__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Microsoft Jet Database Engine Buffer Overrun [MS04-014] April 14, 2004 13:00 GMT Number O-117 [REVISED 11 May 2004] ______________________________________________________________________________ PROBLEM: Microsoft has identified a buffer overrun vulnerability in the Microsoft Jet Database Engine. PLATFORM: Affected Software: Microsoft Windows NT® Workstation 4.0 Service Pack 6a Microsoft Windows NT Server 4.0 Service Pack 6a Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 Microsoft Windows XP and Microsoft Windows XP Service Pack 1 Microsoft Windows XP 64-Bit Edition Service Pack 1 Microsoft Windows XP 64-Bit Edition Version 2003 Microsoft Windows Server™ 2003 Microsoft Windows Server 2003 64-Bit Edition Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems. Tested Microsoft Windows Affected Components: Microsoft Jet Database Engine version 4.0 Note--The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site. DAMAGE: A remote attacker can take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. SOLUTION: Apply the Microsoft patch. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. A remote attacker can take complete control ASSESSMENT: of the system. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-117.shtml ORIGINAL BULLETIN: Microsoft Security Bulletin MS04-014 http://www.microsoft.com/technet/security/bulletin/ms04- 014.mspx CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2004-0197 ______________________________________________________________________________ REVISION HISTORY: 5/11/04 - Microsoft released a revised security update for Windows XP non-English versions. For more information, read the Executive Summary section of Microsoft's publication. [***** Start MS04-014 *****] Microsoft Security Bulletin MS04-014 Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) Issued: April 13, 2004 Updated: May 11, 2004 Version: 2.0 Summary Who should read this document: Customers who use Microsoft® Windows® Impact of vulnerability: Remote Code Execution Maximum Severity Rating: Important Recommendation: Customers should install the update at the earliest opportunity. Security Update Replacement: None Caveats: None Tested Software and Security Update Download Locations: Affected Software: • Microsoft Windows NT® Workstation 4.0 Service Pack 6a – Download the update • Microsoft Windows NT Server 4.0 Service Pack 6a – Download the update • Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 – Download the update • Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 – Download the update • Microsoft Windows XP and Microsoft Windows XP Service Pack 1 – Download the update • Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update • Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update • Microsoft Windows Server™ 2003 – Download the update • Microsoft Windows Server 2003 64-Bit Edition – Download the update • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems. Tested Microsoft Windows Components: Affected Components: • Microsoft Jet Database Engine version 4.0 The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site. Top of section General Information Technical Details Executive Summary: Microsoft updated this bulletin on May 11, 2004 to advise on the availability of a revised version of the security update for non-English versions of Windows XP (as opposed to Windows XP Service Pack 1). The original update does address the vulnerability in Windows XP for all supported languages; however, the original update was not fully localized. Specifically, optional Jet error strings were only being offered in English on Windows XP. This issue does not affect other operating systems. If you have previously applied the security update for other operating systems, including Windows XP Service Pack 1, you need not take any additional action. If you have previously applied the security update for non-English versions of Windows XP (as opposed to Windows XP Service Pack 1), you need not take any additional action as you are already protected from this vulnerability. However, if you want to have the Jet optional text error information in the same language as your Windows XP installation, you will need to remove the original security update MS04-014 (837001) following the Removal Information procedure located in this document and install the revised version. Once 837001 is uninstalled, revisiting Windows Update will result in the revised MS04-014 security update for Windows XP being re-offered with the correct, localized, optional text error strings. The following files, on non-English systems only, were updated as part of this update: mswstr10.dll and msjint40.dll. You may see other files with new Date and Time information from the original release - these files remain unchanged, only the 2 files above have been updated. A buffer overrun vulnerability exists in the Microsoft Jet Database Engine (Jet) that could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. Microsoft recommends that customers install the update at the earliest opportunity. Severity Ratings and Vulnerability Identifiers: ************************************************************************************** Vulnerability * Impact of * Windows * Windows * Windows * Windows * Windows Identifiers * Vulnerability * 98, 98 * NT 4.0 * 2000 * XP * Server * * SE, ME * * * * 2003 ************************************************************************************** Jet * Remote Code * Not * Moderate * Important* Important * Important Vulnerability * Execution * Critical* * * * -CAN-2004-0197* * * * * * *************************************************************************************** The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Top of section Vulnerability Details Jet Vulnerability - CAN-2004-0197: A buffer overrun vulnerability exists in the Microsoft Jet Database Engine (Jet) that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by creating a specially crafted database query and sending it through an application that is using Jet on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Mitigating Factors for Jet Vulnerability - CAN-2004-0197: • Windows NT 4.0 does not contain a version of the Microsoft Jet Database Engine (Jet) by default. However, other applications such as Microsoft Office or Microsoft Visual Studio could have installed Jet. Jet is also available as a stand-alone download. To determine if Jet is present on a system, search for the file named Msjet40.dll. If this file exists, this security update is required. • If the application that is communicating with Jet is using strong input validation, it is possible to filter the malicious input that an attacker is trying to submit to the Jet engine. Strong input validation means that all input is considered to be not trusted. Developing with strong input validation is considered to be a best practice. For more information about best practice application development and about application input validation, visit the MSDN Web site. • If an attacker successfully exploited this vulnerability, they would gain the same privileges as the user context of the application. Users or services whose accounts are configured to have few privileges on the system would be at less risk than users or services that operate with administrative or system privileges. Top of section Workarounds for Jet Vulnerability - CAN-2004-0197: None Security Update Information Installation Platforms and Prerequisites: For information about the specific security update for your operating system, click the appropriate link: Windows Server 2003 (all versions) Prerequisites This security update requires a released version of Windows Server 2003. Inclusion in Future Service Packs: The update for this issue will be included in Windows Server 2003 Service Pack 1. Installation Information /help Display the command-line options Setup Modes /quiet Use Quiet mode (no user interaction or display) /passive Use Unattended mode (progress bar only) /uninstall Uninstall the package Restart Options /norestart Do not require restart when installation is complete /forcerestart Require restart after installation Special Options /l Lists installed Windows hotfixes or update packages /o Overwrite OEM files without prompting /n Do not back up files that are needed for uninstall /f Force other programs to close when the computer shuts down Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. Deployment Information To install the security update without any user intervention, use the following command at a command prompt for Windows Server 2003: Windowsserver2003-kb837001-x86-enu /passive /quiet To install the security update without forcing the system to restart, use the following command at a command prompt for Windows Server 2003: Windowsserver2003-kb837001-x86-enu /norestart For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site. Restart Requirement In some cases, this update does not require a reboot. The installer stops the needed services, applies the update, and then restarts the services. However, if the needed services cannot be stopped for any reason, or if required files are in use, this update will require a reboot. If this occurs, a message is displayed that advises you to reboot. Removal Information To remove this update, use the Add or Remove Programs tool in Control Panel. System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB837001$\ Spuninst folder. The Spuninst.exe utility supports the following Setup switches: /?: Show the list of installation switches. /u: Use unattended mode. /f: Force other programs to quit when the computer shuts down. /z: Do not restart when the installation is complete. /q: Use Quiet mode (no user interaction). File Information The English version of this security update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, and Windows Server 2003 Datacenter Edition: Date Time Version Size File name Folder --------------------------------------------------------------------- 03/07/2004 03:14 3.60.8618.0 561,179 Dao360.dll RTMGDR 03/07/2004 03:14 6.0.72.9589 380,957 Expsrv.dll RTMGDR 03/07/2004 03:14 4.0.8618.0 319,517 Msexcl40.dll RTMGDR 03/07/2004 03:14 4.0.8618.0 1,507,356 Msjet40.dll RTMDGR 02/17/2004 05:15 4.0.8227.0 358,976 Msjetoledb40.dll RTMGDR 03/07/2004 03:14 4.0.8618.0 241,693 Msjtes40.dll RTMGDR 03/07/2004 03:14 4.0.8015.0 348,189 Mspbde40.dll RTMGDR 03/07/2004 03:14 4.0.7328.0 421,919 Msrd2x40.dll RTMGDR 03/07/2004 03:14 4.0.8015.0 552,989 Msrepl40.dll RTMGDR 03/07/2004 03:14 4.0.8015.0 258,077 Mstext40.dll RTMGDR 03/07/2004 03:14 4.0.8025.0 348,189 Msxbde40.dll RTMGDR 03/07/2004 03:07 3.60.8618.0 561,179 Dao360.dll RTMQFE 03/07/2004 03:07 6.0.72.9589 380,957 Expsrv.dll RTMQFE 03/07/2004 03:07 4.0.8618.0 319,517 Msexcl40.dll RTMQFE 03/07/2004 03:07 4.0.8618.0 1,507,356 Msjet40.dll RTMQFE 12/01/2003 23:28 4.0.8227.0 358,976 Msjetoledb40.dll RTMQFE 03/07/2004 03:07 4.0.8618.0 241,693 Msjtes40.dll RTMQFE 03/07/2004 03:07 4.0.8015.0 348,189 Mspbde40.dll RTMQFE 03/07/2004 03:07 4.0.7328.0 421,919 Msrd2x40.dll RTMQFE 03/07/2004 03:07 4.0.8015.0 552,989 Msrepl40.dll RTMQFE 03/07/2004 03:07 4.0.8015.0 258,077 Mstext40.dll RTMQFE 03/07/2004 03:07 4.0.8025.0 348,189 Msxbde40.dll RTMQFE Windows Server 2003 64-Bit Enterprise Edition and Windows Server 2003 64-Bit Datacenter Edition: Date Time Version Size File name Platform Folder ---------------------------------------------------------------------------------- 03/27/2004 18:42 6.0.0.8481 1,210,368 Expsrv.dll IA64 RTMGDR 03/07/2004 03:14 3.60.8618.0 561,179 Wdao360.dll IA64 RTMGDR\WOW 03/07/2004 03:14 6.0.72.9589 380,957 Wexpsrv.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8618.0 319,517 Wmsexcl40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8618.0 1,507,356 Wmsjet40.dll IA64 RTMGDR\WOW 02/17/2004 05:15 4.0.8227.0 358,976 Wmsjetoledb40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8618.0 241,693 Wmsjtes40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8015.0 348,189 Wmspbde40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.7328.0 421,919 Wmsrd2x40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8015.0 552,989 Wmsrepl40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8015.0 258,077 Wmstext40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8025.0 348,189 Wmsxbde40.dll IA64 RTMGDR\WOW 03/27/2004 18:42 6.0.0.8481 1,210,368 Expsrv.dll IA64 RTMQFE 03/07/2004 03:07 3.60.8618.0 561,179 Wdao360.dll IA64 RTMQFE\WOW 03/07/2004 03:07 6.0.72.9589 380,957 Wexpsrv.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8618.0 319,517 Wmsexcl40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8618.0 1,507,356 Wmsjet40.dll IA64 RTMQFE\WOW 12/01/2003 23:28 4.0.8227.0 358,976 Wmsjetoledb40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8618.0 241,693 Wmsjtes40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8015.0 348,189 Wmspbde40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.7328.0 421,919 Wmsrd2x40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8015.0 552,989 Wmsrepl40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8015.0 258,077 Wmstext40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8025.0 348,189 Wmsxbde40.dll IA64 RTMQFE\WOW Note When you install this security update on Windows Server 2003 or on Windows XP 64-Bit Edition Version 2003, the installer checks to see if any of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system. For more information, see Microsoft Knowledge Base Article 824994. Verifying Update Installation To verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site. You may also be able to verify the files that this security update has installed by reviewing the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB837001\Filelist Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 837001 security update into the Windows installation source files. Top of section Windows XP (all versions) Note For Windows XP 64-Bit Edition Version 2003, this security update is the same as the Windows Server 2003 64-Bit Edition security update. Prerequisites This security update requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For more information, see Microsoft Knowledge Base Article 322389. Inclusion in Future Service Packs: The update for this issue will be included in Windows XP Service Pack 2. Installation Information This security update supports the following setup switches: /help Displays the command-line options Setup Modes /quiet Use Quiet mode (no user interaction or display) /passive Unattended mode (progress bar only) /uninstall Uninstalls the package Restart Options /norestart Do not restart when installation is complete /forcerestart Restart after installation Special Options /l Lists installed Windows hotfixes or update packages /o Overwrite OEM files without prompting /n Do not backup files needed for uninstall /f Force other programs to close when the computer shuts down Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, view Microsoft Knowledge Base Article 262841. Deployment Information To install the security update without any user intervention, use the following command at a command prompt for Windows XP: Windowsxp-kb837001-x86-enu /passive /quiet To install the security update without forcing the system to restart, use the following command at a command prompt for Windows XP: Windowsxp-kb837001-x86-enu /norestart For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site. Restart Requirement In some cases, this update does not require a reboot. The installer stops the needed services, applies the update, and then restarts the services. However, if the needed services cannot be stopped for any reason, or if required files are in use, this update will require a reboot. If this occurs, a message is displayed that advises you to reboot. Removal Information To remove this update, use the Add or Remove Programs tool in Control Panel. System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe is located in the %Windir%\$NTUninstallKB837001$\Spuninst folder. The Spuninst.exe utility supports the following setup switches: /?: Show the list of installation switches. /u: Use unattended mode. /f: Force other programs to quit when the computer shuts down. /z: Do not restart when the installation is complete. /q: Use Quiet mode (no user interaction). File Information The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. Windows XP Home Edition, Windows XP Professional, Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, and Windows XP Media Center Edition: Date Time Version Size File name Folder ------------------------------------------------------------------------ 03/01/2004 18:55 3.60.8618.0 561,179 Dao360.dll (pre-sp1) 03/16/2004 18:44 6.0.72.9589 380,957 Expsrv.dll (pre-sp1) 03/01/2004 18:55 4.0.6807.0 512,029 Msexch40.dll (pre-sp1) 03/01/2004 18:55 4.0.8618.0 319,517 Msexcl40.dll (pre-sp1) 03/16/2004 18:44 4.0.8618.0 1,507,356 Msjet40.dll (pre-sp1) 03/01/2004 18:52 4.0.8227.0 358,976 Msjetoledb40.dll (pre-sp1) 03/01/2004 18:55 4.0.6508.0 151,583 Msjint40.dll (pre-sp1) 03/01/2004 18:55 4.0.6508.0 53,279 Msjter40.dll (pre-sp1) 03/01/2004 18:55 4.0.8618.0 241,693 Msjtes40.dll (pre-sp1) 03/01/2004 18:55 4.0.6508.0 213,023 Msltus40.dll (pre-sp1) 03/01/2004 18:55 4.0.8015.0 348,189 Mspbde40.dll (pre-sp1) 03/01/2004 18:55 4.0.7328.0 421,919 Msrd2x40.dll (pre-sp1) 03/01/2004 18:55 4.0.6508.0 315,423 Msrd3x40.dll (pre-sp1) 03/01/2004 18:55 4.0.8015.0 552,989 Msrepl40.dll (pre-sp1) 03/01/2004 18:55 4.0.8015.0 258,077 Mstext40.dll (pre-sp1) 03/01/2004 18:55 4.0.6508.0 831,519 Mswdat10.dll (pre-sp1) 03/01/2004 18:55 4.0.6508.0 614,431 Mswstr10.dll (pre-sp1) 03/01/2004 18:55 4.0.8025.0 348,189 Msxbde40.dll (pre-sp1) 03/16/2004 18:44 6.0.1.9431 30,749 Vbajet32.dll (pre-sp1) 03/01/2004 18:55 3.60.8618.0 561,179 Dao360.dll (with sp1) 01/10/2004 11:37 6.0.72.9589 380,957 Expsrv.dll (with sp1) 03/01/2004 18:55 4.0.6807.0 512,029 Msexch40.dll (with sp1) 03/01/2004 18:55 4.0.8618.0 319,517 Msexcl40.dll (with sp1) 03/16/2004 18:44 4.0.8618.0 1,507,356 Msjet40.dll (with sp1) 03/01/2004 18:52 4.0.8227.0 358,976 Msjetoledb40.dll (with sp1) 03/16/2004 17:38 4.0.6508.0 151,583 Msjint40.dll (with sp1) 01/10/2004 11:36 4.0.6508.0 53,279 Msjter40.dll (with sp1) 03/01/2004 18:55 4.0.8618.0 241,693 Msjtes40.dll (with sp1) 01/10/2004 11:36 4.0.6508.0 213,023 Msltus40.dll (with sp1) 03/01/2004 18:55 4.0.8015.0 348,189 Mspbde40.dll (with sp1) 01/10/2004 11:36 4.0.7328.0 421,919 Msrd2x40.dll (with sp1) 01/10/2004 11:36 4.0.6508.0 315,423 Msrd3x40.dll (with sp1) 03/01/2004 18:55 4.0.8015.0 552,989 Msrepl40.dll (with sp1) 03/01/2004 18:55 4.0.8015.0 258,077 Mstext40.dll (with sp1) 01/10/2004 11:36 4.0.6508.0 831,519 Mswdat10.dll (with sp1) 03/16/2004 17:38 4.0.6508.0 614,431 Mswstr10.dll (with sp1) 03/01/2004 18:55 4.0.8025.0 348,189 Msxbde40.dll (with sp1) 03/16/2004 18:44 6.0.1.9431 30,749 Vbajet32.dll (with sp1) Windows XP 64-Bit Edition Service Pack 1: Date Time Version Size File name Platform ------------------------------------------------------------------------- 01/09/2004 23:11 6.0.0.8481 1,210,368 Expsrv.dll IA64 02/23/2004 23:07 3.60.8618.0 561,179 Wdao360.dll IA64 01/10/2004 11:37 6.0.72.9598 380,957 Wexpsrv.dll IA64 01/10/2004 11:36 4.0.6807.0 512,029 Wmsexch40.dll IA64 02/23/2004 23:07 4.0.8618.0 319,517 Wmsexcl40.dll IA64 02/23/2004 23:07 4.0.8618.0 1,507,356 Wmsjet40.dll IA64 01/09/2004 23:09 4.0.8227.0 358,976 Wmsjetoledb40.dll IA64 03/16/2004 17:38 4.0.6508.0 151,583 Wmsjint40.dll IA64 01/10/2004 11:36 4.0.6508.0 53,279 Wmsjter40.dll IA64 02/23/2004 23:07 4.0.8618.0 241,693 Wmsjtes40.dll IA64 01/10/2004 11:36 4.0.6508.0 213,023 Wmsltus40.dll IA64 01/10/2004 11:36 4.0.8015.0 348,189 Wmspbde40.dll IA64 01/10/2004 11:36 4.0.7328.0 421,919 Wmsrd2x40.dll IA64 01/10/2004 11:36 4.0.6508.0 315,423 Wmsrd3x40.dll IA64 01/10/2004 11:36 4.0.8015.0 552,989 Wmsrepl40.dll IA64 01/10/2004 11:36 4.0.8015.0 258,077 Wmstext40.dll IA64 01/10/2004 11:36 4.0.6508.0 831,519 Wmswdat10.dll IA64 03/16/2004 17:38 4.0.6508.0 614,431 Wmswstr10.dll IA64 01/10/2004 11:36 4.0.8025.0 348,189 Wmsxbde40.dll IA64 01/10/2004 11:37 6.0.1.9431 30,749 Wvbajet32.dll IA64 Windows XP 64-Bit Edition Version 2003: Date Time Version Size File name Platform Folder -------------------------------------------------------------------------------- 03/27/2004 18:42 6.0.0.8481 1,210,368 Expsrv.dll IA64 RTMGDR 03/07/2004 03:14 3.60.8618.0 561,179 Wdao360.dll IA64 RTMGDR\WOW 03/07/2004 03:14 6.0.72.9589 380,957 Wexpsrv.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8618.0 319,517 Wmsexcl40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8618.0 1,507,356 Wmsjet40.dll IA64 RTMGDR\WOW 02/17/2004 05:15 4.0.8227.0 358,976 Wmsjetoledb40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8618.0 241,693 Wmsjtes40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8015.0 348,189 Wmspbde40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.7328.0 421,919 Wmsrd2x40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8015.0 552,989 Wmsrepl40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8015.0 258,077 Wmstext40.dll IA64 RTMGDR\WOW 03/07/2004 03:14 4.0.8025.0 348,189 Wmsxbde40.dll IA64 RTMGDR\WOW 03/27/2004 18:42 6.0.0.8481 1,210,368 Expsrv.dll IA64 RTMQFE 03/07/2004 03:07 3.60.8618.0 561,179 Wdao360.dll IA64 RTMQFE\WOW 03/07/2004 03:07 6.0.72.9589 380,957 Wexpsrv.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8118.0 319,517 Wmsexcl40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8118.0 1,507,356 Wmsjet40.dll IA64 RTMQFE\WOW 12/01/2003 23:28 4.0.8227.0 358,976 Wmsjetoledb40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8618.0 241,693 Wmsjtes40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8015.0 348,189 Wmspbde40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.7328.0 421,919 Wmsrd2x40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8015.0 552,989 Wmsrepl40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8015.0 258,077 Wmstext40.dll IA64 RTMQFE\WOW 03/07/2004 03:07 4.0.8025.0 348,189 Wmsxbde40.dll IA64 RTMQFE\WOW Note The Windows XP and Windows XP 64-Bit Edition Version 2003 versions of this security update are packaged as dual-mode packages, which contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1). For additional information about dual-mode packages, see Microsoft Knowledge Base Article 328848. When you install the Windows XP 64-Bit Edition Version 2003 security update, the installer checks to see if any of the files that are being updated on your system previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system. For more information, see Microsoft Knowledge Base Article 824994. Verifying Update Installation To verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site. You may also be able to verify the files that this security update has installed by reviewing the following registry keys: For Windows XP Home Edition, Windows XP Professional, Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP 64-Bit Edition Service Pack 1, Windows XP Tablet PC Edition, and Windows XP Media Center Edition: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB837001\Filelist For Windows XP 64-Bit Edition Version 2003: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB837001\Filelist Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 837001 security update into the Windows installation source files. Top of section Windows 2000 (all versions) Prerequisites For Windows 2000, this security update requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4). The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the Microsoft Support Lifecycle Web site. For more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910. Inclusion in Future Service Packs: The update for this issue will be included in Windows 2000 Service Pack 5. Installation Information This security update supports the following setup switches: /help Displays the command-line options Setup Modes /quiet Use Quiet mode (no user interaction or display) /passive Unattended mode (progress bar only) /uninstall Uninstalls the package Restart Options /norestart Do not restart when installation is complete /forcerestart Restart after installation Special Options /l Lists installed Windows hotfixes or update packages /o Overwrite OEM files without prompting /n Do not backup files needed for uninstall /f Force other programs to close when the computer shuts down Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, view Microsoft Knowledge Base Article 262841. Deployment Information To install the security update without any user intervention, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4: Windows2000-kb837001-x86-enu /passive /quiet To install the security update without forcing the system to restart, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4: Windows2000-kb837001-x86-enu /norestart For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site. Restart Requirement In some cases, this update does not require a reboot. The installer stops the needed services, applies the update, and then restarts the services. However, if the needed services cannot be stopped for any reason, or if required files are in use, this update will require a reboot. If this occurs, a message is displayed that advises you to reboot. Removal Information To remove this update, use the Add or Remove Programs tool in Control Panel. System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe is located in the %Windir%\$NTUninstallKB837001$\Spuninst folder. The Spuninst.exe utility supports the following setup switches: /?: Show the list of installation switches. /u: Use unattended mode. /f: Force other programs to quit when the computer shuts down. /z: Do not restart when the installation is complete. /q: Use Quiet mode (no user interaction). File Information The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. Note Date and time information could change during installation. Version, size, and file name information should be used to determine the correctness of files. Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4: Date Time Version Size File name ------------------------------------------------------ 03/01/2004 19:58 3.60.8618.0 561,424 Dao360.dll 09/27/2003 01:12 6.0.72.9589 380,957 Expsrv.dll 09/27/2003 01:12 4.0.6807.0 512,272 Msexch40.dll 03/01/2004 19:58 4.0.8618.0 319,760 Msexcl40.dll 03/01/2004 19:58 4.0.8618.0 1,507,600 Msjet40.dll 02/18/2004 12:26 4.0.8227.0 352,528 Msjetoledb40.dll 09/27/2003 01:12 4.0.6508.0 151,824 Msjint40.dll 09/27/2003 01:12 4.0.6508.0 53,520 Msjter40.dll 03/01/2004 19:58 4.0.8618.0 241,936 Msjtes40.dll 09/27/2003 01:12 4.0.6508.0 213,264 Msltus40.dll 09/27/2003 01:12 4.0.8015.0 348,432 Mspbde40.dll 09/27/2003 01:12 4.0.7328.0 422,160 Msrd2x40.dll 09/27/2003 01:12 4.0.6508.0 315,664 Msrd3x40.dll 09/27/2003 01:12 4.0.8015.0 553,232 Msrepl40.dll 09/27/2003 01:12 4.0.8015.0 258,320 Mstext40.dll 09/27/2003 01:13 4.0.6508.0 831,760 Mswdat10.dll 09/27/2003 01:13 4.0.6508.0 614,672 Mswstr10.dll 09/27/2003 01:12 4.0.8025.0 348,432 Msxbde40.dll 09/27/2003 01:12 6.0.1.9431 30,749 Vbajet32.dll Verifying Update Installation To verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site. You may also be able to verify the files that this security update has installed by reviewing the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB837001\Filelist Note This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 837001 security update into the Windows installation source files. Top of section Windows NT 4.0 (all versions) Prerequisites This security update requires Windows NT Workstation 4.0 Service Pack 6a (SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a), or Windows NT Server 4.0 Terminal Server Edition Service Pack 6 (SP6). The software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site. For more information on obtaining the latest service pack, see Microsoft Knowledge Base Article 152734. Installation Information This security update supports the following setup switches: /q Specifies quiet mode, or suppresses prompts, when files are being extracted /t:path Specifies the target folder for extracting files /c Extracts the files without installing them. If /t:path is not specified, you are prompted for a target folder /c:path Specifies the path and name of the Setup .inf or .exe file Deployment Information To install the security update without any user intervention, use the following command at a command prompt for Windows NT 4.0: Jet40-KB837001-ENU /q Restart Requirement You must restart your computer to complete the installation. You do not have to use an administrator logon after the computer restarts. Removal Information This update cannot be uninstalled. File Information The English version of this security update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. Note Date and time information could change during installation. Version, size, and file name information should be used to determine the correctness of files Windows NT Workstation 4.0 and Windows NT Server 4.0: Date Time Version Size File name ------------------------------------------------------ 03/18/2004 19:23 3.60.8618.0 568,040 Dao360.dll 06/02/2003 17:14 6.0.72.9589 387,680 Expsrv.dll 06/02/2003 17:15 4.0.6807.0 518,752 Msexch40.dll 03/18/2004 19:23 4.0.8618.0 326,376 Msexcl40.dll 03/18/2004 19:23 4.0.8618.0 1,514,216 Msjet40.dll 03/18/2004 19:23 4.0.8227.0 359,152 Msjetoledb40.dll 12/02/2003 22:59 4.0.6508.0 158,256 Msjint40.dll 06/02/2003 17:14 4.0.6508.0 60,000 Msjter40.dll 03/18/2004 19:23 4.0.8618.0 248,552 Msjtes40.dll 06/02/2003 17:14 4.0.6508.0 219,744 Msltus40.dll 11/12/2003 21:16 4.0.8015.0 354,856 Mspbde40.dll 06/02/2003 17:15 4.0.7328.0 428,640 Msrd2x40.dll 06/02/2003 17:14 4.0.6508.0 322,144 Msrd3x40.dll 11/12/2003 21:16 4.0.8015.0 559,656 Msrepl40.dll 11/12/2003 21:16 4.0.8015.0 264,744 Mstext40.dll 06/02/2003 17:15 4.0.6508.0 838,240 Mswdat10.dll 12/02/2003 23:00 4.0.6508.0 621,104 Mswstr10.dll 11/12/2003 21:16 4.0.8025.0 354,856 Msxbde40.dll 12/03/2003 17:56 4.0.6205.0 60,224 Odbcji32.dll 11/12/2003 21:16 4.0.6205.0 285,224 Odbcjt32.dll 11/12/2003 21:15 4.0.6205.0 27,464 Oddbse32.dll 11/12/2003 21:15 4.0.6205.0 27,464 Odexl32.dll 11/12/2003 21:15 4.0.6205.0 27,464 Odfox32.dll 11/12/2003 21:15 4.0.6205.0 27,464 Odpdx32.dll 11/12/2003 21:15 4.0.6205.0 27,464 Odtext32.dll 06/02/2003 17:14 6.0.1.9431 37,472 Vbajet32.dll Windows NT Server 4.0 Terminal Server Edition: Date Time Version Size File name ------------------------------------------------------- 03/18/2004 19:23 3.60.8618.0 568,040 Dao360.dll 06/02/2003 17:14 6.0.72.9589 387,680 Expsrv.dll 06/02/2003 17:15 4.0.6807.0 518,752 Msexch40.dll 03/18/2004 19:23 4.0.8618.0 326,376 Msexcl40.dll 03/18/2004 19:23 4.0.8618.0 1,514,216 Msjet40.dll 03/18/2004 19:23 4.0.8227.0 359,152 Msjetoledb40.dll 12/02/2003 22:59 4.0.6508.0 158,256 Msjint40.dll 06/02/2003 17:14 4.0.6508.0 60,000 Msjter40.dll 03/18/2004 19:23 4.0.8618.0 248,552 Msjtes40.dll 06/02/2003 17:14 4.0.6508.0 219,744 Msltus40.dll 11/12/2003 21:16 4.0.8015.0 354,856 Mspbde40.dll 06/02/2003 17:15 4.0.7328.0 428,640 Msrd2x40.dll 06/02/2003 17:14 4.0.6508.0 322,144 Msrd3x40.dll 11/12/2003 21:16 4.0.8015.0 559,656 Msrepl40.dll 11/12/2003 21:16 4.0.8015.0 264,744 Mstext40.dll 06/02/2003 17:15 4.0.6508.0 838,240 Mswdat10.dll 12/02/2003 23:00 4.0.6508.0 621,104 Mswstr10.dll 11/12/2003 21:16 4.0.8025.0 354,856 Msxbde40.dll 12/03/2003 17:56 4.0.6205.0 60,224 Odbcji32.dll 11/12/2003 21:16 4.0.6205.0 285,224 Odbcjt32.dll 11/12/2003 21:15 4.0.6205.0 27,464 Oddbse32.dll 11/12/2003 21:15 4.0.6205.0 27,464 Odexl32.dll 11/12/2003 21:15 4.0.6205.0 27,464 Odfox32.dll 11/12/2003 21:15 4.0.6205.0 27,464 Odpdx32.dll 11/12/2003 21:15 4.0.6205.0 27,464 Odtext32.dll 06/02/2003 17:14 6.0.1.9431 37,472 Vbajet32.dll Verifying Update Installation To verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site. You can also compare the file versions of the files installed on your computer to the file versions found in the Security Update Information section. Top of section Acknowledgments Microsoft thanks the following for working with us to help protect customers: • Matt Thompson of Aberdeen IT for reporting the Jet Vulnerability (CAN-2004-0197). Obtaining other security updates: Updates for other security issues are available from the following locations: • Security updates are available from the Microsoft Download Center: you can find them most easily by doing a keyword search for “security_patch”. • Updates for consumer platforms are available from the Windows Update Web site. Support: • Customers in the U.S. and Canada can get technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. • International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. For more information on how to contact Microsoft for support issues, visit the International Support Web site. Security Resources: • The Microsoft TechNet Security Web site provides additional information about security in Microsoft products. • Microsoft Software Update Services • Microsoft Baseline Security Analyzer (MBSA) • Windows Update • Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166. • Office Update Software Update Services (SUS): Microsoft Software Update Services (SUS) enables administrators to quickly and reliably deploy the latest critical updates and security updates to Windows® 2000 and Windows Server™ 2003-based servers, as well as to desktop systems running Windows 2000 Professional or Windows XP Professional. For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site. Systems Management Server (SMS): Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site. For detailed information about the many enhancements to the security update deployment process that SMS 2003 provides, please visit the SMS 2003 Security Patch Management Web site. For users of SMS 2.0, it also provides several additional tools to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. Some software updates may require administrative rights following a restart of the computer Note The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: • V1.0 April 13, 2004: Bulletin published • V2.0 May 11, 2004: Microsoft has release a revised version of the Windows XP security update that contains the correctly localized optional Jet error strings. [***** End MS04-014 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-107: vfte Buffer Overflow Vulnerabilities O-108: Squid ACL Bypass Vulnerability O-109: Heimdal Kerberos Cross-Realm Vulnerability O-110: MAC OS X Jaguar and Panther Security Vulnerabilities o-111: CISCO WLSE and HSE Contain Default Passwords O-112: Cisco IPSec VPN Services Module Malformed IKE Packet Vulnerability O-113: Debian tcpdump Denial of Service O-114: Microsoft Security Update for Microsoft Windows O-115: Microsoft Cumulative Update for RPC/DCOM O-116: Microsoft Cumulative Security Update for Outlook Express