Summary of Symantec Safeguard Protection for Microsoft Security Bulletins for April 2004
Microsoft's Security Bulletins for April 2004 included fixes for 18 new vulnerabilities, as well as updates to three previously known vulnerabilities. The severity of these vulnerabilities ranges from moderate to critical; several potentially allow remote execution of arbitrary code, and therefore full compromise of systems running the vulnerable software.
Network administrators are strongly advised to audit the systems under their control that these issues may affect, and to apply the necessary updates. The Symantec Security Response team believes that the creation of Internet worms that take advantage of some of these vulnerabilities is possible and recommends that the risks be mitigated as soon as possible.
The DeepSight Threat Analyst team has raised the ThreatCon to level 2. Symantec's ThreatCon Rating provides an overall view of global Internet Security and is based on a 1-4 rating system, with a level 4 being the highest threat level.
On April 13, 2004, Microsoft released four Security Bulletins covering multiple vulnerabilities in a number of different products.
These Security Bulletins are the:
Each of the vulnerabilities that the Security Bulletins describe has either associated patches or workarounds available. Refer to the DeepSight alerting service for more details on each of these vulnerabilities.
Security Update for Microsoft Windows Bulletin (MS04-011)
The Security Update for Microsoft Windows Bulletin (MS04-011) details 14 new vulnerabilities, many of which have a severity rating of Critical.
The following vulnerabilities are covered in the bulletin:
Cumulative Update for Microsoft RPC/DCOM Security Bulletin (MS04-012)
The Cumulative Update for the Microsoft RPC/DCOM Security Bulletin (MS04-012) details three new vulnerabilities, as well as one previously known vulnerability.
These issues are:
Cumulative Security Update for Outlook Express Security Bulletin (MS04-013)
The Cumulative Security Update for Outlook Express Security Bulletin (MS04-013) details one previously known vulnerability, which applies to two separate entries in the Symantec Vulnerability Database. They are listed below, and each references a detailed summary later in the document.
Microsoft Jet Database Engine Could Allow Code Execution Bulletin (MS04-014)
The Microsoft Jet Database Engine Could Allow Code Execution Bulletin (MS04-014) details a single new vulnerability, the Microsoft Jet Database Engine Remote Code Execution Vulnerability.
Symantec DeepSight Threat Management System and DeepSight Alert Service
Each of the vulnerabilities is summarized on the Threat Management Daily Summary Report. The Threat Analyst team will closely monitor global activity for signs of attack and deliver additional notifications as required. Individual vulnerability alerts have been sent out.
Managed Security Services
Symantec Managed Security Services (MSS) has audited all the affected managed systems and has coordinated emergency patches for any vulnerable systems. In addition, clients with devices that MSS does not manage have received an alert informing them of these critical updates. The Symantec SOCs will also deploy IDS signatures on an accelerated basis, as and when our supported vendors make them available.
Small Business / Home User Protection
Norton Internet Security and Norton Personal Firewall include Symantec's personal firewall technology and provide zero-day protection against such vulnerabilities as the RPC Runtime Library Vulnerability and the LSASS Vulnerability (previously listed in the "Technical Description"). The firewall blocks ports 135, 137, 138, 139, and 445, which could be used to exploit these two vulnerabilities.
Norton Internet Security and Norton AntiVirus provide antivirus heuristic protection for the Microsoft Windows LSASS Buffer Overrun Vulnerability and the MHTML URL Processing Vulnerability (Outlook Express).
Corporate Protection - Host Based Security
Symantec Client Security and Symantec Personal Firewall include Symantec's personal firewall technology and provide zero-day protection against vulnerabilities, such as the previously mentioned RPC Runtime Library Vulnerability and LSASS Vulnerability.
The firewall blocks ports 135, 137, 138, 139, and 445, which could be used to exploit these two vulnerabilities.
Symantec Client Security and Symantec AntiVirus Corporate Edition provide antivirus heuristic protection for the Microsoft Windows LSASS Buffer Overrun Vulnerability and the MHTML URL Processing Vulnerability (Outlook Express).
Symantec Host IDS enables the creation of customizable host-based, intrusion-protection policies and responses to protect against malicious processes and threats that target vulnerabilities. Symantec Host IDS provides access to granular process behavior data, allowing a wide variety of security configurations. Thus, administrators are provided with data to make informed decisions regarding host security, which provides a fault-tolerant, secure environment tailored to an organization's security policy.
Corporate Protection - Gateway Security
Symantec Gateway Security v1.0, Symantec Gateway Security 5400 Series, Symantec Enterprise Firewall, and VelociRaptor use Symantec's full application inspection firewall component. By default, this component protects against multiple RPC/DCOM and Windows vulnerabilities by blocking all unused incoming ports.
Symantec advises firewall administrators to verify that their security policy does not include the following incoming ports:
Additionally, by default, the firewall blocks RPC over HTTP (TCP port 80 or 443). No additional configuration or patch is required.
Symantec Gateway Security provides antivirus heuristic protection for the Microsoft Windows LSASS Buffer Overrun Vulnerability and the MHTML URL Processing Vulnerability (Outlook Express).
Corporate Protection - Network Security
Symantec ManHunt's Security Update 5 detects the public exploits that target the RPC Runtime Library Vulnerability (CAN-2003-0813) as the Microsoft DCOM RPC Buffer Overflow event. The event description has been updated to note the new CAN reference.
Symantec has also released a rapid response security update to protect against the following vulnerabilities:
Corporate Protection - Vulnerability Assessment
Symantec Enterprise Security Manager has released an update to the OS Patch Policy that detects and reports systems that are not patched against the vulnerabilities in the four bulletins posted on April 13, 2004.
Symantec Vulnerability Assessment detects and reports the vulnerabilities in the four bulletins. On April 13, 2004, a vulnerability update for SVA was made available using the LiveUpdate feature of SVA 1.0.
The following patches are available in the associated Security Bulletin:
Copyright © by Symantec Corp.
Symantec, Symantec products, and Symantec Security Response are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: Monday, 19-Apr-2004 09:46:01 PDT