In-Depth

Microsoft, Lotus Patch “Highly Critical” Problems

Microsoft patches two highly critical vulnerabilities and corrects a dud patch-installation process, while IBM issues patches for six Lotus Notes problems

• By Mathew Schwartz
• 02/21/2006

Two Highly Critical Microsoft Vulnerabilities Patched

Microsoft disclosed (and issued patches for) six vulnerabilities as part of its monthly vulnerability round-up. According to vulnerability information provider Secunia, two of the vulnerabilities are “highly critical.”

Microsoft also released a cumulative security update for Internet Explorer running on Windows 2000 Service Pack 4.

The first highly critical vulnerability affects versions 7, 8, 9, and 10 of Windows Media Player, and is “due to a boundary error within the processing of bitmap files,” says Secunia. Because of the boundary error, an attacker could use a specially crafted bitmap file to cause a buffer overload, then execute arbitrary code on a user’s PC. Note the attack can be triggered by a user visiting a Web site containing the malicious bitmap, or if a user opens a malicious bitmap or Word document containing such a bitmap.

The other highly critical flaw concerns a Windows Media Player plug-in for non-Microsoft Web browsers. Due to a boundary handling error, an attacker could cause a buffer overflow in the plug-in and run arbitrary code.

The four other vulnerabilities are rated as “important” by Microsoft. One is a TCP/IP problem in Windows XP and Windows Server 2003, which could allow an attacker to generate a denial-of-service attack. Note some versions of the patch Microsoft released to fix this problem wouldn’t install, though the patch itself worked. The non-installation problem affected Automatic Updates, Windows Update, Windows Server Update Services, and the Inventory Tool for Microsoft Updates (ITMU) in Systems Management Server 2003. Manual installations were not affected.

Other flaws are a Web Client Service bug that could allow an attacker to run code remotely on a user’s computer; a vulnerability in the Korean Input Method Editor which could allow for elevation of account privileges; and a vulnerability in PowerPoint 2000 that could allow for inadvertent information disclosure.

Six Lotus Notes Vulnerabilities Corrected

IBM Lotus Notes also has a number of “highly critical” vulnerabilities which could allow attackers to bypass application security controls and directly attack a user’s PC, says Secunia. Overall, there are six vulnerabilities: five buffer overflow problems and one directory traversal flaw.

A technical statement from IBM notes that “to successfully exploit these issues, an attacker would need to send a specially crafted file attachment to users, and the users would have to double-click and view the attachment.” IBM released Notes versions 6.5.5 and 7.0.1, which correct the flaw. All previous versions of Lotus Notes 6 and 7 may be affected.

One overflow vulnerability is a boundary error in kvarcve.dll, which could be exploited if an attacker creates a Zip file containing a file with an overly long name. When extracted and viewed by the Notes attachment viewer, the long filename could cause a buffer overflow. Similar boundary errors affect uudrdr.dll, which reads UUE files, and tarrdr.dll, which reads TAR archives. Exploiting any of these buffer overflows could allow an attacker to execute arbitrary code on a PC.

Exploiting any of these buffer overflows could allow an attacker to execute arbitrary code on a PC.

Meanwhile, directory traversal errors relating to previews of zip, UUE, and TAR archives—again stemming from kvarcve.dll—could allow an attacker to delete files to which a Notes user has access. “Successful exploitation requires that the user is tricked into reviewing a compressed file with directory traversal sequences in its filename from within the Notes attachment viewer,” notes Secunia.

The final two vulnerabilities involve htmsr.dll, used by Notes to view HTML attachments in e-mail. Long links that begin with HTTP, FTP, or just “//” can be used to cause a buffer overflow, again allowing an attacker to execute arbitrary code on a user’s PC. Users, however, would have to click any external links to trigger the attack. Another boundary error in the same DLL file, however, can also trigger a buffer overflow when Notes checks local file links, just from a user opening the malicious HTML document.

For organizations not yet ready to upgrade their Notes software, IBM suggests that a workaround is to disable the affected file viewers: kvarce.dll, tarrdr.dll, and htmsr.dll. There are three ways to do this on a PC with Notes installed: deleting keyview.ini, commenting the files out in the keyview.ini file, or simply deleting the DLLs themselves. All of these workarounds, says IBM, will result in users seeing this message when they try to open HTML, TAR, or UUD files in Notes: “The viewer display window could not be initialized.”