Common Microsoft vulnerabilities and Solutions

Source: Internet
Author: User
Tags: ldap, protocol, microsoft, outlook

Microsoft Security Bulletin MS04-011

Affected Systems:
Microsoft Windows NT Workstation 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3
And Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP and Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-bit Edition Service Pack 1
Microsoft Windows XP 64-bit Edition 2003
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-bit Edition
Microsoft NetMeeting
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (Me)

1. LSASS Vulnerability
The Local Security Authority Subsystem Service (LSASS) provides an interface used to manage local security, network authentication, and Active Directory services. It handles client-to-server and server-to-server authentication, including the public interface used to support Active Directory services. An unchecked buffer was recently found in the LSASS service, resulting in a buffer overflow vulnerability. Attackers can exploit this vulnerability to gain system administrator privileges.

Temporary solution:
* Use a personal firewall, such as the Internet Connection Firewall bundled with Windows XP and Windows Server 2003;
* Block the following ports on the firewall:
  - UDP ports 135, 137, 138 and 445; TCP ports 135, 139, 445 and 593
  - All unsolicited inbound traffic on ports greater than 1024
  - Any other specially configured RPC port
* Enable Advanced TCP/IP filtering on systems that support it;
* Use IPsec to block the affected ports on the affected system.

2. LDAP Vulnerability
The Lightweight Directory Access Protocol (LDAP) is a common standard protocol for accessing directory services. It was recently found that the LSASS service in Windows has a defect when processing specially constructed LDAP packets. When an attacker sends such an LDAP packet to LSASS, the LSASS service stops responding and the system restarts, resulting in a DoS attack.

Temporary solution:
* Block LDAP TCP ports 389, 636, 3268 and 3269 on the firewall.
Note that blocking these ports will cause Active Directory domain authentication to fail.

3. PCT Vulnerabilities
The Private Communications Transport (PCT) protocol is part of the SSL (Secure Sockets Layer) library. A buffer overflow vulnerability exists in PCT. Attackers can exploit this vulnerability to gain system administrator privileges. The vulnerability only exists on systems that have the SSL service enabled (usually the Windows 2000 primary domain controller). All other programs that use the protocol may be affected, including Microsoft Internet Information Services 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1, Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, Microsoft Analysis Services 2000 (shipped with SQL Server 2000), and other commercial programs using the PCT protocol.

Temporary solution:
* Disable PCT support through the Registry.

4. Winlogon Vulnerability
Winlogon is a low-level component of Windows. winlogon.exe is the program Windows uses to manage interactive operations related to user logon security: it handles logon, logoff, locking or unlocking the system, password changes, and other related requests. When a user logs on to a domain, the Winlogon service reads relevant information from the domain and uses it to set up the user environment. It was recently found that Winlogon does not effectively check the size of the data it obtains during this process, resulting in a buffer overflow vulnerability. To exploit it successfully, an attacker must already hold a domain permission that allows modifying domain user configuration.

Temporary solution:
* Reduce the number of users with account modification permissions.

5. Metafile Vulnerability
WMF is a 16-bit image format in Windows that can contain both vector and bitmap image information. EMF is a 32-bit image format in Windows that extends WMF. It was recently found that Windows has a buffer overflow vulnerability when parsing these image formats. Attackers can send specially constructed files to users and trick them into opening them, exploiting the vulnerability to obtain system privileges.

Temporary solution:
* If Outlook 2002 or later, or Outlook Express 6 SP1 or later, is used, read mail messages in plain text format to prevent HTML mail attacks.

6. Help and Support Center Vulnerabilities
The Help and Support Center (HSCC) is a help feature in Windows that provides various kinds of help, such as checking whether updated software should be downloaded and installed. The HCP protocol can launch the Help and Support Center from a URL link, much as a URL launches Internet Explorer. Because the Help and Support Center program does not validate the data passed to it through the HCP protocol, a buffer overflow vulnerability exists. Attackers can exploit this vulnerability to gain system administrator permissions.

Temporary solution:
* Disable the HCP protocol.
* If Outlook 2000 SP1 or earlier is used, install the Outlook E-mail Security Update.
* If Outlook 2002 or later, or Outlook Express 6 SP1 or later, is used, read mail messages in plain text format to prevent HTML mail attacks.

7. Tool Manager Vulnerability
The Tool Manager program allows users to check the status of accessibility programs (such as Magnifier, the on-screen keyboard, and the voice narrator) and to start and stop them. Because the manager starts these helper programs with system privileges, a local user can use it to obtain system administrator permissions.

Temporary solution:
* Use software restriction policies on all affected systems to disable the Tool Manager wherever it is not needed.

8. Windows Management Vulnerabilities
Windows Management is a mode of operation that Windows XP allows users to set up. In certain special cases a user can set up this mode so that it runs with system privileges, thereby elevating their permissions.

Temporary solution:
* Remove the affected Windows Management Instrumentation (WMI) provider.

9. Local Descriptor Table Vulnerability
The programming interface used to create program-specific entries in the Local Descriptor Table (LDT) contains a vulnerability. A local unprivileged user can exploit it to gain system administrator permissions.

Temporary solution:
None

10. H.323 Vulnerability
H.323 is an ITU-T protocol that enables packet-based systems to carry out multimedia communication; it supports voice communication and video conferencing data transmission. Windows has a remote buffer overflow vulnerability when processing the H.323 protocol, which can be used to obtain system administrator permissions.

Temporary solution:
* Block inbound and outbound traffic on TCP 1720 and TCP 1503 at the firewall.
 
11. Virtual DOS Machine Vulnerability
The Virtual DOS Machine (VDM) supported by the Windows kernel has a flaw that local attackers can exploit to escalate privileges. The problem lies in the 16-bit support code of the virtual DOS machine: the code is executed when the VDM is initialized with the processor in virtual-8086 mode. In the Windows 2000 kernel the NULL pointer is not rejected, so virtual address 0 is actually used. By supplying special data at the VDM data address, arbitrary content may be written into kernel memory, resulting in privilege escalation.

Temporary solution:
None

12. Negotiate SSP Vulnerabilities
Windows provides multiple security authentication methods, so when a user logs on to a server the authentication method has to be negotiated. The Negotiate SSP interface is the Windows component that provides this function. It was recently found that an unchecked buffer in the Negotiate SSP interface can lead to a buffer overflow. Attackers could exploit this vulnerability to obtain system administrator permissions, but in most cases it will only cause a service crash.

Temporary solution:
* Disable Integrated Windows Authentication
* Disable the Negotiate SSP

13. SSL Vulnerability (CAN-2004-0120, High Risk Level)
The Microsoft Secure Sockets Layer library provides secure communication protocols, including Transport Layer Security 1.0 (TLS 1.0), Secure Sockets Layer 3.0 (SSL 3.0), Secure Sockets Layer 2.0 (SSL 2.0), and Private Communications Technology 1.0 (PCT 1.0). The Windows SSL library does not effectively validate input data. Malicious attackers can construct special SSL requests that cause the SSL library on Windows XP to stop responding; on Windows Server 2003 the system may restart.

Temporary solution:
* Block ports 443 and 636 on the firewall.

14. ASN.1 "Double Free" Vulnerability
Microsoft's ASN.1 library has a remote code execution vulnerability. Its cause is a double free (the same memory block released more than once) in the ASN.1 data handling. A malicious attacker can construct special data that makes the system release already-freed memory again, corrupting the heap structure, and can then place malicious code in the corrupted memory region. On specific hardware configurations this code may run with system privileges; in most cases, however, the result is only a denial of service.

Temporary solution:
None

Patch download:
Microsoft has released security bulletins and patches for these vulnerabilities. You can download the related patches from our website and install them:
Windows NT Workstation 4.0 Chinese version + SP6 patch
Windows NT Server 4.0 Chinese version + SP6 patch
Windows 2000 Chinese version + (SP1, SP2, SP3, or SP4) patch
Windows XP Chinese version + SP1 patch
Windows Server 2003 Chinese version patches

Microsoft Security Bulletin MS04-012
Microsoft RPC/DCOM Cumulative Update (828741)

Affected Systems:
Microsoft Windows NT Workstation 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP and Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-bit Edition Service Pack 1
Microsoft Windows XP 64-bit Edition 2003
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-bit Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (Me)

Details:
1. RPC Runtime Library Vulnerability
The RPC runtime library is installed by default on all Windows operating systems and provides developers with underlying support for communication services, directory services, and security services. When the RPC runtime library processes a deliberately constructed packet, a race condition error may occur. Attackers could exploit this vulnerability to gain system administrator permissions; however, because it is a race condition, in practice this vulnerability can only cause a DoS attack.

Temporary solution:
* Use a personal firewall, such as the Internet Connection Firewall bundled with Windows XP and Windows Server 2003
* Block the following ports on the firewall:
  - UDP ports 135, 137, 138 and 445; TCP ports 135, 139, 445 and 593
  - All unsolicited inbound traffic on ports greater than 1024
  - Any other specially configured RPC port
  - If applicable, the COM Internet Services (CIS) or RPC over HTTP ports (which listen on ports 80 and 443)
* Enable Advanced TCP/IP filtering on systems that support it;
* Use IPsec to block the affected ports on the affected system.

2. RPCSS Vulnerability (CAN-2004-0120, High Risk Level)
RPCSS has a denial-of-service vulnerability. When attackers send specially constructed packets to the RPC listening ports (TCP 135, 139, 445, 593; UDP 135, 138, 139, 445), the RPCSS service, which the system uses to start DCOM functionality, fails and the system restarts.

Temporary solution:
* Disable DCOM on all affected systems.

3. COM Internet Service (CIS)-RPC over HTTP Vulnerability
RPC over HTTP enables programs to carry RPC communication over ports 80 and 443, so that clients can reach services on these two ports through a proxy or firewall. COM Internet Services (CIS) enables DCOM components to use RPC over HTTP for communication between DCOM clients and servers. The CIS service has a denial-of-service vulnerability: malicious attackers can send specially constructed packets that disable the CIS service, and the administrator can only restore normal operation by restarting the IIS service.

Temporary solution:
* If CIS and RPC over HTTP were manually enabled on the affected system, do not forward traffic from untrusted sources.
* If CIS or RPC over HTTP is not required, disable this function on the affected system.

4. Object Identity Vulnerability
Windows has a sensitive information disclosure vulnerability when creating object identities, which may reveal to an attacker the network communication port opened by an application. Although attackers cannot use this vulnerability to directly control or damage the system, they can use it to determine which ports are open for communication.

Temporary solution:
* Use a personal firewall, such as the Internet Connection Firewall bundled with Windows XP and Windows Server 2003
* Block the following ports on the firewall:
  - UDP ports 135, 137, 138 and 445; TCP ports 135, 139, 445 and 593
  - All unsolicited inbound traffic on ports greater than 1024
  - Any other specially configured RPC port
  - If applicable, the COM Internet Services (CIS) or RPC over HTTP ports (which listen on ports 80 and 443)
* Enable Advanced TCP/IP filtering on systems that support it;
* Use IPsec to block the affected ports on the affected system.
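The port blocklist that the LSASS, RPC runtime and object identity sections above repeat (plus the LDAP and H.323 ports from the MS04-011 section) expressed as host firewall rules, as an added example that is not part of the original advisory. It assumes a Windows version that ships the NetSecurity module (New-NetFirewallRule) and an elevated PowerShell session; the rule names are chosen here.

```powershell
# Added example, not from the original advisory. Creates block rules for the
# ports the advisory says to block. Assumes the NetSecurity module is
# available (Windows 8 / Server 2012 or later) and the session is elevated.

$blockList = @(
    # RPC / LSASS / object identity mitigations (inbound)
    @{ Name = 'Advisory-Block-RPC-UDP';  Dir = 'Inbound';  Protocol = 'UDP'; Ports = @(135, 137, 138, 445) },
    @{ Name = 'Advisory-Block-RPC-TCP';  Dir = 'Inbound';  Protocol = 'TCP'; Ports = @(135, 139, 445, 593) },
    # "all unsolicited inbound traffic on ports greater than 1024"; a stateful
    # host firewall still admits replies to connections the host initiated
    @{ Name = 'Advisory-Block-High-TCP'; Dir = 'Inbound';  Protocol = 'TCP'; Ports = @('1025-65535') },
    @{ Name = 'Advisory-Block-High-UDP'; Dir = 'Inbound';  Protocol = 'UDP'; Ports = @('1025-65535') },
    # LDAP mitigation: this breaks Active Directory domain authentication, so
    # apply it only on hosts that do not need domain logon
    @{ Name = 'Advisory-Block-LDAP-TCP'; Dir = 'Inbound';  Protocol = 'TCP'; Ports = @(389, 636, 3268, 3269) },
    # H.323 mitigation: the advisory asks for both directions
    @{ Name = 'Advisory-Block-H323-In';  Dir = 'Inbound';  Protocol = 'TCP'; Ports = @(1720, 1503) },
    @{ Name = 'Advisory-Block-H323-Out'; Dir = 'Outbound'; Protocol = 'TCP'; Ports = @(1720, 1503) }
)

foreach ($entry in $blockList) {
    # Idempotent: skip rules that already exist so the script can be re-run safely
    $existing = Get-NetFirewallRule -DisplayName $entry.Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-NetFirewallRule -DisplayName $entry.Name `
                            -Direction $entry.Dir `
                            -Protocol $entry.Protocol `
                            -LocalPort $entry.Ports `
                            -Action Block `
                            -Profile Any | Out-Null
        Write-Host "Created $($entry.Name): $($entry.Dir) $($entry.Protocol) $($entry.Ports -join ',')"
    }
    else {
        Write-Host "Rule $($entry.Name) already exists, skipping"
    }
}

# Verification: show every rule created above together with its port filter,
# so the applied blocklist can be compared against the advisory's list
Get-NetFirewallRule -DisplayName 'Advisory-Block-*' | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Direction = $_.Direction
        Enabled   = $_.Enabled
        Protocol  = $filter.Protocol
        LocalPort = ($filter.LocalPort -join ',')
    }
} | Format-Table -AutoSize
```

To roll the rules back, remove them by the same name prefix with Remove-NetFirewallRule -DisplayName 'Advisory-Block-*'.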

Patch download:
Microsoft has released security bulletins and patches for these vulnerabilities. You can download the related patches from our website and install them:
Windows NT Workstation 4.0 Chinese version + SP6 patch
Windows NT Server 4.0 Chinese version + SP6 patch
Windows 2000 Chinese version + (SP1, SP2, SP3, or SP4) patch
Windows XP Chinese version + SP1 patch
Windows Server 2003 Chinese version patches

Microsoft Security Bulletin MS04-013
Outlook Express Cumulative Security Update (837009)

Affected Systems:
Microsoft Windows NT Workstation 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP and Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-bit Edition Service Pack 1
Microsoft Windows XP 64-bit Edition 2003
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-bit Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (Me)

Affected Software:
Microsoft Outlook Express 5.5 SP2
Microsoft Outlook Express 6
Microsoft Outlook Express 6 SP1
Microsoft Outlook Express 6 SP1 (64 bit Edition)
Microsoft Outlook Express 6 on Windows Server 2003
Microsoft Outlook Express 6 (64 bit Edition) on Windows Server 2003

Details:
This is a cumulative update that includes all patches previously released for Outlook Express 5.5 and Outlook Express 6. It also fixes a newly discovered security vulnerability:

1. MHTML URL Processing Vulnerability
MHTML is the abbreviation of MIME Encapsulation of Aggregate HTML. It is a network encoding format that defines the MIME standard for transmitting HTML content in an e-mail body. The MHTML URL processing function is part of Outlook Express; it provides a URL type (MHTML://) that allows programs to render MHTML files. All applications (including IE) start the Outlook Express component to process MHTML-encoded files. Outlook Express has a defect in MHTML processing that allows scripts in HTML to run in Internet Explorer's Local Machine security zone, which may allow attackers to gain system administrator permissions.

Temporary solution:
* Harden the security settings of the "Local Machine" zone in Internet Explorer.
* If Outlook 2000 SP1 or earlier is used, install the Outlook E-mail Security Update.
* If Outlook 2002 or later, or Outlook Express 6 SP1 or later, is used, read mail messages in plain text format to prevent HTML mail attacks.

Patch download:
Microsoft has released security bulletins and patches for these vulnerabilities. You can download the related patches from our website and install them:
Microsoft Outlook Express 5.5 + SP2 Chinese patch
Microsoft Outlook Express 6 Chinese patch
Microsoft Outlook Express 6 + SP1 Chinese patch
Microsoft Outlook Express 6 on Windows Server 2003 Chinese patch

Microsoft Security Bulletin MS04-014
Microsoft Jet Database Engine vulnerabilities may allow code execution

Affected Systems:
Microsoft Windows NT Workstation 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP and Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-bit Edition Service Pack 1
Microsoft Windows XP 64-bit Edition 2003
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-bit Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (Me)

Affected Software:
Microsoft Jet Database Engine 4.0

Details:
A buffer overflow exists in the Microsoft Jet Database Engine (JET) that may allow remote code execution. An attacker who successfully exploits this vulnerability could take full control of the affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.
