Microsoft Security Bulletin MS03-040 - 828750

  • Thread starter: Jerry Bryant [MSFT]
It's tough to know who is who, what is what, or how many "e"'s are in
Hardmeier.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
(e-mail address removed)
| I agree with the statements below...
|
| Brian
|
| --
| Brian Gaff....
| graphics are great, but the blind can't hear them
| Email: (e-mail address removed)
|
|
|
| | This may sound harsh.
| |
| | It is meant to sound harsh.
| |
| | I just re-read it.
| |
| | I am still posting it.
| |
| | Pardon me, but don't you think you could have EXPLAINED the meaning and
| | importance of this (AND the other critical fix just issued)? What does
| | MSFT, MSCE, or MCDBA mean if YOU are allowed to put it after your name? Not
| | much, evidently.
| |
| | Take into account the users who are asking questions on these newsgroups.
| |
| | Take into account that they all are worried about the flood of infected,
| | fake Microsoft security bulletins that USE EXACTLY THE SAME LANGUAGE as what
| | you just posted.
| |
| | Pardon me, but do you have ANY idea how foolish your post is? Why did you
| | do it? Was ANY thought involved?
| |
| | I am appalled. Do you have a keeper? Does Microsoft know what you are
| | doing?
| |
| | And cross-posted too, just like the 'swen' worm posts to newsgroups!
| |
| | Please, could some responsible adult at Microsoft cancel the top of this
| | thread.... quickly, before more damage is done? Except, of course, for the
| | newsgroup that does not resolve!
| |
| | --
| | Invisible Dance, (e-mail address removed)
| | normally I've posted using a different e-mail address and name: Phil Weldon,
| | and something close to p well done in mindjump, but I'll get any e-mail sent
| | to the e-mail address above (probably more reliably because THAT mailbox
| | does not yet get 1800 infected e-mails each day.)
| |
| | > Title: Cumulative Patch for Internet Explorer Execution (828750)
| | > Date: October 3, 2003
| | > Software:
| | > Internet Explorer 5.01
| | > Internet Explorer 5.5
| | > Internet Explorer 6.0
| | > Internet Explorer 6.0 for Windows Server 2003
| | > Impact: Run code of attacker's choice.
| | > Maximum Severity Rating: Critical
| | > Bulletin: MS03-040
| | >
| | > The Microsoft Security Response Center has released Microsoft Security
| | > Bulletin MS03-040
| | >
| | > What Is It?
| | > The Microsoft Security Response Center has released Microsoft Security
| | > Bulletin MS03-040 which concerns a vulnerability in Internet Explorer.
| | > Customers are advised to review the information in the bulletin, test and
| | > deploy the patch immediately in their environments, if applicable.
| | >
| | > More information is now available at
| | > http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
| | >
| | > If you have any questions regarding the patch or its implementation after
| | > reading the above listed bulletin you should contact Product Support
| | > Services in the United States at 1-866-PCSafety (1-866-727-2338).
| | > International customers should contact their local subsidiary.
| | >
| | > --
| | > Regards,
| | >
| | > Jerry Bryant - MCSE, MCDBA
| | > Microsoft IT Communities
| | >
| | > Get Secure! www.microsoft.com/security
| | >
| | > This posting is provided "AS IS" with no warranties, and confers no
| | > rights.
| | >
| | >
| |
| |
|
|
| ---
| Outgoing mail is certified Virus Free.
| Checked by AVG anti-virus system (http://www.grisoft.com).
| Version: 6.0.522 / Virus Database: 320 - Release Date: 29/09/03
|
|
 
Jerry said:
So, in light of recent swen issues in these
newsgroups, is it the general feeling of all here that cross posting
should not be used to communicate these bulletin releases?

No. (Or, at least, I'm not part of such a consensus.) I think you're doing
this as best as can be done. Keep it up, please!
Microsoft has always maintained that
www.microsoft.com/technet/security is authoritative in regards to
security issues with our products. This means that even if you are
subscribed to our security bulletin notification service, you should
verify the validity of that information by going to that site.

I left this in because it's good to reinforce.

--
Jim Eshelman, MS-MVP Windows
http://aumha.org/
http://WinSupportCenter.com/


Did you find this newsgroup on the web? A newsreader like Outlook Express
will make your online life a lot easier. Get better help! See:
http://aumha.org/win4/supp1b.htm and
http://support.microsoft.com/support/news/howto/default.asp
 
Gary said:
That said, cross-posting has the unfortunate effect of turning
several discrete newsgroups into one big, incredibly redundant one.
That can be a good thing, that can be a bad thing. I, personally,
feel that X-Posting in this case is precisely proper. But it *might*
be more acceptable in the current climate to use multiple posting to
achieve the same effect.

I see what I think is Gary's point -- that PROPER cross-posting looks like
what the viruses are doing. But I wouldn't let them win on this one. CORRECT
cross-posting is the best way to do it unless you want people to develop a
real frustration of encountering the same post over and over dozens of
times. Ironically, though that isn't how the spammers do it, that may
actually give MORE of an impression that it's spam -- because the user sees
it dozens of times.

(Just realized that might be warped by my own perspective. Maybe the typical
user who would have these doubts doesn't visit dozens of newsgroups the way
I do <g>.)

The worst complaint here might be overcome by adding a phrase at the very
top to the effect of: "To confirm that this patch is authentically a
Microsoft patch, go get it at Windows Update." (Polished language left in
your able hands.)

--
Jim Eshelman, MS-MVP Windows
http://aumha.org/
http://WinSupportCenter.com/


Did you find this newsgroup on the web? A newsreader like Outlook Express
will make your online life a lot easier. Get better help! See:
http://aumha.org/win4/supp1b.htm and
http://support.microsoft.com/support/news/howto/default.asp
 
Well, certainly I agree with the "Gary S. Terhune" post. The point against
your position is that the people who most need some certainty of the
validity of information are exactly those who are not going to be
participating in a large number of these newsgroups. In fact, who is except
those like "JB"?

No matter what you wish might be the case, wishing will not make it so. The
spammers and wormers have won this round. It's time to get ahead of the
curve, and not to fight a rear-guard action over unwanted and unneeded
territory.

The fact is, a worm writer can mimic ANY rigid behavior. What is much
harder to do is to give the impression that a living person, reacting to
events and the environment, is behind a post. That is one of the major
reasons that very official corporate announcements about operating system
security problems are difficult for many to distinguish from the malicious
fakes. The 'swen' worm experience clearly shows this.

What you see, at least in microsoft.public.security.virus, is that most of
the initial posts in a thread that may be 'swen' connected are from people
who haven't previously even heard of the 'swen' worm. Most of these people
are first time Usenet users, many who don't even know they have posted to a
Usenet newsgroup. Many post before even reading ANY of the prior posts. So
who, exactly are these "Official Microsoft security messages" posted in this
newsgroup?

The above brings up another question. Who participates in this (the
microsoft.public.security.virus newsgroup.)

#1. Users desperately looking for help, who may have recently had a
very bad experience with what they thought was an official Microsoft
communication (i.e., they previewed, opened or executed an infected e-mail).
#2. Users who are somewhat knowledgeable, and who are being confronted
with infected machines belonging to associates and family, and who want to
help.
#3. Users who are suffering effects from OTHER people's infected
machines, and want to help solve the problem (the reason for my current
participation)
#4. Regular posters who have some connection with Microsoft, and
participate on that basis.

This list is not exhaustive, but it likely covers the bulk of those who read
and/or post here.

Who, out of the list, needs the most care and careful consideration?
Clearly groups 1 and 2; certainly NOT group 4, and only secondarily group 3.
 
Continue to do what you're doing, Jerry. I think it is MOST valuable. And,
as an employee of Microsoft, I think you have every right to do it.

Tom
| There is some interesting feedback here to my post. FYI, I personally have
| been posting our security bulletins and alerts in these newsgroups for over
| two years now. In fact, I created these security newsgroups (.security and
| .security.virus) mainly for this purpose. My post is completely consistent
| with the way I have always posted them. This is the first time anyone had
| issues with cross posting. I understand the basis of those concerns though
| and will take them into consideration. So, in light of recent swen issues
| in these newsgroups, is it the general feeling of all here that cross
| posting should not be used to communicate these bulletin releases?
|
| Microsoft has always maintained that www.microsoft.com/technet/security is
| authoritative in regards to security issues with our products. This means
| that even if you are subscribed to our security bulletin notification
| service, you should verify the validity of that information by going to that
| site.
|
| --
| Regards,
|
| Jerry Bryant - MCSE, MCDBA
| Microsoft IT Communities
|
| Get Secure! www.microsoft.com/security
|
|
| This posting is provided "AS IS" with no warranties, and confers no rights.
|
| > Title: Cumulative Patch for Internet Explorer Execution (828750)
| > Date: October 3, 2003
| > Software:
| > Internet Explorer 5.01
| > Internet Explorer 5.5
| > Internet Explorer 6.0
| > Internet Explorer 6.0 for Windows Server 2003
| > Impact: Run code of attacker's choice.
| > Maximum Severity Rating: Critical
| > Bulletin: MS03-040
| >
| > The Microsoft Security Response Center has released Microsoft Security
| > Bulletin MS03-040
| >
| > What Is It?
| > The Microsoft Security Response Center has released Microsoft Security
| > Bulletin MS03-040 which concerns a vulnerability in Internet Explorer.
| > Customers are advised to review the information in the bulletin, test and
| > deploy the patch immediately in their environments, if applicable.
| >
| > More information is now available at
| > http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
| >
| > If you have any questions regarding the patch or its implementation after
| > reading the above listed bulletin you should contact Product Support
| > Services in the United States at 1-866-PCSafety (1-866-727-2338).
| > International customers should contact their local subsidiary.
| >
| >
| >
| > --
| > Regards,
| >
| > Jerry Bryant - MCSE, MCDBA
| > Microsoft IT Communities
| >
| > Get Secure! www.microsoft.com/security
| >
| >
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| >
|
|
 
FWIW, which is very little:

I've not had time to even read the patch description carefully, nor check
all the references.

I do have a server with a copy of Firehole, version 1.01, which is a sample
test exploit.

You can find this via google, I'm sure--it is quite safe.

My recollection is that exploit worked fine last time I tried it.

It fails after this patch.

I'm glad that hole is patched--now on to the others!

Me2 said:
"mass post" "cross post" same thing...

My basic question is: Does MS03-040 fix the Trojan.Qhosts bug??? Do we just
guess or wait for Symantec to tell us??

Thanks

Me2 said:
Jupiter, so, it's ok to mass post... Let e'r rip...

With MS03-040 M$ released a 6% fix with some good descriptions of what to
change with IE security setting.

What I can not figure out is what exactly this is supposed to fix.
Trojan.QHosts? Some other kind of Trojan/virus/worm? The technical
details and FAQs have a lot of wording about this and that - all good stuff.
But it looks like it all comes down to two fixes (three if you include the
Media player update):

a. Object Tag vulnerability in Popup Window: CAN-2003-0838
b. Object Tag vulnerability with XML data binding: CAN-2003-0809

The odd thing is the two "CAN-xxxx-xxxx" links don't work in the security
bulletin. If I try to match it up to the 31 IE vulnerabilities listed on
"http://www.pivx.com/larholm/unpatched" then it looks like M$ fixed 2 of the
31 (6%) leaving us with 29 (94%) IE vulnerabilities to go.

Still waiting for the other 94% of the IE fixes...

Jupiter Jones said:
I am viewing this thread through the Microsoft servers and I do see a
difference.
Perhaps you need to read more posts.
People often point out that this information does not get enough
publicity in these newsgroups.
Now Microsoft posts this very information to the newsgroups and people
complain.
Microsoft will lose no matter what they do.
Some of the patches need massive exposure.
In a 2 hour time frame, I saw the information about this patch from at
least 4 different methods.
This is what it is sometimes necessary to do.

You can pick all you want, the point is the information is getting out
in a non threatening way.
There are NO attachments.
If you would like to panic over a legitimate post, what did you do
when all the viruses were here?

I obviously realize a lot more than you think, a point that should be
obvious to you if you only look.

--
Jupiter Jones [MVP]
An easier way to read newsgroup messages:
http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp
http://dts-l.org/index.html


Phil;
Why are you posting "It is meant to sound harsh"?
This is a newsgroup.
One purpose is the exchange of information.
Jerry gave information about an important Critical Update.
How much more of an explanation is needed?
Instead of wasting bandwidth, Jerry posted the relevant link, click
it, the link works.
 
One possible answer to this question is an issue of time. I know that folks
sweated to release this patch--typically the patch description states that
the documentation--kb articles, for example, will follow within 24 hours.
Given the timing, it might be longer this time.

I don't know if this'll rate a virus description article or not--but KB
article, for sure.
 
Not to quibble too much, but your #4 doesn't impress me a bit--the virus
forges addresses--if we haven't seen a friendly name with MSFT in it, that's
largely accident. Neither way do we have proof that no Microsoft employee
has suffered a Swen infection.
 
Stefan - I agree with Phil that you are still at risk. I'm not sure whether
it was this patch description I read, or something else, which indicated
that you were vulnerable simply by having IE on your system, even if not in
use for browsing. I'm sure your firewall helps, but we all know there are
both simple and complex ways things get around firewalls.

I'm not persuaded by the argument that the newest version, patched to date,
may have more holes in it than the old one--could be true, but then, at
least patches may be forthcoming--they won't be for the version you are
using.
 
as an aside--have you checked whether the KAROL posting is still available?

It should have been removed from MSNEWS. I'm unclear whether these removals
propagate outwards--if they do not, this would be another deviation from
Usenet standards for these groups.

Invisible Dance said:
Since "Jerry Bryant [MSFT] massively cross-posted (the same technique the
'swen' worm uses in posting to newsgroups), this is somewhat difficult to
explain, so I'll append an example of the same information that was posted
to microsoft.public.security.virus (not cross-posted as the 'swen' worm
cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have
valid hot-links to appropriate Microsoft websites, it's just that they also
have a malformed header and an infected attachment]) in a much better
fashion. If you are not viewing this thread in the
microsoft.public.security.virus you may not realize how bad the post from
"Jerry Bryant [MSFT] looks in context.

Realize that millions of fake, infected "Microsoft Security Bulletins" are
being sent out hourly by systems and networks infected by the 'swen' worm.
Some of us are getting a thousand or more each day. That makes it extremely
important to make every effort to ensure any legitimate information
purporting to be from Microsoft to distinguish itself from that provided by
the 'swen' worm.

Just in case you need a glimpse of the 'swen' worm product, look at (but be
very, very sure that you have all necessary Microsoft security patches and
Service Packs installed AND have an antivirus program with the latest virus
definitions scanning all operations of your computer before looking) the
post to microsoft.public.security.virus

Watch this security patch
From: Karol
Sent: 02OCT03 4:18 PM EDT


The post generated by the 'swen' worm has a malformed header AND has the ~
106,000 byte infectious attachment. Open this attached file and, without
up-to-date antivirus protection on your Windows 98 and up operating system
and your system WILL be infected.
______________________
Quote Begins
______________________
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (828750)
Date: October 3, 2003
Software: Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-040

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
In addition, it eliminates the following newly discovered
vulnerabilities:

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server in a
popup window. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user
visited an attacker's Web site, it would be possible for the attacker
to exploit this vulnerability without any other user action. An
attacker could also craft an HTML-based e-mail that would attempt to
exploit this vulnerability.

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server during
XML data binding. It could be possible for an attacker who exploited
this vulnerability to run arbitrary code on a user's system. If a
user visited an attacker's Web site, it would be possible for the
attacker to exploit this vulnerability without any other user action.
An attacker could also craft an HTML-based e-mail that would attempt
to exploit this vulnerability.

A change has been made to the method by which Internet Explorer
handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer
Restricted Zone. It could be possible for an attacker exploiting a
separate vulnerability (such as one of the two vulnerabilities
discussed above) to cause Internet Explorer to run script code in the
security context of the Internet Zone. In addition, an attacker could
use Windows Media Player's (WMP) ability to open URL's to construct
an attack. An attacker could also craft an HTML-based e-mail that
could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially
formed HTML-based e-mail and send it to the user. Alternatively an
attacker would have to host a malicious Web site that contained a Web
page designed to exploit these vulnerabilities. The attacker would
then have to persuade a user to visit that site.

As with the previous Internet Explorer cumulative patches released
with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this
cumulative patch will cause window.showHelp( ) to cease to function
if you have not applied the HTML Help update. If you have installed
the updated HTML Help control from Knowledge Base article 811630, you
will still be able to use HTML Help functionality after applying this
patch.

In addition to applying this security patch it is recommended that
users also install the Windows Media Player update referenced in
Knowledge Base Article 828026. This update is available from Windows
Update as well as the Microsoft Download Center for all supported
versions of Windows Media Player. While not a security patch, this
update contains a change to the behavior of Windows Media Player's
ability to launch URL's to help protect against DHTML behavior based
attacks. Specifically, it restricts Windows Media Player's ability
to launch URL's in the local computer zone from other zones.

Mitigating Factors:
====================
- -By default, Internet Explorer on Windows Server 2003 runs in Enhanced
Security Configuration. This default configuration of Internet Explorer
blocks automatic exploitation of this attack. If Internet Explorer
Enhanced Security Configuration has been disabled, the protections
put in place that prevent this vulnerability from being automatically
exploited would be removed.

- -In the Web-based attack scenario, the attacker would have to host a
Web site that contained a Web page used to exploit this
vulnerability. An attacker would have no way to force a user to
visit a malicious Web Site. Instead, the attacker would need to lure
them there, typically by getting them to click a link that would take
them to the attacker's site.

- -Exploiting the vulnerability would allow the attacker only the same
privileges as the user. Users whose accounts are configured to have
few privileges on the system would be at less risk than ones who
operate with administrative privileges.

Risk Rating:
============
-Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
for information on obtaining this patch.


- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.






--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone -


_______________
Quote Ends
--
Invisible Dance, (e-mail address removed)


Jonathan Maltz said:
Hi Mae,

I also appreciate bulletins like this. I just wanted to make you aware that
Microsoft also has Email updates that you can subscribe to:
http://www.microsoft.com/security/security_bulletins/decision.asp

--
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup. If I see an email I didn't ask for, it will be
deleted without reading.


Thank you and FYI, I rely on these postings you provide in such a timely
manner.
It makes it easier for me and is the main reason I subscribe to this group.

mae
-------------------------------------------------------------
| Title: Cumulative Patch for Internet Explorer Execution (828750)
| Date: October 3, 2003
| Software:
| Internet Explorer 5.01
| Internet Explorer 5.5
| Internet Explorer 6.0
| Internet Explorer 6.0 for Windows Server 2003
| Impact: Run code of attacker's choice.
| Maximum Severity Rating: Critical
| Bulletin: MS03-040
|
| The Microsoft Security Response Center has released Microsoft Security
| Bulletin MS03-040
|
| What Is It?
| The Microsoft Security Response Center has released Microsoft Security
| Bulletin MS03-040 which concerns a vulnerability in Internet Explorer.
| Customers are advised to review the information in the bulletin, test and
| deploy the patch immediately in their environments, if applicable.
|
| More information is now available at
| http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
|
| If you have any questions regarding the patch or its implementation after
| reading the above listed bulletin you should contact Product Support
| Services in the United States at 1-866-PCSafety (1-866-727-2338).
| International customers should contact their local subsidiary.
|
|
|
| --
| Regards,
|
| Jerry Bryant - MCSE, MCDBA
| Microsoft IT Communities
|
| Get Secure! www.microsoft.com/security
|
|
| This posting is provided "AS IS" with no warranties, and confers no
| rights.
|
|
 
Keep them coming Jerry!
I got the info from your email before the security alert came down.
The only reason I posted it here after you had already posted it was the
fact your post was not showing up on my news server yet.

Crossposts are fine with me--you have lots more groups to post the info to
than I do.<G>


--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone -
 
Not all the regular posters have a "connection" to Microsoft--MVP's do--and
I'm an MVP, although I don't think it is in my sig here--my MVP is in
Windows Networking rather than security, and I'm definitely an amateur here.

And, of course, there are regulars whose posts are better disregarded by
everyone, as I'm sure you've noticed!

The question of whose information to trust is definitely an everyday issue
here, and there's no simple answer, I'm afraid.

That's one reason I think why you'll sometimes see multiple folks giving out
the same answer in a thread (probably not the main one, though!)--sometimes
getting information or a reference that may be out of the usual from
multiple sources can help validate it.
 
FWIW - cross posting is good; multi posting is bad.
OBTW - appreciate your effort to get the word out.
 
Well, as cquirke said, even an URL can be faked, perhaps in HTML only--
still, a convincing enough post, with a signature such as yours will
entice one to click any URL. So, it's best to just put any critical fix
at Windows Update. Fine! We've all clicked a half million URLs by now,
and I've got a collection of 500, but... BUT...... well... this post
might be a favorite kind of target. Indeed, Swen has been here imitating
MS already, you know. So, until you do some of what Nancie suggested,
which is some kind of screening of posts, it's best to keep it at
Windows Update.

But do come by now & then, even just to tell us one has come out. This
is because some of us may have uninstalled the MS Critical Update
Notification Tool, whether accidentally or for any other valid reason.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
(e-mail address removed)
| There is some interesting feedback here to my post. FYI, I personally have
| been posting our security bulletins and alerts in these newsgroups for over
| two years now. In fact, I created these security newsgroups (.security and
| .security.virus) mainly for this purpose. My post is completely consistent
| with the way I have always posted them. This is the first time anyone had
| issues with cross posting. I understand the basis of those concerns though
| and will take them into consideration. So, in light of recent swen issues
| in these newsgroups, is it the general feeling of all here that cross
| posting should not be used to communicate these bulletin releases?
|
| Microsoft has always maintained that www.microsoft.com/technet/security is
| authoritative in regards to security issues with our products. This means
| that even if you are subscribed to our security bulletin notification
| service, you should verify the validity of that information by going to that
| site.
|
| --
| Regards,
|
| Jerry Bryant - MCSE, MCDBA
| Microsoft IT Communities
|
| Get Secure! www.microsoft.com/security
|
|
| This posting is provided "AS IS" with no warranties, and confers no
| rights.
| > Title: Cumulative Patch for Internet Explorer Execution (828750)
| > Date: October 3, 2003
| > Software:
| > Internet Explorer 5.01
| > Internet Explorer 5.5
| > Internet Explorer 6.0
| > Internet Explorer 6.0 for Windows Server 2003
| > Impact: Run code of attacker's choice.
| > Maximum Severity Rating: Critical
| > Bulletin: MS03-040
| >
| > The Microsoft Security Response Center has released Microsoft Security
| > Bulletin MS03-040
| >
| > What Is It?
| > The Microsoft Security Response Center has released Microsoft Security
| > Bulletin MS03-040 which concerns a vulnerability in Internet Explorer.
| > Customers are advised to review the information in the bulletin, test and
| > deploy the patch immediately in their environments, if applicable.
| >
| > More information is now available at
| > http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
| >
| > If you have any questions regarding the patch or its implementation after
| > reading the above listed bulletin you should contact Product Support
| > Services in the United States at 1-866-PCSafety (1-866-727-2338).
| > International customers should contact their local subsidiary.
| >
| >
| >
| > --
| > Regards,
| >
| > Jerry Bryant - MCSE, MCDBA
| > Microsoft IT Communities
| >
| > Get Secure! www.microsoft.com/security
| >
| >
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| >
|
|
 
On Sat, 4 Oct 2003 19:49:08 -0400, "Bill Sanderson"
in said:
Stefan - I agree with Phil that you are still at risk. I'm not sure whether
it was this patch description I read, or something else, which indicated
that you were vulnerable simply by having IE on your system, even if not in
use for browsing. I'm sure your firewall helps, but we all know there are
both simple and complex ways things get around firewalls.

I'm not persuaded by the argument that the newest version, patched to date,
may have more holes in it than the old one--could be true, but then, at
least patches may be forthcoming--they won't be for the version you are
using.

<resignedly>

OK, I'll download IE 6 and the appropriate MS03-040 patch and
apply it all across the LAN. Then, at least I'll be in
compliance. <g>

<sigh>
 
Rob,

Yes, I did take it that you somehow were reducing the seriousness of the
Trojan.QHosts one of our executives got installed on his PC. I need to tell
you that I am (was?) a M$ advocate in that we have a vast investment in M$
software. We have spent tons of money on security (firewalls, DMZ,
monitoring, proxies, anti-virus, email monitors, etc) and what does it take
to have your information compromised? Just visiting a site with IE 6 (with
the most current patches and AV installed) - the site that you visit could
be one that you have visited before and is deemed ok. But the site uses
advertising banners from a third party - and today one of the little ad
banners is able to change the registry, add, delete and modify files. WOW,
is that a problem or what? And you know what M$ was telling us about this
bug - NOTHING!!!

You know what M$ told me when I called about the Trojan.QHosts infection -
sorry it's not our problem (in a lot more words) - see your AV vendor!!!
Then nearly on the same day I find news articles all over the place talking
about the Qhosts and how M$ does not have a fix yet. Some of the articles
refer to the 31 holes in IE. 31 un-patched vulnerabilities!!! So when
MS03-040 is released - does M$ tell us that it fixed the hole that
Trojan.Qhosts used? NO, I need to find out on a new group or in the media.

Getting back to your question:
"If Microsoft and the antivirus companies made
as big a fuss about even the trivial stuff as they do about the serious
stuff, do you think that would heighten awareness? Or would it be more
likely to confuse people and cause them to "switch off" and not listen to
the warnings?"


Big fuss? First of all M$ has ZERO information about Trojan.QHosts. They
only make a big fuss about the release of a fix!!! (or a bug that is
affecting millions) Seems to be a complete lack of empathy for their
customers who are experiencing serious security breaches because of their
products. No information - let that sink in - M$ is not telling us about
problems (i.e. Trojans/viruses/worms) that are affecting the security of
their products!!! What total arrogance!

I agree that there are different levels of risk and fix priorities that need
to be assigned but that is different than providing ZERO information. Yes,
I guess that M$ should only release a "news alert" about a new
virus/worm/Trojan if there are over X number of people and organizations
affected. What do you suggest for this X number? 1000, 10000, 1K, 1
million or more PCs infected and information compromised? Just look at the
masses of junk mail from swen - boy M$ will be really liked if there is
another virus infecting another 10000+ PCs on the net spewing out more junk
emails.

Sorry, if I sound mad - I am - I can't get over that M$ would not be warning
their customers about potential vulnerabilities in their products - they are
likely working on the next fixes - but we are left to suffer because M$ is
arrogantly not warning their customers about vulnerabilities. We don't need
any of the technical details, just some recommendations on risks and
tradeoffs of using IE or other products.

Seems to me that if M$ had at least warned (no news release - just a
post/recommendation on their security pages) about the IE vulnerabilities,
customers could decide FOR THEMSELVES if it is worth the risk of allowing
Internet IE browsing from within a corporation. Maybe we need to setup a
separate network for Internet browsing until M$ gets things under control -
I don't know. Home users are certainly on their own when it comes to
information security.

I hope to God that the Department of Homeland Security is not open to the
Internet!!!

Thanks, for talking. I just kinda needed an outlet.
Me
 
Sandi,

I don't know what you are talking about. M$ had ZERO information about the
Trojan.Qhosts when it was infecting thousands of machines.

MS03-040 still says NOTHING about Trojan.Qhosts. Is that prominent enough
for you?

Me
 
Cquirke,

What I meant by "post" was to the Microsoft security pages. When I have a
problem with Microsoft software I go to the Microsoft website and search the
KB, read the security pages, etc.

I know that Microsoft is not an AV vendor (yet) and that AV vendors list an
outrageous number of new viruses/Trojans/worms a day, but it would be nice
if a Trojan/virus/worm is affecting many machines (don't know what that
number is) and the news media already has articles on the top of the Yahoo
or Google News lists describing the Trojan/virus/worm if Microsoft would at
least acknowledge that such a critter exists (with at least post on the M$
security pages). Seems to be simple courtesy to their customers.

All the things you say are good. But I still would like Microsoft to
provide a little more current information about potential security risks
(not the technical details) of using Microsoft product XYZ. I don't know
the legal ramifications, but maybe just say IE has X number of known security
vulnerabilities and we are working on fixes to all of them. You have a
known chance of information compromise (until these vulnerabilities are
fixed), so take appropriate actions...

Me
 
Bill,

I have been reading more and this "PSS Security Team - Security Alert
Severity Matrix" information:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/matrix.asp

Implies that Microsoft MUST issue a Critical Security Alert when a "Microsoft
Product Vulnerability" is known "Yes/Patch Not Available(*)". * means: Any
attack that uses a Microsoft product vulnerability for which a patch has not
been released will be Critical Reactive regardless of other entries in the
matrix.

Microsoft dropped the ball on Trojan.Qhosts...
 