[AccessD] Re: [dba-Tech] Recent MS Security Updates

Erwin Craps Erwin.Craps at ithelps.be
Sun Sep 7 10:15:32 CDT 2003


Because it has not been regression tested...
Erwin

 


-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Andy Lacey
Sent: Sunday 7 September 2003 14:07
To: 'Discussion of Hardware and Software issues'
Subject: RE: [AccessD] Re: [dba-Tech] Recent MS Security Updates


Thanks Gustav
I obviously have to beg MS for the patch. What a PITA! Why the hell
can't they make it downloadable like the others?

Andy

> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of 
> Gustav Brock
> Sent: 06 September 2003 16:42
> To: Discussion of Hardware and Software issues
> Cc: accessd at databaseadvisors.com
> Subject: Re: [AccessD] Re: [dba-Tech] Recent MS Security Updates
> 
> 
> Oops, some cannot see the attachment.
> 
> I can highly recommend this newsletter.
> 
> /gustav
> 
> 
> > I think you have hit the same dead end as Woody has in paragraph 8 ...
> 
> <quote>
> 
>          --==>> WOW -- WOODY's OFFICE WATCH <<==--
>     Microsoft Office advice and news from Woody Leonhard
>                 4 September 2003        Vol 8 No 35
> 
> 
> Within the past 12 hours, Microsoft released four Security
> Bulletins for Office products. This is our "rapid response" 
> WOW to the flurry of activity. There are good points, bad 
> points, at least one gotcha, and a host of unanswered 
> questions, but the bottom line is that I recommend you 
> install all the patches, immediately.
> 
> Please pass this edition of WOW along to your friends,
> family, co-workers - even that weird guy in the cubicle 
> across from you. It's important. It's complicated, too, as 
> you'll soon see.
> 
> Anyone can join WOW, it's free and your email address is
> private.  Hop to http://woodyswatch.com/wow/  or send a blank 
> email to wow at woodyswatch.com
> 
> 
> 1. What Happened
> 2. MS03-035 / 824936 / 824934
> 3. MS03-036 / 824993 / 824938
> 4. MS03-037 / 822035 / 822036
> 5. MS03-038 / 826292 / 826293
> 6. If You Have Office XP
> 7. If You Have Office 2000
> 8. If You Have Office 97 and/or Visio 2000
> 9. The Good Point: One Kudos for Microsoft
> 10. Keep WOW Alive and Free
> 
> 
> 1. WHAT HAPPENED
> Microsoft has just released four security patches: three
> rated "Important" and one "Critical". I recommend that you 
> install them all right away, but read the specific 
> instructions below first.
> 
> No matter which version of Office or which Office products
> you use (including Access), you need to patch your PC. You 
> also need to patch your PC if you have FrontPage 2000 or 
> 2002, Project 2000 or 2002, Publisher 2002, Visio 2000 or 
> 2002, Works 2001, 2002, or 2003, or several of the "MS 
> Business Solutions" products.
> 
> VBA is a big part of this round of security fixes, and many,
> many applications run VBA. Folks who own any of the 300 
> products listed at http://msdn.microsoft.com/vba/companies/company.asp
> (including AutoCAD, CorelDRAW, WordPerfect, Peachtree, and 
> many more) will undoubtedly be receiving instructions to 
> patch their systems, too. It would be a good idea to wait 
> until the manufacturer contacts you, or to keep an eye on the 
> manufacturer's Web site. The patching instructions for each 
> product may vary a bit. Good luck.
> 
> 
> In the headings below, I've identified each patch by security
> bulletin number (MS03-???), and also by the Knowledge Base 
> article number which is used to identify and track the patch. 
> Many of the references you'll see in the press relate to 
> bulletin numbers. But when you go to install a patch, all 
> you'll see is the KB article number. Worse, there's also a 
> Knowledge Base article with a completely different number 
> that gives technical details on the hole and the fix. I 
> listed those KB article numbers at the bottom of each 
> security hole's description. It's a real mess. I hope this 
> kinda cuts through some of the obfuscation.
> 
> 
> 2. MS03-035 / 824936 / 824934
> MS03-035: "Flaw in Microsoft Word Could Enable Macros to Run
> Automatically"
> 
> Patch for Word 2000: http://woodyswatch.com/kb?824936
> Patch for Word 2002 (Office XP): http://woodyswatch.com/kb?824934
> 
> The problem described in MS03-035 affects Word 97, 2000, and
> 2002 (the version of Word in Office XP). It also affects 
> Works 2001, 2002 and 2003 because they all contain vulnerable 
> versions of Word.
> 
> At this point, I don't know if it affects Word 2003, but
> based on the way they handled the other patches (see below), 
> I'll bet Microsoft built the fix into Office 2003 before it 
> released the gold code. 
> 
> There are very few details online about this security hole,
> although it sounds like the "flipped macro bit" hole that I 
> discussed more than two years ago in WOW 6.30 
> (http://www.woodyswatch.com/office/archtemplate.asp?v6-n30 ). 
> In that earlier exploit, Steven McLeod discovered a way to 
> flip a single bit in a Word document, and have Word bypass 
> macro screening. It led to the first patch of Word 2002. 
> 
> According to MS's Web page, the particular problem in
> MS03-035 was discovered by Jim Bassett. Jim reports, "I just 
> stumbled on the security hole by accident. A co-worker 
> (non-developer) made a Word template in an unusual way. I 
> noticed that new documents created from this template behaved 
> strangely. I investigated and discovered that when you create 
> a template in a particular manner, derived documents always 
> get past macro security. It happened on all versions of Word 
> including 2003 Beta."
> 
> Jim reports that he first notified Microsoft in May, so it
> took four months for this patch to appear.
> 
> http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
> http://woodyswatch.com/kb?827653
> 
> 
> 3. MS03-036 / 824993 / 824938
> MS03-036: Buffer Overrun in WordPerfect Converter Could Allow
> Code Execution
> 
> Patch for Office 2000: http://woodyswatch.com/kb?824993
> Patch for Office XP: http://woodyswatch.com/kb?824938
> 
> This is a gaping security hole in the program that Word uses
> to open WordPerfect-formatted documents. Because Internet 
> Explorer cranks up Word whenever it tries to open a .doc, IE 
> "inherits" the security hole from Word. (A bit ironic, 
> actually, when you think about how many times Outlook has 
> "inherited" security holes from IE and its HTML rendering engine.)
> 
> It's a traditional buffer overflow problem: the WordPerfect
> converter doesn't check to make sure that data coming in fits 
> inside the allocated area. As a result, a craftily concocted 
> WordPerfect document can blow away the converter, take over, 
> and start running any program the attacker likes.
> 
> Microsoft lists the vulnerable programs as Office 97, 2000,
> and XP, FrontPage 2000 and 2002, Publisher 2000 and 2002, and 
> Works 2001, 2002, and 2003. According to Microsoft, all of 
> those programs automatically install the faulty converter 
> (although I don't understand how the converter would be 
> invoked if Word isn't installed - oh well). 
> 
> No official word on whether it affects Office 2003, but when
> you install Build 5604 of Office 2003 (the final Office 2003 
> Build is 5612), you get the same "good" Word Converter file 
> mentioned in the Knowledge Base articles. Thus, it's highly 
> likely that Microsoft caught the problem and fixed it before 
> Office 2003 went gold.
> 
> eEye Digital Security - the folks who have uncovered more
> than a dozen security holes in Internet Explorer - caught 
> this one, too. They report that it's taken Microsoft four 
> months to plug the hole.
> 
> http://www.microsoft.com/technet/security/bulletin/MS03-036.asp
> http://woodyswatch.com/kb?827103
> http://www.eeye.com/html/Research/Advisories/AD20030903-1.html
> 
> 
> 4. MS03-037 / 822035 / 822036
> MS03-037: Flaw in Visual Basic for Applications Could Allow
> Arbitrary Code Execution 
> 
> Patch for Office 2000: http://woodyswatch.com/kb?822035
> Patch for Office XP: http://woodyswatch.com/kb?822036
> 
> This is the biggie. It's rated "critical" because you can get
> infected by simply replying to or forwarding an infected 
> email message - assuming you use Word as your Email editor.
> 
> Don't get me started.
> 
> There's a buffer overflow problem with the VBA Editor (er,
> the "Visual Basic Design Time Environment Library"). Yeah, 
> you read that right. 
> 
> Here's how it works. Say you open a .doc file with Word. One
> early part of the process of opening a file involves Word 
> plucking off a bit of the file and handing it to the VBA 
> Editor (actually, handing it to the Visual Basic Design Time 
> Environment Library, VBE.DLL). In effect, to a first 
> approximation, Word asks the VBA Editor if VBA needs to be 
> loaded in order to take care of the file. And Word asks 
> VBE.DLL before it officially "opens" the file.
> 
> That's when the problem occurs. If Word is tricked into
> plucking off too much data (which is remarkably easy to do), 
> VBE.DLL gulps down the whole gob of data, chokes, and starts 
> running the data that's passed to it, as if it were a 
> program. If a bad guy jimmies a Word document so the plucked 
> off part is too long, and sticks a malicious program at the 
> point where VBE.DLL chokes and starts running the data as if 
> it were a program, you have a classic buffer overflow attack.
> 
> A lot of people are confused because they think their macro
> scanning anti-virus software should handle this sort of 
> problem. In short, it can't (at least, not in the way you 
> usually think of virus checkers working). Why? This initial 
> plucking and feeding to VBE.DLL occurs long before Word even 
> scans the document for macros, much less invokes the security 
> levels you've set, or calls your anti-virus package.
> 
> That's why WordMail can get clobbered. If you try to reply to
> or forward a message, WordMail plucks a string off the 
> message and hands it to VBE.DLL, asking VBA if it needs to be 
> loaded. If the string's too long, VBE.DLL can start running 
> whatever program the bad guy stuck at the end of the string. 
> Your anti-virus software will never even see the message.
> 
> It's a helluva bad problem.
> 
> As far as I can tell, anything and everything that uses
> Visual Basic for Applications is vulnerable. As mentioned 
> earlier, that would include all of the 300-plus products made 
> by companies that paid to have VBA included with their 
> software. No doubt Corel and AutoCAD and a couple hundred 
> other vendors are a bit, uh, peeved at this point.
> 
> Remarkably, Microsoft does NOT list Outlook in the MS03-037
> Security Bulletin lineup of afflicted products. That must be 
> an oversight. Outlook certainly does use VBA. I bet MS fixes 
> the KB article within minutes of reading this.
> 
> Although there's no mention of Office 2003 in the Security
> Bulletin or KB articles, when you install Office 2003 Build 
> 5604 (RTM is Build 5612), you get the "good" updated VBE6.DLL 
> discussed in KB articles 822035 and 822036. Apparently MS 
> fixed this hole before Office 2003 was released to manufacturing.
> 
> eEye caught this one, too. It took Microsoft four months to
> patch this hole.
> 
> http://www.microsoft.com/technet/security/bulletin/MS03-037.asp
> http://woodyswatch.com/kb?822715
> http://www.eeye.com/html/Research/Advisories/AD20030903-2.html
> 
> 
> 5. MS03-038 / 826292 / 826293
> MS03-038 - Unchecked Buffer in Microsoft Access Snapshot
> Viewer May Permit Code Execution
> 
> Patch for Access 2000: http://woodyswatch.com/kb?826292
> Patch for Access 2002 (Office XP): http://woodyswatch.com/kb?826293
> 
> This is another buffer overflow bug. (Somebody remind me.
> Didn't Microsoft perform a month-long security lockdown and 
> code review, specifically aimed at buffer overflows and other 
> common security holes, about a year ago? Hundreds of millions 
> of dollars, if memory serves. Hmmmmm...)
> 
> The Access Snapshot Viewer is a program that lets you look at
> a "snapshot" of an Access database. No, I've never used it, either.
> 
> This particular security hole is susceptible to the same
> "kill bit" problem that the old Office Web Components bug 
> encountered. I talked about the kill bit cat-and-mouse game 
> in WOW 7.40, 
> http://www.woodyswatch.com/OFFICE/archtemplate.asp?v7-n40 . 
> Basically, even if you download and apply the fix, it's still 
> possible for a really persistent cretin to undo your patch, 
> remotely, operating from a Web site you visit. As far as I 
> know, there aren't any good solutions to kill bit problems. 
> You just have to wait for the next Internet Explorer patch, 
> and apply it.
> 
> And pray.
> 
> Microsoft credits Oliver Lavery with finding this hole. I've
> written to Oliver, and will let you know if he wants to add anything.
> 
> http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
> http://woodyswatch.com/kb?827104
> 
> 
> 6. IF YOU HAVE OFFICE XP
> I hate to do it, but I'm going to recommend that you go to
> the Office Update site, 
> http://www.office.microsoft.com/ProductUpdates/default.aspx , 
> and apply whatever patches Microsoft may have for you.
> 
> Why? Because there's working "exploit" code already posted on
> the Web for MS03-036 and MS03-037. It won't be long before 
> somebody with a black hat figures out a way to use it.
> 
> I've installed the patches on my own Office XP machines, and
> nothing has fallen over yet. I've combed the newsgroups and 
> haven't heard any wailing or gnashing of teeth - although 
> many folks are skeptical of Office Update. (No, you *can't* 
> get these patches from Windows Update. You have to use Office Update.)
> 
> If you want to download individual files, heaven help ya!,
> the Administrative Update page with links to all the Office 
> XP update files is at 
> http://www.microsoft.com/office/ork/xp/journ/oxpupdte.htm . 
> You can also try following the instructions in the KB 
> articles I noted at the end of the discussion for each security hole.
> 
> 
> 7. IF YOU HAVE OFFICE 2000
> See the above recommendation for Office XP. The only good way
> I can figure to get all of the right patches (and there's a 
> bunch of them, especially if you have FrontPage or Publisher) 
> is via Office Update.
> 
> Office 2000 (and 97) Administrative Updates (which is
> Microsoft speak for "downloadable
> patches") are listed at 
> http://www.microsoft.com/office/ork/xp/journ/o2kupdte.htm
> 
> 
> 8. IF YOU HAVE OFFICE 97 AND/OR VISIO 2000
> Sez Microsoft: "A supported fix is now available from
> Microsoft, but it is only intended to correct the problem 
> that is described in this article. Apply it only to computers 
> that are experiencing this specific problem." 
> 
> Of course, Microsoft doesn't provide you with enough
> information to determine whether or not a specific PC is 
> experiencing the MS03-035 problem, in particular, but it 
> appears to me as if all Office 97 computers are vulnerable to 
> all four threats.
> 
> Worse, if you wait until the 'specific problem' appears it
> means you probably have been attacked in some way.
> 
> Here's "Trustworthy Computing" in action - Microsoft is
> recommending you do nothing until something bad happens.  And 
> people wonder why I don't take Microsoft at face value.
> 
> For MS03-035: Start at http://woodyswatch.com/kb?827647 and
> follow the instructions to beg Microsoft for the patch.
> 
> For MS03-036: Start at http://woodyswatch.com/kb?827656 and beg.
> 
> For MS03-037: Start at http://woodyswatch.com/kb?822150 and
> download and apply the generic VBA update.
> 
> For MS03-038: You need to download the new Access Snapshot
> Viewer at 
> http://www.microsoft.com/accessdev/articles/snapshot.htm?&gssnb=1
> 
> 
> 9. THE GOOD POINT: ONE KUDOS FOR MICROSOFT
> Somebody in Redmond decided, once again, that Office 97
> applications will be patched, even if Office 97 is, at least 
> theoretically, orphaned.
> 
> That's the right decision to make, and I want to thank the
> person or people who made it.
> 
> It'd sure be nice if we didn't have to beg to get the
> updates. But at least they're available.
> 
> Hopefully some sanity will prevail and the patches will be
> made available without going cap in hand to Microsoft.  Well, 
> maybe not sanity so much as self-preservation as waves of 
> unhappy Office 97 / Visio 2000 users call Microsoft support.
> 
> So far, the patches look stable. Let's all keep our fingers crossed.
> 
> 
> 10. KEEP WOW ALIVE AND FREE
> If you like the no-nonsense style you see in this newsletter
> - the straight scoop, whether Microsoft likes it or not, 
> dished out in a way that won't put you to sleep - get one of my books!
> 
> "Windows XP All-In-One Desk Reference For Dummies", Hungry Minds
>      http://www.woodyswatch.com/l.asp?0764515489
> 
> "Special Edition Using Microsoft Office XP" with Ed Bott, Que
>      http://www.woodyswatch.com/l.asp?0789725134
> 
> "Special Edition Using Microsoft Office 2000" with Ed Bott, Que
>      http://www.woodyswatch.com/l.asp?0789718421
> 
> "Woody Leonhard Teaches Office 2000", Que
>      http://www.woodyswatch.com/l.asp?0789718715
> 
> 
> </quote>
> 
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> 
> Website: http://www.databaseadvisors.com
> 
> 
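The quoted newsletter describes MS03-036 and MS03-037 as the same class of bug: a length taken from the document is trusted when data is copied into a fixed-size area, before any macro scan runs. The sketch below is an added example, not part of the original thread and not Microsoft's code; the record layout, buffer size and function names are assumptions made for illustration. It shows the unchecked copy beside a checked one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROJ_BUF 64            /* fixed-size destination inside the library */

/* Constructed record layout (an assumption, NOT the real Word/VBA format):
 *   bytes 0..1  little-endian declared length N
 *   bytes 2..   N bytes handed to the library before any macro scan      */

/* BEFORE: trusts the length stored in the document. A declared length
 * above PROJ_BUF writes past dst; this is the overflow described above.
 * Shown for contrast only; call it with well-formed input. */
size_t pluck_unchecked(const uint8_t *doc, uint8_t *dst)
{
    size_t n = (size_t)doc[0] | ((size_t)doc[1] << 8);
    memcpy(dst, doc + 2, n);   /* no check against file size or dst size */
    return n;
}

/* AFTER: returns the number of bytes copied, or -1 for a malformed record. */
long pluck_checked(const uint8_t *doc, size_t doc_len,
                   uint8_t *dst, size_t dst_cap)
{
    if (doc == NULL || dst == NULL || doc_len < 2)
        return -1;             /* length header itself is missing */
    size_t n = (size_t)doc[0] | ((size_t)doc[1] << 8);
    if (n > doc_len - 2)
        return -1;             /* claims more data than the file holds */
    if (n > dst_cap)
        return -1;             /* would not fit the destination buffer */
    memcpy(dst, doc + 2, n);
    return (long)n;
}

/* Constructed samples. */
const uint8_t GOOD_DOC[]  = { 5, 0, 'h', 'e', 'l', 'l', 'o' };
const uint8_t TRUNC_DOC[] = { 16, 0, 'a' };           /* declares 16, has 1 */
const uint8_t BIG_DOC[2 + 512] = { 0x00, 0x02 };      /* declares 512 > 64  */
uint8_t g_out[PROJ_BUF];

int main(void)
{
    printf("good:      %ld\n", pluck_checked(GOOD_DOC, sizeof GOOD_DOC, g_out, sizeof g_out));
    printf("truncated: %ld\n", pluck_checked(TRUNC_DOC, sizeof TRUNC_DOC, g_out, sizeof g_out));
    printf("oversized: %ld\n", pluck_checked(BIG_DOC, sizeof BIG_DOC, g_out, sizeof g_out));
    return 0;
}
```

Both length checks are needed: the first rejects a record that claims more bytes than the file contains, the second rejects one that is present in full but larger than the destination.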

