Information About Microsoft’s August 2004 Security Bulletins August 13, 2004

  • View

  • Download

Embed Size (px)


Information About Microsoft’s August 2004 Security Bulletins August 13, 2004. Feliciano Intini, CISSP, MCSE Security Advisor Premier Security Center Microsoft Services - ITALY. What we will cover. Security Bulletins: MS04-025 - Windows Internet Explorer - PowerPoint PPT Presentation

Text of Information About Microsoft’s August 2004 Security Bulletins August 13, 2004

  • Information About Microsofts August 2004Security Bulletins

    August 13, 2004Feliciano Intini, CISSP, MCSE Security AdvisorPremier Security CenterMicrosoft Services - ITALY

  • What we will coverSecurity Bulletins:MS04-025 - Windows Internet ExplorerMS04-026 - Microsoft Exchange Server 5.5Other Security Topics:Security ToolsReminder: Defense In Depth Configuration ChangesWindows XP Service Pack 2ResourcesQuestions & Answers

  • Review of August Security BulletinsOverview of vulnerability for risk assessmentWorkarounds you can implement while deploying the security updatesHow to determine what systems the available security updates apply toHow you can deploy the security updates to your systems

  • August 2004 Security Bulletins

  • MS04-025: OverviewCumulative Security Update for Internet Explorer (867801)Impact: Remote Code ExecutionMaximum Severity: CriticalAffected Software: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003 Critical for Windows 98, Windows 98 Second Edition, Windows Millennium EditionAffected Components: Internet Explorer 5.01 Service Packs 2, 3 and 4Internet Explorer 5.5 Service Pack 2 Internet Explorer 6.0 Internet Explorer 6.0 Service Pack 1,Internet Explorer 6 Service Pack 1 (64-Bit Edition)Internet Explorer 6.0 for Windows Server 2003, Internet Explorer 6 for Windows Server 2003 (64-Bit Edition)

  • MS04-025: Understanding the VulnerabilitiesNavigation Method Cross-Domain Vulnerability - CAN-2004-0549:A vulnerability in how Navigation Methods are validated that can enable code executionMalformed BMP File Buffer Overrun Vulnerability - CAN-2004-0566:A buffer overrun vulnerability in how BMP files are rendered that can enable code executionMalformed GIF File Double Free Vulnerability - CAN-2003-1048:A double free vulnerability in how GIF files are handled that can enable a denial of service or potentially code execution

  • MS04-025: Risk AssessmentPossible Attack VectorsMalicious HTML page Hosted on a Web siteSent as e-mailImpact of Successful AttackAttackers code would run in users contextMitigating FactorsWeb page and e-mail vectors require user actionsAttackers code limited by users privileges

  • MS04-025: Risk Assessment (2)Mitigating Factors (cont)HTML e-mail in the Restricted sites zone helps reduce attacks Outlook Express 6, Outlook 2002, and Outlook 2003 by defaultOutlook 98 and Outlook 2000 with Outlook E-mail Security Update (OESU) Outlook Express 5.5 with MS04-018Also, risk from HTML e-mail vector significantly if both:Latest Cumulative Security Update for IE installed (change introduced in MS03-040)Using IE 6.0 or later

  • MS04-025: UpdatesTwo updates available867801 contains only security fixes and publicly available updatesAvailable on Windows Update, Software Update Services, Download Center871260 (update rollup) contains security fixes, publicly available updates AND hotfixesAvailable only on the Download CenterTo reduce risk of problems in deployment customers should apply 867801 by default

  • MS04-026: OverviewVulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842463) Impact: Remote Code ExecutionMaximum Severity: ModerateAffected Software: Microsoft Exchange Server 5.5 SP4Affected Components:Outlook Web Access (OWA)

  • MS04-026: Understanding the VulnerabilityCross-site Scripting and Spoofing Vulnerability CAN-2004-0203A cross-site scripting and spoofing vulnerability that could cause a user to run script on the attacker's behalf or a user to view spoofed content.

  • MS04-026: Risk AssessmentPossible Attack VectorsSending a specially-crafted HTTP request to the Outlook Web Access serverImpact of Successful AttackExecute script in the users contextPut spoofed content in Web browser and intermediate proxy server caches Mitigating FactorsAn attacker must have valid logon credentials for the Outlook Web Access serverLimitations on users account apply to attackers scriptDo not save encrypted pages to disk option prevents attempts to put spoofed content into client cacheSSL-protected connections protect against intermediate proxy vectorDifficult for an attacker to predict what users would be served spoofed cached content from intermediate proxy server

  • MS04-020 Re-ReleaseRe-issued to advise on the availability of a security update for Microsoft INTERIX 2.2 Customers who are not using Microsoft INTERIX 2.2 and have previously installed the security updates provided as part of the original release of this bulletin do not need to install the new security updateCustomers using Microsoft INTERIX 2.2 should apply the new update

  • WorkaroundsHost-based workarounds:MS04-025Set Internet and Local Intranet security zone settings to HighRestrict Web sites to only trusted Web sitesStrengthen the security settings for the Local Machine zoneKnowledge Base article 833633.Read e-mail messages in plain text format MS04-026Disable Outlook Web Access for Each Exchange Site

  • Determining Systems for DeploymentMBSA: Use MBSA to determine systems that require MS04-025, MS04-026MBSA will identify systems that require MS04-025 but cannot determine systems that might require 871260 (update rollup)As of 8/10, MBSA will not raise a warning regarding greater-than-expected file versions on systems with 871260 (update rollup)SUS: The SUS Client (the Automatic Updates Client) will automatically detect systems that require MS04-025The SUS Client (the Automatic Updates Client) will identify systems that require MS04-025 but cannot determine systems that might require 871260 (update rollup)Cannot use SUS to determine systems that require MS04-026

  • Determining Systems for Deployment (2)SMS 2.0 / 2003:SMS 2003 to identify systems that need MS04-025, MS04-026SMS will identify systems that require MS04-025 but cannot determine systems that might require 871260 (update rollup)To limit the deployment of the update rollup to only those computers running post-MS04-004 hotfixesUse software inventory to detect systems based on the hotfix affected filesFor more information see Deploying Software Updates Using the SMS Software Distribution regarding SMS and MBSA:Proxy caching at ISP or Intranet may delay the availability of detection catalog mssecure.cabFile uses Cache-Control: must-revalidate most proxy servers honor thisRefer to KB 842432 to diagnose delays

  • Deploying the UpdatesSUS: Use the SUS Client (the Automatic Updates Client) to deploy MS04-025SUS can only be used to deploy 867801, it will not deploy 871260 (update rollup)SMS:Use SMS 2.0 with the SMS SUS Feature Pack or SMS 2003 to deploy MS04-025, MS04-026Can deploy 871260 (update rollup) using import feature documented in SMS documentation

  • Deploying the Updates (2)RestartsMS04-025: RequiredMS04-026: Not required but will restart these servicesMicrosoft Internet Information Services (IIS)Exchange StoreExchange System AttendantUninstallMS04-025: Can be uninstalledMS04-026: Can be uninstalled

  • Deploying the Updates (3)Notes for MS04-026:Version Requirements for Dependent Components: Microsoft Outlook Web Access (OWA) server must have one of the following:Internet Explorer 5.01 Service Pack 3 on Windows 2000 Service Pack 3Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4Internet Explorer 6 Service Pack 1 on current supported operating systems Apply update to Exchange 5.5 Servers running Outlook Web Access only.

  • Security Tools: MBSA ReminderMBSA 1.1.1 no longer supportedAs of April 20, 2004 mssecure.xml file used by versions earlier than MBSA 1.2 is no longer updatedScans performed with MBSA 1.1.1 or earlier versions will not detect the Security Bulletins released since AprilWhen using SMS, MBSA GUI and mbsacli, scan results will include an update, e.g.:

    Obtain Upgrades:SMS 2.0 SUS Feature Pack and SMS 2003 users:SMS downloads page Users:MBSA homepage

  • Security Tools: MBSA & XP SP2New version of MBSA (1.2.1) needed for Windows XP SP2 compatibility!Needed to provide compatibility and better support for Windows XP SP2 security improvements Will be available in mid-AugustUsers running MBSA 1.2 will be automatically notified when they run the tool with an Internet

  • Security Tools: MyDoom Cleaner ToolNew variant, MyDoom.O, discovered on Monday, July 26 2004Zindos.A worm, discovered on Tuesday, July 27 2004, uses backdoor opened by MyDoom.OCleaner tool was updated to clean for all known MyDoom variants and Zindos.AMore information:

  • Reminder: Deploy Defense in Depth Configuration ChangesThree configuration changes released in July to enhance resiliency of Internet Explorer 6.0 and Outlook Express 5.5 SP2Disable in Windows ActiveX Control (July 2 2004)Knowledge Base Article 870669 ( Limit functionality of Shell.application (July 13 2004)Fix is included in MS04-024Change HTML viewing in Outlook Express 5.5 SP2 (July 13 2004)Change included in MS04-018

  • Windows XP Service Pack 2Proactive protection technologies block malicious code at the point of entry

  • Application Compatibility SnapshotThe vast majority of application compatibility issues are mitigated through configuration of SP2 security optionsVery few issues require code changes

  • Windows XP SP2 TimelineAugust 6: Release to manufacturing for SP2 English and German (Remaining 25 languages RTM over 5 weeks)August 9:Release to Microsoft Download Center full network installation packageRele