Summary of Symantec Safeguard Protection for Microsoft Security Bulletins for April 2004

Summary

Microsoft's Security Bulletins for April 2004 included fixes for a total of 18 new vulnerabilities, as well as updates to a total of three previously known vulnerabilities. The severity of these vulnerabilities ranges from moderate to critical, with several potentially allowing for the remote execution of arbitrary code, thus causing a full compromise of systems running the vulnerable software.

Network administrators are strongly advised to audit the systems under their control that these issues may affect and to apply the necessary updates. The Symantec Security Response team believes that the creation of Internet worms that take advantage of some of these vulnerabilities is possible and recommends that the risks be mitigated as soon as possible.

The DeepSight Threat Analyst team has raised the ThreatCon to level 2. Symantec's ThreatCon Rating provides an overall view of global Internet Security and is based on a 1-4 rating system, with a level 4 being the highest threat level.

Technical Description

On April 13, 2004, Microsoft released four Security Bulletins covering multiple vulnerabilities in a number of different products.

These Security Bulletins are:

  1. Security Update for Microsoft Windows (MS04-011)
  2. Cumulative Update for Microsoft RPC/DCOM (MS04-012)
  3. Cumulative Security Update for Outlook Express (MS04-013)
  4. Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (MS04-014).

Each of the vulnerabilities that the Security Bulletins describe has either associated patches or workarounds available. Refer to the DeepSight alerting service for more details on each of these vulnerabilities.

Security Update for Microsoft Windows Bulletin (MS04-011)

The Security Update for Microsoft Windows Bulletin (MS04-011) details 14 new vulnerabilities, many of which have a severity rating of Critical.

The following vulnerabilities are covered in the bulletin:

  • Microsoft Windows LSASS Buffer Overrun Vulnerability
  • Microsoft Windows 2000 Domain Controller LDAP Denial of Service Vulnerability
  • Microsoft Windows Private Communications Transport Buffer Overrun Vulnerability
  • Microsoft Windows Logon Process Remote Buffer Overflow Vulnerability
  • Microsoft Windows WMF/EMF Image Formats Remote Buffer Overflow Vulnerability
  • Microsoft Windows Help And Support Center URI Validation Code Execution Vulnerability
  • Microsoft Windows Utility Manager Local Privilege Escalation Vulnerability
  • Microsoft Windows Management Local Privilege Escalation Vulnerability
  • Microsoft Windows Local Descriptor Table Local Privilege Escalation Vulnerability
  • Microsoft Windows H.323 Remote Buffer Overflow Vulnerability
  • Microsoft Virtual DOS Machine Local Privilege Escalation Vulnerability
  • Microsoft Negotiate SSP Remote Buffer Overflow Vulnerability
  • Microsoft Windows SSL Library Denial of Service Vulnerability
  • Microsoft ASN.1 Library Double Free Memory Corruption Vulnerability

Cumulative Update for Microsoft RPC/DCOM Security Bulletin (MS04-012)

The Cumulative Update for the Microsoft RPC/DCOM Security Bulletin (MS04-012) details three new vulnerabilities, as well as one previously known vulnerability.

These issues are:

  • Microsoft Windows RPCSS Service Remote Denial Of Service Vulnerability
  • Microsoft Windows COM Internet Service and RPC over HTTP Remote Denial of Service Vulnerability
  • Microsoft Windows Object Identity Network Communication Vulnerability
  • Microsoft Windows RPCSS Multi-thread Race Condition Vulnerability

Cumulative Security Update for Outlook Express Security Bulletin (MS04-013)

The Cumulative Security Update for Outlook Express Security Bulletin (MS04-013) details one previously known vulnerability, which applies to two separate entries in the Symantec Vulnerability Database. They are listed below, and each references a detailed summary later in the document.

  • Microsoft Internet Explorer Browser MHTML Redirection Local File Parsing Vulnerability
  • Microsoft Internet Explorer MHTML Forced File Execution Vulnerability

Microsoft Jet Database Engine Could Allow Code Execution Bulletin (MS04-014)

The Microsoft Jet Database Engine Could Allow Code Execution Bulletin (MS04-014) details a single new vulnerability, the Microsoft Jet Database Engine Remote Code Execution Vulnerability.

Safeguard Information

Symantec DeepSight Threat Management System and DeepSight Alert Service

Each of the vulnerabilities is summarized on the Threat Management Daily Summary Report. The Threat Analyst team will closely monitor global activity for signs of attack and deliver additional notifications as required. Individual vulnerability alerts have been sent out.

Managed Security Services

Symantec Managed Security Services (MSS) has audited all the affected managed systems and has coordinated emergency patches for any vulnerable systems. In addition, clients with devices that MSS does not manage have received an alert informing them of these critical updates. The Symantec SOCs will also deploy IDS signatures on an accelerated basis, as and when our supported vendors make them available.

Small Business / Home User Protection

Norton Internet Security and Norton Personal Firewall include Symantec's personal firewall technology and provide zero-day protection against such vulnerabilities as the RPC Runtime Library Vulnerability and the LSASS Vulnerability (previously listed in the "Technical Description"). The firewall blocks ports 135, 137, 138, 139, and 445, which could be used to exploit these two vulnerabilities.

Norton Internet Security and Norton AntiVirus provide antivirus heuristic protection for the Microsoft Windows LSASS Buffer Overrun Vulnerability and the MHTML URL Processing Vulnerability (Outlook Express).

Corporate Protection - Host Based Security

Symantec Client Security and Symantec Personal Firewall include Symantec's personal firewall technology and provide zero-day protection against vulnerabilities, such as the previously mentioned RPC Runtime Library Vulnerability and LSASS Vulnerability.

The firewall blocks ports 135, 137, 138, 139, and 445, which could be used to exploit these two vulnerabilities.

Symantec Client Security and Symantec AntiVirus Corporate Edition provide antivirus heuristic protection for the Microsoft Windows LSASS Buffer Overrun Vulnerability and the MHTML URL Processing Vulnerability (Outlook Express).

Symantec Host IDS enables the creation of customizable host-based, intrusion-protection policies and responses to protect against malicious processes and threats that target vulnerabilities. Symantec Host IDS provides access to granular process behavior data, allowing a wide variety of security configurations. Thus, administrators are provided with data to make informed decisions regarding host security, which provides a fault-tolerant, secure environment tailored to an organization's security policy.

Corporate Protection - Gateway Security

Symantec Gateway Security v1.0, Symantec Gateway Security 5400 Series, Symantec Enterprise Firewall, and VelociRaptor use Symantec's full application inspection firewall component. By default, this component protects against multiple RPC/DCOM and Windows vulnerabilities by blocking all unused incoming ports.

Symantec advises firewall administrators to verify that their security policy does not permit inbound traffic on the following ports:

  • UDP: 135, 137, 138, 445
  • TCP: 135, 139, 445, 593

Additionally, by default, the firewall blocks RPC over HTTP (TCP port 80 or 443). An additional configuration or patch is not required.
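The port list above is the kind of thing an administrator should check against the actual ruleset rather than assume. The following is an added example, not Symantec's code and not the rule format of any Symantec product: a small first-match evaluator for an inbound port-filter policy that reports which of the advisory's ports are still reachable. The Rule class, the sample policies and the default-action parameter are constructed for illustration.

```python
"""Audit an inbound port-filter policy against the ports named in the advisory.

Constructed example: the rule model is hypothetical, not any product's syntax.
Rules are evaluated first-match, top to bottom; if nothing matches, the
policy's default action applies.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports the advisory says should not be open to inbound traffic
# (UDP for RPC endpoint mapper and NetBIOS datagrams, TCP for RPC,
# NetBIOS session, SMB and RPC over HTTP endpoint mapper).
ADVISORY_BLOCKED_PORTS = {
    "udp": {135, 137, 138, 445},
    "tcp": {135, 139, 445, 593},
}


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    proto: str                           # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]]     # inclusive range, None = any port
    direction: str = "in"                # only "in" rules matter here

    def matches(self, proto: str, port: int) -> bool:
        """True if this rule applies to the given protocol and port."""
        if self.proto != "any" and self.proto != proto:
            return False
        if self.ports is None:
            return True
        low, high = self.ports
        return low <= port <= high


def evaluate(policy: List[Rule], proto: str, port: int,
             default: str = "deny") -> str:
    """Return the action the policy takes for one inbound proto/port."""
    for rule in policy:
        if rule.direction == "in" and rule.matches(proto, port):
            return rule.action
    return default


def audit(policy: List[Rule], default: str = "deny") -> List[Tuple[str, int]]:
    """Return (proto, port) pairs from the advisory list that the policy
    still allows inbound, sorted for stable reporting."""
    exposed = []
    for proto, ports in ADVISORY_BLOCKED_PORTS.items():
        for port in ports:
            if evaluate(policy, proto, port, default) == "allow":
                exposed.append((proto, port))
    return sorted(exposed)


# Constructed sample: a web-server policy with an over-broad RPC/NetBIOS
# allowance (135-139, any protocol) in front of the final deny-all rule.
SAMPLE_POLICY = [
    Rule("allow", "tcp", (80, 80)),
    Rule("allow", "tcp", (443, 443)),
    Rule("allow", "any", (135, 139)),
    Rule("deny", "any", None),
]

# Constructed sample: the same policy with the RPC/NetBIOS allowance removed.
HARDENED_POLICY = [
    Rule("allow", "tcp", (80, 80)),
    Rule("allow", "tcp", (443, 443)),
    Rule("deny", "any", None),
]


if __name__ == "__main__":
    for name, policy in (("sample", SAMPLE_POLICY), ("hardened", HARDENED_POLICY)):
        exposed = audit(policy)
        if exposed:
            print(f"{name}: inbound still allowed on", exposed)
        else:
            print(f"{name}: all advisory ports blocked")
```

Two caveats follow from the advisory itself. First, a policy with no terminal deny-all rule falls through to the firewall's default action, so audit the default as well (passing default="allow" shows every advisory port exposed for an empty policy). Second, a port filter says nothing about RPC over HTTP on TCP 80 or 443; that is handled by application-level inspection, as the paragraph above describes, and is not something this check can confirm.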

Symantec Gateway Security provides antivirus heuristic protection for the Microsoft Windows LSASS Buffer Overrun Vulnerability and the MHTML URL Processing Vulnerability (Outlook Express).

Corporate Protection - Network Security

Symantec ManHunt's Security Update 5 detects the public exploits that target the RPC Runtime Library Vulnerability (CAN-2003-0813) as the Microsoft DCOM RPC Buffer Overflow event. The event description has been updated to note the new CAN reference.

Symantec has also released a rapid response security update to protect against the following vulnerabilities:

  • RPCSS Service Vulnerability (CAN-2004-0116)
  • LSASS Vulnerability (CAN-2003-0533)

Corporate Protection - Vulnerability Assessment

Symantec Enterprise Security Manager has released an update to the OS Patch Policy that detects and reports systems that are not patched against the vulnerabilities in the four bulletins posted on April 14, 2004.

Symantec Vulnerability Assessment detects and reports the vulnerabilities in the four bulletins. On April 13, 2004, a vulnerability update for SVA was made available using the LiveUpdate feature of SVA 1.0.

Patches

The following patches are available in the associated Security Bulletin:


Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Last modified on: Monday, 19-Apr-2004 09:46:01 PDT