Information About Microsoft's August 2004 Security Bulletins
August 13, 2004
Feliciano Intini, CISSP, MCSE
Security Advisor, Premier Security Center, Microsoft Services - ITALY

What we will cover
Security Bulletins:
  MS04-025 - Windows Internet Explorer
  MS04-026 - Microsoft Exchange Server 5.5
Other Security Topics:
  Security Tools
  Reminder: Defense In Depth Configuration Changes
  Windows XP Service Pack 2
Resources
Questions & Answers

Review of August Security Bulletins
Overview of vulnerability for risk assessment
Workarounds you can implement while deploying the security updates
How to determine what systems the available security updates apply to
How you can deploy the security updates to your systems

August 2004 Security Bulletins
Maximum Severity   Bulletin Number   Products Affected    Impact
Critical           MS04-025          Microsoft Windows    Remote Code Execution
Moderate           MS04-026          Microsoft Exchange   Remote Code Execution

MS04-025: Overview
Cumulative Security Update for Internet Explorer (867801)
Impact: Remote Code Execution
Maximum Severity: Critical
Affected Software:
  Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003
  Critical for Windows 98, Windows 98 Second Edition, Windows Millennium Edition
Affected Components:
  Internet Explorer 5.01 Service Packs 2, 3 and 4
  Internet Explorer 5.5 Service Pack 2
  Internet Explorer 6.0
  Internet Explorer 6.0 Service Pack 1, Internet Explorer 6 Service Pack 1 (64-Bit Edition)
  Internet Explorer 6.0 for Windows Server 2003, Internet Explorer 6 for Windows Server 2003 (64-Bit Edition)

MS04-025: Understanding the Vulnerabilities
Navigation Method Cross-Domain Vulnerability - CAN-2004-0549: A vulnerability in how Navigation Methods are validated that can enable code execution
Malformed BMP File Buffer Overrun Vulnerability - CAN-2004-0566: A buffer overrun vulnerability in how BMP files are rendered that can enable code execution
Malformed GIF File Double Free Vulnerability - CAN-2003-1048: A double free vulnerability in how GIF files are handled that can enable a denial of service or potentially code execution

MS04-025: Risk Assessment
Possible Attack Vectors
  Malicious HTML page
    Hosted on a Web site
    Sent as e-mail
Impact of Successful Attack
  Attacker's code would run in user's context
Mitigating Factors
  Web page and e-mail vectors require user actions
  Attacker's code limited by user's privileges

MS04-025: Risk Assessment (2)
Mitigating Factors (cont'd)
  HTML e-mail in the Restricted sites zone helps reduce attacks
    Outlook Express 6, Outlook 2002, and Outlook 2003 by default
    Outlook 98 and Outlook 2000 with Outlook E-mail Security Update (OESU)
    Outlook Express 5.5 with MS04-018
  Also, risk from the HTML e-mail vector is significantly reduced if both:
    Latest Cumulative Security Update for IE installed (change introduced in MS03-040)
    Using IE 6.0 or later

MS04-025: Updates
Two updates available
  867801 contains only security fixes and publicly available updates
    Available on Windows Update, Software Update Services, Download Center
  871260 (update rollup) contains security fixes, publicly available updates AND hotfixes
    Available only on the Download Center
To reduce risk of problems in deployment, customers should apply 867801 by default

MS04-026: Overview
Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842463)
Impact: Remote Code Execution
Maximum Severity: Moderate
Affected Software:
  Microsoft Exchange Server 5.5 SP4
Affected Components:
  Outlook Web Access (OWA)

MS04-026: Understanding the Vulnerability
Cross-site Scripting and Spoofing Vulnerability - CAN-2004-0203: A cross-site scripting and spoofing vulnerability that could cause a user to run script on the attacker's behalf or a user to view spoofed content.

MS04-026: Risk Assessment
Possible Attack Vectors
  Sending a specially-crafted HTTP request to the Outlook Web Access server
Impact of Successful Attack
  Execute script in the user's context
  Put spoofed content in Web browser and intermediate proxy server caches
Mitigating Factors
  An attacker must have valid logon credentials for the Outlook Web Access server
  Limitations on user's account apply to attacker's script
  "Do not save encrypted pages to disk" option prevents attempts to put spoofed content into client cache
  SSL-protected connections protect against intermediate proxy vector
  Difficult for an attacker to predict which users would be served spoofed cached content from intermediate proxy server

MS04-020 Re-Release
Re-issued to advise on the availability of a security update for Microsoft INTERIX 2.2
Customers who are not using Microsoft INTERIX 2.2 and have previously installed the security updates provided as part of the original release of this bulletin do not need to install the new security update
Customers using Microsoft INTERIX 2.2 should apply the new update

Workarounds
Host-based workarounds:
  MS04-025
    Set Internet and Local Intranet security zone settings to "High"
    Restrict Web sites to only trusted Web sites
    Strengthen the security settings for the Local Machine zone (Knowledge Base article 833633)
    Read e-mail messages in plain text format
  MS04-026
    Disable Outlook Web Access for each Exchange Site

Determining Systems for Deployment
MBSA:
  Use MBSA to determine systems that require MS04-025, MS04-026
  MBSA will identify systems that require MS04-025 but cannot determine systems that might require 871260 (update rollup)
  As of 8/10, MBSA will not raise a warning regarding greater-than-expected file versions on systems with 871260 (update rollup)
SUS:
  The SUS Client (the Automatic Updates Client) will automatically detect systems that require MS04-025
  The SUS Client (the Automatic Updates Client) will identify systems that require MS04-025 but cannot determine systems that might require 871260 (update rollup)
  Cannot use SUS to determine systems that require MS04-026

Determining Systems for Deployment (2)
SMS 2.0 / 2003:
  SMS 2003 to identify systems that need MS04-025, MS04-026
  SMS will identify systems that require MS04-025 but cannot determine systems that might require 871260 (update rollup)
  To limit the deployment of the update rollup to only those computers running post-MS04-004 hotfixes, use software inventory to detect systems based on the hotfix affected files
  For more information see Deploying Software Updates Using the SMS Software Distribution Feature: www.microsoft.com/technet/prodtechnol/sms/sms2003/patchupdate.mspx
Note regarding SMS and MBSA:
  Proxy caching at ISP or Intranet may delay the availability of detection catalog mssecure.cab
  File uses "Cache-Control: must-revalidate"; most proxy servers honor this
  Refer to KB 842432 to diagnose delays

Deploying the Updates
SUS:
  Use the SUS Client (the Automatic Updates Client) to deploy MS04-025
  SUS can only be used to deploy 867801; it will not deploy 871260 (update rollup)
SMS:
  Use SMS 2.0 with the SMS SUS Feature Pack or SMS 2003 to deploy MS04-025, MS04-026
  Can deploy 871260 (update rollup) using the "import" feature documented in SMS documentation

Deploying the Updates (2)
Restarts
  MS04-025: Required
  MS04-026: Not required but will restart these services: Microsoft Internet Information Services (IIS), Exchange Store, Exchange System Attendant
Uninstall
  MS04-025: Can be uninstalled
  MS04-026: Can be uninstalled

Deploying the Updates (3)
Notes for MS04-026:
  Version Requirements for Dependent Components: Microsoft Outlook Web Access (OWA) server must have one of the following:
    Internet Explorer 5.01 Service Pack 3 on Windows 2000 Service Pack 3
    Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
    Internet Explorer 6 Service Pack 1 on current supported operating systems
  Apply update to Exchange 5.5 Servers running Outlook Web Access only.

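As an added worked example (not from the presentation and not Microsoft's tooling), the following Python encodes the detection and deployment rules from the preceding slides: which MS04-025 package a host should receive (867801 by default, the 871260 rollup only where post-MS04-004 hotfixes are present), which channels can deliver it, and the OWA dependent-component check for MS04-026. The inventory record layout and the sample hosts are assumptions made for the example.

```python
from dataclasses import dataclass, field

# MS04-025 ships two packages (identifiers from the bulletin).
IE_SECURITY_ONLY = "867801"  # security fixes + public updates: WU, SUS, Download Center
IE_UPDATE_ROLLUP = "871260"  # also carries hotfixes: Download Center (SMS "import") only
OWA_UPDATE = "842463"        # MS04-026 package for Exchange 5.5 SP4 OWA servers

# IE builds the bulletin lists as affected (version + service pack).
AFFECTED_IE = {"5.01 SP2", "5.01 SP3", "5.01 SP4", "5.5 SP2", "6.0", "6.0 SP1"}
# Dependent-component requirements for the MS04-026 OWA server update.
OWA_PREREQS = {("5.01 SP3", "Windows 2000 SP3"), ("5.01 SP4", "Windows 2000 SP4")}


@dataclass
class Host:
    """Inventory record; the field layout is an assumption of this example."""
    name: str
    os: str                  # e.g. "Windows XP SP1", "Windows 2000 SP4"
    ie_version: str          # e.g. "6.0 SP1"
    installed: set = field(default_factory=set)  # package ids already applied
    post_ms04_004_hotfix: bool = False  # from software inventory of hotfix files
    exchange: str = ""       # e.g. "5.5 SP4"
    owa_enabled: bool = False


@dataclass
class PlanItem:
    host: str
    bulletin: str
    package: str
    channels: tuple
    restart: str
    note: str = ""


def plan_ms04_025(host):
    """Pick the IE package for a host and the channels that can deliver it."""
    if host.ie_version not in AFFECTED_IE or host.installed & {IE_SECURITY_ONLY, IE_UPDATE_ROLLUP}:
        return None  # not affected, or either package already applied
    if host.post_ms04_004_hotfix:
        # Rollup only for machines running post-MS04-004 hotfixes; SUS cannot deploy it.
        return PlanItem(host.name, "MS04-025", IE_UPDATE_ROLLUP,
                        ("Download Center", "SMS import"), "required",
                        "MBSA/SUS/SMS flag MS04-025 but cannot detect the rollup need")
    return PlanItem(host.name, "MS04-025", IE_SECURITY_ONLY,
                    ("Windows Update", "SUS", "Download Center", "SMS"), "required")


def plan_ms04_026(host):
    """Exchange 5.5 SP4 servers running OWA only; SUS can neither detect nor deploy it."""
    if host.exchange != "5.5 SP4" or not host.owa_enabled or OWA_UPDATE in host.installed:
        return None
    prereq_ok = host.ie_version == "6.0 SP1" or (host.ie_version, host.os) in OWA_PREREQS
    note = "" if prereq_ok else "OWA server IE prerequisite not met; upgrade IE first"
    return PlanItem(host.name, "MS04-026", OWA_UPDATE, ("Download Center", "SMS"),
                    "not required (restarts IIS, Exchange Store, System Attendant)", note)


def build_plan(hosts):
    """Return the list of deployment actions for an inventory."""
    plan = []
    for h in hosts:
        plan.extend(i for i in (plan_ms04_025(h), plan_ms04_026(h)) if i is not None)
    return plan


# Constructed sample inventory for demonstration.
SAMPLE_HOSTS = [
    Host("ws1", "Windows XP SP1", "6.0 SP1"),
    Host("ws2", "Windows 2000 SP4", "6.0 SP1", post_ms04_004_hotfix=True),
    Host("ws3", "Windows XP SP1", "6.0 SP1", installed={IE_SECURITY_ONLY}),
    Host("exch1", "Windows 2000 SP3", "5.01 SP3", exchange="5.5 SP4", owa_enabled=True),
    Host("exch2", "Windows 2000 SP4", "5.01 SP2", exchange="5.5 SP4", owa_enabled=True),
]

if __name__ == "__main__":
    for item in build_plan(SAMPLE_HOSTS):
        print(item.host, item.bulletin, item.package, "/".join(item.channels), item.note)
```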
Security Tools: MBSA Reminder
MBSA 1.1.1 no longer supported
  As of April 20, 2004 the mssecure.xml file used by versions earlier than MBSA 1.2 is no longer updated
  Scans performed with MBSA 1.1.1 or earlier versions will not detect the Security Bulletins released since April
  When using SMS, MBSA GUI and mbsacli, scan results will include an 'update', e.g.:
Obtain Upgrades:
  SMS 2.0 SUS Feature Pack and SMS 2003 users: SMS downloads page www.microsoft.com/smserver/downloads
  MBSA Users: MBSA homepage www.microsoft.com/mbsa

Security Tools: MBSA & XP SP2
New version of MBSA (1.2.1) needed for Windows XP SP2 compatibility!
  Needed to provide compatibility and better support for Windows XP SP2 security improvements
  Will be available in mid-August
  Users running MBSA 1.2 will be automatically notified when they run the tool with an Internet connection
  www.microsoft.com/mbsa

Security Tools: MyDoom Cleaner Tool
New variant, MyDoom.O, discovered on Monday, July 26 2004
Zindos.A worm, discovered on Tuesday, July 27 2004, uses backdoor opened by MyDoom.O
Cleaner tool was updated to clean for all known MyDoom variants and Zindos.A
More information: www.microsoft.com/security/incident/mydoom.mspx

Reminder: Deploy Defense in Depth Configuration Changes
Three configuration changes released in July to enhance resiliency of Internet Explorer 6.0 and Outlook Express 5.5 SP2
  Disable ADODB.stream in Windows ActiveX Control (July 2 2004): Knowledge Base Article 870669 (http://support.microsoft.com/default.aspx?kbid=870669)
  Limit functionality of Shell.application (July 13 2004): fix is included in MS04-024
  Change HTML viewing in Outlook Express 5.5 SP2 (July 13 2004): change included in MS04-018

Windows XP Service Pack 2
Proactive protection technologies block malicious code at the "point of entry"
(Slide diagram) Goals: Enhance Security, Increase Manageability, Improve Experience
(Slide diagram) Attack Vectors: Network, Email & IM, Web Browsing, Memory

Application Compatibility Snapshot
Functional Area                                              Compatibility Status
Attachment Handler                                           User experience modified
NX & /GS, Windows Firewall, DCOM & RPC, Other components     Few apps; proper configuration required
Internet Explorer                                            Some apps; proper configuration required
The vast majority of application compatibility issues are mitigated through configuration of SP2 security options
Very few issues require code changes

Windows XP SP2 – Timeline
August 6: Release to manufacturing for SP2 English and German (remaining 25 languages RTM over 5 weeks)
August 9:
  Release to Microsoft Download Center – full network installation package
  Release to MSDN – CD ISO image
August 10: Release to Automatic Updates - for machines running pre-release versions of Windows XP SP2 only
August 16:
  Release to Automatic Updates - for machines not running pre-release versions of Windows XP SP2
  Release to SUS
August TBD: Release to Windows Update for interactive user installations

SP2 Delivery via Automatic Update
SP2 is categorized as a critical update
  Unlike previous critical updates, SP2 requires interactive installation
Some customers have requested a mechanism to temporarily block SP2 delivery via AU
  Allow all other critical security updates via AU
Registry based solution temporarily prevents Automatic Update and Windows Update from downloading SP2 - and only SP2
  AU and WU search for existence of new registry setting
  Other downloads unaffected
  Registry setting is the only change required on local machine

Automatic Update Blocking Mechanism
Tools for implementing solution
  ADM file to control registry setting via Active Directory Group Policy
  Microsoft signed executable that will set the registry setting on local machine
  Script file to execute the tool remotely
  E-mail message pointing users to a script file hosted on Microsoft.com
  All of these tools allow for disabling the registry setting
This solution expires after 120 days
  AU and WU will ignore registry key after December 14, 2004
Scripts and documentation posted on TechNet: www.microsoft.com/technet/winxpsp2
Best solution is Software Update Services: www.microsoft.com/sus

Windows XP SP2 Summary
More secure
  "Shields-up" approach
  Reduced attack surface area
Improved manageability of security settings
  More granular control
  Improved support for Active Directory Group Policy
  Reduced urgency for patching vulnerabilities
Better user experience
  More and better security information
  Applications function while remaining secure
A major step forward on a long journey
http://www.microsoft.com/technet/winxpsp2

Resources
September Security Bulletins Webcast: our next appointment is Friday, September 17 at 10:30 – http://www.microsoft.com/italy/security
Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
Windows XP Service Pack 2: www.microsoft.com/technet/winxpsp2
Information on MyDoom and its variants: www.microsoft.com/security/incident/mydoom.mspx
Security Newsletter: www.microsoft.com/technet/security/secnews/default.mspx
Security Guidance Center: www.microsoft.com/italy/security/guidance