Information About Information About Microsoft’s August 2004Microsoft’s August 2004Security BulletinsSecurity Bulletins August 13, 2004August 13, 2004

Feliciano Intini, Feliciano Intini, CISSP, MCSECISSP, MCSE

Security AdvisorSecurity AdvisorPremier Security CenterPremier Security CenterMicrosoft Services - ITALYMicrosoft Services - ITALY

What we will coverWhat we will cover

Security Bulletins:Security Bulletins: MS04-025 - Windows Internet ExplorerMS04-025 - Windows Internet Explorer MS04-026 - Microsoft Exchange Server 5.5MS04-026 - Microsoft Exchange Server 5.5

Other Security Topics:Other Security Topics: Security ToolsSecurity Tools Reminder: Defense In Depth Configuration Reminder: Defense In Depth Configuration

ChangesChanges Windows XP Service Pack 2Windows XP Service Pack 2

ResourcesResources Questions & AnswersQuestions & Answers

Review of August Security Review of August Security BulletinsBulletins Overview of vulnerability for risk Overview of vulnerability for risk

assessmentassessment Workarounds you can implement while Workarounds you can implement while

deploying the security updatesdeploying the security updates How to determine what systems the How to determine what systems the

available security updates apply toavailable security updates apply to How you can deploy the security How you can deploy the security

updates to your systemsupdates to your systems

August 2004 Security BulletinsAugust 2004 Security Bulletins

MAXIMUM SEVERITY

BULLETIN NUMBER

PRODUCTS AFFECTED

IMPACT

Critical MS04-025 Microsoft Windows Remote Code Execution

Moderate MS04-026 Microsoft Exchange Remote Code Execution

MS04-025: OverviewMS04-025: Overview Cumulative Security Update for Internet Explorer (867801)Cumulative Security Update for Internet Explorer (867801) Impact: Remote Code ExecutionImpact: Remote Code Execution Maximum Severity: CriticalMaximum Severity: Critical Affected Software: Affected Software:

Windows NT 4.0, Windows 2000, Windows XP, Windows Server Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003 2003

Critical for Windows 98, Windows 98 Second Edition, Critical for Windows 98, Windows 98 Second Edition, Windows Millennium EditionWindows Millennium Edition

Affected Components: Affected Components: Internet Explorer 5.01 Service Packs 2, 3 and 4Internet Explorer 5.01 Service Packs 2, 3 and 4 Internet Explorer 5.5 Service Pack 2 Internet Explorer 5.5 Service Pack 2 Internet Explorer 6.0 Internet Explorer 6.0 Internet Explorer 6.0 Service Pack 1,Internet Explorer 6 Service Internet Explorer 6.0 Service Pack 1,Internet Explorer 6 Service

Pack 1 (64-Bit Edition)Pack 1 (64-Bit Edition) Internet Explorer 6.0 for Windows Server 2003, Internet Explorer 6 Internet Explorer 6.0 for Windows Server 2003, Internet Explorer 6

for Windows Server 2003 (64-Bit Edition)for Windows Server 2003 (64-Bit Edition)

MS04-025: Understanding the MS04-025: Understanding the VulnerabilitiesVulnerabilities Navigation Method Cross-Domain Vulnerability - Navigation Method Cross-Domain Vulnerability -

CAN-2004-0549:CAN-2004-0549: A vulnerability in how Navigation Methods are A vulnerability in how Navigation Methods are

validated that can enable code executionvalidated that can enable code execution

Malformed BMP File Buffer Overrun Malformed BMP File Buffer Overrun Vulnerability - CAN-2004-0566:Vulnerability - CAN-2004-0566: A buffer overrun vulnerability in how BMP files are A buffer overrun vulnerability in how BMP files are

rendered that can enable code executionrendered that can enable code execution

Malformed GIF File Double Free Vulnerability - Malformed GIF File Double Free Vulnerability - CAN-2003-1048:CAN-2003-1048: A double free vulnerability in how GIF files are A double free vulnerability in how GIF files are

handled that can enable a denial of service or handled that can enable a denial of service or potentially code executionpotentially code execution

MS04-025: Risk AssessmentMS04-025: Risk Assessment

Possible Attack VectorsPossible Attack Vectors Malicious HTML page Malicious HTML page

Hosted on a Web siteHosted on a Web site Sent as e-mailSent as e-mail

Impact of Successful AttackImpact of Successful Attack Attacker’s code would run in user’s contextAttacker’s code would run in user’s context

Mitigating FactorsMitigating Factors Web page and e-mail vectors require user Web page and e-mail vectors require user

actionsactions Attacker’s code limited by user’s privilegesAttacker’s code limited by user’s privileges

MS04-025: Risk Assessment MS04-025: Risk Assessment (2)(2)

Mitigating Factors (con’t)Mitigating Factors (con’t) HTML e-mail in the Restricted sites zone HTML e-mail in the Restricted sites zone

helps reduce attacks helps reduce attacks Outlook Express 6, Outlook 2002, and Outlook Outlook Express 6, Outlook 2002, and Outlook

2003 by default2003 by default Outlook 98 and Outlook 2000 with Outlook E-mail Outlook 98 and Outlook 2000 with Outlook E-mail

Security Update (OESU) Security Update (OESU) Outlook Express 5.5 with MS04-018Outlook Express 5.5 with MS04-018 Also, risk from HTML e-mail vector significantly if Also, risk from HTML e-mail vector significantly if

both:both: Latest Cumulative Security Update for IE Latest Cumulative Security Update for IE

installed (change introduced in MS03-040)installed (change introduced in MS03-040) Using IE 6.0 or laterUsing IE 6.0 or later

MS04-025: UpdatesMS04-025: Updates

Two updates availableTwo updates available 867801 contains only security fixes and publicly 867801 contains only security fixes and publicly

available updatesavailable updates Available on Windows Update, Software Update Available on Windows Update, Software Update

Services, Download CenterServices, Download Center

871260 (update rollup) contains security fixes, 871260 (update rollup) contains security fixes, publicly available updates AND hotfixespublicly available updates AND hotfixes Available only on the Download CenterAvailable only on the Download Center

To reduce risk of problems in deployment To reduce risk of problems in deployment customers should apply 867801 by defaultcustomers should apply 867801 by default

MS04-026: OverviewMS04-026: Overview

Vulnerability in Exchange Server 5.5 Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks Site Scripting and Spoofing Attacks (842463) (842463)

Impact: Remote Code ExecutionImpact: Remote Code Execution Maximum Severity: ModerateMaximum Severity: Moderate Affected Software: Affected Software:

Microsoft Exchange Server 5.5 SP4Microsoft Exchange Server 5.5 SP4

Affected Components:Affected Components: Outlook Web Access (OWA)Outlook Web Access (OWA)

MS04-026: Understanding the MS04-026: Understanding the VulnerabilityVulnerability

Cross-site Scripting and Spoofing Cross-site Scripting and Spoofing Vulnerability CAN-2004-0203Vulnerability CAN-2004-0203 A cross-site scripting and spoofing A cross-site scripting and spoofing

vulnerability that could cause a user to run vulnerability that could cause a user to run script on the attacker's behalf or a user to script on the attacker's behalf or a user to view spoofed content.view spoofed content.

MS04-026: Risk AssessmentMS04-026: Risk Assessment Possible Attack VectorsPossible Attack Vectors

Sending a specially-crafted HTTP request to the Outlook Web Sending a specially-crafted HTTP request to the Outlook Web Access serverAccess server

Impact of Successful AttackImpact of Successful Attack Execute script in the user’s contextExecute script in the user’s context Put spoofed content in Web browser and intermediate proxy Put spoofed content in Web browser and intermediate proxy

server caches server caches Mitigating FactorsMitigating Factors

An attacker must have valid logon credentials for the Outlook An attacker must have valid logon credentials for the Outlook Web Access serverWeb Access server

Limitations on user’s account apply to attacker’s scriptLimitations on user’s account apply to attacker’s script ““Do not save encrypted pages to disk” option prevents Do not save encrypted pages to disk” option prevents

attempts to put spoofed content into client cacheattempts to put spoofed content into client cache SSL-protected connections protect against intermediate proxy SSL-protected connections protect against intermediate proxy

vectorvector Difficult for an attacker to predict what users would be served Difficult for an attacker to predict what users would be served

spoofed cached content from intermediate proxy serverspoofed cached content from intermediate proxy server

MS04-020 Re-ReleaseMS04-020 Re-Release

Re-issued to advise on the availability of a Re-issued to advise on the availability of a security update for Microsoft INTERIX 2.2 security update for Microsoft INTERIX 2.2

Customers who are not using Microsoft Customers who are not using Microsoft INTERIX 2.2 and have previously installed the INTERIX 2.2 and have previously installed the security updates provided as part of the original security updates provided as part of the original release of this bulletin do not need to install the release of this bulletin do not need to install the new security updatenew security update

Customers using Microsoft INTERIX 2.2 should Customers using Microsoft INTERIX 2.2 should apply the new updateapply the new update

WorkaroundsWorkarounds

Host-based workarounds:Host-based workarounds: MS04-025MS04-025

Set Internet and Local Intranet security zone Set Internet and Local Intranet security zone settings to “High”settings to “High”

Restrict Web sites to only trusted Web sitesRestrict Web sites to only trusted Web sites Strengthen the security settings for the Local Strengthen the security settings for the Local

Machine zoneMachine zone Knowledge Base article 833633.Knowledge Base article 833633.

Read e-mail messages in plain text format Read e-mail messages in plain text format

MS04-026MS04-026 Disable Outlook Web Access for Each Exchange Disable Outlook Web Access for Each Exchange

SiteSite

Determining Systems for Determining Systems for DeploymentDeployment MBSA: MBSA:

Use MBSA to determine systems that require MS04-025, MS04-Use MBSA to determine systems that require MS04-025, MS04-026026 MBSA will identify systems that require MS04-025 but cannot MBSA will identify systems that require MS04-025 but cannot

determine systems that might require 871260 (update rollup)determine systems that might require 871260 (update rollup) As of 8/10, MBSA will not raise a warning regarding greater-than-As of 8/10, MBSA will not raise a warning regarding greater-than-

expected file versions on systems with 871260 (update rollup)expected file versions on systems with 871260 (update rollup)

SUS: SUS: The SUS Client (the Automatic Updates Client) will The SUS Client (the Automatic Updates Client) will

automatically detect systems that require MS04-025automatically detect systems that require MS04-025 The SUS Client (the Automatic Updates Client) will identify The SUS Client (the Automatic Updates Client) will identify

systems that require MS04-025 but cannot determine systems that systems that require MS04-025 but cannot determine systems that might require 871260 (update rollup)might require 871260 (update rollup)

Cannot use SUS to determine systems that require MS04-026Cannot use SUS to determine systems that require MS04-026

Determining Systems for Determining Systems for Deployment Deployment (2)(2)

SMS 2.0 / 2003:SMS 2.0 / 2003: SMS 2003 to identify systems that need MS04-025, MS04-026SMS 2003 to identify systems that need MS04-025, MS04-026

SMS will identify systems that require MS04-025 but cannot SMS will identify systems that require MS04-025 but cannot determine systems that might require 871260 (update rollup)determine systems that might require 871260 (update rollup)

To limit the deployment of the update rollup to only those To limit the deployment of the update rollup to only those computers running post-MS04-004 hotfixescomputers running post-MS04-004 hotfixes Use software inventory to detect systems based on the hotfix Use software inventory to detect systems based on the hotfix

affected filesaffected files For more information see Deploying Software Updates Using For more information see Deploying Software Updates Using

the SMS Software Distribution Feature:the SMS Software Distribution Feature: www.microsoft.com/technet/prodtechnol/sms/sms2003/www.microsoft.com/technet/prodtechnol/sms/sms2003/

patchupdate.mspxpatchupdate.mspx Note regarding SMS and MBSA:Note regarding SMS and MBSA:

Proxy caching at ISP or Intranet may delay the availability of Proxy caching at ISP or Intranet may delay the availability of detection catalog mssecure.cabdetection catalog mssecure.cab File uses “Cache-Control: must-revalidate” most proxy servers File uses “Cache-Control: must-revalidate” most proxy servers

honor thishonor this Refer to KB 842432 to diagnose delaysRefer to KB 842432 to diagnose delays

Deploying the UpdatesDeploying the Updates

SUS: SUS: Use the SUS Client (the Automatic Updates Use the SUS Client (the Automatic Updates

Client) to deploy MS04-025Client) to deploy MS04-025 SUS can only be used to deploy 867801, it will not SUS can only be used to deploy 867801, it will not

deploy 871260 (update rollup)deploy 871260 (update rollup)

SMS:SMS: Use SMS 2.0 with the SMS SUS Feature Pack Use SMS 2.0 with the SMS SUS Feature Pack

or SMS 2003 to deploy MS04-025, MS04-026or SMS 2003 to deploy MS04-025, MS04-026 Can deploy 871260 (update rollup) using “import” Can deploy 871260 (update rollup) using “import”

feature documented in SMS documentationfeature documented in SMS documentation

Deploying the Updates Deploying the Updates (2)(2)

RestartsRestarts MS04-025: RequiredMS04-025: Required MS04-026: Not required but will restart these MS04-026: Not required but will restart these

servicesservices Microsoft Internet Information Services (IIS)Microsoft Internet Information Services (IIS) Exchange StoreExchange Store Exchange System AttendantExchange System Attendant

UninstallUninstall MS04-025: Can be uninstalledMS04-025: Can be uninstalled MS04-026: Can be uninstalledMS04-026: Can be uninstalled

Deploying the Updates Deploying the Updates (3)(3)

Notes for MS04-026:Notes for MS04-026: Version Requirements for Dependent Version Requirements for Dependent

Components: Microsoft Outlook Web Access Components: Microsoft Outlook Web Access (OWA) server must have one of the following:(OWA) server must have one of the following: Internet Explorer 5.01 Service Pack 3 on Windows Internet Explorer 5.01 Service Pack 3 on Windows

2000 Service Pack 32000 Service Pack 3 Internet Explorer 5.01 Service Pack 4 on Windows Internet Explorer 5.01 Service Pack 4 on Windows

2000 Service Pack 42000 Service Pack 4 Internet Explorer 6 Service Pack 1 on current Internet Explorer 6 Service Pack 1 on current

supported operating systems supported operating systems

Apply update to Exchange 5.5 Servers Apply update to Exchange 5.5 Servers running Outlook Web Access only.running Outlook Web Access only.

Security Tools: MBSA ReminderSecurity Tools: MBSA Reminder MBSA 1.1.1 no longer supportedMBSA 1.1.1 no longer supported As of April 20, 2004 mssecure.xml file used by versions As of April 20, 2004 mssecure.xml file used by versions

earlier than MBSA 1.2 is no longer updatedearlier than MBSA 1.2 is no longer updated Scans performed with MBSA 1.1.1 or earlier versions Scans performed with MBSA 1.1.1 or earlier versions

will not detect the Security Bulletins released since will not detect the Security Bulletins released since AprilApril

When using SMS, MBSA GUI and mbsacli, scan results When using SMS, MBSA GUI and mbsacli, scan results will include an ‘update’, e.g.:will include an ‘update’, e.g.:

Obtain Upgrades:Obtain Upgrades: SMS 2.0 SUS Feature Pack and SMS 2003 users:SMS 2.0 SUS Feature Pack and SMS 2003 users:

SMS downloads page www.microsoft.com/smserver/downloadsSMS downloads page www.microsoft.com/smserver/downloads MBSA Users:MBSA Users:

MBSA homepage www.microsoft.com/mbsa MBSA homepage www.microsoft.com/mbsa

Security Tools: MBSA & XP SP2Security Tools: MBSA & XP SP2

New version of MBSA (1.2.1) needed New version of MBSA (1.2.1) needed for Windows XP SP2 compatibility!for Windows XP SP2 compatibility! Needed to provide compatibility and better Needed to provide compatibility and better

support for Windows XP SP2 security support for Windows XP SP2 security improvements  improvements 

Will be available in mid-AugustWill be available in mid-August Users running MBSA 1.2 will be Users running MBSA 1.2 will be

automatically notified when they run the automatically notified when they run the tool with an Internet connectiontool with an Internet connection

www.microsoft.com/mbsa www.microsoft.com/mbsa

New variant, MyDoom.O, discovered on New variant, MyDoom.O, discovered on Monday, July 26 2004Monday, July 26 2004

Zindos.A worm, discovered on Tuesday, Zindos.A worm, discovered on Tuesday, July 27 2004, uses backdoor opened by July 27 2004, uses backdoor opened by MyDoom.OMyDoom.O

Cleaner tool was updated to clean for all Cleaner tool was updated to clean for all known MyDoom variants and Zindos.Aknown MyDoom variants and Zindos.A

More information: More information: www.microsoft.com/security/incident/mydoom.mspxwww.microsoft.com/security/incident/mydoom.mspx

Security Tools: MyDoom Security Tools: MyDoom Cleaner ToolCleaner Tool

Three configuration changes released in Three configuration changes released in July to enhance resiliency of Internet July to enhance resiliency of Internet

Explorer 6.0 and Outlook Express 5.5 SP2Explorer 6.0 and Outlook Express 5.5 SP2

Disable ADODB.stream in Windows ActiveX Control Disable ADODB.stream in Windows ActiveX Control (July (July 2 2004)2 2004) Knowledge Base Article 870669 Knowledge Base Article 870669

(http://support.microsoft.com/default.aspx?kbid=870669)(http://support.microsoft.com/default.aspx?kbid=870669) Limit functionality of Shell.application Limit functionality of Shell.application (July 13 2004)(July 13 2004)

Fix is included in MS04-024Fix is included in MS04-024 Change HTML viewing in Outlook Express 5.5 SP2 Change HTML viewing in Outlook Express 5.5 SP2 (July (July

13 2004)13 2004) Change included in MS04-018Change included in MS04-018

Reminder: Deploy Defense in Reminder: Deploy Defense in Depth Configuration ChangesDepth Configuration Changes

Proactive protection technologies block Proactive protection technologies block malicious code at the “point of entry”malicious code at the “point of entry”

Enhance Enhance SecuritySecurity

Increase Increase ManageabilityManageability

Improve Improve ExperienceExperience

NetworkNetwork

Email & IMEmail & IM

Web BrowsingWeb Browsing

MemoryMemory

Att

ack V

ecto

rsA

ttack V

ecto

rsWindows XP Service Pack 2Windows XP Service Pack 2

Functional AreaFunctional Area Compatibility StatusCompatibility Status

Attachment HandlerAttachment HandlerUser experience modifiedUser experience modified

NX & /GSNX & /GS

Windows FirewallWindows Firewall

Few apps Few apps proper configuration required proper configuration requiredDCOM & RPCDCOM & RPC

Other componentsOther components

Internet ExplorerInternet Explorer Some apps Some apps proper configuration required proper configuration required

The vast majority of application compatibility issues are The vast majority of application compatibility issues are mitigated through configuration of SP2 security optionsmitigated through configuration of SP2 security options

Very few issues require code changesVery few issues require code changes

Application Compatibility SnapshotApplication Compatibility Snapshot

August 6: August 6: Release to manufacturing for SP2 English and German Release to manufacturing for SP2 English and German

(Remaining 25 languages RTM over 5 weeks)(Remaining 25 languages RTM over 5 weeks) August 9:August 9:

Release to Microsoft Download Center – full network Release to Microsoft Download Center – full network installation packageinstallation package

Release to MSDN – CD ISO imageRelease to MSDN – CD ISO image August 10: August 10:

Release to Automatic Updates - for machines running pre-Release to Automatic Updates - for machines running pre-release versions of Windows XP SP2 onlyrelease versions of Windows XP SP2 only

August 16:August 16: Release to Automatic Updates - for machines Release to Automatic Updates - for machines notnot running pre- running pre-

releases versions of Windows XP SP2releases versions of Windows XP SP2 Release to SUSRelease to SUS

August TBD: August TBD: Release to Windows Update for interactive user installationsRelease to Windows Update for interactive user installations

Windows XP SP2 – TimelineWindows XP SP2 – Timeline

SP2 Delivery via Automatic UpdateSP2 Delivery via Automatic Update

SP2 is categorized as a critical updateSP2 is categorized as a critical update Unlike previous critical updates, SP2 requires Unlike previous critical updates, SP2 requires

interactive installationinteractive installation Some customer have requested a mechanism to Some customer have requested a mechanism to

temporarily block SP2 delivery via AUtemporarily block SP2 delivery via AU Allow all other critical security updates via AUAllow all other critical security updates via AU

Registry based solution temporarily prevents Registry based solution temporarily prevents Automatic Update and Windows Update from Automatic Update and Windows Update from downloading SP2 - and only SP2downloading SP2 - and only SP2 AU and WU search for existence of new registry AU and WU search for existence of new registry

settingsetting Other downloads unaffectedOther downloads unaffected Registry setting is the only change required on local Registry setting is the only change required on local

machinemachine

Automatic Update Blocking Automatic Update Blocking MechanismMechanism Tools for implementing solutionTools for implementing solution

ADM file to control registry setting via Active Directory Group ADM file to control registry setting via Active Directory Group PolicyPolicy

Microsoft signed executable that will set the registry setting on Microsoft signed executable that will set the registry setting on local machinelocal machine

Script file to execute the tool remotelyScript file to execute the tool remotely E-mail message point users to a script file hosted on E-mail message point users to a script file hosted on

Microsoft.comMicrosoft.com All of these tools allow for disabling the registry settingAll of these tools allow for disabling the registry setting This solution expires after 120 daysThis solution expires after 120 days

AU and WU will ignore registry key after December 14, 2004AU and WU will ignore registry key after December 14, 2004 Scripts and documentation posted on TechNetScripts and documentation posted on TechNet

www.microsoft.com/technet/winxpsp2 www.microsoft.com/technet/winxpsp2 Best solution is Software Update ServicesBest solution is Software Update Services

www.microsoft.com/sus www.microsoft.com/sus

Windows XP SP2 SummaryWindows XP SP2 Summary

More secureMore secure ““Shields-up” approachShields-up” approach Reduced attack surface areaReduced attack surface area

Improved manageability of security settingsImproved manageability of security settings More granular controlMore granular control Improved support for Active Directory Group PolicyImproved support for Active Directory Group Policy Reduced urgency for patching vulnerabilitiesReduced urgency for patching vulnerabilities

Better user experienceBetter user experience More and better security informationMore and better security information Applications function while remaining secure Applications function while remaining secure

A major step forward on a long journey

http://www.microsoft.com/technet/winxpsp2

ResourcesResources September Security Bulletins Webcast: il nostro September Security Bulletins Webcast: il nostro

prossimo appuntamento è prossimo appuntamento è venerdì 17 settembre – 10:30venerdì 17 settembre – 10:30http://www.microsoft.com/italy/securityhttp://www.microsoft.com/italy/security

Security Bulletins Search Security Bulletins Search www.microsoft.com/www.microsoft.com/technet/security/current.aspxtechnet/security/current.aspx

Windows XP Service Pack 2 Windows XP Service Pack 2 www.microsoft.com/technet/winxpsp2www.microsoft.com/technet/winxpsp2

Information on MyDoom and its variants Information on MyDoom and its variants www.microsoft.com/security/incident/www.microsoft.com/security/incident/mydoom.mspxmydoom.mspx

Security Newsletter Security Newsletter www.microsoft.com/www.microsoft.com/technet/security/secnews/default.mspxtechnet/security/secnews/default.mspx

Security Guidance Center Security Guidance Center www.microsoft.com/italy/security/guidancewww.microsoft.com/italy/security/guidance