Microsoft Windows MS04-011 patch is not installed
Check ID: win-ms04011-patch (15818)
Description:
The patch specified in Microsoft Security Bulletin MS04-011 is not installed, which could allow a remote attacker to exploit the following fourteen vulnerabilities:
- Microsoft Windows 2000, XP, Windows Server 2003, and Windows XP 64-Bit Edition 2003 are vulnerable to a buffer overflow in the Local Security Authority Subsystem Service (LSASS), caused by improper bounds checking. LSASS is a management interface for local security, domain authentication, and Active Directory processes. By sending a specially-crafted message to the affected system, a remote attacker could overflow a buffer and execute arbitrary code on the system. Note: Only a local administrator could exploit this vulnerability on Microsoft Windows Server 2003 and Windows XP 64-Bit Edition 2003.
- Microsoft Windows 2000 Servers serving as Domain Controllers are vulnerable to a denial of service attack. LSASS is a management interface for local security, domain authentication, and Active Directory processes. By sending a specially-crafted LDAP (Lightweight Directory Access Protocol) message to the affected domain controller, a remote attacker could cause the system to restart and the LSASS service to stop responding to authentication requests.
- Multiple vendor applications are vulnerable to a buffer overflow in the Private Communications Transport (PCT) protocol of the Secure Sockets Layer (SSL) library. PCT is a legacy protocol and is no longer commonly used. If SSL is enabled, a remote attacker could send a specially-crafted TCP message to the vulnerable system to overflow a buffer and execute arbitrary code on the system. Note: Microsoft Windows Server 2003 and Internet Information Services 6.0 are only affected by this issue if PCT is also enabled.
- Microsoft Windows NT 4.0, Windows 2000, and Windows XP, when members of an Active Directory domain, are vulnerable to a buffer overflow in the Windows logon process (winlogon), caused by improper bounds checking of data from Active Directory. A remote attacker with permissions to modify user objects within Active Directory could embed malicious data into an Active Directory attribute, which would overflow a buffer and execute arbitrary code on the system once winlogon is passed the malicious attribute.
- Microsoft Windows XP is vulnerable to a heap-based buffer overflow in the shimgvw.dll file in the Windows shell (Explorer.exe). shimgvw.dll allows users to preview images. By creating a malicious .emf (Enhanced Metafile) or .wmf (Windows Metafile) file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the Windows shell to crash, once the file is viewed as a thumbnail in Explorer or the picture preview window for the file is opened. An attacker could exploit this vulnerability by creating a malicious Web page or by sending the URL to a victim in a malicious email.
- Microsoft Windows XP and Windows Server 2003 could allow a remote attacker to execute arbitrary code on the system, caused by improper validation of Help Center and Support (HCP) URLs. By creating a specially-crafted hcp:// URL, a remote attacker could execute arbitrary code on the victim's computer, with privileges of the victim, once the URL is clicked. An attacker could exploit this vulnerability by creating a malicious Web page and hosting it on a Web site or by sending it to a victim as an HTML email.
- Microsoft Windows 2000 Utility Manager could allow a local attacker to gain elevated privileges on the system. By default, Utility Manager is installed on the system but is not running. A local attacker could start Utility Manager and run a specially-crafted program that exploits a vulnerability in Utility Manager to execute arbitrary code with SYSTEM-level privileges.
- Microsoft Windows XP could allow a local attacker to gain elevated privileges on the system. Under specific conditions, a local attacker could create a task that would execute with system privileges.
- Microsoft Windows NT 4.0 and 2000 could allow a local attacker to gain elevated privileges on the system, caused by a vulnerability in the Local Descriptor Table (LDT) programming interface. A local attacker could create a malicious entry in the LDT and gain elevated privileges including administrator privileges.
- Microsoft Windows 2000, Windows XP, and Windows 2003 are vulnerable to a buffer overflow in Microsoft's H.323 implementation. A remote attacker could send a specially-crafted request to the target system to cause the overflow and execute arbitrary code on the system. Note: A number of Microsoft Windows operating system components and applications are exposed to this issue. Vulnerable services and applications include Telephony Application Programming Interface (TAPI)-based applications, NetMeeting, Internet Connection Firewall (ICF), Internet Connection Sharing (ICS), and Microsoft Routing and Remote Access Service (RRAS).
- Microsoft Windows NT 4.0 and Windows 2000 could allow a local attacker to gain elevated privileges, caused by a vulnerability in the Virtual DOS Machine (VDM) subsystem component. The VDM subsystem emulates MS-DOS and DOS-based Windows on Windows NT platforms. An authenticated local attacker could create an application that accesses protected kernel memory and executes arbitrary code with elevated privileges, including administrative privileges.
- Microsoft Windows 2000, Windows XP, and Windows 2003 are vulnerable to a buffer overflow in the Negotiate Security Software Provider (SSP). The Negotiate SSP Interface is the component that negotiates the authentication method used when a client connects to a server. A remote attacker could send a specially-crafted network message to the victim's system to overflow a buffer and cause a denial of service or possibly execute arbitrary code on the system.
- Multiple vendor applications are vulnerable to a denial of service attack. The Secure Sockets Layer (SSL) library fails to properly check user-supplied input in SSL messages. If SSL is enabled, a remote attacker could send a specially-crafted SSL message to the vulnerable system to cause a denial of service. Note: On Microsoft Windows 2000 and Windows XP, an attacker could cause the system to stop accepting SSL connections. On Microsoft Windows Server 2003, an attacker could cause the affected system to restart automatically.
- Microsoft Windows could allow a remote attacker to execute code on the system, caused by a double-free condition in the Abstract Syntax Notation 1 (ASN.1) Library. ASN.1 is the language used to standardize data across multiple platforms. By sending a specially-crafted authentication request, a remote attacker could cause the vulnerable system to free memory that has already been freed, which could result in memory corruption. An attacker could exploit this vulnerability to execute arbitrary code with system privileges or cause a denial of service.
Platforms Affected:
- Microsoft, NetMeeting
- Microsoft, Windows 2000 SP2
- Microsoft, Windows 2000 SP3
- Microsoft, Windows 2000 SP4
- Microsoft, Windows 2003 Server
- Microsoft, Windows 2003 Server x64
- Microsoft, Windows 98
- Microsoft, Windows 98SE
- Microsoft, Windows Me
- Microsoft, Windows NT 4.0 SP6a Workstation
- Microsoft, Windows NT 4.0 SP6a Server
- Microsoft, Windows XP 2003 64-bit
- Microsoft, Windows XP SP1
- Microsoft, Windows XP SP1 64-bit
- Microsoft, Windows XP
Remedy:
Apply the appropriate patch for your system, as listed in the Microsoft Security Bulletin MS04-011. See References.
Consequences:
Gain Access
References:
- CIAC Information Bulletin O-114, Microsoft Security Update for Microsoft Windows [REVISED 25 Jun 2004] at http://www.ciac.org/ciac/bulletins/o-114.shtml.
- CIAC Information Bulletin O-114, Microsoft Security Update for Microsoft Windows at http://www.ciac.org/ciac/bulletins/o-114.shtml.
- IBM Internet Security Systems X-Force Database, Microsoft Windows LSASS buffer overflow at http://xforce.iss.net/xforce/xfdb/15699.
- IBM Internet Security Systems X-Force Database, Microsoft Windows Negotiate Security Software Provider buffer overflow at http://xforce.iss.net/xforce/xfdb/15715.
- IBM Internet Security Systems X-Force Database, Secure Sockets Layer PCT1 buffer overflow at http://xforce.iss.net/xforce/xfdb/12380.
- IBM Internet Security Systems X-Force Database, Microsoft Windows ASN.1 Library buffer overflow at http://xforce.iss.net/xforce/xfdb/15039.
- IBM Internet Security Systems X-Force Database, Microsoft Windows XP Windows shell shimgvw.dll buffer overflow at http://xforce.iss.net/xforce/xfdb/15284.
- IBM Internet Security Systems X-Force Database, LDAP large filter field has been detected at http://xforce.iss.net/xforce/xfdb/15483.
- IBM Internet Security Systems X-Force Database, Microsoft Windows 2000 Utility Manager allows privilege escalation at http://xforce.iss.net/xforce/xfdb/15632.
- IBM Internet Security Systems X-Force Database, Microsoft Windows XP task creation allows privilege escalation at http://xforce.iss.net/xforce/xfdb/15678.
- IBM Internet Security Systems X-Force Database, email attachment file extension potential buffer overflow has been detected at http://xforce.iss.net/xforce/xfdb/16685.
- IBM Internet Security Systems X-Force Database, Microsoft Windows 2000 Domain Controller LSASS LDAP message denial of service at http://xforce.iss.net/xforce/xfdb/15700.
- IBM Internet Security Systems X-Force Database, Microsoft Windows winlogon buffer overflow at http://xforce.iss.net/xforce/xfdb/15702.
- IBM Internet Security Systems X-Force Database, Microsoft Windows XP and Windows Server 2003 HCP URL code execution at http://xforce.iss.net/xforce/xfdb/15704.
- IBM Internet Security Systems X-Force Database, Microsoft Windows Local Descriptor Table allows privilege escalation at http://xforce.iss.net/xforce/xfdb/15707.
- IBM Internet Security Systems X-Force Database, Microsoft Windows H.323 buffer overflow at http://xforce.iss.net/xforce/xfdb/15710.
- IBM Internet Security Systems X-Force Database, Secure Sockets Layer message denial of service at http://xforce.iss.net/xforce/xfdb/15712.
- IBM Internet Security Systems X-Force Database, Microsoft Windows ASN.1 double-free at http://xforce.iss.net/xforce/xfdb/15713.
- IBM Internet Security Systems X-Force Database, Microsoft Windows Virtual DOS Machine allows elevated privileges at http://xforce.iss.net/xforce/xfdb/15714.
- Internet Security Systems Security Alert, April 13, 2004, Multiple Vulnerabilities in Microsoft Products at http://xforce.iss.net/xforce/alerts/id/169.
- Microsoft Security Bulletin MS04-011, Security Update for Microsoft Windows (835732) at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.
- CVE-2003-0533: Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
- CVE-2003-0663: Unknown vulnerability in the Local Security Authority Subsystem Service (LSASS) in Windows 2000 domain controllers allows remote attackers to cause a denial of service via a crafted LDAP message.
- CVE-2003-0719: Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.
- CVE-2003-0806: Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code.
- CVE-2003-0818: Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
- CVE-2003-0906: Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image.
- CVE-2003-0907: Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe.
- CVE-2003-0908: The Utility Manager in Microsoft Windows 2000 executes winhlp32.exe with system privileges, which allows local users to execute arbitrary code via a Shatter style attack using a Windows message that accesses the context sensitive help button in the GUI, as demonstrated using the File Open dialog in the Help window, a different vulnerability than CVE-2004-0213.
- CVE-2003-0909: Windows XP allows local users to execute arbitrary programs by creating a task at an elevated privilege level through the eventtriggers.exe command-line tool or the Task Scheduler service, aka Windows Management Vulnerability.
- CVE-2003-0910: The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor that points to protected memory.
- CVE-2004-0117: Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.
- CVE-2004-0118: The component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code.
- CVE-2004-0119: The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection.
- CVE-2004-0120: The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.
- CVE-2004-0123: Double free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.
Reported:
Apr 09, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
