__________________________________________________________

                The U.S. Department of Energy
            Computer Incident Advisory Capability
                           CIAC
__________________________________________________________

                      INFORMATION BULLETIN

     Microsoft Listbox and ComboBox Control Buffer Overrun
                        Vulnerabilities
            [Microsoft Security Bulletin MS03-045]

October 16, 2003 14:00 GMT                              Number O-009
[REVISED 17 Oct 2003]
[REVISED 30 Oct 2003]
[REVISED 4 Nov 2003]
[REVISED 6 Nov 2003]
______________________________________________________________________________

PROBLEM:       A vulnerability exists because the ListBox control and the
               ComboBox control both call a function, located in the
               User32.dll file, that contains a buffer overrun. The
               function does not correctly validate the parameters that
               are sent to it. The controls can be made to run arbitrary
               code in the security context of the program that contains
               the control.

SOFTWARE:      MS Windows NT Workstation 4.0, Service Pack 6a
               MS Windows NT Server 4.0, Service Pack 6a
               MS Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
               MS Windows 2000, Service Pack 2
               MS Windows 2000, Service Pack 3, Service Pack 4
               MS Windows XP Gold, Service Pack 1
               MS Windows XP 64-bit Edition
               MS Windows XP 64-bit Edition Version 2003
               MS Windows Server 2003
               MS Windows Server 2003 64-bit Edition

DAMAGE:        A local attacker who has the ability to log onto a system
               interactively could run a program that sends a
               specially-crafted Windows message to any application that
               has implemented the ListBox or the ComboBox control,
               causing the application to take any action the attacker
               specified. This could give an attacker complete control
               over the system by using Utility Manager in Windows 2000,
               which runs with Administrator privileges.

SOLUTION:      Apply appropriate patches or implement workarounds.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. An attacker with a user account could
ASSESSMENT:    elevate their privileges to the Administrator level.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-009.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=
                     /technet/security/bulletin/MS03-045.asp
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2003-0659
 ADDITIONAL LINKS:   CERT Advisory CA-2003-27
                     http://www.cert.org/advisories/CA-2003-27.html
______________________________________________________________________________

REVISION HISTORY:
 10/17/03 - Added link to CERT Advisory CA-2003-27.
 10/30/03 - Microsoft released a revised security patch for Windows XP to
            address the problem described in their Knowledge Base Article
            #830846, where installation of the previous patch may stop
            responding (hang). The revised patch contains version 5.4.1.0
            of Update.exe. Version 5.4.1.0 or later versions of Update.exe
            no longer require the Debug Programs user right.
 11/04/03 - Microsoft has revised MS03-045 with a Patch Replacement. This
            patch also replaces the patch provided by MS02-071 [CIAC N-027].
 11/06/03 - Microsoft has revised the MS03-045 Technical Details section
            with information pointing to a new Knowledge Base Article,
            831739.
[***** Start Microsoft Security Bulletin MS03-045 *****]

Microsoft Security Bulletin MS03-045

Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code
Execution (824141)

Issued: October 15, 2003
Updated: November 5, 2003
Version Number: 3.2

Summary

Who Should Read This Document: Customers using Microsoft(R) Windows(R)

Impact of Vulnerability: Local Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should install this security patch at the earliest
opportunity

Patch Replacement: MS02-071

Caveats: None

Tested Software and Patch Download Locations:

Affected Software:
 * Microsoft Windows NT Workstation 4.0, Service Pack 6a - Download the patch
 * Microsoft Windows NT Server 4.0, Service Pack 6a - Download the patch
 * Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 -
   Download the patch
 * Microsoft Windows 2000, Service Pack 2 - Download the patch
 * Microsoft Windows 2000 Service Pack 3, Service Pack 4 - Download the patch
 * Microsoft Windows XP Gold, Service Pack 1 - Download the patch
 * Microsoft Windows XP 64 bit Edition - Download the patch
 * Microsoft Windows XP 64 bit Edition Version 2003 - Download the patch
 * Microsoft Windows Server 2003 - Download the patch
 * Microsoft Windows Server 2003 64 bit Edition - Download the patch

Non Affected Software:
 * Microsoft Windows Millennium Edition

The software listed above has been tested to determine whether these
versions are affected. Other versions are no longer supported and may or
may not be affected.

Technical Details

Technical Description:

Microsoft re-issued this bulletin on October 29, 2003 to advise of the
availability of an updated Windows XP patch. This revised patch corrects
the Debug Programs (SeDebugPrivilege) user right issue that some customers
experienced with the original patch, as discussed in Knowledge Base Article
830846.
This problem is unrelated to the security vulnerability discussed in this
bulletin; however, the problem has caused some customers difficulty
installing the patch. If you have previously applied this security patch,
this update does not need to be installed.

Microsoft has also investigated reports of application compatibility
problems with some third-party applications. Many of the affected
applications have released updated versions to address these issues. For
more information on these issues, please view Knowledge Base Article
831739.

Microsoft re-issued this bulletin on October 22, 2003 to advise of a
compatibility problem with some third-party software that has been
identified with a set of language-specific versions of the Windows 2000
Service Pack 4 patch. This problem is unrelated to the security
vulnerability discussed in this bulletin. Customers who have applied the
patch are protected against the vulnerability discussed in this bulletin.

Subsequent to the release of this bulletin and the associated patches, a
compatibility problem with some third-party software has been identified
with a set of language-specific versions of the Windows 2000 Service Pack 4
patch. This problem is unrelated to the security vulnerability discussed in
this bulletin. Customers who have applied the patch are protected against
the vulnerability discussed in this bulletin. Microsoft has developed a fix
for this issue and is re-releasing this bulletin to reflect the new updated
patches. The compatibility problems only affect the language versions of
the patch listed below, and only those versions of the patch are being
re-released. Other language versions of this patch are not affected and are
not being re-released. Please note that the new security patches support
both the Setup switches originally documented in this bulletin and a set of
new Setup switches that are documented in the Installation Information
section of this bulletin. Additionally, the updated language versions
support Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and
Windows 2000 Service Pack 4 in a single security patch.

Affected versions:
 Brazilian
 Czech
 Danish
 Finnish
 Hungarian
 Italian
 Norwegian
 Polish
 Portuguese
 Russian
 Spanish
 Swedish
 Turkish

Not Affected versions:
 Arabic
 Dutch
 English
 French
 German
 Greek
 Hebrew
 Hong Kong
 Japanese
 Korean
 Simplified Chinese
 Traditional Chinese

A vulnerability exists because the ListBox control and the ComboBox control
both call a function, located in the User32.dll file, that contains a
buffer overrun. The function does not correctly validate the parameters
that are sent from a specially-crafted Windows message. Windows messages
provide a way for interactive processes to react to user events (for
example, keystrokes or mouse movements) and to communicate with other
interactive processes. A security vulnerability exists because the function
that provides the list of accessibility options to the user does not
correctly validate Windows messages that are sent to it. One process in the
interactive desktop could use a specific Windows message to cause the
ListBox control or the ComboBox control to execute arbitrary code.

Any program that implements the ListBox control or the ComboBox control
could allow code to be executed with elevated administrative credentials,
as long as the program is running at an elevated level of privilege (for
example, Utility Manager in Windows 2000). This could include third-party
applications. An attacker who had the ability to log on to a system
interactively could run a program that sends a specially-crafted Windows
message to any application that has implemented the ListBox control or the
ComboBox control, causing the application to take any action the attacker
specified. This could give an attacker complete control over the system by
using Utility Manager in Windows 2000.
Mitigating factors:
 * An attacker must have valid logon credentials to exploit the
   vulnerability. The vulnerability could not be exploited remotely.
 * Properly-secured systems are at little risk from this vulnerability.
   Standard best practices recommend only allowing trusted users to log on
   to systems interactively.
 * Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 are
   affected by this vulnerability in the ListBox control and in the
   ComboBox control. However, in Windows XP and in Windows Server 2003,
   Utility Manager runs under the context of the logged-on user and does
   not allow for elevation of privileges. Windows NT 4.0 does not implement
   Utility Manager.

Severity Rating:
 ************************************************************************
 Microsoft Windows NT 4.0                                  Low
 ************************************************************************
 Microsoft Windows NT Server 4.0, Terminal Server Edition  Low
 ************************************************************************
 Microsoft Windows 2000                                    Important
 ************************************************************************
 Microsoft Windows XP                                      Low
 ************************************************************************
 Microsoft Windows Server 2003                             Low
 ************************************************************************

The above assessment is based on the types of systems that are affected by
the vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0659

Workarounds

Microsoft has tested the following workarounds. These workarounds will not
correct the underlying vulnerability; however, they help block known attack
vectors. Workarounds may cause a reduction in functionality in some cases;
in such situations this is identified below.
 * Disable the Utility Manager on all affected systems that do not need
   this feature through software restriction policies

   Since the Utility Manager service is a possible attack vector, it can be
   disabled using software restriction policies within Active Directory or
   within the Local Security Policy. The Utility Manager process name is
   utilman.exe. You may use the following software restriction policy
   guides to help prevent users from accessing this file:
    * Using Software Restriction Policies to Protect Against Unauthorized
      Software
    * HOW TO: Use Software Restriction Policies in Windows Server 2003
      (324036)
    * Protect Your System from Viruses (Using Software Restriction
      Policies)
    * To create new software restriction policies

   Impact of Vulnerability: The Utility Manager service provides many of
   the accessibility features of the operating system. These would be
   unavailable until the restrictions are removed.

Security Patch Information

Installation platforms and Prerequisites:

For information about the specific security patch for your platform, click
the appropriate link:
 * Windows Server 2003 (all versions)
 * Windows XP (all versions)
 * Windows 2000 (all versions)
 * Windows NT 4.0 (all versions)

Acknowledgments

Microsoft thanks the following for working with us to protect customers:
 * Brett Moore of Security-Assessment.com for reporting the issue in
   MS03-045.

Obtaining other security patches:

Patches for other security issues are available from the following
locations:
 * Security patches are available from the Microsoft Download Center, and
   can be most easily found by doing a keyword search for
   "security_patch".
 * Patches for consumer platforms are available from the WindowsUpdate web
   site.

Support:
 * Technical support is available from Microsoft Product Support Services
   at 1-866-PCSAFETY. There is no charge for support calls associated with
   security patches.
Security Resources:
 * The Microsoft TechNet Security Web Site provides additional information
   about security in Microsoft products.
 * Microsoft Software Update Services: http://www.microsoft.com/sus/
 * Microsoft Baseline Security Analyzer (MBSA) details:
   http://www.microsoft.com/mbsa. Please see
   http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for a
   list of security patches that have detection limitations with the MBSA
   tool.
 * Windows Update Catalog:
   http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
 * Windows Update: http://windowsupdate.microsoft.com
 * Office Update: http://office.microsoft.com/officeupdate/

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:
 * V1.0 October 15, 2003: First Published.
 * V1.1 October 17, 2003: Re-issued to advise of a language-specific
   compatibility issue with some third-party software.
 * V2.0 October 22, 2003: Version changed to reflect the availability of
   updated patch for specific languages.
 * V3.0 October 29, 2003: A revised version of the security patch for
   Windows XP has been released to correct the issue documented by
   Knowledge Base Article 830846.
 * V3.1 November 3, 2003: Updated Patch Replacement section. This patch
   replaces the patch provided by Security Bulletin MS02-071.
 * V3.2 November 5, 2003: Updated Technical Details and Frequently Asked
   Questions sections. This update documents the availability of Knowledge
   Base Article 831739, which addresses reports of application
   compatibility problems with some third-party applications.

[***** End Microsoft Security Bulletin MS03-045 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-158: CERT/CC Vulnerability Note Portable OpenSSH server PAM
N-159: OpenSSL Security Advisory vulnerabilities in ASN.1 parsing
O-001: Sun aspppls(1M) does not create the temporary file /tmp/.asppp.fifo
       safely
O-002: Microsoft Internet Explorer Cumulative Patch
O-003: HP Potential Security Vulnerability in dtprintinfo
O-004: Microsoft Buffer Overrun in Messenger Service Could Allow Code
       Execution
O-005: Microsoft Exchange Server Vulnerabilities
O-006: Microsoft Authenticode Verification Vulnerability
O-007: Microsoft Windows Help and Support Center Buffer Overrun
       Vulnerability
O-008: Microsoft Troubleshooter ActiveX Control Buffer Overflow
       Vulnerability