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Access Violation in Windows 2000 IRDA Driver Can Cause
System to Restart
Date: 21 August 2001
Software: Windows 2000
Impact: Denial of Service
Bulletin: MS01-046

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-046.asp
- ----------------------------------------------------------------------

Issue:
======
Microsoft Windows 2000 provides support for infrared-based
connectivity. This support is provided through protocols
developed by the Infrared Data Association (IRDA).
Because of this, they are often called IRDA devices. These
devices can be used to share files and printers with other
IRDA-device capable systems. The software which handles
IRDA devices in Windows 2000 contains an unchecked buffer
in the code which handles certain IRDA packets.

A security vulnerability results because it is possible
for a malicious user to send a specially crafted IRDA packet
to the victim's system. This could enable the attacker to conduct
a buffer overflow attack and cause an access violation
on the system, forcing a reboot. To the best of our knowledge,
it cannot be used to run malicious code on the user's system.

Mitigating Factors:
====================
- The attack would require that an attacker's machine be within
range of the victim's IRDA device, usually within arm's length.
- The attack would require that an attacker's machine's IRDA port
have either a direct line of sight to the victim's machine, or
be able to transmit the IRDA packets through reflection directly
to the victim's IRDA port.
- To the best of our knowledge, this cannot be used to run
malicious code on the user's system.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-046.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Paul Millar ( paulm@astro.gla.ac.uk )

Cody
08-21-2001, 04:34 PM
I'm getting darn sick of this stereotyping

Notice in a good amount of the documents, the hacker "he" is enticing the user "she"..


Jeez

Barney
08-21-2001, 04:57 PM
Errr... you're not supposed to reply to this.

Don't you think it would get confusing if they have to put he/she, him/her, etc. everywhere?

Socalgal, please delete my (and Cody's) message after you've read it. I noticed you're an Administrator again. http://www.sysopt.com/forum/wink.gif

socalgal
09-06-2001, 07:46 PM
Nbd, but questions or comments should be started in a new thread for the greatest exposure; these MS Security Bulletin threads are for the latest alerts and anyone posting otherwise here will not get maximum forum exposure. http://www.sysopt.com/forum/wink.gif
==============

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: OWA Function Allows Unauthenticated User to Enumerate
Global Address List
Date: 06 September 2001
Software: Exchange 5.5
Impact: Information Disclosure
Bulletin: MS01-047

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-047.asp
- ----------------------------------------------------------------------

Issue:
======
Among the functions Outlook Web Access (OWA) in Exchange 5.5 offers
is the ability to search the global address list (GAL). By design,
this is an authenticated function, implemented as a two-tier
architecture - a front tier that provides a user interface and a
back-end tier that actually performs the search. However, only the
front tier actually checks authentication. An attacker who sent a
properly formatted request to the back-end function that actually
performs the search could enumerate the GAL without authenticating.

Mitigating Factors:
====================
- The vulnerability would only allow the attacker to learn
users' email aliases. It would not provide any other
capabilities. Specifically, it would not give the attacker
any way to create or send mail as a user; to read, change
or delete mail; or to perform any other functions on the
server.
- The vulnerability is only exploitable via OWA. Exchange
servers that are not configured to offer OWA are not affected
by the vulnerability.
- The vulnerability does not affect Exchange 2000, even when
offering OWA.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-047.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Noam Rathaus from SecuriTeam.com ( http://www.SecuriTeam.com )



[This message has been edited by socalgal (edited 09-07-2001).]

socalgal
09-10-2001, 03:04 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Malformed Request to RPC Endpoint Mapper can Cause RPC
Service to Fail
Date: 10 September 2001
Software: Microsoft(r) Windows NT(r) 4.0
Impact: Denial of service
Bulletin: MS01-048

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-048.asp
- ----------------------------------------------------------------------

Issue:
======
The RPC endpoint mapper allows RPC clients to determine the port
number currently assigned to a particular RPC service. The Windows NT
4.0 endpoint mapper contains a flaw that causes it to fail upon
receipt of a request that contains a particular type of malformed
data.

Because the endpoint mapper runs within the RPC service itself,
exploiting this vulnerability would cause the RPC service itself to
fail, with the attendant loss of any RPC-based services the server
offers, as well as potential loss of some COM functions. Normal
service could be restored by rebooting the server.

Mitigating Factors:
====================
- Standard security recommendations call for port 135 - the port
on which the RPC endmapper operates - to be blocked at the
firewall. If this were done, Internet-based attackers would not
be able to exploit this vulnerability.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-048.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Seiichi Tatsukawa of Rational Software ( http://www.rational.com )

socalgal
09-26-2001, 08:41 PM

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Deeply-nested OWA Request Can Consume Server CPU Availability
Date: 26 September 2001
Software: Exchange 2000
Impact: Denial of Service
Bulletin: MS01-049

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-049.asp
- ----------------------------------------------------------------------

Issue:
======
A security vulnerability exists in Exchange 2000 Outlook Web Access,
because it will accept and process a request for an item in an
authenticated user's mailbox without verifying first that the
folder structure is valid. An attacker could mount a denial of
service attack by repeatedly levying a request for a non-existent
but deeply nested folder in his own mailbox.

Exploiting the vulnerability wouldn't necessarily affect the OWA
server itself. The effect of the vulnerability would be to
cause the process servicing the attacker's mailbox to consume most
or all of the CPU availability on the server it was running on.
In many cases, this process would run on the OWA server,
and thus the effects would be seen there. However, if the process
servicing the attacker's mailbox ran on a back-end server, the
effect of exploiting the vulnerability would be seen there.
In any event, the affected server would resume normal service
once the request was handled.

Mitigating Factors:
====================
- Only users who could authenticate to the server could exploit
this vulnerability.
- The attacker would need to have permissions on at least one
mailbox in order to exploit the vulnerability.
- The user can only perform this task against mailboxes to which
they have permission.
- The vulnerability could not be used to cause the mailbox store
to fail, or to corrupt mailbox data.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-049.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Joao Gouveia ( tharbad@kaotik.org )
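The MS01-049 issue above is a missing pre-check: the server starts work on a request before confirming the requested folder path exists. The following is an added illustration of that check, not Microsoft's code and not how OWA is implemented; the mailbox tree, the depth limit and the per-segment "work" counter are constructed here.

```python
# Added example, not code from the bulletin or from Exchange/OWA. It shows
# the check the bulletin says OWA lacked: confirm a requested folder path
# exists (and is not absurdly deep) before spending any work on the item
# request. Mailbox layout, depth limit and the work counter are constructed.

MAX_DEPTH = 32  # assumed policy limit on folder nesting, not an Exchange value

# Constructed mailbox: folder name -> dict of subfolders.
MAILBOX = {"Inbox": {"Projects": {"2001": {}}}, "Sent": {}}


def split_path(path):
    """Turn '/Inbox/Projects/2001' into ['Inbox', 'Projects', '2001'].
    Empty segments ('//') are dropped so they cannot pad the depth."""
    return [seg for seg in path.split("/") if seg]


def walk_unchecked(mailbox, path):
    """Pre-validation behaviour: keep processing every segment of the
    request even after the path has left the real folder tree. Returns
    the number of segments processed (stands in for CPU spent)."""
    node = mailbox
    processed = 0
    for seg in split_path(path):
        processed += 1
        node = node.get(seg, {})  # a missing folder yields an empty subtree
    return processed


def validate_folder_path(mailbox, path):
    """Reject before doing work: depth cap first (constant time), then
    segment-by-segment existence so a bad path fails at its first
    missing folder. Returns (ok, reason, segments_examined)."""
    segments = split_path(path)
    if not segments:
        return False, "empty path", 0
    if len(segments) > MAX_DEPTH:
        return False, "path deeper than %d folders" % MAX_DEPTH, 0
    node = mailbox
    for depth, seg in enumerate(segments, 1):
        if seg not in node:
            return False, "no folder %r at depth %d" % (seg, depth), depth
        node = node[seg]
    return True, "ok", len(segments)


def handle_item_request(mailbox, path):
    """Patched shape: validate first, only then process the item."""
    ok, reason, examined = validate_folder_path(mailbox, path)
    if not ok:
        return "rejected: " + reason, examined
    return "served " + "/".join(split_path(path)), examined
```

A request for a ten-thousand-level non-existent folder costs the unchecked walker ten thousand steps, while the validated handler rejects it at the depth cap without touching the tree.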

socalgal
10-04-2001, 10:38 PM

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Malformed Excel or PowerPoint Document Can Bypass Macro Security
Date: 04 October 2001
Software: Microsoft Excel or PowerPoint for Windows or Macintosh
Impact: Run Code Of Attacker's Choice
Bulletin: MS01-050

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-050.asp
- ----------------------------------------------------------------------

Issue:
======
Excel and PowerPoint have a macro security framework that controls
the execution of macros and prevents macros from running
automatically. Under this framework, any time a user opens a
document the document is scanned for the presence of macros.
If a document contains macros, the user is notified and asked
if he wants to run the macros or the macros are disabled entirely,
depending on the security setting. A flaw exists in the way macros
are detected that can allow a malicious user to bypass macro
checking.

A malicious attacker could attempt to exploit this vulnerability
by crafting a specially formed Excel or PowerPoint document with
macro code that would run automatically when the user opened it.
The attacker could carry out this attack by hosting the malicious
file on a web site, a file share, or by sending it through email.

Mitigating Factors:
====================
- The macro code could not execute without the user's
first opening the document.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-050.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Peter Ferrie, Symantec Security Response
( http://securityresponse.symantec.com )