Information Security News mailing list archives

Why you need the latest round of MS security fixes


From: InfoSec News <isn () c4i org>
Date: Wed, 31 Jul 2002 02:06:30 -0500 (CDT)

http://www.zdnet.com/anchordesk/stories/story/0,10738,2875950,00.html

Robert Vamosi,
Senior Associate Editor,
CNET/ZDNet Reviews
Wednesday, July 31, 2002

For anyone keeping track of Microsoft security bulletins, the company
issued numbers 36, 37, 38, and 39--plus an update to number 32--for
2002 last week. That's fewer than the 42 bulletins issued by this time
in 2001, and the 52 issued by July 2000--which I suppose is a good
thing for all of us. The new patches affect Microsoft Exchange Server,
SQL Server, Metadirectory Services, and Windows Media Player.

The recent deluge--in which MS released five bulletins within 24
hours--makes me wonder whether Microsoft should schedule weekly patch
announcements.

FIRST, LET'S LOOK AT one of the more serious flaws to affect Microsoft
Exchange Server, the software that happens to handle most of the
e-mail on the Internet. Dan Ingevaldson, R&D team leader for Internet
Security Systems, discovered the extended Hello (EHLO) protocol
vulnerability during a routine audit of Exchange Server 5.5. He says
the flaw affects the Internet Mail Connector (IMC), a bit of software
that lets an Exchange server talk to other mail servers on the
Internet.

Usually, when a mail server sends a request to an Exchange server, the
latter sends back a message acknowledging the request. However, due to
a vulnerability in Exchange Server 5.5's IMC code, if the total length
of that acknowledgement exceeds a certain value, a buffer overrun (aka
buffer overflow) occurs. If the buffer is overrun with random data,
the Exchange server will crash. But if the buffer is overrun with
carefully crafted code, a malicious user could take control of the
Exchange server.

A couple of caveats: The attacker would need a fully qualified domain
name that would be listed in a reverse DNS lookup and be long enough
to overrun the EHLO buffer. An attacker could, for instance, set up a
rogue DNS server and provide bogus domain name information with the
intent of creating buffer overruns. But the attacker would also have
to find a means to force IMC to use that rogue DNS server. This would
not be easy, according to Microsoft.

Microsoft's Security Bulletin MS02-037 suggests disabling IMC in cases
where SMTP support is not needed. You can also disable reverse DNS
lookup on EHLO; this can be done using Microsoft's Q190026
instructions. The patch for Exchange Server 5.5 is available here.

ANOTHER OF Microsoft's latest security bulletins advises Windows Media
Player users to download the latest cumulative update. The patch
addresses vulnerabilities in Windows Media Player 6.4 and 7.1, as well
as in Windows Media Player for Windows XP. The patch also includes a
file accidentally omitted from the cumulative update for Windows Media
Player (MS01-059) Microsoft issued last year.

More information, and the cumulative patch for Windows Media Player,
can be found in MS02-032.

MS also issued a cumulative patch for SQL Server 2000, Service Pack 2.  
Called MS02-038, it addresses a buffer overrun vulnerability affecting
Database Consistency Checkers (DBCC) and a SQL injection
vulnerability.

This cumulative patch does not, however, contain the patch for a
buffer overrun in SQL Server 2000 Resolution Service; that patch can
be found in a separate bulletin, MS02-039.

THE FINAL PROBLEM addressed by this batch of security bulletins is an
authentication flaw in Microsoft Metadirectory Services (MMS).  
According to Microsoft, only those familiar with the database of a
particular MMS could exploit this flaw. For more details and the
patch, see MS02-036.

Since Microsoft releases these bulletins with some regularity, often
late in the week, why not designate every Wednesday as Microsoft
Security Bulletin Day? That way system admins and end users alike
could know when to look for patches. It would also allow them to set
aside Thursdays for poring over the details, downloading the files,
and incorporating the patches. We know there are going to be more
patches, so why not find a way to distribute info about them in a more
organized manner?


