Information About Microsoft's August 2004 Security Bulletins
August 13, 2004
Feliciano Intini, CISSP, MCSE, Security Advisor, Premier Security Center, Microsoft Services - ITALY
What we will cover
Security Bulletins:
- MS04-025: Windows Internet Explorer
- MS04-026: Microsoft Exchange Server 5.5
Other Security Topics:
- Security Tools
- Reminder: Defense In Depth Configuration Changes
- Windows XP Service Pack 2
- Resources
- Questions & Answers
Review of August Security Bulletins
- Overview of each vulnerability for risk assessment
- Workarounds you can implement while deploying the security updates
- How to determine which systems the available security updates apply to
- How you can deploy the security updates to your systems
August 2004 Security Bulletins
Maximum Severity | Bulletin Number | Products Affected | Impact
Critical | MS04-025 | Microsoft Windows | Remote Code Execution
Moderate | MS04-026 | Microsoft Exchange | Remote Code Execution
MS04-025: Overview
Cumulative Security Update for Internet Explorer (867801)
- Impact: Remote Code Execution
- Maximum Severity: Critical
- Affected Software: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003; Critical for Windows 98, Windows 98 Second Edition, Windows Millennium Edition
- Affected Components: Internet Explorer 5.01 Service Packs 2, 3 and 4; Internet Explorer 5.5 Service Pack 2; Internet Explorer 6.0; Internet Explorer 6.0 Service Pack 1, Internet Explorer 6 Service Pack 1 (64-Bit Edition); Internet Explorer 6.0 for Windows Server 2003, Internet Explorer 6 for Windows Server 2003 (64-Bit Edition)
MS04-025: Understanding the Vulnerabilities
- Navigation Method Cross-Domain Vulnerability - CAN : a vulnerability in how navigation methods are validated that can enable code execution
- Malformed BMP File Buffer Overrun Vulnerability - CAN : a buffer overrun vulnerability in how BMP files are rendered that can enable code execution
- Malformed GIF File Double Free Vulnerability - CAN : a double free vulnerability in how GIF files are handled that can enable a denial of service or potentially code execution
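As an added defensive illustration (not code from the bulletin or from Internet Explorer), this shows the header validation a BMP renderer needs before it sizes a pixel buffer from attacker-controlled biWidth/biHeight/biBitCount; the function names, the dimension cap and the constructed headers are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical sanity cap on image dimensions, chosen for this example. */
#define BMP_MAX_DIM 32768

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/* Writes a constructed 54-byte BMP header (BITMAPFILEHEADER + BITMAPINFOHEADER). */
void bmp_write_header(uint8_t *h, int32_t w, int32_t ht, uint16_t bpp, uint32_t file_size) {
    memset(h, 0, 54);
    h[0] = 'B'; h[1] = 'M';
    wr32(h + 2, file_size);        /* bfSize */
    wr32(h + 10, 54);              /* bfOffBits: pixel data starts right after the header */
    wr32(h + 14, 40);              /* biSize */
    wr32(h + 18, (uint32_t)w);     /* biWidth */
    wr32(h + 22, (uint32_t)ht);    /* biHeight (negative = top-down) */
    h[26] = 1;                     /* biPlanes */
    h[28] = bpp; h[29] = bpp >> 8; /* biBitCount */
}

/* Returns the pixel-buffer size a renderer must allocate, or 0 if the header is
 * inconsistent with the file: the check an overrun-safe parser performs BEFORE
 * trusting biWidth/biHeight to size its allocation or drive its copy loop. */
size_t bmp_safe_pixel_bytes(const uint8_t *buf, size_t len) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0;
    uint32_t off = rd32(buf + 10);
    int32_t w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    uint16_t bpp = buf[28] | buf[29] << 8;
    if (w <= 0 || w > BMP_MAX_DIM || h == 0) return 0;
    int64_t ah = h < 0 ? -(int64_t)h : h;      /* abs() without INT32_MIN undefined behaviour */
    if (ah > BMP_MAX_DIM) return 0;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return 0;
    /* Row stride is padded to 4 bytes; do the arithmetic in 64 bits so a crafted
     * width*bpp cannot wrap around to a small allocation that the pixel copy overruns. */
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;
    uint64_t need = stride * (uint64_t)ah;
    if (off < 54 || off > len || need > len - off) return 0;  /* pixel data must fit in the file */
    return (size_t)need;
}
```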
MS04-025: Risk Assessment
Possible Attack Vectors:
- Malicious HTML page hosted on a Web site
- Malicious HTML page sent as HTML e-mail
Impact of Successful Attack:
- Attacker's code would run in the user's context
Mitigating Factors:
- Both the Web page and the e-mail vectors require user action
- Attacker's code is limited by the user's privileges
MS04-025: Risk Assessment (2)
Mitigating Factors (cont'd):
- Opening HTML e-mail in the Restricted sites zone helps reduce attacks; this is the default for Outlook Express 6, Outlook 2002 and Outlook 2003, for Outlook 98 and Outlook 2000 with the Outlook E-mail Security Update (OESU), and for Outlook Express 5.5 with MS
- Also, risk from the HTML e-mail vector is significantly reduced if both: the latest Cumulative Security Update for IE is installed (change introduced in MS03-040) and IE 6.0 or later is in use
MS04-025: Updates
Two updates are available:
- The security update contains only security fixes and publicly available updates; available on Windows Update, Software Update Services and the Download Center
- The update rollup contains security fixes, publicly available updates AND hotfixes; available only on the Download Center
To reduce the risk of deployment problems, customers should apply the security update by default.
MS04-026: Overview
Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842463)
- Impact: Remote Code Execution
- Maximum Severity: Moderate
- Affected Software: Microsoft Exchange Server 5.5 SP4
- Affected Components: Outlook Web Access (OWA)
MS04-026: Understanding the Vulnerability
- Cross-site Scripting and Spoofing Vulnerability - CAN : a cross-site scripting and spoofing vulnerability that could cause a user to run script on the attacker's behalf or to view spoofed content
MS04-026: Risk Assessment
Possible Attack Vectors:
- Sending a specially crafted HTTP request to the Outlook Web Access server
Impact of Successful Attack:
- Execute script in the user's context
- Put spoofed content in the Web browser cache and in intermediate proxy server caches
Mitigating Factors:
- An attacker must have valid logon credentials for the Outlook Web Access server
- Limitations on the user's account apply to the attacker's script
- The "Do not save encrypted pages to disk" option prevents attempts to put spoofed content into the client cache
- SSL-protected connections protect against the intermediate proxy vector
- It is difficult for an attacker to predict which users would be served spoofed cached content from an intermediate proxy server
MS Re-Release
- Re-issued to advise on the availability of a security update for Microsoft INTERIX 2.2
- Customers who are not using Microsoft INTERIX 2.2 and have previously installed the security updates provided as part of the original release of this bulletin do not need to install the new security update
- Customers using Microsoft INTERIX 2.2 should apply the new update
Workarounds
Host-based workarounds:
MS04-025:
- Set Internet and Local Intranet security zone settings to "High"
- Restrict Web sites to only trusted Web sites
- Strengthen the security settings for the Local Machine zone (see the Knowledge Base article)
- Read messages in plain text format
MS04-026:
- Disable Outlook Web Access for each Exchange site
Determining Systems for Deployment
MBSA:
- Use MBSA to determine systems that require MS04-025 and MS04-026
- MBSA will identify systems that require the MS04-025 security update but cannot determine systems that might require the update rollup
- As of 8/10, MBSA will not raise a warning regarding greater-than-expected file versions on systems with the update rollup installed
SUS:
- The SUS Client (the Automatic Updates Client) will automatically detect systems that require MS04-025
- The SUS Client will identify systems that require the security update but cannot determine systems that might require the update rollup
- SUS cannot be used to determine systems that require MS04-026
Determining Systems for Deployment (2)
SMS 2.0 / 2003:
- Use SMS 2003 to identify systems that need MS04-025 and MS04-026
- SMS will identify systems that require the MS04-025 security update but cannot determine systems that might require the update rollup
- To limit deployment of the update rollup to only those computers running post-MS hotfixes, use software inventory to detect systems based on the files affected by the hotfixes
- For more information see Deploying Software Updates Using the SMS Software Distribution Feature: tchupdate.mspx
Note regarding SMS and MBSA:
- Proxy caching at the ISP or on the intranet may delay the availability of the detection catalog mssecure.cab
- The file uses "Cache-Control: must-revalidate", and most proxy servers honor this
- Refer to the KB to diagnose delays
Deploying the Updates
SUS:
- Use the SUS Client (the Automatic Updates Client) to deploy MS04-025
- SUS can only be used to deploy the security update; it will not deploy the update rollup
SMS:
- Use SMS 2.0 with the SMS SUS Feature Pack or SMS 2003 to deploy MS04-025 and MS04-026
- The update rollup can be deployed using the "import" feature documented in the SMS documentation
Deploying the Updates (2)
Restarts:
- MS04-025: Required
- MS04-026: Not required, but the update will restart these services: Microsoft Internet Information Services (IIS), Exchange Store, Exchange System Attendant
Uninstall:
- MS04-025: Can be uninstalled
- MS04-026: Can be uninstalled
Deploying the Updates (3)
Notes for MS04-026:
- Version requirements for dependent components: the Microsoft Outlook Web Access (OWA) server must have one of the following: Internet Explorer 5.01 Service Pack 3 on Windows 2000 Service Pack 3; Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4; Internet Explorer 6 Service Pack 1 on currently supported operating systems
- Apply the update only to Exchange 5.5 servers running Outlook Web Access
Security Tools: MBSA Reminder
MBSA is no longer supported:
- As of April 20, 2004, the mssecure.xml file used by versions earlier than MBSA 1.2 is no longer updated
- Scans performed with MBSA or earlier versions will not detect the Security Bulletins released since April
- When using SMS, the MBSA GUI and mbsacli, scan results will include an 'update', e.g.:
Obtain upgrades:
- SMS 2.0 SUS Feature Pack and SMS 2003 users: SMS downloads page
- MBSA users: MBSA homepage
Security Tools: MBSA & XP SP2
- A new version of MBSA (1.2.1) is needed for Windows XP SP2 compatibility!
- Needed to provide compatibility and better support for Windows XP SP2 security improvements
- Will be available in mid-August
- Users running MBSA 1.2 will be automatically notified when they run the tool with an Internet connection
Security Tools: MyDoom Cleaner Tool
- New variant, MyDoom.O, discovered on Monday, July
- Zindos.A worm, discovered on Tuesday, July , uses the backdoor opened by MyDoom.O
- The Cleaner tool was updated to clean all known MyDoom variants and Zindos.A
- More information:
Reminder: Deploy Defense in Depth Configuration Changes
Three configuration changes were released in July to enhance the resiliency of Internet Explorer 6.0 and Outlook Express 5.5 SP2:
- Disable the ADODB.stream ActiveX Control in Windows (July ); Knowledge Base Article
- Limit functionality of Shell.application (July ); fix is included in MS
- Change HTML viewing in Outlook Express 5.5 SP2 (July ); change included in MS
Windows XP Service Pack 2
Proactive protection technologies block malicious code at the "point of entry".
- Goals: Enhance Security, Increase Manageability, Improve Experience
- Attack vectors addressed: Network & IM, Web Browsing, Memory
Application Compatibility Snapshot
Functional Area | Compatibility Status
Attachment Handler | User experience modified
NX & /GS, Windows Firewall | Few apps; proper configuration required
DCOM & RPC, Other components, Internet Explorer | Some apps; proper configuration required
- The vast majority of application compatibility issues are mitigated through configuration of SP2 security options
- Very few issues require code changes
Windows XP SP2 - Timeline
- August 6: Release to manufacturing for SP2 English and German (remaining 25 languages RTM over 5 weeks)
- August 9: Release to Microsoft Download Center (full network installation package); release to MSDN (CD ISO image)
- August 10: Release to Automatic Updates, for machines running pre-release versions of Windows XP SP2 only
- August 16: Release to Automatic Updates, for machines not running pre-release versions of Windows XP SP2; release to SUS
- August TBD: Release to Windows Update for interactive user installations
SP2 Delivery via Automatic Update
- SP2 is categorized as a critical update
- Unlike previous critical updates, SP2 requires interactive installation
- Some customers have requested a mechanism to temporarily block SP2 delivery via AU while allowing all other critical security updates via AU
- A registry-based solution temporarily prevents Automatic Update and Windows Update from downloading SP2, and only SP2
- AU and WU search for the existence of the new registry setting; other downloads are unaffected
- The registry setting is the only change required on the local machine
Automatic Update Blocking Mechanism
Tools for implementing the solution:
- ADM file to control the registry setting via Active Directory Group Policy
- Microsoft-signed executable that sets the registry setting on the local machine
- Script file to execute the tool remotely
- Message pointing users to a script file hosted on Microsoft.com
All of these tools also allow disabling the registry setting.
This solution expires after 120 days: AU and WU will ignore the registry key after December 14, 2004.
Scripts and documentation are posted on TechNet.
The best solution is Software Update Services.
Windows XP SP2 Summary
- More secure: "shields-up" approach, reduced attack surface area
- Improved manageability of security settings: more granular control, improved support for Active Directory Group Policy, reduced urgency for patching vulnerabilities
- Better user experience: more and better security information, applications function while remaining secure
- A major step forward on a long journey
Resources
- September Security Bulletins Webcast: our next appointment is Friday 17 September at 10:
- Security Bulletins Search
- Windows XP Service Pack
- Information on MyDoom and its variants
- Security Newsletter
- Security Guidance Center