
Alert: Microsoft Issues "Critical" Patches

Vulnerabilities found in IE, Word, Excel, FrontPage Server Extensions, and Windows Workstation Service.

Microsoft issued four security warnings labeled “highly critical” by vulnerability information provider Secunia. Note that Microsoft now only releases its “security bulletins” monthly in an attempt to make it easier for security administrators to keep up.

Microsoft released patches for all vulnerabilities. (Links are listed at the end of this story.)

The first vulnerability concerns arbitrary code execution in Microsoft Word and Excel. A successful attack could give an attacker remote system access. The vulnerability applies to multiple versions of Microsoft Word (97, 98J, 2000, 2002) and Microsoft Office (97, 2000), but not the latest version of Word (Word 2003).

The Excel vulnerability could let a specially crafted Excel document bypass Excel's macro security check and run its macro automatically. A malicious script would have the ability to do anything the user could do. It affects Excel versions 97 through 2002, but not Excel 2003.

The Word vulnerability arises because Word doesn’t verify the length of a macro name. An overly long name could crash the application and, according to Secunia, be used “possibly to execute arbitrary code.” Internet Explorer could also play a part in the attack, since it automatically launches an Office “helper” application when it finds Office documents online. A malicious Web site could make malicious documents open automatically, launching an attack. For the Microsoft Office Security Bulletin, see: http://www.microsoft.com/technet/security/bulletin/offnov03.asp

The second vulnerability concerns Microsoft FrontPage Server Extensions running on all flavors of Microsoft Internet Information Server (IIS) version 5. The extensions are subject to a buffer overflow that a remote attacker can trigger. The overflow could lead to system access for the intruder, or denial of service.

The culprit is “an uncontrolled buffer in a DLL file [that] allows malicious people to cause a buffer overflow in the remote debug functionality in FrontPage Server Extensions,” says Secunia. An attacker can tailor HTTP requests to SmartHTML—i.e., WebBots—to “consume all available CPU resources for a short period of time.”

Microsoft FrontPage Server Extensions 2000 and 2002 are vulnerable, except if running on Windows 2000 systems with Service Pack 4 installed.

The third vulnerability concerns the Windows Workstation Service, which is susceptible to a buffer overflow that could give attackers with local network access full access to the system, including the ability to execute arbitrary code. Microsoft Windows 2000 (Advanced Server, Datacenter Server, Professional, Server) and Microsoft Windows XP (both versions) are vulnerable.

The problem stems from “an uncontrolled buffer in the logging function of the Windows Workstation Service (WKSSVC.DLL),” says Secunia. “This can be exploited through the DCE/RPC service on ports 139/tcp and 445/tcp.” Secunia notes that the vulnerability is similar to the one exploited by the Blaster worm, and is “highly critical.”

The fourth vulnerability concerns Internet Explorer versions 5.01, 5.5, and 6, and could expose sensitive information or give a remote attacker system access.

“Three different vulnerabilities allow malicious HTML documents such as emails or web pages to bypass the security zone restrictions and to perform actions in the Local Zone,” says Secunia.

One vulnerability employs malicious HTML documents to read local files. Another can trick users into downloading malicious files.

Microsoft Windows Security Bulletin (including non-Office updates): http://www.microsoft.com/technet/security/bulletin/winnov03.asp

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.