Andy Lacey
andy at minstersystems.co.uk
Sun Sep 7 07:07:04 CDT 2003
Thanks Gustav

I obviously have to beg MS for the patch. What a PITA! Why the hell can't they make it downloadable like the others?

Andy

> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of
> Gustav Brock
> Sent: 06 September 2003 16:42
> To: Discussion of Hardware and Software issues
> Cc: accessd at databaseadvisors.com
> Subject: Re: [AccessD] Re: [dba-Tech] Recent MS Security Updates
>
>
> Oops, some cannot see the attachment.
>
> I can highly recommend this newsletter.
>
> /gustav
>
>
> > I think you have hit the same dead end as Woody has in paragraph 8 ...
>
> <quote>
>
> --==>> WOW -- WOODY's OFFICE WATCH <<==--
> Microsoft Office advice and news from Woody Leonhard
> 4 September 2003 Vol 8 No 35
>
>
> Within the past 12 hours, Microsoft released four Security
> Bulletins for Office products. This is our "rapid response"
> WOW to the flurry of activity. There are good points, bad
> points, at least one gotcha, and a host of unanswered
> questions, but the bottom line is that I recommend you
> install all the patches, immediately.
>
> Please pass this edition of WOW along to your friends,
> family, co-workers - even that weird guy in the cubicle
> across from you. It's important. It's complicated, too, as
> you'll soon see.
>
> Anyone can join WOW, it's free and your email address is
> private. Hop to http://woodyswatch.com/wow/ or send a blank
> email to wow at woodyswatch.com
>
>
> 1. What Happened
> 2. MS03-035 / 824936 / 824934
> 3. MS03-036 / 824993 / 824938
> 4. MS03-037 / 822035 / 822036
> 5. MS03-038 / 826292 / 826293
> 6. If You Have Office XP
> 7. If You Have Office 2000
> 8. If You Have Office 97 and/or Visio 2000
> 9. The Good Point: One Kudos for Microsoft
> 10. Keep WOW Alive and Free
>
>
> 1. WHAT HAPPENED
> Microsoft has just released four security patches: three
> rated "Important" and one "Critical".
> I recommend that you
> install them all right away, but read the specific
> instructions below first.
>
> No matter which version of Office or which Office products
> you use (including Access), you need to patch your PC. You
> also need to patch your PC if you have FrontPage 2000 or
> 2002, Project 2000 or 2002, Publisher 2002, Visio 2000 or
> 2002, Works 2001, 2002, or 2003, or several of the "MS
> Business Solutions" products.
>
> VBA is a big part of this round of security fixes, and many,
> many applications run VBA. Folks who own any of the 300
> products listed at http://msdn.microsoft.com/vba/companies/company.asp
> (including AutoCAD, CorelDRAW, WordPerfect, Peachtree, and
> many more) will undoubtedly be receiving instructions to
> patch their systems, too. It would be a good idea to wait
> until the manufacturer contacts you, or to keep an eye on the
> manufacturer's Web site. The patching instructions for each
> product may vary a bit. Good luck.
>
>
> In the headings below, I've identified each patch by security
> bulletin number (MS03-???), and also by the Knowledge Base
> article number which is used to identify and track the patch.
> Many of the references you'll see in the press relate to
> bulletin numbers. But when you go to install a patch, all
> you'll see is the KB article number. Worse, there's also a
> Knowledge Base article with a completely different number
> that gives technical details on the hole and the fix. I
> listed those KB article numbers at the bottom of each
> security hole's description. It's a real mess. I hope this
> kinda cuts through some of the obfuscation.
>
>
> 2. MS03-035 / 824936 / 824934
> MS03-035: "Flaw in Microsoft Word Could Enable Macros to Run
> Automatically"
>
> Patch for Word 2000: http://woodyswatch.com/kb?824936
> Patch for Word 2002 (Office XP): http://woodyswatch.com/kb?824934
>
> The problem described in MS03-035 affects Word 97, 2000, and
> 2002 (the version of Word in Office XP).
> It also affects
> Works 2001, 2002 and 2003 because they all contain vulnerable
> versions of Word.
>
> At this point, I don't know if it affects Word 2003, but
> based on the way they handled the other patches (see below),
> I'll bet Microsoft built the fix into Office 2003 before it
> released the gold code.
>
> There are very few details online about this security hole,
> although it sounds like the "flipped macro bit" hole that I
> discussed more than two years ago in WOW 6.30
> (http://www.woodyswatch.com/office/archtemplate.asp?v6-n30 ).
> In that earlier exploit, Steven McLeod discovered a way to
> flip a single bit in a Word document, and have Word bypass
> macro screening. It led to the first patch of Word 2002.
>
> According to MS's Web page, the particular problem in
> MS03-035 was discovered by Jim Bassett. Jim reports, "I just
> stumbled on the security hole by accident. A co-worker
> (non-developer) made a Word template in an unusual way. I
> noticed that new documents created from this template behaved
> strangely. I investigated and discovered that when you create
> a template in a particular manner, derived documents always
> get past macro security. It happened on all versions of Word
> including 2003 Beta."
>
> Jim reports that he first notified Microsoft in May, so it
> took four months for this patch to appear.
>
> http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
> http://woodyswatch.com/kb?827653
>
>
> 3. MS03-036 / 824993 / 824938
> MS03-036: Buffer Overrun in WordPerfect Converter Could Allow
> Code Execution
>
> Patch for Office 2000: http://woodyswatch.com/kb?824993
> Patch for Office XP: http://woodyswatch.com/kb?824938
>
> This is a gaping security hole in the program that Word uses
> to open WordPerfect-formatted documents. Because Internet
> Explorer cranks up Word whenever it tries to open a .doc, IE
> "inherits" the security hole from Word.
> (A bit ironic,
> actually, when you think about how many times Outlook has
> "inherited" security holes from IE and its HTML rendering engine.)
>
> It's a traditional buffer overflow problem: the WordPerfect
> converter doesn't check to make sure that data coming in fits
> inside the allocated area. As a result, a craftily concocted
> WordPerfect document can blow away the converter, take over,
> and start running any program the attacker likes.
>
> Microsoft lists the vulnerable programs as Office 97, 2000,
> and XP, FrontPage 2000 and 2002, Publisher 2000 and 2002, and
> Works 2001, 2002, and 2003. According to Microsoft, all of
> those programs automatically install the faulty converter
> (although I don't understand how the converter would be
> invoked if Word isn't installed - oh well).
>
> No official word on whether it affects Office 2003, but when
> you install Build 5604 of Office 2003 (the final Office 2003
> Build is 5612), you get the same "good" Word Converter file
> mentioned in the Knowledge Base articles. Thus, it's highly
> likely that Microsoft caught the problem and fixed it before
> Office 2003 went gold.
>
> eEye Digital Security - the folks who have uncovered more
> than a dozen security holes in Internet Explorer - caught
> this one, too. They report that it's taken Microsoft four
> months to plug the hole.
>
> http://www.microsoft.com/technet/security/bulletin/MS03-036.asp
> http://woodyswatch.com/kb?827103
> http://www.eeye.com/html/Research/Advisories/AD20030903-1.html
>
>
> 4. MS03-037 / 822035 / 822036
> MS03-037: Flaw in Visual Basic for Applications Could Allow
> Arbitrary Code Execution
>
> Patch for Office 2000: http://woodyswatch.com/kb?822035
> Patch for Office XP: http://woodyswatch.com/kb?822036
>
> This is the biggie. It's rated "critical" because you can get
> infected by simply replying to or forwarding an infected
> email message - assuming you use Word as your Email editor.
>
> Don't get me started.
>
> There's a buffer overflow problem with the VBA Editor (er,
> the "Visual Basic Design Time Environment Library"). Yeah,
> you read that right.
>
> Here's how it works. Say you open a .doc file with Word. One
> early part of the process of opening a file involves Word
> plucking off a bit of the file and handing it to the VBA
> Editor (actually, handing it to the Visual Basic Design Time
> Environment Library, VBE.DLL). In effect, to a first
> approximation, Word asks the VBA Editor if VBA needs to be
> loaded in order to take care of the file. And Word asks
> VBE.DLL before it officially "opens" the file.
>
> That's when the problem occurs. If Word is tricked into
> plucking off too much data (which is remarkably easy to do),
> VBE.DLL gulps down the whole gob of data, chokes, and starts
> running the data that's passed to it, as if it were a
> program. If a bad guy jimmies a Word document so the plucked
> off part is too long, and sticks a malicious program at the
> point where VBE.DLL chokes and starts running the data as if
> it were a program, you have a classic buffer overflow attack.
>
> A lot of people are confused because they think their macro
> scanning anti-virus software should handle this sort of
> problem. In short, it can't (at least, not in the way you
> usually think of virus checkers working). Why? This initial
> plucking and feeding to VBE.DLL occurs long before Word even
> scans the document for macros, much less invokes the security
> levels you've set, or calls your anti-virus package.
>
> That's why WordMail can get clobbered. If you try to reply to
> or forward a message, WordMail plucks a string off the
> message and hands it to VBE.DLL, asking VBA if it needs to be
> loaded. If the string's too long, VBE.DLL can start running
> whatever program the bad guy stuck at the end of the string.
> Your anti-virus software will never even see the message.
>
> It's a helluva bad problem.
>
> As far as I can tell, anything and everything that uses
> Visual Basic for Applications is vulnerable. As mentioned
> earlier, that would include all of the 300-plus products made
> by companies that paid to have VBA included with their
> software. No doubt Corel and AutoCAD and a couple hundred
> other vendors are a bit, uh, peeved at this point.
>
> Remarkably, Microsoft does NOT list Outlook in the MS03-037
> Security Bulletin lineup of afflicted products. That must be
> an oversight. Outlook certainly does use VBA. I bet MS fixes
> the KB article within minutes of reading this.
>
> Although there's no mention of Office 2003 in the Security
> Bulletin or KB articles, when you install Office 2003 Build
> 5604 (RTM is Build 5612), you get the "good" updated VBE6.DLL
> discussed in KB articles 822035 and 822036. Apparently MS
> fixed this hole before Office 2003 was released to manufacturing.
>
> eEye caught this one, too. It took Microsoft four months to
> patch this hole.
>
> http://www.microsoft.com/technet/security/bulletin/MS03-037.asp
> http://woodyswatch.com/kb?822715
> http://www.eeye.com/html/Research/Advisories/AD20030903-2.html
>
>
> 5. MS03-038 / 826292 / 826293
> MS03-038 - Unchecked Buffer in Microsoft Access Snapshot
> Viewer May Permit Code Execution
>
> Patch for Access 2000: http://woodyswatch.com/kb?826292
> Patch for Access 2002 (Office XP): http://woodyswatch.com/kb?826293
>
> This is another buffer overflow bug. (Somebody remind me.
> Didn't Microsoft perform a month-long security lockdown and
> code review, specifically aimed at buffer overflows and other
> common security holes, about a year ago? Hundreds of millions
> of dollars, if memory serves. Hmmmmm...)
>
> The Access Snapshot Viewer is a program that lets you look at
> a "snapshot" of an Access database. No, I've never used it, either.
>
> This particular security hole is susceptible to the same
> "kill bit" problem that the old Office Web Components bug
> encountered.
> I talked about the kill bit cat-and-mouse game
> in WOW 7.40,
> http://www.woodyswatch.com/OFFICE/archtemplate.asp?v7-n40 .
> Basically, even if you download and apply the fix, it's still
> possible for a really persistent cretin to undo your patch,
> remotely, operating from a Web site you visit. As far as I
> know, there aren't any good solutions to kill bit problems.
> You just have to wait for the next Internet Explorer patch,
> and apply it.
>
> And pray.
>
> Microsoft credits Oliver Lavery with finding this hole. I've
> written to Oliver, and will let you know if he wants to add anything.
>
> http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
> http://woodyswatch.com/kb?827104
>
>
> 6. IF YOU HAVE OFFICE XP
> I hate to do it, but I'm going to recommend that you go to
> the Office Update site,
> http://www.office.microsoft.com/ProductUpdates/default.aspx ,
> and apply whatever patches Microsoft may have for you.
>
> Why? Because there's working "exploit" code already posted on
> the Web for MS03-036 and MS03-037. It won't be long before
> somebody with a black hat figures out a way to use it.
>
> I've installed the patches on my own Office XP machines, and
> nothing has fallen over yet. I've combed the newsgroups and
> haven't heard any wailing or gnashing of teeth - although
> many folks are skeptical of Office Update. (No, you *can't*
> get these patches from Windows Update. You have to use Office Update.)
>
> If you want to download individual files, heaven help ya!,
> the Administrative Update page with links to all the Office
> XP update files is at
> http://www.microsoft.com/office/ork/xp/journ/oxpupdte.htm .
> You can also try following the instructions in the KB
> articles I noted at the end of the discussion for each security hole.
>
>
> 7. IF YOU HAVE OFFICE 2000
> See the above recommendation for Office XP.
> The only good way
> I can figure to get all of the right patches (and there's a
> bunch of them, especially if you have FrontPage or Publisher)
> is via Office Update.
>
> Office 2000 (and 97) Administrative Updates (which is
> Microsoft speak for "downloadable
> patches") are listed at
> http://www.microsoft.com/office/ork/xp/journ/o2kupdte.htm
>
>
> 8. IF YOU HAVE OFFICE 97 AND/OR VISIO 2000
> Sez Microsoft: "A supported fix is now available from
> Microsoft, but it is only intended to correct the problem
> that is described in this article. Apply it only to computers
> that are experiencing this specific problem."
>
> Of course, Microsoft doesn't provide you with enough
> information to determine whether or not a specific PC is
> experiencing the MS03-035 problem, in particular, but it
> appears to me as if all Office 97 computers are vulnerable to
> all four threats.
>
> Worse, if you wait until the 'specific problem' appears it
> means you probably have been attacked in some way.
>
> Here's "Trustworthy Computing" in action - Microsoft is
> recommending you do nothing until something bad happens. And
> people wonder why I don't take Microsoft at face value.
>
> For MS03-035: Start at http://woodyswatch.com/kb?827647 and
> follow the instructions to beg Microsoft for the patch.
>
> For MS03-036: Start at http://woodyswatch.com/kb?827656 and beg.
>
> For MS03-037: Start at http://woodyswatch.com/kb?822150 and
> download and apply the generic VBA update.
>
> For MS03-038: You need to download the new Access Snapshot
> Viewer at
> http://www.microsoft.com/accessdev/articles/snapshot.htm?&gssnb=1
>
>
> WOODY's EMAIL ESSENTIALS - our new, free, newsletter, all
> about email. WEE will give you news and tips on Outlook
> Express - yes, finally a place for all those OE users to call
> home. There'll also be advice on email etiquette, spam
> prevention, email services and scams.
> Just click on this
> link to join using the same email address as this issue of
> WOW http://woodyswatch.com/email/subscribe.asp?cactus@cactus.dk
> Or send a blank email to wee at woodyswatch.com
>
>
> 9. THE GOOD POINT: ONE KUDOS FOR MICROSOFT
> Somebody in Redmond decided, once again, that Office 97
> applications will be patched, even if Office 97 is, at least
> theoretically, orphaned.
>
> That's the right decision to make, and I want to thank the
> person or people who made it.
>
> It'd sure be nice if we didn't have to beg to get the
> updates. But at least they're available.
>
> Hopefully some sanity will prevail and the patches will be
> made available without going cap in hand to Microsoft. Well,
> maybe not sanity so much as self-preservation as waves of
> unhappy Office 97 / Visio 2000 users call Microsoft support.
>
> So far, the patches look stable. Let's all keep our fingers crossed.
>
>
> 10. KEEP WOW ALIVE AND FREE
> If you like the no-nonsense style you see in this newsletter
> - the straight scoop, whether Microsoft likes it or not,
> dished out in a way that won't put you to sleep - get one of my books!
>
> "Windows XP All-In-One Desk Reference For Dummies", Hungry Minds
> http://www.woodyswatch.com/l.asp?0764515489
>
> "Special Edition Using Microsoft Office XP" with Ed Bott, Que
> http://www.woodyswatch.com/l.asp?0789725134
>
> "Special Edition Using Microsoft Office 2000" with Ed Bott, Que
> http://www.woodyswatch.com/l.asp?0789718421
>
> "Woody Leonhard Teaches Office 2000", Que
> http://www.woodyswatch.com/l.asp?0789718715
>
>
> </quote>
>
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
>
> Website: http://www.databaseadvisors.com