Microsoft Rolls Out January Patches; One Is Critical

The most serious of the three bulletins affects Microsoft Internet Security and Acceleration (ISA) Server 2000, and because that software's part of both the Small Business Server 2000 and Small Business Server 2003 packages, those products as well.

A vulnerability exists in the H.323 filter in ISA Server 2000 that might let an attacker creating a buffer overflow in the Microsoft Firewall Service, which is integral to ISA. By using the buffer overflow, attackers could introduce other code to the server and gain complete control over the system, said Microsoft.

H.323, a protocol used in voice-over-IP (VoIP) telephony and video conferencing applications to deliver audio and video, is at the root of a number of VoIP vulnerabilities, and not just in Microsoft's wares, according to e-mail alerts Tuesday from several security firms including Symantec and Internet Security Systems (ISS).

The University of Oulu, based in the Finnish city of Oulu at the northern end of the Gulf of Bothnia, developed a suite of test tools that targeted H.323-based applications by sending unusual or improper call signaling messages, and first spotted the problem. Testing by ISS confirmed Tuesday that a wide range of vendors' products -- Microsoft included -- are vulnerable to possible exploit. Among them, Cisco's Internetwork Operating System (IOS); Nortel's Business Communication Manager and its 802.11 Wireless IP Gateway; and Tandberg videoconferencing end points.

"The ISA Server 2000 vulnerability is fairly significant," said Craig Schmugar, a virus research engineer with security firm Network Associates. "It allows a remote attacker to execute code, and is of concern."

While Microsoft has posted several work-arounds for this vulnerability on its Web site -- including disabling the ISA Server 2000 H.323 filter and blocking TCP port 1720 at the perimeter or gateway -- Schmugar urged enterprises to patch quickly. "With a critical update like this, the recommendation is always to install the patch as soon as possible," he said.

Rated as Important, second only to Critical in the four-step ranking Microsoft gives vulnerabilities, is a bug in the Microsoft Data Access Components (MDAC) versions 2.5 through 2.8, which are part and parcel of Windows 2000, Windows XP, Microsoft SQL Server 2000, Windows Server 2003, and Windows Server 2003 64-Bit Edition.

MDAC, a service that provides for connectivity between Windows and remote databases, sports a flaw that could allow an attacker to cause a buffer overflow, and gain partial or even complete control over the targeted system.

But because the attacker would have to be within the network perimeter, or able to simulate an SQL database server that's on the same IP subnet as the target PC, Microsoft and analysts consider the danger on the low side.

"This overflow is of some concern," said Schmugar, "but its impact depends on what permissions the application targeted is running under."

Microsoft's recommended that if users don't immediately patch, that they block UDP port 1434 from accepting inbound traffic. This is the same port that Microsoft recommended blocking against last year's SQL Slammer worm, said Schmugar, but some organizations might not have gotten the message, and have left the port open.

As with all Microsoft's patches, the fix for the MDAC flaw can be downloaded via links on the security bulletin page of the TechNet Web site, or by using the Windows Update service.

The third bulletin released today involves Exchange Server 2003, the newest edition of Microsoft's e-mail server software. Tagged as a Moderate threat, it's of less concern for most enterprises, said Schmugar, since an attacker must already have some access in order to exploit the flaw.

"It's less likely to be exploited," he said, "and much less likely to be exploited successfully."

The problem stems from how HTTP connections are reused when authentication is done between servers running Exchange Server 2003 and Outlook Web Access (OWA) -- which allows users to reach their Exchange mailboxes via a browser -- and other back-end mail servers. An attacker might be able to read mail on a compromised Exchange server, but he wouldn't be able to predict which mailbox. More likely, said Microsoft, is that OWA users would see random and unreliable access to mailboxes.

More details on this vulnerability, including the patch for Exchange, are available on Microsoft's TechNet Web site.

But there is good news, said Schmugar. "We've not yet seen any exploits that take advantage of these new vulnerabilities," he said. "But as always, it's a good idea to patch as soon as you can."

Missing in the January patches were one or more for Internet Explorer, which many security analysts expected to see in the line-up.

Internet Explorer, pegged with a quintet of security holes by a Chinese researcher as long ago as November, 2003, was thought to be a prime target for this month's list. The disclosed vulnerabilities, which were backed up by proof-of-concept exploits, could lead to leaking of sensitive information, bypass the browser's security system, and even allow attackers to take over a compromised machine. The problems affect IE 5.01, 5.5, and 6.0.

Microsoft was mum Tuesday on IE.

"Internet Explorer has a huge installed base and therefore there's lots of testing necessary around any suspected vulnerability," said Schmugar. "Unfortunately, it didn't make it in this month's list."

*This story courtesy of Techweb.com.