‘Security Update for Microsoft Windows (MS04-032)’

Summary

This update resolves several newly-discovered, privately reported vulnerabilities in the Microsoft Windows Management, Virtual DOS Machine, Graphics Rendering Engine and in Windows Kernel.

Window Management Vulnerability – A privilege elevation vulnerability exists in the Window Management application programming interfaces (APIs). This vulnerability could allow a logged-on user to take complete control of the system.

Virtual DOS Machine Vulnerability – A local privilege elevation vulnerability exists in the operating system component that handles the Virtual DOS Machine (VDM) subsystem. This vulnerability could allow a logged-on user to take complete control of the system.

Graphics Rendering Engine Vulnerability – A remote code execution vulnerability exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats that could allow remote code execution on an affected system. Any program that renders WMF or EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Windows Kernel Vulnerability – A local denial of service vulnerability exists in the Windows kernel. An attacker could locally run a program that could cause the affected system to stop responding.

An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.’

Credit:

‘The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/MS04-032.mspx


Details

Affected Software:
 * Microsoft Windows NT Server 4.0 Service Pack 6a
 * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
 * Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
 * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
 * Microsoft Windows XP 64-Bit Edition Service Pack 1
 * Microsoft Windows XP 64-Bit Edition Version 2003
 * Microsoft Windows Server 2003
 * Microsoft Windows Server 2003 64-Bit Edition
 * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.

Non-Affected Software:
Microsoft Windows XP Service Pack 2

Caveats: Microsoft Knowledge Base Article 840987 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 840987.

CVE Information:
Window Management Vulnerability – CAN-2004-0207
Virtual DOS Machine Vulnerability – CAN-2004-0208
Graphics Rendering Engine Vulnerability – CAN-2004-0209
Windows Kernel Vulnerability – CAN-2004-0211

Mitigating Factors for Window Management Vulnerability:
An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

FAQ for Window Management Vulnerability:
What is the scope of the vulnerability?
This is a local privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?
Several Window Management API functions allow programs to change the properties of other programs that are running at a higher level of privilege. Programs should be limited to changing the properties of other programs that are running at the same level of privilege. The properties of the program that is running at a higher level of privilege could be changed in such a way that the change could cause an elevation of privilege for the locally logged on user.

What are the Window Management application programming interface functions?
The Windows graphical user interface (GUI) allows programs to change various properties that define that program such as the size of the window or the name of the program. The Window Management API functions are the components of the operating system that programs use to change these properties. For more information about the components that are used to build Windows programs, visit the MSDN Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must be able to log on locally to a system and run a program.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially-crafted program that could attempt to exploit the vulnerability, and thereby gain complete control over the affected system.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.

Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical. For more information about severity ratings, visit the following Web site.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is targeted for attack. An attacker cannot load and run a program remotely by using this vulnerability.

What does the update do?
The update removes the vulnerability by preventing programs from changing the properties of other programs that are running at a different level of privilege.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigating Factors for Virtual DOS Machine Vulnerability:
An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Windows XP Service Pack 2 is not affected by this vulnerability.

FAQ for Virtual DOS Machine Vulnerability:
What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. To exploit the vulnerability, an attacker must be able to log on locally to the system and run a program.

What causes the vulnerability?
The operating system component that handles the virtual DOS machine (VDM) subsystem could be used to gain access to protected kernel memory. In certain circumstances, some privileged operating system functions might not validate system structures and could allow an attacker to execute a specially-designed program with system privileges.

What is the virtual DOS machine subsystem?
A virtual DOS machine (VDM) subsystem is an environment that emulates the MS-DOS operating system and the MS-DOS-based Windows operating system on Windows NT-based operating systems. A VDM is created whenever a user starts an MS-DOS application on a Windows NT-based operating system.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must be able to log on locally to a system and run a program.

How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially-designed application that could exploit the vulnerability, and thereby gain complete control over the affected system.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system targeted for attack. An attacker cannot load and run a program remotely by using this vulnerability.

What does the update do?
This update modifies the way that Windows validates data when referencing memory locations that are allocated to a VDM.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

How does this vulnerability relate to the virtual DOS machine vulnerability that is corrected by MS04-011?
Both vulnerabilities were in the virtual DOS machine. However, this update addresses a new vulnerability that was not addressed as part of MS04-011. MS04-011 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability. This update does not replace MS04-011. You must install this update and the update that is provided as part of the MS04-011 security bulletin to help protect your system against both vulnerabilities.

Mitigating Factors for Graphics Rendering Engine Vulnerability:
The vulnerability could be exploited by an attacker who persuaded a user to open a specially crafted file or to view a folder that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file, except potentially through previewing an e-mail message.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s site.
Windows XP Service Pack 2 is not affected by this vulnerability.

Workarounds for Graphics Rendering Engine Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

Read e-mail messages in plain text format if you are using Outlook 2002 or later, or Outlook Express 6 SP1 or later, to help protect yourself from the HTML e-mail attack vector.

Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or later and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.

Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about enabling this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.

For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387.

Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. In addition:
 * The changes are applied to the preview pane and to open messages.
 * Pictures become attachments so that they are not lost.
   Note: Manually viewing these pictures could allow remote code execution if you are using a vulnerable application or operating system.
 * Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

FAQ for Graphics Rendering Engine Vulnerability:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. This vulnerability could also be used to attempt to perform a local elevation of privilege or a remote denial of service.

What causes the vulnerability?
An unchecked buffer in the way that the Graphics Rendering Engine processes Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.

What are Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats?
A WMF image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system. An EMF image is a 32-bit format that can contain both vector information and bitmap information. This format is an improvement over the Windows Metafile format and contains extended features.

For more information about image types and formats, see Microsoft Knowledge Base Article 320314. Additional information about these file formats is also available at the MSDN Library Web site.
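As an added illustration (not code from the bulletin or from Microsoft), the following Python walks the record chain of a WMF file and rejects any length field that does not fit inside the buffer, which is the class of check an "unchecked buffer" in a metafile parser lacks. The bulletin does not describe the specific flaw, so this shows only the general validation, not the actual bug; the sample metafile is constructed inline.

```python
import struct

# WMF layout (public format): an 18-byte METAHEADER followed by records.
# Every size field is counted in 16-bit words, and the chain ends with META_EOF.
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
METAHEADER_SIZE = 18      # bytes
MIN_RECORD_WORDS = 3      # rdSize (2 words) + rdFunction (1 word)


class MetafileError(ValueError):
    """Raised on the first header or record field that is inconsistent with the data."""


def walk_wmf_records(data: bytes):
    """Return [(offset, rdFunction, rdSize_words)] for every record, validating each
    size against the buffer before it is trusted."""
    if len(data) < METAHEADER_SIZE:
        raise MetafileError("truncated METAHEADER")
    (mt_type, mt_header_size, _mt_version, mt_size,
     _mt_no_objects, mt_max_record, _mt_no_params) = struct.unpack_from("<HHHIHIH", data, 0)
    if mt_type not in (1, 2):                       # 1 = memory metafile, 2 = disk metafile
        raise MetafileError(f"unknown mtType {mt_type}")
    if mt_header_size != METAHEADER_SIZE // 2:
        raise MetafileError(f"bad mtHeaderSize {mt_header_size}")
    end = mt_size * 2                                # declared length, in bytes
    if end > len(data):
        raise MetafileError("mtSize exceeds file length")

    records = []
    off = METAHEADER_SIZE
    while off + 6 <= end:                            # need rdSize + rdFunction
        rd_size, rd_func = struct.unpack_from("<IH", data, off)
        if rd_size < MIN_RECORD_WORDS:
            raise MetafileError(f"record at {off}: rdSize {rd_size} below minimum")
        if rd_size > mt_max_record:
            raise MetafileError(f"record at {off}: rdSize {rd_size} exceeds mtMaxRecord")
        if off + rd_size * 2 > end:
            raise MetafileError(f"record at {off}: rdSize runs past end of metafile")
        records.append((off, rd_func, rd_size))
        off += rd_size * 2
        if rd_func == META_EOF:
            return records
    raise MetafileError("no META_EOF record before end of metafile")


def is_well_formed(data: bytes) -> bool:
    """Convenience wrapper for triage: True only if every length field is consistent."""
    try:
        walk_wmf_records(data)
        return True
    except MetafileError:
        return False


def build_sample_wmf(first_rd_size: int = 4) -> bytes:
    """Constructed sample: META_SETMAPMODE(MM_TEXT) then META_EOF. Passing an
    oversized first_rd_size yields a file whose record size lies about its length."""
    records = struct.pack("<IHH", first_rd_size, META_SETMAPMODE, 1)
    records += struct.pack("<IH", 3, META_EOF)
    total_words = (METAHEADER_SIZE + len(records)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 4, 0)
    return header + records


if __name__ == "__main__":
    print("good sample:", is_well_formed(build_sample_wmf()))
    print("oversized record:", is_well_formed(build_sample_wmf(first_rd_size=0x7FFFFFFF)))
    print("truncated file:", is_well_formed(build_sample_wmf()[:20]))
```

Run over a directory of metafiles, the wrapper flags files whose headers are internally inconsistent, which is a useful triage signal but not proof of malice.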

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

How could an attacker exploit this vulnerability?
Any program that renders the affected image types could be vulnerable to this attack. Here are some examples:
 * An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.
 * An attacker could create an HTML e-mail message that has a specially crafted image attached. The specially crafted image could be designed to exploit this vulnerability through Microsoft Outlook or through Outlook Express 6. An attacker could persuade the user to view the HTML e-mail message.
 * An attacker could embed a specially crafted image in an Office document and then persuade the user to view the document.
 * An attacker could add a specially crafted image to the local file system or onto a network share and then persuade the user to preview the folder.
 * An attacker could locally log on to the system. An attacker could then run a specially-designed program that could exploit the vulnerability, and thereby gain complete control over the affected system.

An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely). To locally exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially-designed application that could exploit the vulnerability, and thereby gain complete control over the affected system.

What systems are primarily at risk from the vulnerability?
The vulnerability could be exploited on the affected systems by an attacker who persuaded a user to open a specially crafted file or to view a folder that contains the specially crafted image. There is no way for an attacker to force a user to open a specially crafted file, except potentially through previewing an e-mail message.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s site.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the Internet.

What does the update do?
The update removes the vulnerability by modifying the way that the Graphics Rendering Engine processes Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

How does this vulnerability relate to the metafile vulnerability that is addressed by MS04-011?
Both vulnerabilities are related to the processing of WMF and EMF image formats. However, this update addresses a new vulnerability that was not addressed as part of MS04-011. MS04-011 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability. This update does not replace MS04-011. You must install this update and the update provided as part of the MS04-011 security bulletin to help protect your system against both vulnerabilities.

How does this vulnerability relate to the JPEG processing (GDI+) vulnerability that is addressed by MS04-028?
The affected component of this vulnerability is a native operating system component and is not redistributed. The affected component in the MS04-028 JPEG processing (GDI+) vulnerability was able to be redistributed by other applications and third-party programs. Installing this operating system update helps protect against this vulnerability for all applications that could be possible attack vectors that may attempt to exploit this vulnerability. MS04-028 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability. This update does not replace MS04-028. You must install this update and the update that is provided as part of the MS04-028 security bulletin to help protect your system against both vulnerabilities.

Mitigating Factors for Windows Kernel Vulnerability:
The vulnerability would not enable an attacker to gain any privileges on an affected system. This issue is strictly a denial of service vulnerability.
Windows NT 4.0, Windows 2000, and Windows XP are not affected by this vulnerability.

FAQ for Windows Kernel Vulnerability:
What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected system to stop responding and automatically restart. During that time, the server cannot respond to requests.

Note: The denial of service vulnerability would not allow attackers to execute code or elevate their privileges, but it could cause the affected system to stop accepting requests.

What causes the vulnerability?
The Windows kernel does not properly reset some values within some CPU data structures.

What is the Windows kernel?
The Windows kernel is the core of the operating system. It provides system level services such as device management and memory management, it allocates processor time to processes, and it manages error handling. For more information about the kernel and about other operating system structures, visit the following Web site.

What might an attacker use the vulnerability to do?
An attacker who exploited this vulnerability could cause the affected system to stop responding and automatically restart. During that time, the server cannot respond to requests.

Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must be able to log on locally to a system and run a program.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially-designed program that could exploit the vulnerability. This could cause the system to stop responding and therefore cause a denial of service condition.

What systems are primarily at risk from the vulnerability?
Terminal servers are primarily at risk. Servers are only at risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system targeted for attack. An attacker cannot load and run a program remotely by using this vulnerability.

What does the update do?
The update addresses the vulnerability by modifying the way that the Windows kernel resets some values in some CPU data structures.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.’
