[ISN] Why you need the latest round of MS security fixes

From: InfoSec News (isnat_private)
Date: Wed Jul 31 2002 - 00:06:30 PDT


Robert Vamosi,
Senior Associate Editor,
CNET/ZDNet Reviews
Wednesday, July 31, 2002

For anyone keeping track of Microsoft security bulletins, the company
issued numbers 36, 37, 38, and 39--plus an update to number 32--for
2002 last week. That's fewer than the 42 bulletins issued by this time
in 2001, and the 52 issued by July 2000--which I suppose is a good
thing for all of us. The new patches affect Microsoft Exchange Server,
SQL Server, Metadirectory Services, and Windows Media Player.

The recent deluge--in which MS released five bulletins within 24
hours--makes me wonder whether Microsoft should schedule weekly patch

FIRST, LET'S LOOK AT one of the more serious flaws to affect Microsoft
Exchange Server, the software that happens to handle most of the
e-mail on the Internet. Dan Ingevaldson, R&D team leader for Internet
Security Systems, discovered the extended Hello (EHLO) protocol
vulnerability during a routine audit of Exchange Server 5.5. He says
the flaw affects the Internet Mail Connector (IMC), a bit of software
that lets an Exchange server talk to other mail servers on the

Usually, when a mail server sends a request to an Exchange server, the
latter sends back a message acknowledging the request. However, due to
a vulnerability in Exchange Server 5.5's IMC code, if the total length
of the message exceeds a certain value, a buffer overrun (aka buffer
overflow) occurs. If the buffer is overrun with random data, the
Exchange server will crash. But if the buffer is overrun with
carefully crafted code, a malicious user could take control of the
Exchange server.

A couple of caveats: The attacker would need a fully qualified domain
name that would be listed in a reverse DNS lookup and be long enough
to overrun the EHLO buffer. An attacker could, for instance, set up a
rogue DNS server and provide bogus domain name information with the
intent of creating buffer overruns. But the attacker would also have
to find a means to force IMC to use that rogue DNS server. This would
not be easy, according to Microsoft.

Microsoft's Security Bulletin MS02-037 suggests disabling IMC in cases
where SMTP support is not needed. You can also disable reverse DNS
lookup on EHLO; this can be done using Microsoft's Q190026
instructions. The patch for Exchange Server 5.5 is available here.
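The bug class described above is a reverse-DNS name copied into a fixed-size buffer without a length check. The following is an added illustration, not code from the article or from Exchange: it builds an EHLO greeting only after validating the looked-up name against the DNS length limits and lets snprintf report, rather than cause, truncation. The buffer sizes, the local host name and the greeting format are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits for this example, not Exchange 5.5's real buffer sizes. */
#define MAX_FQDN_LEN   255   /* longest legal DNS name (RFC 1035) */
#define MAX_LABEL_LEN  63    /* longest legal DNS label (RFC 1035) */
#define REPLY_BUF_SIZE 512   /* SMTP reply line limit (RFC 2821) */

/* Return 1 if a reverse-DNS result is a well-formed hostname, else 0. The
 * overrun in the article needs a name longer than the receiving buffer, so the
 * length cap alone blocks it; the label and character rules also reject
 * malformed PTR data handed back by a rogue resolver. */
int valid_peer_fqdn(const char *name)
{
    size_t len = strlen(name), label = 0;
    if (len == 0 || len > MAX_FQDN_LEN) return 0;
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '.') {               /* label boundary: no empty label */
            if (label == 0) return 0;
            label = 0;
        } else if (!isalnum((unsigned char)name[i]) && name[i] != '-') {
            return 0;                       /* illegal hostname character */
        } else if (++label > MAX_LABEL_LEN) {
            return 0;
        }
    }
    return label > 0;                       /* no trailing dot */
}

/* Build the EHLO greeting into a fixed buffer. Returns the reply length, or -1
 * if the peer name is invalid or the line would not fit; the caller then
 * greets with the peer's IP literal instead of the looked-up name. */
int build_ehlo_reply(char *out, size_t outsz, const char *local, const char *peer)
{
    if (!valid_peer_fqdn(peer)) return -1;
    int n = snprintf(out, outsz, "250-%s Hello %s\r\n", local, peer);
    if (n < 0 || (size_t)n >= outsz) return -1; /* truncated: reported, not overrun */
    return n;
}

/* Greet a peer whose constructed reverse-DNS name is `len` chars long, with a
 * dot every 40 chars so only the total length can make it fail. */
int greet_name_of_length(size_t len)
{
    char name[1024], reply[REPLY_BUF_SIZE];
    if (len == 0 || len >= sizeof name) return -1;
    for (size_t i = 0; i < len; i++)
        name[i] = (i % 40 == 39 && i != len - 1) ? '.' : 'a';
    name[len] = '\0';
    return build_ehlo_reply(reply, sizeof reply, "mail.example.com", name);
}
```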
ANOTHER OF Microsoft's latest security bulletins advises Windows Media
Player users to download the latest cumulative update. The patch
addresses vulnerabilities in Windows Media Player 6.4 and 7.1, as well
as in Windows Media Player for Windows XP. The patch also includes a
file accidentally omitted from the cumulative update for Windows Media
Player (MS01-059) Microsoft issued last year.

More information, and the cumulative patch for Windows Media Player,
can be found in MS02-032.

MS also issued a cumulative patch for SQL Server 2000, Service Pack 2.
Called MS02-038, it addresses a buffer overrun vulnerability affecting
Database Consistency Checkers (DBCC) and a SQL injection

This cumulative patch does not, however, contain the patch for a
buffer overrun in SQL Server 2000 Resolution Service; that patch can
be found in a separate bulletin, MS02-039.

THE FINAL PROBLEM addressed by this batch of security bulletins is an
authentication flaw in Microsoft Metadirectory Services (MMS).
According to Microsoft, only those familiar with the database of a
particular MMS could exploit this flaw. For more details and the
patch, see MS02-036.

Since Microsoft releases these bulletins with some regularity, often
late in the week, why not designate every Wednesday as Microsoft
Security Bulletin Day? That way system admins and end users alike
could know when to look for patches. It would also allow them to set
aside Thursdays for poring over the details, downloading the files,
and incorporating the patches. We know there are going to be more
patches, so why not find a way to distribute info about them in a more
organized manner?