Microsoft Windows MS04-036 patch is not installed

win-ms04036-patch (17661) The risk level is classified as HighHigh Risk

Description:

The patch specified in Microsoft Security Bulletin MS04-036 is not installed, which could allow a remote attacker to execute arbitrary code on the system.

Microsoft Windows is vulnerable to a buffer overflow in the Network News Transfer Protocol (NNTP) Component, caused by improper bounds checking of user-supplied input. By sending a specially-crafted message to the vulnerable system, a remote attacker could overflow the buffer and execute arbitrary code on the system.

Note: By default, the NNTP component is not installed on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003.


Consequences:

Gain Access

Remedy:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-036. See References.

References:

  • IBM Internet Security Systems X-Force Database: Microsoft Windows NNTP buffer overflow.
  • Microsoft Security Bulletin MS04-036: Vulnerability in NNTP Could Allow Code Execution (883935).
  • BID-11379: Microsoft NNTP Component Heap Overflow Vulnerability
  • CVE-2004-0574: The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an unchecked buffer

Platforms Affected:

  • Microsoft Exchange Server 2000 SP3
  • Microsoft Exchange Server 2003
  • Microsoft Windows 2000 SP3 Server
  • Microsoft Windows 2000 SP4 Server
  • Microsoft Windows 2003 Server
  • Microsoft Windows 2003 Server x64
  • Microsoft Windows NT 4.0 SP6a Server

Reported:

Oct 08, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page