Microsoft Discloses Huge Number Of Windows Vulnerabilties

Microsoft took it on the security chin as it released April's round of security vulnerabilities. The total number of vulnerabilities in the four security bulletins tallied an astounding 20 separate flaws in Windows and Outlook Express.

"This is simply an unprecedented number of vulnerabilities," said Vincent Gullotto, the vice president of Network Associates' AVERT research team.

April's mega collection includes 20 new vulnerabilities, 8 of which are rated as "Critical," the most dire assessment in the Redmond, Wash.-based developer's four-level ranking system. Sixteen of the 20 vulnerabilities can be exploited remotely, the most dangerous type of bug because hackers can conduct an attack over the Internet.

Microsoft even took the unusual step of ganging together multiple vulnerabilities under two of the four security bulletins.

In its description of Security Bulletin MS04-011, which Microsoft called "Critical," the company stated, "This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that contain almost identical files, customers can install only this update," said Microsoft in the bulletin."MS04-011, which includes 14 new vulnerabilities, affects every version of Windows to one degree or another, and if exploited, could allow attackers remote access to a PC. The most serious of the bugs affect Windows NT, 2000, XP, and Server 2003.

Among the 14 vulnerabilities are 8 which could allow attackers to run their own code by exploiting such weaknesses as in the Windows log-on process and the Negotiate Security Software Provider (SSP) interface used during authentication. The most severe of the dozen-plus-two vulnerabilities -- six of the bugs are rated "Critical" -- could allow an attacker to take complete control of an system, including installing programs, deleting data, or creating new user accounts that have full access privileges.

Also in MS04-011's mega-collection of Windows bugs is one that involves SSL (Secure Socket Layer), the security protocol often used to transmit such confidential information as credit card numbers and other financial data. If any SSL-enabled services are present, and both the PCT 1.0 and SSL 2.0 protocols enabled, a remote attacker could exploit the buffer overflow vulnerability to run code of his own choosing on a vulnerable Windows server. These protocols are turned on by default in Windows NT 4.0 and Windows 2000.

"The severity of this vulnerability is compounded by the fact that SSL is most often used to secure communications involving confidential or valuable financial information, and that Firewalls and packet filtering alone will not be able to stop attacks," said Internet Security Systems' X-Force in a statement. ISS' X-Force was the group which originally brought this vulnerability to Microsoft's attention.

"X-Force believes that hackers will aggressively target this vulnerability given the high-value nature of Web sites protected by SSL."Network Associates' Gullotto seconded the warning by ISS. "This stack overflow is a significant vulnerability, and pretty easy to exploit," he said.

The second of the four bulletins released Tuesday, MS04-012, also grouped multiple vulnerabilities into one notice and patch update.

This cumulative security update includes four new vulnerabilities in the RPC/DCOM components of Windows -- the same modules that were exploited last summer by the havoc-wrecking MSBlast worm -- and the fix replaces all previous RPC/DCOM patches for Windows NT, 2000, XP, and Server 2003.

The most dangerous of the four new vulnerabilities is in the RPC Runtime Library, which could be exploited by an attacker who crafts a specially-built message to Windows. The hacker could take complete remote control of the system, although Microsoft said that the most likely result of an attack would be a denial of service, which would bring down Windows.

"The RPC/DCOM Runtime vulnerability should be of special concern to all users," said Gullotto. "There's great potential for another worm that exploits this."Microsoft's third bulletin of the day involves Outlook Express (OE), the free e-mail client bundled with Windows. MS04-013 outlines the problem, which affects versions 5.5 SP2, 6.0 SP1, and 6.0 on Server 2003. An attacker who builds malicious URLs could run HTML code in the Local Security zone of Internet Explorer, possibly resulting in a takeover of the system.

Because OE is included with Windows, all users of NT, 2000, XP, and Server 2003 were urged to apply the patch, even if the OE client isn't used as the default e-mail software on the system. An attacker would have to entice users to read a maliciously-crafted HTML e-mail message or use IE to surf to a malicious Web site to grab control of the PC, so workstations are at greatest risk, said Microsoft.

Security Bulletin MS04-014 is the only one of the quartet which wasn't rated "Critical." This "Important" vulnerability -- one step below Critical -- affects the Microsoft Jet Database Engine. A hacker skilled enough to craft a malicious database query could take complete control of a compromised PC

As is the norm for its critical vulnerability bulletins, Microsoft recommended that users immediately apply the patches associated with MS04-011, 012, and 013. Users can obtain updates by heading to Microsoft's Windows Update site.