Ten Microsoft Problems; Lotus Notes and Domino Vulnerabilities
Microsoft Flags New Security Vulnerabilities
Microsoft this month released fixes for 10 security vulnerabilities, seven of which are critical. Exploit code is already circulating for one.
The seven critical security vulnerabilities include TCP/IP problems that could lead to remote code execution; Internet Explorer (IE) vulnerabilities that could let an attacker take over a machine; a Microsoft Exchange Server flaw that could allow code to be executed remotely; an MSN Messenger flaw; and a problem with Microsoft Word.
Two of the critical bulletins are re-releases of earlier security notices. A patch released in January, when applied, often caused PCs running Windows 98, 98SE, or ME to restart. The other re-release fixes a problem with Windows Messenger version 4.7.0.2009, which wouldn't install via Microsoft SMS on PCs running Windows XP Service Pack 1.
This month’s “important” security notices involve the Windows Shell and Message Queuing, which are vulnerable to remote code execution. Another vulnerability involves the Windows kernel, which is susceptible to elevation of privilege attacks.
Of the vulnerabilities now patched for the first time, the MSN Messenger flaw affects version 6.x and 7.0 beta and could allow an attacker to compromise a system. “The vulnerability is caused due to an error within the processing of GIF images and can be exploited by sending a specially crafted emoticon or display picture to a user,” says vulnerability information provider Secunia. MSN Messenger users can only receive emoticons from people in their contact list, so a successful attack would first have to trick users into adding the attacker to their contact list.
The IE security announcement is for versions 5.01, 5.5, and 6, and relates to three problems, according to Secunia. First, "a race condition in the processing of DHTML objects can be exploited to execute arbitrary code via specially crafted HTML emails and Web sites." Second, "a boundary error in the handling of certain URLs can be exploited to execute arbitrary code via specially crafted HTML emails and Web sites." Finally, attackers could exploit a boundary error in Content Advisor to execute arbitrary code.
Microsoft released patches for all problems. The IE DHTML vulnerability may be the most pressing problem, however, since “there already is a public proof-of-concept exploit,” says antivirus provider F-Secure, which recommends this vulnerability be patched immediately. “Often within a few days of these proof-of-concepts appearing, we will start seeing malware that uses the same techniques.”
Secunia says that in addition to the list of vulnerabilities Microsoft disclosed, another vulnerability exists in the Microsoft Jet Database Engine, and code to exploit it has already been posted to a public mailing list. Secunia rates the vulnerability as "highly critical" and says it's caused by a memory-handling error in the parsing of Microsoft Access (.mdb) files. If a user opens a specially crafted Access file, the file could execute arbitrary code.
F-Secure notes that this flaw "was not addressed by Microsoft's April security patches." As a workaround, Secunia recommends users not open any Access files they receive from untrusted sources.
Highly Critical Lotus Notes Vulnerabilities
Secunia warns of multiple highly critical vulnerabilities in Lotus Notes and Lotus Domino which could allow a remote attacker to access a user's system, cause a denial of service, or launch a cross-site scripting attack. Notes and Domino version 6.x are vulnerable.
The first vulnerability is a boundary error in the Domino server's processing of time and date fields; a specially crafted POST request, which can be sent over the Web, triggers a buffer overflow. "According to the vendor, successful exploitation crashes the Domino server," says Secunia. Yet the organization that first identified the vulnerability, NGSSoftware, "states that code execution is possible."
The second problem is a “format string error in the Domino server when handling authentication using the NRPC Notes protocol.” A specially crafted string can crash a Domino server.
The third problem is “an unspecified boundary error in Notes.ini on a Lotus Notes client.” This can be used to cause a buffer overflow and crash the client. One mitigating factor: the attacker must have local access to the Notes.ini file.
Finally, there’s an error in the @SetHTTPHeader function. An attacker could exploit this by injecting “arbitrary content into the header,” which could lead to cache poisoning or HTTP response splitting attacks.
Even so, the last vulnerability requires unusual levels of access. “According to the vendor, the vulnerable function is only available to application developers, and successful exploitation requires the ability to install a malicious application on the Lotus Domino server,” says Secunia.
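To make the @SetHTTPHeader issue concrete, here is an added example (not code from the article, from Lotus, or from Secunia) that models, in plain Python, what happens when application code copies unvalidated text into an HTTP response header. The header name `X-Custom`, the attacker string, and the helper names are all constructed for the illustration; nothing here uses the Domino API. The vulnerable builder writes the value verbatim, so a value containing a CR/LF sequence ends the legitimate response early and starts a second, attacker-authored one, which is exactly what a shared cache could store for the URL (cache poisoning). The hardened builder rejects any CR or LF, which is the general fix for this class of bug.

```python
"""HTTP response splitting via an unvalidated header value (added example).

Models the bug class the article describes for @SetHTTPHeader; it is not
Domino code. Header names, values and the attacker payload are constructed.
"""

CRLF = "\r\n"


def build_response_unsafe(header_name: str, header_value: str, body: str) -> str:
    """Vulnerable pattern: the header value is written into the response verbatim."""
    return (
        f"HTTP/1.1 200 OK{CRLF}"
        f"{header_name}: {header_value}{CRLF}"
        f"Content-Length: {len(body.encode())}{CRLF}"
        f"{CRLF}{body}"
    )


def build_response_safe(header_name: str, header_value: str, body: str) -> str:
    """Hardened pattern: refuse CR or LF anywhere in a header name or value.

    Bare CR/LF is never legitimate inside a header field, so rejecting the
    request (rather than silently stripping the characters) is the
    conservative choice and leaves an auditable failure.
    """
    if "\r" in header_value or "\n" in header_value:
        raise ValueError("CR/LF not permitted in HTTP header values")
    if "\r" in header_name or "\n" in header_name or ":" in header_name:
        raise ValueError("invalid HTTP header name")
    return build_response_unsafe(header_name, header_value, body)


def count_status_lines(raw: str) -> int:
    """How many HTTP responses a naive downstream parser (proxy, cache) would see
    in this byte stream: one per line that begins with an HTTP/1.x status line."""
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1."))


# Constructed attacker input: terminates the real response with an empty body,
# then supplies a complete second response that a cache might store.
ATTACKER_BODY = "<html>attacker page</html>"
INJECTED_VALUE = (
    "foo" + CRLF
    + "Content-Length: 0" + CRLF
    + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + f"Content-Length: {len(ATTACKER_BODY.encode())}" + CRLF
    + CRLF
    + ATTACKER_BODY
)


def demo() -> dict:
    """Run both builders against the injected value and a benign one."""
    legit_body = "<html>real page</html>"
    result = {}

    # Vulnerable builder: the stream now carries two responses.
    unsafe = build_response_unsafe("X-Custom", INJECTED_VALUE, legit_body)
    result["unsafe_status_lines"] = count_status_lines(unsafe)

    # Hardened builder: the same value is rejected outright.
    try:
        build_response_safe("X-Custom", INJECTED_VALUE, legit_body)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True

    # Hardened builder still serves ordinary values normally.
    benign = build_response_safe("X-Custom", "benign-value", legit_body)
    result["benign_status_lines"] = count_status_lines(benign)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the Domino case the vendor notes the injection point is only reachable by someone who can deploy an application on the server, so the realistic mitigation is the same input check applied inside that application's formula code before any header is set, plus the upgrade Lotus recommends.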
To fix the vulnerabilities, Lotus recommends upgrading to Lotus Notes/Domino versions 6.0.5/6.5.4.
About the Author
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.