A remote code execution vulnerability exists in the NetDDE services because of an unchecked buffer. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, the NetDDE services are not started by default and would have to be manually started for an attacker to attempt to remotely exploit this vulnerability. This vulnerability could also be used to attempt to perform a local elevation of privilege or remote denial of service.
Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/MS04-031.mspx
Affected Software:
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP and Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) (see the FAQ section of this bulletin for details about these operating systems)
Non-Affected Software:
* Microsoft Windows XP Service Pack 2
The software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.
CVE Information:
CAN-2004-0206 (the candidate number later became CVE-2004-0206)
Frequently asked questions (FAQ) related to this security update:
I am still using Windows XP, but extended security update support ended on September 30th, 2004. However, this bulletin has a security update for this operating system version. Why is that?
The original version of Windows XP, commonly known as Windows XP Gold or Windows XP Release to Manufacturing (RTM) version, reached the end of its extended security update support life cycle on September 30, 2004. However, the end-of-life occurred very recently. In this case, the majority of the steps that are required to address this vulnerability were completed before this date. Therefore, we have decided to release a security update for this operating system version as part of this security bulletin.
We do not anticipate doing this for future vulnerabilities that may affect this operating system version, but we reserve the right to produce updates and to make these updates available when necessary. It should be a priority for customers who have this operating system version to migrate to supported operating system versions to prevent potential exposure to vulnerabilities. For more information about the Windows Service Pack Product Life Cycle, visit the Microsoft Support Lifecycle Web site. For more information about the Windows Product Life Cycle, visit the Microsoft Support Lifecycle Web site.
I am still using Microsoft Windows NT 4.0 Workstation Service Pack 6a or Windows 2000 Service Pack 2, but extended security update support ended on June 30, 2004. What should I do?
Windows NT 4.0 Workstation Service Pack 6a and Windows 2000 Service Pack 2 have reached the end of their life cycles as previously documented, and Microsoft extended this support to June 30, 2004.
It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Life Cycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.
Customers who require additional support for Windows NT Workstation 4.0 SP6a must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of phone numbers. When you call, ask to speak with the local Premier Support sales manager.
For more information, visit the Windows Operating System FAQ.
How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?
Microsoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.
For more information about severity ratings, visit the following Web site.
Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by the vulnerability that is addressed in this security bulletin?
No. This vulnerability is not critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.
Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?
Yes. MBSA will determine if this update is required. For more information about MBSA, visit the MBSA Web site.
Note After April 20, 2004, the Mssecure.xml file that is used by MBSA 1.1.1 and earlier versions is no longer being updated with new security bulletin data. Therefore, scans that are performed after that date with MBSA 1.1.1 or earlier will be incomplete. All users should upgrade to MBSA 1.2 because it provides more accurate security update detection and supports additional products. Users can download MBSA 1.2 from the MBSA Web site. For more information about MBSA support, visit the following Microsoft Baseline Security Analyzer 1.2 Q&A Web site.
Can I use Systems Management Server (SMS) to determine if this update is required?
Yes. SMS can help detect and deploy this security update. For information about SMS, visit the SMS Web site.
Mitigating Factors for NetDDE Vulnerability:
* Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
* On Windows Server 2003 the NetDDE services are disabled by default. Typically only administrators can change the startup type of a service. An attacker would first have to change the startup type from Disabled, and then start the service to attempt to exploit this vulnerability.
* Disabling the NetDDE services helps prevent the possibility of a remote attack. See the Workarounds section for instructions that describe how to disable these services. Operating systems other than Windows Server 2003 have the NetDDE services startup type set to Manual instead of Disabled by default.
* Chapter 6 of the Microsoft Solution for Securing Windows 2000 Server, Hardening the Base Windows 2000 Server, recommends disabling the NetDDE services. Environments that comply with these guidelines could be at a reduced risk from this vulnerability.
Workarounds for NetDDE Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
Disable the NetDDE services:
Disabling the NetDDE services will help protect from remote attempts to exploit this vulnerability. You can disable the NetDDE services by following these steps:
1. Click Start, and then click Control Panel (or point to Settings, and then click Control Panel).
2. Double-click Administrative Tools.
3. Double-click Services.
4. Double-click Network DDE.
5. In the Startup type list, click Disabled.
6. Click Stop, and then click OK.
7. Double-click Network DDE DSDM.
8. In the Startup type list, click Disabled.
9. Click Stop, and then click OK.
Impact of Workaround: If the NetDDE services are disabled, messages from NetDDE applications are not transmitted. If the NetDDE services are disabled, any services that explicitly depend on the NetDDE services will not start, and an error message is logged in the system event log.
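The same workaround applied from PowerShell rather than the Services snap-in, as an added example that is not part of the bulletin. It assumes an elevated prompt on a host where the two services are installed under the service names NetDDE (display name Network DDE) and NetDDEdsdm (Network DDE DSDM), and it reads the startup type through Get-WmiObject so that it also runs on the PowerShell versions available for Windows XP and Server 2003 (on Windows PowerShell 3.0 or later Get-CimInstance is the equivalent). Before it changes anything it lists the services that explicitly depend on NetDDE, which is exactly the impact the bulletin warns about, and the `$ReportOnly` flag (my addition) lets the same script double as the status check described in the FAQ below.

```powershell
# Added example: disable the NetDDE services from PowerShell (MS04-031 workaround).
# Not code from the bulletin. Assumes an elevated prompt and the two service names
# below; on builds that no longer ship NetDDE the script simply reports "not installed".
$ReportOnly = $false          # set to $true to only list status and dependents

# Network DDE depends on Network DDE DSDM, so handle NetDDE first: once it is
# stopped, -Force on NetDDEdsdm has nothing unexpected left to tear down.
$netDdeServices = @('NetDDE', 'NetDDEdsdm')

foreach ($name in $netDdeServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host "$name is not installed on this host; nothing to do."
        continue
    }

    # Startup type via WMI (Win32_Service.StartMode is Auto, Manual or Disabled).
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    Write-Host ("{0,-11} status={1,-8} startup={2}" -f $name, $svc.Status, $wmi.StartMode)

    # Impact check from the bulletin: anything that explicitly depends on these
    # services will fail to start once they are disabled, so surface it first.
    $dependents = @($svc.DependentServices | Where-Object { $netDdeServices -notcontains $_.Name })
    if ($dependents.Count -gt 0) {
        $names = ($dependents | ForEach-Object { $_.DisplayName }) -join ', '
        Write-Warning "$name is required by: $names. Test those before disabling."
    }

    if ($ReportOnly) { continue }

    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force    # -Force also stops any remaining dependents
    }
    Set-Service -Name $name -StartupType Disabled
}

# Verify the end state: both should report State=Stopped and StartMode=Disabled.
Get-WmiObject -Class Win32_Service -Filter "Name='NetDDE' OR Name='NetDDEdsdm'" |
    Select-Object Name, State, StartMode
```

Run it once with `$ReportOnly = $true` on a representative host before rolling it out; the ClipBook service named in the FAQ is the dependent you will typically see listed, and third-party applications that register their own NetDDE-dependent services show up in the same warning.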
Use the Group Policy settings to disable NetDDE services on all affected systems that do not require this feature.
Because NetDDE is a possible attack vector, disable it by using the Group Policy settings. You can disable the startup of this service at either the local, site, domain or organizational unit level using Group Policy object functionality in Windows 2000 or Windows Server 2003 domain environments.
Note You may also review the Windows 2000 Hardening Guide. This guide includes information about how to disable services.
For more information about Group Policy, visit the following Web sites:
* Step-by-Step Guide to Understanding the Group Policy Feature Set
* Windows 2000 Group Policy
* Group Policy in Windows Server 2003
Impact of Workaround: If the NetDDE services are disabled, messages from NetDDE applications are not transmitted. If the NetDDE services are disabled, any services that explicitly depend on the NetDDE services will not start, and an error message is logged in the system event log.
Block the following at the firewall:
* UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
* All unsolicited inbound traffic on ports greater than 1024
* Any other specifically configured RPC port
These ports can be used to initiate a connection to an affected system. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about the ports that RPC uses, visit the following Web site.
Use a personal firewall such as the Internet Connection Firewall, which is included with Windows XP and Windows Server 2003.
If you use the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. We recommend blocking all unsolicited inbound communication from the Internet.
Note This procedure does not apply to Windows XP Service Pack 2. Windows XP Service Pack 2 is not affected by this vulnerability.
To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection, follow these steps:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Networking and Internet Connections, and then click Network Connections.
3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
4. Click the Advanced tab.
5. Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.
Note If you want to enable the use of some programs and services through the firewall, click Settings on the Advanced tab, and then select the programs, protocols, and services that are required.
Enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.
Block the affected ports by using IPSec on the affected systems.
Use Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and how to apply filters is available in Microsoft Knowledge Base Articles 313190 and 813878.
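A host-based version of the port block from the "Block the following at the firewall" list above, implemented with the IPSec filters this section refers to, as an added example that is not part of the bulletin. It assumes Windows Server 2003, where the `netsh ipsec static` context exists (Windows 2000 and XP use ipseccmd.exe instead, as described in Knowledge Base Article 813878), an administrator prompt, and a host exposed to an untrusted network that does not itself need inbound SMB, RPC endpoint-mapper or NetBIOS traffic, because these filters block all of that from any source. The policy, filter list and action names are my own and deliberately contain no spaces so they survive PowerShell's argument quoting on the way to netsh.

```powershell
# Added example: host-based IPSec block for the ports listed in the MS04-031 workaround.
# Not code from the bulletin. Assumes Windows Server 2003 ("netsh ipsec static";
# Windows 2000/XP use ipseccmd.exe, see KB 813878) and an administrator prompt.
$policy     = 'MS04-031_block'
$filterList = 'MS04-031_inbound'
$action     = 'MS04-031_deny'

# The finite part of the bulletin's list. "Unsolicited inbound >1024" and "other
# configured RPC ports" need a stateful firewall; static IPSec filters cannot express them.
$ports = @(
    @{ Proto = 'UDP'; Port = 135 }, @{ Proto = 'UDP'; Port = 137 },
    @{ Proto = 'UDP'; Port = 138 }, @{ Proto = 'UDP'; Port = 445 },
    @{ Proto = 'TCP'; Port = 135 }, @{ Proto = 'TCP'; Port = 139 },
    @{ Proto = 'TCP'; Port = 445 }, @{ Proto = 'TCP'; Port = 593 }
)

function Invoke-Netsh {
    # Passes each element as its own argument and fails loudly on a non-zero exit.
    param([string[]]$NetshArgs)
    & netsh.exe @NetshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed ($LASTEXITCODE)" }
}

# Build the policy unassigned, fill it, then assign it in one step at the end.
Invoke-Netsh @('ipsec', 'static', 'add', 'policy', "name=$policy", 'assign=no')
Invoke-Netsh @('ipsec', 'static', 'add', 'filterlist', "name=$filterList")
foreach ($p in $ports) {
    # srcaddr=any dstaddr=me matches traffic arriving at this host only; mirrored=no
    # keeps it one-way, so connections this host opens to those ports elsewhere still work.
    Invoke-Netsh @('ipsec', 'static', 'add', 'filter', "filterlist=$filterList",
                   'srcaddr=any', 'dstaddr=me', "protocol=$($p.Proto)",
                   'srcport=0', "dstport=$($p.Port)", 'mirrored=no')
}
Invoke-Netsh @('ipsec', 'static', 'add', 'filteraction', "name=$action", 'action=block')
Invoke-Netsh @('ipsec', 'static', 'add', 'rule', 'name=MS04-031_rule', "policy=$policy",
               "filterlist=$filterList", "filteraction=$action")
Invoke-Netsh @('ipsec', 'static', 'set', 'policy', "name=$policy", 'assign=y')

# Show what is now active on the host.
Invoke-Netsh @('ipsec', 'static', 'show', 'policy', "name=$policy", 'level=verbose')
```

To back it out, unassign with `netsh ipsec static set policy name=MS04-031_block assign=n` and then `netsh ipsec static delete policy name=MS04-031_block`. On a domain member, narrow `srcaddr` to the untrusted ranges (or use a second, permitting filter list for the domain controllers) before assigning the policy, since a blanket block on 135, 139 and 445 also cuts off Group Policy and file sharing from peers; the bulletin lists these ports as something to block at the firewall, and this host-based form should be scoped the same way.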
FAQ for NetDDE Vulnerability:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. However, the NetDDE services are not started by default and would have to be manually started for an attacker to attempt to remotely exploit this vulnerability. This vulnerability could also be used to attempt to perform a local elevation of privilege or remote denial of service.
What causes the vulnerability?
An unchecked buffer in the NetDDE services.
What is Network Dynamic Data Exchange?
Network Dynamic Data Exchange (NetDDE) allows two applications to communicate with each other over a network. This is considered an older communication method that typically has been replaced by newer technologies such as DCOM. For more information about DCOM, visit the DCOM MSDN Web Site.
What applications or services require NetDDE?
NetDDE is considered to be an older network communication method. Applications such as the Windows for Workgroups 3.11 version of Microsoft Hearts (MSHearts) and the Microsoft Chat (MSChat) application use the NetDDE services. The version of Microsoft Hearts that is provided as part of Windows XP does not use the NetDDE services. The ClipBook service that is used to share a local clipboard with other systems on a network and the DDE Share Manager (DDEShare) application both require the NetDDE services. There are cases when Microsoft Excel could also use NetDDE; Microsoft Knowledge Base Article 128941 discusses how Microsoft Excel can use NetDDE. Third-party applications may also require the NetDDE services; therefore it is important to test the suggested workarounds in your organization before you deploy them.
How can an administrator determine if NetDDE services are running?
Administrators can determine if the NetDDE services are running by opening Administrative Tools, Services, and looking for the Network DDE and Network DDE DSDM services (service names NetDDE and NetDDEdsdm). A status of Started indicates that the services are running. See the Workarounds section of this security bulletin for instructions that explain how you can disable these services.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
After the NetDDE services are started, any anonymous user who could deliver a specially crafted message to the affected system could attempt to remotely exploit this vulnerability. Operating systems other than Windows XP Service Pack 2 and Windows Server 2003 have the NetDDE services set to a startup type of Manual instead of Disabled. This could allow non-privileged users to start the NetDDE services, or could allow them to start an application that starts the NetDDE services. After the NetDDE services are started, the affected system could be vulnerable to a remote attack. To help prevent this, see the Workarounds section for instructions that explain how you can disable the NetDDE services. This vulnerability could also be used to attempt to perform a local elevation of privilege.
How could an attacker exploit the vulnerability?
After a NetDDE service is started, an attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system, which could then cause the affected system to remotely execute code. Receipt of such a message could also cause the vulnerable system to fail in such a way that it could cause a denial of service.
To exploit this vulnerability for a local elevation of privilege, an attacker would first have to log on to the system. An attacker could then run a specially-designed application that could attempt to exploit the vulnerability and thereby gain complete control over the affected system.
An attacker could also access the affected component through another vector. For example, an attacker could use another program that passes parameters to the vulnerable component (locally or remotely).
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only at risk if users are given the ability to log on and to run programs. However, best practices strongly discourage allowing this.
Windows XP Service Pack 2 is not vulnerable to this issue. Windows Server 2003 is impacted at a lower severity rating because the NetDDE services startup type is set to Disabled. An attacker would first have to change the setting from Disabled to Manual or Automatic, and then start the service to attempt to remotely exploit this vulnerability. Typically, only administrators can change the startup type of a service. Operating systems other than Windows Server 2003 have the NetDDE services set to a startup type of Manual instead of Disabled. This could allow non-privileged users to start the NetDDE services, or allow them to start an application that starts the NetDDE services. Once the NetDDE services are started, the affected system could be vulnerable to a remote attack. To help prevent this, see the Workarounds section for instructions that explain how you can disable the NetDDE services.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because the NetDDE service is not started by default. For more information about severity ratings, visit the following Web site.
Could the vulnerability be exploited over the Internet?
Yes. If you have manually started the NetDDE services, or if you are using applications that may have started the NetDDE services, an attacker could attempt to remotely exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT Professionals can visit the Security Guidance Center Web site.
What does the update do?
The update removes the vulnerability by modifying the way that the NetDDE services validate the length of a message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.