
April 2005

Microsoft April Security Bulletins Update

ID: 00328
Ref: 302/2005
Date: 19 April 2005 12:15:07
Version: 1

Title: Microsoft April Security Bulletins Update
Abstract: The NISCC Response Group have researched the vulnerabilities relating to the Microsoft Security Bulletins released in April 2005. Analysis indicates that proof-of-concept code has been released on the Internet for several of them.
Vendors affected: Microsoft
Operating systems affected: Microsoft


Title
=====
Microsoft April Security Bulletins Update


Detail
======

The NISCC Response Group have researched the vulnerabilities relating to the
Microsoft Security Bulletins released in April 2005. Analysis indicates that
proof-of-concept code has been released on the Internet for the following
bulletins:


CRITICAL UPDATES


MICROSOFT SECURITY BULLETIN MS05-019
Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of
Service (893066)
http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx

This bulletin addressed five related vulnerabilities which, if exploited, could
result in remote code execution or denial of service. Because these
vulnerabilities relate to the implementation of the TCP/IP protocol, they exist
in products from many vendors, not just Microsoft. It is possible that these
vulnerabilities may be exploited to crash targeted computers.

At the time of writing, proof-of-concept code has been released for the
ICMP Connection Reset Vulnerability (CAN-2004-0790) and the IP Validation
Vulnerability (CAN-2005-0048). Both exploits cause a denial of service only.

Because it may allow remote code execution without any user interaction,
the IP Validation Vulnerability (CAN-2005-0048) could in principle be used by
an Internet worm. However, most routers should block the malformed packets
such an attack requires. The NISCC Response Group are not currently
aware of a working remote code execution exploit for this vulnerability.


MICROSOFT SECURITY BULLETIN MS05-020
Cumulative Security Update for Internet Explorer (890923)
http://www.microsoft.com/technet/security/bulletin/MS05-020.mspx

This bulletin listed three vulnerabilities in Microsoft Internet Explorer:
memory corruption vulnerabilities in the handling of DHTML objects, of URLs
with specially crafted long hostnames, and of Content Advisor files. All three
can be exploited to execute code remotely, for example by an e-mail virus or
from a malicious website.

Proof-of-concept exploits are available for the DHTML object vulnerability.
Although an attack could be carried out by e-mailing a specially crafted file
to a victim, it is more likely that an exploit would try to trick the user
into opening a file hosted on a web server.


IMPORTANT UPDATES


MICROSOFT SECURITY BULLETIN MS05-016
Vulnerability in Windows Shell that Could Allow Remote Code Execution (893086)
http://www.microsoft.com/technet/security/bulletin/MS05-016.mspx

This bulletin discussed a vulnerability whereby, with user interaction, an attacker
could take control of a system with the privileges of the logged-on user. The most
likely method of attack would be a malicious attachment sent by e-mail, so this
vulnerability could potentially be exploited by an e-mail virus.

There are a number of proof-of-concept demonstrations for this vulnerability.


MICROSOFT SECURITY BULLETIN MS05-017
Vulnerability in Message Queuing Could Allow Code Execution (892944)
http://www.microsoft.com/technet/security/bulletin/MS05-017.mspx

Message Queuing is a Windows component that is not installed by default; an
administrator must select it for installation. The vulnerability would allow a
remote attacker to take complete control of an affected system, so it could
potentially be exploited by a worm. However, because the Message Queuing
component is not installed by default, it is more likely to be used by attackers
to gain unauthorised remote access to individual affected systems.

A number of proof-of-concept exploits have been identified for this vulnerability.

SUMMARY

The NISCC Response Group are aware of the following proof-of-concept exploits for
the Microsoft Security Bulletins released in April:

-----------------------------------------------------------------------
| Bulletin / vulnerability                             | PoC | No PoC |
|------------------------------------------------------|-----|--------|
| MS05-019 Vulnerabilities in TCP/IP                   |     |        |
|   * IP Validation Vulnerability (DoS)                |  X  |        |
|   * IP Validation Vulnerability (Remote Code Exec)   |     |   X    |
|   * ICMP Connection Reset Vulnerability              |  X  |        |
|   * ICMP Path MTU Vulnerability                      |     |   X    |
|   * TCP Connection Reset Vulnerability               |     |   X    |
|   * Spoofed Connection Request Vulnerability         |     |   X    |
| MS05-020 Update for Internet Explorer                |     |        |
|   * DHTML Object Memory Corruption Vulnerability     |  X  |        |
|   * URL Parsing Memory Corruption Vulnerability      |     |   X    |
|   * Content Advisor Memory Corruption Vulnerability  |     |   X    |
| MS05-022 Vulnerability in MSN Messenger              |     |   X    |
| MS05-023 Vulnerabilities in Microsoft Word           |     |        |
|   * Buffer Overrun in Microsoft Word CAN-2004-0963   |     |   X    |
|   * Buffer Overrun in Microsoft Word CAN-2005-0558   |     |   X    |
| MS05-016 Vulnerability in Windows Shell              |  X  |        |
| MS05-017 Vulnerability in Message Queuing            |  X  |        |
| MS05-018 Vulnerabilities in Windows Kernel           |     |        |
|   * Font Vulnerability                               |     |   X    |
|   * Windows Kernel Vulnerability                     |     |   X    |
|   * Object Management Vulnerability                  |     |   X    |
|   * CSRSS Vulnerability                              |     |   X    |
-----------------------------------------------------------------------
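The following is an added example, not part of the NISCC advisory or of Microsoft's bulletins. It turns the table above into a host check: it looks for the fix for each of the four bulletins for which the advisory reports public proof-of-concept code (MS05-019, MS05-020, MS05-016 and MS05-017), using the KB numbers quoted in the bulletin titles, and it applies the MS05-017 caveat from the Message Queuing section by treating that bulletin as not applicable when the optional MSMQ component is absent. It assumes a host on which Get-HotFix (Win32_QuickFixEngineering) reports these updates; the bulletin IDs, KB numbers and severities come from the advisory, everything else is the example's own.

```powershell
# Added example (not NISCC or Microsoft code): check a Windows host against the
# April 2005 bulletins that this advisory says have public proof-of-concept code.
# Assumes Get-HotFix lists these updates on the host; where the hotfix inventory
# is known to be incomplete, confirm the file versions given in each bulletin.

# Bulletin IDs, KB numbers and severities as quoted in the advisory.
$bulletins = @(
    [pscustomobject]@{ Bulletin = 'MS05-019'; KB = 'KB893066'; Component = 'TCP/IP';            Severity = 'Critical'  }
    [pscustomobject]@{ Bulletin = 'MS05-020'; KB = 'KB890923'; Component = 'Internet Explorer'; Severity = 'Critical'  }
    [pscustomobject]@{ Bulletin = 'MS05-016'; KB = 'KB893086'; Component = 'Windows Shell';     Severity = 'Important' }
    [pscustomobject]@{ Bulletin = 'MS05-017'; KB = 'KB892944'; Component = 'Message Queuing';   Severity = 'Important' }
)

# Installed hotfix identifiers on this host, e.g. 'KB893066'.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

# MS05-017 is only reachable if the optional Message Queuing component is
# present; the advisory notes it is not installed by default. The MSMQ service
# is used here as the presence indicator (an assumption of this example).
$msmqService = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

$report = foreach ($b in $bulletins) {
    $applies = -not ($b.Bulletin -eq 'MS05-017' -and -not $msmqService)
    $patched = $installed -contains $b.KB

    if (-not $applies)  { $action = 'n/a (component not installed)' }
    elseif ($patched)   { $action = 'ok' }
    else                { $action = 'INSTALL ' + $b.KB + ' (public PoC available)' }

    [pscustomobject]@{
        Bulletin  = $b.Bulletin
        Component = $b.Component
        Severity  = $b.Severity
        Applies   = $applies
        Patched   = $patched
        Action    = $action
    }
}

$report | Format-Table -AutoSize

# Exit non-zero if any applicable bulletin is unpatched, so the script can
# gate a build image or feed a scheduled compliance job.
if ($report | Where-Object { $_.Applies -and -not $_.Patched }) { exit 1 }
exit 0
```

Run it in an elevated PowerShell session; the Action column flags exactly the bulletins the advisory marks as having proof-of-concept code, and the exit status makes the result usable from a scheduler or configuration-management run.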

