Get up to speed on Microsoft's October security bulletins

by John McCormick | Oct 24, 2005 7:00:00 AM

Tags: Operating systems, Servers, John McCormick, security, Microsoft Windows, Microsoft Corp., CSNW, Microsoft Windows XP, attacker, Novell NetWare, Microsoft Windows 2000, IT Locksmith Newsletter

3 comment(s)

Takeaway: Microsoft released nine security bulletins in October�three critical, four important, and two moderate threats. Last time, John McCormick brought you up to speed on the three critical updates. This time, he completes his coverage by offering the details on the remaining six bulletins.

Making up for lost time, Microsoft has released nine security bulletins for October after taking the month of September off. Of the nine updates, Microsoft has rated three as critical, four as important, and two as moderate threats.

Details

Last time, I told you what you needed to know about Microsoft's three critical security bulletins for October: MS05-050, MS05-051, and MS05-052. This time, let's look at the remaining six bulletins, classified as either important or moderate threats. In case you've lost track, important is more dangerous than moderate, so I'll address the bulletins in that order.

MS05-046

Microsoft Security Bulletin MS05-046, "Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution," affects users of the Client or Gateway Service for NetWare (CAN-2005-1985). This is a remote code execution threat, but no exploits have appeared in the wild.

Applicability
This threat applies to all Windows OS versions after Windows 2000 that have Client Service for NetWare (CSNW) installed (known as Gateway Service for NetWare on Windows 2000). This includes:

Windows 2000 Service Pack 4
Windows XP SP1
Windows XP SP2
Windows Server 2003
Windows Server 2003 SP1

Risk level
Microsoft has rated this as an important threat for all affected systems.

Mitigating factors
While some components of CSNW are present on all affected platforms, none of the operating systems activate this service by default. Only systems that have CSNW fully installed and activated are vulnerable. In addition, Windows Server 2003 SP1 systems are only vulnerable if the attacker has valid logon credentials.

Fix
Install the update. Microsoft has tested and approved several workarounds. These include:

Block ports TCP 139 and 445 at the firewall.
If not using CSNW, remove it.

MS05-047

Microsoft Security Bulletin MS05-047, "Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege," could allow an attacker to completely take over a vulnerable system (CAN-2005-2120). This bulletin replaces Microsoft Security Bulletin MS05-039 on all affected platforms.

Applicability

Windows 2000 SP4
Windows XP SP1
Windows XP SP2

Risk level
This is an important threat for all affected systems.

Mitigating factors
If you already applied MS05-039 to Windows 2000 systems, remote attackers can't exploit the vulnerability without valid logon credentials. For both versions of Windows XP, attackers must have valid logon credentials. In addition, attackers must have administrator privileges to exploit the vulnerability on Windows XP SP2.

Fix
Install the update. Microsoft has tested and approved one workaround: Block ports TCP 139 and 445 at the firewall.

MS05-048

Microsoft Security Bulletin MS05-048, "Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution," is a newly reported vulnerability (CAN-2005-1987) that could allow an attacker to take complete control of vulnerable systems. The threat stems from an unchecked buffer in Collaboration Data Objects, but no exploits have appeared in the wild.

Applicability

Windows 2000 SP4
All versions of Windows XP
All versions of Windows Server 2003
Exchange 2000 Server SP3

This threat does not apply to Exchange Server 5.5, Exchange Server 2003, Exchange Server 2003 SP1, Windows 98, Windows SE, or Windows ME.

Risk level
This is an important threat for Windows 2000 SP4 and Exchange 2000 Server SP3. It is a moderate threat for all other affected systems.

Mitigating factors
Most systems don't have the affected components enabled by default.

Fix
Install the update. A workaround is available for some systems, but applying it affects functionality. See the security bulletin for details.

MS05-049

Microsoft Security Bulletin MS05-049, "Vulnerabilities in Windows Shell Could Allow Remote Code Execution," is a newly discovered threat, and no exploits have appeared in the wild. This bulletin addresses three separate threats:

Shell Vulnerability CAN-2005-2122
Shell Vulnerability CAN-2005-2118
Web View Script Injection Vulnerability CAN-2005-2117.

For Windows 2000, Windows XP, and Windows Server 2003 (but not Windows Server 2003 SP1), this bulletin replaces Microsoft Security Bulletin MS05-016. This bulletin also replaces Microsoft Security Bulletin MS05-024 for Windows 2000.

Applicability

Windows 2000 SP4
All versions of Windows XP
All versions of Windows Server 2003

Risk level
Some of the vulnerabilities don't apply to all platforms or are only moderate threats. The aggregate threat level for all platforms is important.

Mitigating factors
All three vulnerabilities require valid logon credentials. There are various other mitigating factors, which mostly involve not visiting malicious Web sites or opening suspicious e-mails.

Fix
Install the update. There are various workarounds tested and approved by Microsoft. For Shell Vulnerability CAN-2005-2122, don't open attachments with .lnk extensions. For the other two threats, block TCP ports 139 and 445 at the firewall.

MS05-044

Microsoft Security Bulletin MS05-044, "Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering," is a relatively minor file-tampering threat (CAN-2005-2126). This vulnerability's only effect is to allow an attacker to alter the destination directory for downloaded files, which means attackers could use it in conjunction with other attacks to place files in unprotected locations. Proof of concept is on the Web, but Microsoft says it hasn't received any reports of successful attacks.

Applicability

Windows XP SP1
Windows Server 2003
Windows Server 2003 for Itanium-based systems

Risk level
This is a moderate threat for all affected platforms.

Mitigating factors
Attackers must entice users to visit a malicious FTP site.

Fix
Install the update. As a workaround, simply don't download files from untrusted FTP sites.

MS05-045

Microsoft Security Bulletin MS05-045, "Vulnerability in Network Connection Manager Could Allow Denial of Service," is a newly reported minor threat caused by an unchecked buffer (CAN-2005-2307). Proof of concept is on the Web, but Microsoft says it hasn't received any reports of successful attacks.

Applicability

Windows 2000 SP4
Windows XP SP1
Windows XP SP2
Windows Server 2003
Windows Server 2003 SP1

Risk level
This is a moderate threat for Windows 2000, Windows XP SP1, and Windows Server 2003. For Windows XP SP2 and Windows Server 2003 SP1, it is a low-level threat.

Mitigating factors
Attackers need valid logon credentials to exploit this vulnerability.

Fix
Install the update. Workarounds are available that involve some fairly complex firewall settings. For more details, see the security bulletin.

Also watch for...

FrSIRT reports a critical remotely exploitable vulnerability in Snort versions 2.4.0 through 2.4.2. This is an arbitrary file execution threat.

Miss a column?

Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

3 comment(s)