Information About Microsoft’s August 2004 Security Bulletins August 13, 2004 Feliciano Intini, CISSP, MCSE Security Advisor Premier Security Center Microsoft.

Presentation transcript:

Information About Microsoft’s August 2004 Security Bulletins August 13, 2004 Feliciano Intini, CISSP, MCSE Security Advisor Premier Security Center Microsoft Services - ITALY

What we will cover
• Security Bulletins:
  • MS Windows Internet Explorer
  • MS Microsoft Exchange Server 5.5
• Other Security Topics:
  • Security Tools
  • Reminder: Defense In Depth Configuration Changes
  • Windows XP Service Pack 2
• Resources
• Questions & Answers

Review of August Security Bulletins
• Overview of vulnerability for risk assessment
• Workarounds you can implement while deploying the security updates
• How to determine what systems the available security updates apply to
• How you can deploy the security updates to your systems

August 2004 Security Bulletins

MAXIMUM SEVERITY | BULLETIN NUMBER | PRODUCTS AFFECTED | IMPACT
Critical | MS04-025 | Microsoft Windows | Remote Code Execution
Moderate | MS04-026 | Microsoft Exchange | Remote Code Execution

MS04-025: Overview
• Cumulative Security Update for Internet Explorer (867801)
• Impact: Remote Code Execution
• Maximum Severity: Critical
• Affected Software:
  • Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003
  • Critical for Windows 98, Windows 98 Second Edition, Windows Millennium Edition
• Affected Components:
  • Internet Explorer 5.01 Service Packs 2, 3 and 4
  • Internet Explorer 5.5 Service Pack 2
  • Internet Explorer 6.0
  • Internet Explorer 6.0 Service Pack 1, Internet Explorer 6 Service Pack 1 (64-Bit Edition)
  • Internet Explorer 6.0 for Windows Server 2003, Internet Explorer 6 for Windows Server 2003 (64-Bit Edition)

MS04-025: Understanding the Vulnerabilities
• Navigation Method Cross-Domain Vulnerability - CAN :
  • A vulnerability in how Navigation Methods are validated that can enable code execution
• Malformed BMP File Buffer Overrun Vulnerability - CAN :
  • A buffer overrun vulnerability in how BMP files are rendered that can enable code execution
• Malformed GIF File Double Free Vulnerability - CAN :
  • A double free vulnerability in how GIF files are handled that can enable a denial of service or potentially code execution

MS04-025: Risk Assessment
• Possible Attack Vectors
  • Malicious HTML page
    • Hosted on a Web site
    • Sent as
• Impact of Successful Attack
  • Attacker’s code would run in user’s context
• Mitigating Factors
  • Web page and vectors require user actions
  • Attacker’s code limited by user’s privileges

MS04-025: Risk Assessment (2)
• Mitigating Factors (cont’d)
  • HTML in the Restricted sites zone helps reduce attacks
    • Outlook Express 6, Outlook 2002, and Outlook 2003 by default
    • Outlook 98 and Outlook 2000 with Outlook Security Update (OESU)
    • Outlook Express 5.5 with MS
  • Also, risk from HTML vector significantly if both:
    • Latest Cumulative Security Update for IE installed (change introduced in MS03-040)
    • Using IE 6.0 or later

MS04-025: Updates
• Two updates available
  • contains only security fixes and publicly available updates
    • Available on Windows Update, Software Update Services, Download Center
  • (update rollup) contains security fixes, publicly available updates AND hotfixes
    • Available only on the Download Center
• To reduce risk of problems in deployment customers should apply by default

MS04-026: Overview
• Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842463)
• Impact: Remote Code Execution
• Maximum Severity: Moderate
• Affected Software:
  • Microsoft Exchange Server 5.5 SP4
• Affected Components:
  • Outlook Web Access (OWA)

MS04-026: Understanding the Vulnerability
• Cross-site Scripting and Spoofing Vulnerability CAN
  • A cross-site scripting and spoofing vulnerability that could cause a user to run script on the attacker's behalf or a user to view spoofed content.

MS04-026: Risk Assessment
• Possible Attack Vectors
  • Sending a specially-crafted HTTP request to the Outlook Web Access server
• Impact of Successful Attack
  • Execute script in the user’s context
  • Put spoofed content in Web browser and intermediate proxy server caches
• Mitigating Factors
  • An attacker must have valid logon credentials for the Outlook Web Access server
  • Limitations on user’s account apply to attacker’s script
  • “Do not save encrypted pages to disk” option prevents attempts to put spoofed content into client cache
  • SSL-protected connections protect against intermediate proxy vector
  • Difficult for an attacker to predict what users would be served spoofed cached content from intermediate proxy server

MS Re-Release
• Re-issued to advise on the availability of a security update for Microsoft INTERIX 2.2
• Customers who are not using Microsoft INTERIX 2.2 and have previously installed the security updates provided as part of the original release of this bulletin do not need to install the new security update
• Customers using Microsoft INTERIX 2.2 should apply the new update

Workarounds
• Host-based workarounds:
  • MS
    • Set Internet and Local Intranet security zone settings to “High”
    • Restrict Web sites to only trusted Web sites
    • Strengthen the security settings for the Local Machine zone
      • Knowledge Base article
    • Read messages in plain text format
  • MS
    • Disable Outlook Web Access for Each Exchange Site

Determining Systems for Deployment
• MBSA:
  • Use MBSA to determine systems that require MS04-025, MS
  • MBSA will identify systems that require MS but cannot determine systems that might require (update rollup)
  • As of 8/10, MBSA will not raise a warning regarding greater-than-expected file versions on systems with (update rollup)
• SUS:
  • The SUS Client (the Automatic Updates Client) will automatically detect systems that require MS
  • The SUS Client (the Automatic Updates Client) will identify systems that require MS but cannot determine systems that might require (update rollup)
  • Cannot use SUS to determine systems that require MS04-026

Determining Systems for Deployment (2)
• SMS 2.0 / 2003:
  • SMS 2003 to identify systems that need MS04-025, MS
  • SMS will identify systems that require MS but cannot determine systems that might require (update rollup)
  • To limit the deployment of the update rollup to only those computers running post-MS hotfixes
    • Use software inventory to detect systems based on the hotfix affected files
    • For more information see Deploying Software Updates Using the SMS Software Distribution Feature: tchupdate.mspx
• Note regarding SMS and MBSA:
  • Proxy caching at ISP or Intranet may delay the availability of detection catalog mssecure.cab
  • File uses “Cache-Control: must-revalidate”; most proxy servers honor this
  • Refer to KB to diagnose delays

Deploying the Updates
• SUS:
  • Use the SUS Client (the Automatic Updates Client) to deploy MS
  • SUS can only be used to deploy , it will not deploy (update rollup)
• SMS:
  • Use SMS 2.0 with the SMS SUS Feature Pack or SMS 2003 to deploy MS04-025, MS
  • Can deploy (update rollup) using “import” feature documented in SMS documentation

Deploying the Updates (2)
• Restarts
  • MS04-025: Required
  • MS04-026: Not required but will restart these services
    • Microsoft Internet Information Services (IIS)
    • Exchange Store
    • Exchange System Attendant
• Uninstall
  • MS04-025: Can be uninstalled
  • MS04-026: Can be uninstalled

Deploying the Updates (3)
• Notes for MS04-026:
  • Version Requirements for Dependent Components: Microsoft Outlook Web Access (OWA) server must have one of the following:
    • Internet Explorer 5.01 Service Pack 3 on Windows 2000 Service Pack 3
    • Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
    • Internet Explorer 6 Service Pack 1 on current supported operating systems
  • Apply update to Exchange 5.5 Servers running Outlook Web Access only.

Security Tools: MBSA Reminder
• MBSA no longer supported
  • As of April 20, 2004 mssecure.xml file used by versions earlier than MBSA 1.2 is no longer updated
  • Scans performed with MBSA or earlier versions will not detect the Security Bulletins released since April
  • When using SMS, MBSA GUI and mbsacli, scan results will include an ‘update’, e.g.:
• Obtain Upgrades:
  • SMS 2.0 SUS Feature Pack and SMS 2003 users:
    • SMS downloads page
  • MBSA Users:
    • MBSA homepage

Security Tools: MBSA & XP SP2
• New version of MBSA (1.2.1) needed for Windows XP SP2 compatibility!
  • Needed to provide compatibility and better support for Windows XP SP2 security improvements
  • Will be available in mid-August
  • Users running MBSA 1.2 will be automatically notified when they run the tool with an Internet connection

Security Tools: MyDoom Cleaner Tool
• New variant, MyDoom.O, discovered on Monday, July
• Zindos.A worm, discovered on Tuesday, July , uses backdoor opened by MyDoom.O
• Cleaner tool was updated to clean for all known MyDoom variants and Zindos.A
• More information:

Reminder: Deploy Defense in Depth Configuration Changes
Three configuration changes released in July to enhance resiliency of Internet Explorer 6.0 and Outlook Express 5.5 SP2
• Disable ADODB.stream in Windows ActiveX Control (July )
  • Knowledge Base Article (
• Limit functionality of Shell.application (July )
  • Fix is included in MS
• Change HTML viewing in Outlook Express 5.5 SP2 (July )
  • Change included in MS

Windows XP Service Pack 2
Proactive protection technologies block malicious code at the “point of entry”
• Enhance Security
• Increase Manageability
• Improve Experience
Attack Vectors
• Network
• & IM
• Web Browsing
• Memory

Application Compatibility Snapshot
Functional Area / Compatibility Status: Attachment Handler; User experience modified; NX & /GS; Windows Firewall; Few apps, proper configuration required; DCOM & RPC; Other components; Internet Explorer; Some apps, proper configuration required
• The vast majority of application compatibility issues are mitigated through configuration of SP2 security options
• Very few issues require code changes

Windows XP SP2 – Timeline
• August 6:
  • Release to manufacturing for SP2 English and German (Remaining 25 languages RTM over 5 weeks)
• August 9:
  • Release to Microsoft Download Center – full network installation package
  • Release to MSDN – CD ISO image
• August 10:
  • Release to Automatic Updates - for machines running pre-release versions of Windows XP SP2 only
• August 16:
  • Release to Automatic Updates - for machines not running pre-release versions of Windows XP SP2
  • Release to SUS
• August TBD:
  • Release to Windows Update for interactive user installations

SP2 Delivery via Automatic Update
• SP2 is categorized as a critical update
  • Unlike previous critical updates, SP2 requires interactive installation
• Some customers have requested a mechanism to temporarily block SP2 delivery via AU
  • Allow all other critical security updates via AU
• Registry based solution temporarily prevents Automatic Update and Windows Update from downloading SP2 - and only SP2
  • AU and WU search for existence of new registry setting
  • Other downloads unaffected
  • Registry setting is the only change required on local machine

Automatic Update Blocking Mechanism
• Tools for implementing solution
  • ADM file to control registry setting via Active Directory Group Policy
  • Microsoft signed executable that will set the registry setting on local machine
  • Script file to execute the tool remotely
  • message point users to a script file hosted on Microsoft.com
  • All of these tools allow for disabling the registry setting
• This solution expires after 120 days
  • AU and WU will ignore registry key after December 14, 2004
• Scripts and documentation posted on TechNet
• Best solution is Software Update Services

Windows XP SP2 Summary
• More secure
• “Shields-up” approach
• Reduced attack surface area
• Improved manageability of security settings
• More granular control
• Improved support for Active Directory Group Policy
• Reduced urgency for patching vulnerabilities
• Better user experience
• More and better security information
• Applications function while remaining secure
A major step forward on a long journey

Resources
• September Security Bulletins Webcast: our next appointment is Friday, September 17 – 10:
• Security Bulletins Search
• Windows XP Service Pack
• Information on MyDoom and its variants
• Security Newsletter
• Security Guidance Center