http://www.zdnet.com/anchordesk/stories/story/0,10738,2875950,00.html

Robert Vamosi, Senior Associate Editor, CNET/ZDNet Reviews
Wednesday, July 31, 2002

For anyone keeping track of Microsoft security bulletins, the company issued numbers 36, 37, 38, and 39--plus an update to number 32--for 2002 last week. That's fewer than the 42 bulletins issued by this time in 2001, and the 52 issued by July 2000--which I suppose is a good thing for all of us.

The new patches affect Microsoft Exchange Server, SQL Server, Metadirectory Services, and Windows Media Player. The recent deluge--in which MS released five bulletins within 24 hours--makes me wonder whether Microsoft should schedule weekly patch announcements.

FIRST, LET'S LOOK AT one of the more serious flaws to affect Microsoft Exchange Server, the software that happens to handle most of the e-mail on the Internet. Dan Ingevaldson, R&D team leader for Internet Security Systems, discovered the extended Hello (EHLO) protocol vulnerability during a routine audit of Exchange Server 5.5. He says the flaw affects the Internet Mail Connector (IMC), a bit of software that lets an Exchange server talk to other mail servers on the Internet.

Usually, when a mail server sends a request to an Exchange server, the latter sends back a message acknowledging the request. However, due to a vulnerability in Exchange Server 5.5's IMC code, if the total length of the message exceeds a certain value, a buffer overrun (aka buffer overflow) occurs. If the buffer is overrun with random data, the Exchange server will crash. But if the buffer is overrun with carefully crafted code, a malicious user could take control of the Exchange server.

A couple of caveats: The attacker would need a fully qualified domain name that would be listed in a reverse DNS lookup and be long enough to overrun the EHLO buffer. An attacker could, for instance, set up a rogue DNS server and provide bogus domain name information with the intent of creating buffer overruns. But the attacker would also have to find a means to force IMC to use that rogue DNS server. This would not be easy, according to Microsoft.

Microsoft's Security Bulletin MS02-037 suggests disabling IMC in cases where SMTP support is not needed. You can also disable reverse DNS lookup on EHLO; this can be done using Microsoft's Q190026 instructions. The patch for Exchange Server 5.5 is available here.

ANOTHER OF Microsoft's latest security bulletins advises Windows Media Player users to download the latest cumulative update. The patch addresses vulnerabilities in Windows Media Player 6.4 and 7.1, as well as in Windows Media Player for Windows XP. The patch also includes a file accidentally omitted from the cumulative update for Windows Media Player (MS01-059) Microsoft issued last year. More information, and the cumulative patch for Windows Media Player, can be found in MS02-032.

MS also issued a cumulative patch for SQL Server 2000, Service Pack 2. Called MS02-038, it addresses a buffer overrun vulnerability affecting Database Consistency Checkers (DBCC) and a SQL injection vulnerability. This cumulative patch does not, however, contain the patch for a buffer overrun in SQL Server 2000 Resolution Service; that patch can be found in a separate bulletin, MS02-039.

THE FINAL PROBLEM addressed by this batch of security bulletins is an authentication flaw in Microsoft Metadirectory Services (MMS). According to Microsoft, only those familiar with the database of a particular MMS could exploit this flaw. For more details and the patch, see MS02-036.

Since Microsoft releases these bulletins with some regularity, often late in the week, why not designate every Wednesday as Microsoft Security Bulletin Day? That way system admins and end users alike could know when to look for patches. It would also allow them to set aside Thursdays for poring over the details, downloading the files, and incorporating the patches. We know there are going to be more patches, so why not find a way to distribute info about them in a more organized manner?
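The EHLO overrun described in the article comes from placing a name obtained by reverse DNS lookup into a fixed-size acknowledgement buffer without a length check. The following is an added example, not code from the article or from Microsoft, showing the bounded form of that step; the buffer size, the reply format, and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration; the article only says "a certain value". */
#define EHLO_REPLY_MAX 128
/* A full DNS name may be up to 255 octets (RFC 1035), more than the assumed
 * buffer holds, so a "valid" name can still be too long for the reply. */
#define DNS_NAME_MAX 255

/* Unsafe pattern behind this class of bug (comment only, never compiled):
 *     char reply[EHLO_REPLY_MAX];
 *     sprintf(reply, "250 %s Hello [%s]\r\n", server, peer_fqdn);
 * peer_fqdn is remote-influenced data: it comes from the reverse lookup. */

/* Build the EHLO acknowledgement into out[outlen].
 * Returns the reply length, or -1 if the name is not a legal DNS length or
 * the reply would not fit. Never writes past out[outlen - 1]. */
int build_ehlo_reply(char *out, size_t outlen,
                     const char *server, const char *peer_fqdn)
{
    size_t n = 0;
    int w;

    if (out == NULL || outlen == 0 || server == NULL || peer_fqdn == NULL)
        return -1;
    out[0] = '\0';
    while (n <= DNS_NAME_MAX && peer_fqdn[n] != '\0')
        n++;                               /* bounded length scan */
    if (n == 0 || n > DNS_NAME_MAX)
        return -1;
    w = snprintf(out, outlen, "250 %s Hello [%s]\r\n", server, peer_fqdn);
    if (w < 0 || (size_t)w >= outlen) {    /* would truncate: refuse */
        out[0] = '\0';
        return -1;
    }
    return w;
}

/* If the looked-up name is rejected, acknowledge without echoing it. */
int ehlo_reply_or_fallback(char *out, size_t outlen,
                           const char *server, const char *peer_fqdn)
{
    int w = build_ehlo_reply(out, outlen, server, peer_fqdn);
    if (w >= 0)
        return w;
    w = snprintf(out, outlen, "250 %s Hello\r\n", server);
    return (w < 0 || (size_t)w >= outlen) ? -1 : w;
}
```

The fallback path has the same effect on the reply as the bulletin's workaround of disabling reverse DNS lookup on EHLO: the remote-influenced name never reaches the buffer.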