Full Version: Microsoft Updates-for those that have auto update disabled
msh11
Title: Buffer Overrun In RPC Interface Could Allow Code
Execution (823980)

Date: 16 July 2003
Software: Microsoft® Windows® NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-026

Microsoft encourages customers to review the Security Bulletins
at:
http://www.microsoft.com/technet/security/...in/MS03-026.asp
http://www.microsoft.com/security/security...ns/MS03-026.asp
- ---------------------------------------------------------------

Issue:
======

Remote Procedure Call (RPC) is a protocol used by the Windows
operating system. RPC provides an inter-process communication
mechanism that allows a program running on one computer to
seamlessly execute code on a remote system. The protocol itself
is derived from the OSF (Open Software Foundation) RPC protocol,
but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with
message exchange over TCP/IP. The failure results because of
incorrect handling of malformed messages. This particular
vulnerability affects a Distributed Component Object Model (DCOM)
interface with RPC, which listens on TCP/IP port 135. This
interface handles DCOM object activation requests sent by client
machines (such as Universal Naming Convention (UNC) paths) to the
server.

To exploit this vulnerability, an attacker would need to send a
specially formed request to the remote computer on port 135.


Mitigating factors:
====================

- To exploit this vulnerability, the attacker would require the
ability to send a specially crafted request to port 135 on the
remote machine. For intranet environments, this port would
normally be accessible, but for Internet connected machines, the
port 135 would normally be blocked by a firewall. In the case
where this port is not blocked, or in an intranet configuration,
the attacker would not require any additional privileges.

- Best practices recommend blocking all TCP/IP ports that are
not actually being used. For this reason, most machines attached
to the Internet should have port 135 blocked. RPC over TCP is not
intended to be used in hostile environments such as the internet.
More robust protocols such as RPC over HTTP are provided for
hostile environments.

Risk Rating:
============
Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read
the Security Bulletins at

http://www.microsoft.com/technet/security/...in/ms03-026.asp
http://www.microsoft.com/security/security...ns/ms03-026.asp

for information on obtaining this patch.




- ---------------------------------------------------------------
Title: Unchecked Buffer in Windows Shell Could Enable System
Compromise (821557)
Date: 16 July 2003
Software: Microsoft® Windows® XP
Impact: Run code of attacker's choice
Max Risk: Important
Bulletin: MS03-027

Microsoft encourages customers to review the Security Bulletins
at:
http://www.microsoft.com/technet/security/...in/MS03-027.asp
http://www.microsoft.com/security/security...ns/MS03-027.asp
- ---------------------------------------------------------------

Issue:
======

The Windows shell is responsible for providing the basic
framework of the Windows user interface experience. It is most
familiar to users as the Windows desktop. It also provides a
variety of other functions to help define the user's computing
session, including organizing files and folders, and providing
the means to start programs.

An unchecked buffer exists in one of the functions used by the
Windows shell to extract custom attribute information from
certain folders. A security vulnerability results because it is
possible for a malicious user to construct an attack that could
exploit this flaw and execute code on the user's system.

An attacker could seek to exploit this vulnerability by creating
a Desktop.ini file that contains a corrupt custom attribute, and
then host it on a network share. If a user were to browse the
shared folder where the file was stored, the vulnerability could
then be exploited. A successful attack could have the effect of
either causing the Windows shell to fail, or causing an
attacker's code to run on the user's computer in the security
context of the user.

Mitigating factors:
====================

- In the case where an attacker's code was executed, the code
would run in the security context of the user. As a result, any
limitations on the user's ability would also restrict the actions
that an attacker's code could take.

- An attacker could only seek to exploit this vulnerability by
hosting a malicious file on a share.

- This vulnerability only affects Windows XP Service Pack 1.
Users running Windows XP Gold are not affected.

Risk Rating:
============
Important

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read
the Security Bulletins at

http://www.microsoft.com/technet/security/...in/ms03-027.asp
http://www.microsoft.com/security/security...ns/ms03-027.asp

for information on obtaining this patch.




- ---------------------------------------------------------------
Title: Flaw in ISA Server Error Pages Could Allow Cross-Site
Scripting Attack (816456)
Date: 16 July 2003
Software: Microsoft® ISA Server
Max Risk: Important
Bulletin: MS03-028

Microsoft encourages customers to review the Security Bulletins
at:
http://www.microsoft.com/technet/security/...in/MS03-028.asp
http://www.microsoft.com/security/security...ns/ms03-028.asp
- ---------------------------------------------------------------

Issue:
======

ISA Server contains a number of HTML-based error pages that allow
the server to respond to a client requesting a Web resource with
a customized error. A cross-site scripting vulnerability exists
in many of these error pages that are returned by ISA Server
under specific error conditions.

To exploit this flaw, an attacker would have to first be aware of
a specific ISA server and its access policies or host an ISA
server of their own and create specific access policies designed
to exploit this vulnerability. The attacker could then craft a
request to trigger a page refusal. Once the attack was crafted,
the attacker would have to host a Web site containing the link,
or send the link to the user in the form of an HTML e-mail. After
the user previewed or opened the e-mail, the malicious site could
be visited automatically without further user interaction. In the
Web-based attack scenario, an attacker would have no way to force
a user to visit the Web site.

Mitigating factors:
====================

- The vulnerability could only be exploited if the attacker
could entice another user into visiting a Web page and clicking a
link on it, or opening an HTML-based e-mail.

- The request must be one that would cause the ISA server to
respond with one of several affected error pages.

- The vulnerability would not normally enable an attacker to
gain any privileges on an affected ISA Server computer, breach
the firewall, or compromise any cached content, unless the user
is operating on the ISA server itself and is using the Web Proxy
service to access the Internet.

Risk Rating:
============
Important

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read
the Security Bulletins at

http://www.microsoft.com/technet/security/...in/ms03-028.asp
http://www.microsoft.com/security/security...ns/ms03-028.asp

for information on obtaining this patch.
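A defender's check for the MS03-026 mitigating factor above (135/tcp reachable only from the intranet), added here as an example; it is not part of the post or of the Microsoft bulletin. It assumes pfirewall.log-style column order and RFC 1918 ranges as "intranet"; the log lines are constructed.

```python
"""Flag TCP 135 (RPC endpoint mapper / DCOM) traffic from outside the intranet.
Added example, not from the forum post or the Microsoft bulletin. Log lines use the
W3C-style layout of the Windows Firewall pfirewall.log (column order assumed here;
adjust for other firewalls). The sample lines are constructed."""
import ipaddress
from typing import Dict, List

RPC_PORT = "135"
# MS03-026 mitigation: 135/tcp should be reachable only from the intranet.
# RFC 1918 ranges stand in for "intranet" (assumption; use your own ranges).
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2003-07-16 09:12:01 ALLOW TCP 192.168.1.20 192.168.1.10 1034 135 48 S
2003-07-16 09:12:05 DROP TCP 203.0.113.7 192.168.1.10 4021 135 48 S
2003-07-16 09:12:09 ALLOW TCP 198.51.100.9 192.168.1.10 4022 135 48 S
2003-07-16 09:12:12 ALLOW TCP 198.51.100.9 192.168.1.10 4023 80 48 S
"""

FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port", "dst_port")

def is_intranet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTRANET)

def parse_line(line: str) -> Dict[str, str]:
    """Map one record to named fields; comments, blank and short lines give {}."""
    parts = line.split()
    if not parts or line.startswith("#") or len(parts) < len(FIELDS):
        return {}
    return dict(zip(FIELDS, parts))

def find_external_rpc(log_text: str) -> List[Dict[str, str]]:
    """Records where a non-intranet source reached TCP 135.
    ALLOW means the port is actually exposed to the Internet; DROP records
    are blocked probes, still worth counting as reconnaissance."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["protocol"] != "TCP" or rec["dst_port"] != RPC_PORT:
            continue
        if is_intranet(rec["src_ip"]):
            continue
        rec["severity"] = "EXPOSED" if rec["action"] == "ALLOW" else "probe"
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_external_rpc(SAMPLE_LOG):
        print(f'{h["severity"]:8} {h["src_ip"]:>15} -> {h["dst_ip"]}:{h["dst_port"]} {h["action"]}')
```

An EXPOSED hit means the firewall is not applying the bulletin's recommended block; a run of probe hits from one source is the pattern to watch while the patch is rolled out.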
msh11
- ----------------------------------------------------------------------
Title: Unchecked Buffer in DirectX Could Enable System
Compromise (819696)
Date: July 23, 2003
Software: Microsoft DirectX® 5.2 on Windows 98
Microsoft DirectX 6.1 on Windows 98 SE
Microsoft DirectX 7.0a on Windows Millennium Edition
Microsoft DirectX 7.0 on Windows 2000
Microsoft DirectX 8.1 on Windows XP
Microsoft DirectX 8.1 on Windows Server 2003
Microsoft DirectX 9.0a when installed on Windows 98
Microsoft DirectX 9.0a when installed on Windows 98 SE
Microsoft DirectX 9.0a when installed on Windows
Millennium Edition
Microsoft DirectX 9.0a when installed on Windows 2000
Microsoft DirectX 9.0a when installed on Windows XP
Microsoft DirectX® 9.0a when installed on Windows
Server 2003
Microsoft Windows NT 4.0 Server with either Windows
Media Player 6.4 or Internet Explorer 6 Service Pack 1
installed.
Microsoft Windows NT 4.0, Terminal Server Edition with
either Windows Media Player 6.4 or Internet Explorer 6
Service Pack 1 installed.

Impact: Allow an attacker to execute code on a user's system
Max Risk: Critical
Bulletin: MS03-030

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/...in/MS03-030.asp
http://www.microsoft.com/security/security...ns/ms03-030.asp
- ----------------------------------------------------------------------

Issue:
======
DirectX consists of a set of low-level Application Programming
Interfaces (APIs) that are used by Windows programs for multimedia
support. Within DirectX, the DirectShow technology performs client-side
audio and video sourcing, manipulation, and rendering.

There are two buffer overruns with identical effects in the
function used by DirectShow to check parameters in a Musical
Instrument Digital Interface (MIDI) file. A security vulnerability
results because it would be possible for a malicious user to
attempt to exploit these flaws and execute code in the security
context of the logged-on user.

An attacker could seek to exploit this vulnerability by creating a
specially crafted MIDI file designed to exploit this vulnerability
and then host it on a Web site or on a network share, or send it by
using an HTML-based e-mail. In the case where the file was hosted
on a Web site or network share, the user would need to open the
specially crafted file. If the file was embedded in a page the
vulnerability could be exploited when a user visited the Web page.
In the HTML-based e-mail case, the vulnerability could be exploited
when a user opened or previewed the HTML-based e-mail. A successful
attack could cause DirectShow, or an application making use of
DirectShow, to fail. A successful attack could also cause an
attacker's code to run on the user's computer in the security
context of the user.

Mitigating Factors:
====================
- By default, Internet Explorer on Windows Server 2003 runs in
Enhanced Security Configuration. This default configuration of
Internet Explorer blocks the e-mail-based vector of this attack
because Microsoft Outlook Express running on Windows Server 2003 by
default reads e-mail in plain text. If Internet Explorer Enhanced
Security Configuration were disabled, the protections put in place
that prevent this vulnerability from being exploited would be
removed.
- In the Web-based attack scenario, the attacker would have to host
a Web site that contained a Web page used to exploit these
vulnerabilities. An attacker would have no way to force users to
visit a malicious Web site outside the HTML-based e-mail vector.
Instead, the attacker would need to lure them there, typically by
getting them to click a link that would take them to the attacker's
site.
- The combination of the above means that on Windows Server 2003 an
administrator browsing only to trusted sites should be safe from
this vulnerability.
- Code executed on the system would only run under the privileges
of the logged-on user.

Risk Rating:
============
- Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/...in/ms03-030.asp
http://www.microsoft.com/security/security...ns/ms03-030.asp
for information on obtaining this patch.

- ----------------------------------------------------------------------
Title: Flaw in Windows Function Could Allow Denial of Service
(823803)
Date: 23 July 2003
Software: Microsoft Windows NT 4.0 Server
Impact: Denial of service
Max Risk: Moderate
Bulletin: MS03-029

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/...in/MS03-029.asp
http://www.microsoft.com/security/security...ns/ms03-029.asp
- ----------------------------------------------------------------------

Issue:
======
A flaw exists in a Windows NT 4.0 Server file management function
that can cause a denial of service vulnerability. The flaw results
because the affected function can cause memory that it does not own
to be freed when a specially crafted request is passed to it. If
the application making the request to the function does not carry
out any user input validation and allows the specially crafted
request to be passed to the function, the function may free memory
that it does not own. As a result, the application passing the
request could fail.

By default, the affected function is not accessible remotely,
however applications installed on the operating system that are
available remotely may make use of the affected function.
Application servers or Web servers are two such applications that
may access the function. Note that Internet Information Server 4.0
(IIS 4.0) does not, by default, make use of the affected function.

Mitigating Factors:
====================
- The default installation of Windows NT 4.0 Server is not
vulnerable to a remote denial of service. Additional software that
makes use of the affected file management function must be
installed on the system to expose the vulnerability remotely.
- If the application calling the affected file management function
carries out input validation, the specially crafted request may not
be passed to the vulnerable function.
- The vulnerability cannot be used to cause Windows NT 4.0 Server
itself to fail. Only the application that makes the request may
fail.

Risk Rating:
============
- Moderate

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/...in/ms03-029.asp
http://www.microsoft.com/security/security...ns/ms03-029.asp
for information on obtaining this patch.

- -----------------------------------------------------------------
Title: Cumulative Patch for Microsoft SQL Server (815495)

Date: 23 July 2003
Software:
- Microsoft SQL Server 7.0
- Microsoft Data Engine (MSDE) 1.0
- Microsoft SQL Server 2000
- Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)
- Microsoft SQL Server 2000 Desktop Engine (Windows)

Impact: Run code of attacker's choice
Max Risk: Important
Bulletin: MS03-031

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/...in/MS03-031.asp
http://www.microsoft.com/security/security...ns/ms03-031.asp
- -----------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for SQL Server 7.0, SQL Server 2000, MSDE
1.0, and MSDE 2000. In addition, it eliminates three newly discovered
vulnerabilities.

- Named Pipe Hijacking -
Upon system startup, SQL Server creates and listens on a specific
named pipe for incoming connections to the server. A named pipe is a
specifically named one-way or two-way channel for communication
between a pipe server and one or more pipe clients. The named pipe is
checked for verification of which connection attempts can log on to
the system running SQL Server to execute queries against data that is
stored on the server.

A flaw exists in the checking method for the named pipe that could
allow an attacker local to the system running SQL Server to hijack
(gain control of) the named pipe during another client's
authenticated logon password. This would allow the attacker to gain
control of the named pipe at the same permission level as the user
who is attempting to connect. If the user who is attempting to
connect remotely has a higher level of permissions than the attacker,
the attacker will assume those rights when the named pipe is
compromised.

- Named Pipe Denial of Service -
In the same named pipes scenario that is mentioned in the "Named Pipe
Hijacking" section of this bulletin, it is possible for an
unauthenticated user who is local to the intranet to send a very
large packet to a specific named pipe on which the system running SQL
Server is listening and cause it to become unresponsive.

This vulnerability would not allow an attacker to run arbitrary code
or elevate their permissions, but it may still be possible for a
denial of service condition to exist that would require that the
server be restarted to restore functionality.

- SQL Server Buffer Overrun -
A flaw exists in a specific Windows function that may allow an
authenticated user, with direct access to log on to the system running
SQL Server, the ability to create a specially crafted packet that, when
sent to the listening local procedure call (LPC) port of the system,
could cause a buffer overrun.
If successfully exploited, this could allow a user with limited
permissions on the system to elevate their permissions to the level
of the SQL Server service account, or cause arbitrary code to run.

Mitigating Factors:
====================
Named Pipe Hijacking:
- To exploit this flaw, the attacker would need to be an
authenticated user local to the system.
- This vulnerability provides no way for an attacker to remotely
usurp control over the named pipe.

Named Pipe Denial of Service:
- Although it is unnecessary that the attacker be authenticated,
to exploit this flaw the attacker would require access to the
local intranet.
- Restarting the SQL Server Service will reinstate normal
operations.
- This flaw provides no method by which an attacker can gain
access to the system or information contained in the database.

SQL Server Buffer Overrun:
- To exploit this flaw, the attacker would need to be an
authenticated user local to the system.
- This vulnerability cannot be remotely exploited.

Risk Rating:
============
- Important

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/...in/ms03-031.asp
http://www.microsoft.com/security/security...ns/ms03-031.asp

for information on obtaining this patch.
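For the DirectX/DirectShow MIDI bulletin (MS03-030) in the post above, an added example of the bounds checking a parser of untrusted media files needs before it trusts a length field. This is not code from the post or from DirectShow; the `midi_file`/`is_safe` helpers and the sample files are my own construction.

```python
"""Bounds-checked chunk parsing for a Standard MIDI File (added example; not the
forum post's or DirectShow's code). Every length field from the untrusted file is
checked against the bytes actually present before use. Samples are constructed."""
import struct
from typing import List, Tuple

def parse_chunks(data: bytes) -> List[Tuple[bytes, bytes]]:
    """Return [(chunk_id, payload), ...]; raise ValueError on any inconsistency."""
    chunks, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError(f"truncated chunk header at offset {off}")
        cid = data[off:off + 4]
        (length,) = struct.unpack(">I", data[off + 4:off + 8])
        end = off + 8 + length
        if end > len(data):  # declared length must fit the bytes we actually hold
            raise ValueError(f"{cid!r} claims {length} bytes, {len(data) - off - 8} remain")
        chunks.append((cid, data[off + 8:end]))
        off = end
    return chunks

def validate_midi(data: bytes) -> int:
    """Validate header and track structure; return the declared track count."""
    chunks = parse_chunks(data)
    if not chunks or chunks[0][0] != b"MThd" or len(chunks[0][1]) < 6:
        raise ValueError("missing or short MThd header")
    fmt, ntrks, _division = struct.unpack(">HHH", chunks[0][1][:6])
    tracks = [c for c in chunks[1:] if c[0] == b"MTrk"]
    if fmt not in (0, 1, 2) or len(tracks) != ntrks or (fmt == 0 and ntrks != 1):
        raise ValueError(f"format {fmt} with {ntrks} declared / {len(tracks)} actual tracks")
    for _, payload in tracks:
        if not payload.endswith(b"\xff\x2f\x00"):
            raise ValueError("track lacks End of Track meta event")
    return ntrks

def is_safe(data: bytes) -> bool:
    """True if the file passes every structural check above."""
    try:
        validate_midi(data)
        return True
    except ValueError:
        return False

def midi_file(tracks: List[bytes], fmt: int = 0) -> bytes:
    """Build a minimal SMF from raw track payloads (constructed test helper)."""
    out = b"MThd" + struct.pack(">IHHH", 6, fmt, len(tracks), 96)
    for t in tracks:
        out += b"MTrk" + struct.pack(">I", len(t)) + t
    return out

# Constructed samples: a one-note track, then the same bytes with the MTrk
# length field inflated past the end of the data.
GOOD = midi_file([b"\x00\x90\x3c\x40\x60\x80\x3c\x40\x00\xff\x2f\x00"])
BAD = GOOD[:18] + struct.pack(">I", 4096) + GOOD[22:]
```

A file that fails `is_safe` should be rejected before any track data is handed to a decoder; the same length-versus-remaining-bytes check applies to every nested length field inside the track events.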