[AccessD] Re: [dba-Tech] Recent MS Security Updates

Andy Lacey andy at minstersystems.co.uk
Sun Sep 7 11:30:30 CDT 2003


That's heartening :-(

Andy

> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com 
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of 
> Erwin Craps
> Sent: 07 September 2003 16:16
> To: Discussion of Hardware and Software issues
> Subject: RE: [AccessD] Re: [dba-Tech] Recent MS Security Updates
> 
> 
> Because it has not been regression tested...
> Erwin
> 
> 
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Andy Lacey
> Sent: Sunday 7 September 2003 14:07
> To: 'Discussion of Hardware and Software issues'
> Subject: RE: [AccessD] Re: [dba-Tech] Recent MS Security Updates
> 
> 
> Thanks Gustav
> I obviously have to beg MS for the patch. What a PITA! Why 
> the hell can't they make it downloadable like the others?
> 
> Andy
> 
> > -----Original Message-----
> > From: dba-tech-bounces at databaseadvisors.com
> > [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of
> > Gustav Brock
> > Sent: 06 September 2003 16:42
> > To: Discussion of Hardware and Software issues
> > Cc: accessd at databaseadvisors.com
> > Subject: Re: [AccessD] Re: [dba-Tech] Recent MS Security Updates
> > 
> > 
> > Oops, some cannot see the attachment.
> > 
> > I can highly recommend this newsletter.
> > 
> > /gustav
> > 
> > 
> > > I think you have hit same dead end as have Woody in paragraph 8 ...
> > 
> > <quote>
> > 
> >          --==>> WOW -- WOODY's OFFICE WATCH <<==--
> >     Microsoft Office advice and news from Woody Leonhard
> >                 4 September 2003        Vol 8 No 35
> > 
> > 
> > Within the past 12 hours, Microsoft released four Security Bulletins
> > for Office products. This is our "rapid response" WOW to the flurry of
> > activity. There are good points, bad points, at least one gotcha, and
> > a host of unanswered questions, but the bottom line is that I
> > recommend you install all the patches, immediately.
> > 
> > Please pass this edition of WOW along to your friends, family,
> > co-workers - even that weird guy in the cubicle across from you. It's
> > important. It's complicated, too, as you'll soon see.
> > 
> > Anyone can join WOW, it's free and your email address is private.  Hop
> > to http://woodyswatch.com/wow/  or send a blank email to
> > wow at woodyswatch.com
> > 
> > 
> > 1. What Happened
> > 2. MS03-035 / 824936 / 824934
> > 3. MS03-036 / 824993 / 824938
> > 4. MS03-037 / 822035 / 822036
> > 5. MS03-038 / 826292 / 826293
> > 6. If You Have Office XP
> > 7. If You Have Office 2000
> > 8. If You Have Office 97 and/or Visio 2000
> > 9. The Good Point: One Kudos for Microsoft
> > 10. Keep WOW Alive and Free
> > 
> > 
> > 1. WHAT HAPPENED
> > Microsoft has just released four security patches: three rated
> > "Important" and one "Critical". I recommend that you install them all
> > right away, but read the specific instructions below first.
> > 
> > No matter which version of Office or which Office products you use
> > (including Access), you need to patch your PC. You also need to patch
> > your PC if you have FrontPage 2000 or 2002, Project 2000 or 2002,
> > Publisher 2002, Visio 2000 or 2002, Works 2001, 2002, or 2003, or
> > several of the "MS Business Solutions" products.
> > 
> > VBA is a big part of this round of security fixes, and many, many
> > applications run VBA. Folks who own any of the 300 products listed at
> > http://msdn.microsoft.com/vba/companies/company.asp
> > (including AutoCAD, CorelDRAW, WordPerfect, Peachtree, and
> > many more) will undoubtedly be receiving instructions to 
> > patch their systems, too. It would be a good idea to wait 
> > until the manufacturer contacts you, or to keep an eye on the 
> > manufacturer's Web site. The patching instructions for each 
> > product may vary a bit. Good luck.
> > 
> > 
> > In the headings below, I've identified each patch by security bulletin
> > number (MS03-???), and also by the Knowledge Base article number which
> > is used to identify and track the patch. Many of the references you'll
> > see in the press relate to bulletin numbers. But when you go to
> > install a patch, all you'll see is the KB article number. Worse, 
> > there's also a Knowledge Base article with a completely different 
> > number that gives technical details on the hole and the fix. I
> > listed those KB article numbers at the bottom of each 
> > security hole's description. It's a real mess. I hope this 
> > kinda cuts through some of the obfuscation.
> > 
> > 
> > 2. MS03-035 / 824936 / 824934
> > MS03-035: "Flaw in Microsoft Word Could Enable Macros to Run
> > Automatically"
> > 
> > Patch for Word 2000: http://woodyswatch.com/kb?824936
> > Patch for Word 2002 (Office XP): http://woodyswatch.com/kb?824934
> > 
> > The problem described in MS03-035 affects Word 97, 2000, and
> > 2002 (the version of Word in Office XP). It also affects 
> > Works 2001, 2002 and 2003 because they all contain vulnerable 
> > versions of Word.
> > 
> > At this point, I don't know if it affects Word 2003, but
> > based on the way they handled the other patches (see below), 
> > I'll bet Microsoft built the fix into Office 2003 before it 
> > released the gold code. 
> > 
> > There are very few details online about this security hole,
> > although it sounds like the "flipped macro bit" hole that I 
> > discussed more than two years ago in WOW 6.30 
> > (http://www.woodyswatch.com/office/archtemplate.asp?v6-n30 ). 
> > In that earlier exploit, Steven McLeod discovered a way to 
> > flip a single bit in a Word document, and have Word bypass 
> > macro screening. It led to the first patch of Word 2002. 
> > 
> > According to MS's Web page, the particular problem in
> > MS03-035 was discovered by Jim Bassett. Jim reports, "I just 
> > stumbled on the security hole by accident. A co-worker 
> > (non-developer) made a Word template in an unusual way. I 
> > noticed that new documents created from this template behaved 
> > strangely. I investigated and discovered that when you create 
> > a template in a particular manner, derived documents always 
> > get past macro security. It happened on all versions of Word 
> > including 2003 Beta."
> > 
> > Jim reports that he first notified Microsoft in May, so it
> > took four months for this patch to appear.
> > 
> > http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
> > http://woodyswatch.com/kb?827653
> > 
> > 
> > 3. MS03-036 / 824993 / 824938
> > MS03-036: Buffer Overrun in WordPerfect Converter Could Allow
> > Code Execution
> > 
> > Patch for Office 2000: http://woodyswatch.com/kb?824993
> > Patch for Office XP: http://woodyswatch.com/kb?824938
> > 
> > This is a gaping security hole in the program that Word uses
> > to open WordPerfect-formatted documents. Because Internet 
> > Explorer cranks up Word whenever it tries to open a .doc, IE 
> > "inherits" the security hole from Word. (A bit ironic, 
> > actually, when you think about how many times Outlook has 
> > "inherited" security holes from IE and its HTML rendering engine.)
> > 
> > It's a traditional buffer overflow problem: the WordPerfect
> > converter doesn't check to make sure that data coming in fits 
> > inside the allocated area. As a result, a craftily concocted 
> > WordPerfect document can blow away the converter, take over, 
> > and start running any program the attacker likes.
> > 
> > Microsoft lists the vulnerable programs as Office 97, 2000,
> > and XP, FrontPage 2000 and 2002, Publisher 2000 and 2002, and 
> > Works 2001, 2002, and 2003. According to Microsoft, all of 
> > those programs automatically install the faulty converter 
> > (although I don't understand how the converter would be 
> > invoked if Word isn't installed - oh well). 
> > 
> > No official word on whether it affects Office 2003, but when
> > you install Build 5604 of Office 2003 (the final Office 2003 
> > Build is 5612), you get the same "good" Word Converter file 
> > mentioned in the Knowledge Base articles. Thus, it's highly 
> > likely that Microsoft caught the problem and fixed it before 
> > Office 2003 went gold.
> > 
> > eEye Digital Security - the folks who have uncovered more
> > than a dozen security holes in Internet Explorer - caught 
> > this one, too. They report that it's taken Microsoft four 
> > months to plug the hole.
> > 
> > http://www.microsoft.com/technet/security/bulletin/MS03-036.asp
> > http://woodyswatch.com/kb?827103
> > http://www.eeye.com/html/Research/Advisories/AD20030903-1.html
> > 
> > 
> > 4. MS03-037 / 822035 / 822036
> > MS03-037: Flaw in Visual Basic for Applications Could Allow
> > Arbitrary Code Execution 
> > 
> > Patch for Office 2000: http://woodyswatch.com/kb?822035
> > Patch for Office XP: http://woodyswatch.com/kb?822036
> > 
> > This is the biggie. It's rated "critical" because you can get
> > infected by simply replying to or forwarding an infected 
> > email message - assuming you use Word as your Email editor.
> > 
> > Don't get me started.
> > 
> > There's a buffer overflow problem with the VBA Editor (er,
> > the "Visual Basic Design Time Environment Library"). Yeah, 
> > you read that right. 
> > 
> > Here's how it works. Say you open a .doc file with Word. One
> > early part of the process of opening a file involves Word 
> > plucking off a bit of the file and handing it to the VBA 
> > Editor (actually, handing it to the Visual Basic Design Time 
> > Environment Library, VBE.DLL). In effect, to a first 
> > approximation, Word asks the VBA Editor if VBA needs to be 
> > loaded in order to take care of the file. And Word asks 
> > VBE.DLL before it officially "opens" the file.
> > 
> > That's when the problem occurs. If Word is tricked into
> > plucking off too much data (which is remarkably easy to do), 
> > VBE.DLL gulps down the whole gob of data, chokes, and starts 
> > running the data that's passed to it, as if it were a 
> > program. If a bad guy jimmies a Word document so the plucked 
> > off part is too long, and sticks a malicious program at the 
> > point where VBE.DLL chokes and starts running the data as if 
> > it were a program, you have a classic buffer overflow attack.
> > 
> > A lot of people are confused because they think their macro
> > scanning anti-virus software should handle this sort of 
> > problem. In short, it can't (at least, not in the way you 
> > usually think of virus checkers working). Why? This initial 
> > plucking and feeding to VBE.DLL occurs long before Word even 
> > scans the document for macros, much less invokes the security 
> > levels you've set, or calls your anti-virus package.
> > 
> > That's why WordMail can get clobbered. If you try to reply to
> > or forward a message, WordMail plucks a string off the 
> > message and hands it to VBE.DLL, asking VBA if it needs to be 
> > loaded. If the string's too long, VBE.DLL can start running 
> > whatever program the bad guy stuck at the end of the string. 
> > Your anti-virus software will never even see the message.
> > 
> > It's a helluva bad problem.
> > 
> > As far as I can tell, anything and everything that uses
> > Visual Basic for Applications is vulnerable. As mentioned 
> > earlier, that would include all of the 300-plus products made 
> > by companies that paid to have VBA included with their 
> > software. No doubt Corel and AutoCAD and a couple hundred 
> > other vendors are a bit, uh, peeved at this point.
> > 
> > Remarkably, Microsoft does NOT list Outlook in the MS03-037
> > Security Bulletin lineup of afflicted products. That must be 
> > an oversight. Outlook certainly does use VBA. I bet MS fixes 
> > the KB article within minutes of reading this.
> > 
> > Although there's no mention of Office 2003 in the Security
> > Bulletin or KB articles, when you install Office 2003 Build 
> > 5604 (RTM is Build 5612), you get the "good" updated VBE6.DLL 
> > discussed in KB articles 822035 and 822036. Apparently MS 
> > fixed this hole before Office 2003 was released to manufacturing.
> > 
> > eEye caught this one, too. It took Microsoft four months to
> > patch this hole.
> > 
> > http://www.microsoft.com/technet/security/bulletin/MS03-037.asp
> > http://woodyswatch.com/kb?822715
> > http://www.eeye.com/html/Research/Advisories/AD20030903-2.html
> > 
> > 
> > 5. MS03-038 / 826292 / 826293
> > MS03-038 - Unchecked Buffer in Microsoft Access Snapshot
> > Viewer May Permit Code Execution
> > 
> > Patch for Access 2000: http://woodyswatch.com/kb?826292
> > Patch for Access 2002 (Office XP): http://woodyswatch.com/kb?826293
> > 
> > This is another buffer overflow bug. (Somebody remind me.
> > Didn't Microsoft perform a month-long security lockdown and 
> > code review, specifically aimed at buffer overflows and other 
> > common security holes, about a year ago? Hundreds of millions 
> > of dollars, if memory serves. Hmmmmm...)
> > 
> > The Access Snapshot Viewer is a program that lets you look at
> > a "snapshot" of an Access database. No, I've never used it, either.
> > 
> > This particular security hole is susceptible to the same
> > "kill bit" problem that the old Office Web Components bug 
> > encountered. I talked about the kill bit cat-and-mouse game 
> > in WOW 7.40, 
> > http://www.woodyswatch.com/OFFICE/archtemplate.asp?v7-n40 . 
> > Basically, even if you download and apply the fix, it's still 
> > possible for a really persistent cretin to undo your patch, 
> > remotely, operating from a Web site you visit. As far as I 
> > know, there aren't any good solutions to kill bit problems. 
> > You just have to wait for the next Internet Explorer patch, 
> > and apply it.
> > 
> > And pray.
> > 
> > Microsoft credits Oliver Lavery with finding this hole. I've
> > written to Oliver, and will let you know if he wants to add anything.
> > 
> > http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
> > http://woodyswatch.com/kb?827104
> > 
> > 
> > 6. IF YOU HAVE OFFICE XP
> > I hate to do it, but I'm going to recommend that you go to
> > the Office Update site, 
> > http://www.office.microsoft.com/ProductUpdates/default.aspx , 
> > and apply whatever patches Microsoft may have for you.
> > 
> > Why? Because there's working "exploit" code already posted on
> > the Web for MS03-036 and MS03-037. It won't be long before 
> > somebody with a black hat figures out a way to use it.
> > 
> > I've installed the patches on my own Office XP machines, and
> > nothing has fallen over yet. I've combed the newsgroups and 
> > haven't heard any wailing or gnashing of teeth - although 
> > many folks are skeptical of Office Update. (No, you *can't* 
> > get these patches from Windows Update. You have to use Office Update.)
> > 
> > If you want to download individual files, heaven help ya!,
> > the Administrative Update page with links to all the Office 
> > XP update files is at 
> > http://www.microsoft.com/office/ork/xp/journ/oxpupdte.htm . 
> > You can also try following the instructions in the KB 
> > articles I noted at the end of the discussion for each security hole.
> > 
> > 
> > 7. IF YOU HAVE OFFICE 2000
> > See the above recommendation for Office XP. The only good way
> > I can figure to get all of the right patches (and there's a 
> > bunch of them, especially if you have FrontPage or Publisher) 
> > is via Office Update.
> > 
> > Office 2000 (and 97) Administrative Updates (which is
> > Microsoft speak for "downloadable patches") are listed at 
> > http://www.microsoft.com/office/ork/xp/journ/o2kupdte.htm
> > 
> > 
> > 8. IF YOU HAVE OFFICE 97 AND/OR VISIO 2000
> > Sez Microsoft: "A supported fix is now available from
> > Microsoft, but it is only intended to correct the problem 
> > that is described in this article. Apply it only to computers 
> > that are experiencing this specific problem." 
> > 
> > Of course, Microsoft doesn't provide you with enough
> > information to determine whether or not a specific PC is 
> > experiencing the MS03-035 problem, in particular, but it 
> > appears to me as if all Office 97 computers are vulnerable to 
> > all four threats.
> > 
> > Worse, if you wait until the 'specific problem' appears it
> > means you probably have been attacked in some way.
> > 
> > Here's "Trustworthy Computing" in action - Microsoft is
> > recommending you do nothing until something bad happens.  And 
> > people wonder why I don't take Microsoft at face value.
> > 
> > For MS03-035: Start at http://woodyswatch.com/kb?827647 and
> > follow the instructions to beg Microsoft for the patch.
> > 
> > For MS03-036: Start at http://woodyswatch.com/kb?827656 and beg.
> > 
> > For MS03-037: Start at http://woodyswatch.com/kb?822150 and
> > download and apply the generic VBA update.
> > 
> > For MS03-038: You need to download the new Access Snapshot
> > Viewer at 
> > http://www.microsoft.com/accessdev/articles/snapshot.htm?&gssnb=1
> > 
> > 
> > WOODY's EMAIL ESSENTIALS - our new, free, newsletter, all
> > about email. WEE will give you news and tips on Outlook 
> > Express - yes, finally a place for all those OE users to call 
> > home. There'll also be advice on email etiquette, spam 
> > prevention, email services and scams.  Just click on this 
> > link to join using the same email address as this issue of 
> > WOW http://woodyswatch.com/email/subscribe.asp?cactus@cactus.dk
> > Or send a blank email to wee at woodyswatch.com
> > 
> > 
> > 9. THE GOOD POINT: ONE KUDOS FOR MICROSOFT
> > Somebody in Redmond decided, once again, that Office 97
> > applications will be patched, even if Office 97 is, at least 
> > theoretically, orphaned.
> > 
> > That's the right decision to make, and I want to thank the
> > person or people who made it.
> > 
> > It'd sure be nice if we didn't have to beg to get the
> > updates. But at least they're available.
> > 
> > Hopefully some sanity will prevail and the patches will be
> > made available without going cap in hand to Microsoft.  Well, 
> > maybe not sanity so much as self-preservation as waves of 
> > unhappy Office 97 / Visio 2000 users call Microsoft support.
> > 
> > So far, the patches look stable. Let's all keep our fingers crossed.
> > 
> > 
> > 10. KEEP WOW ALIVE AND FREE
> > If you like the no-nonsense style you see in this newsletter
> > - the straight scoop, whether Microsoft likes it or not, 
> > dished out in a way that won't put you to sleep - get one of my books!
> > 
> > "Windows XP All-In-One Desk Reference For Dummies", Hungry Minds
> >      http://www.woodyswatch.com/l.asp?0764515489
> > 
> > "Special Edition Using Microsoft Office XP" with Ed Bott, Que
> >      http://www.woodyswatch.com/l.asp?0789725134
> > 
> > "Special Edition Using Microsoft Office 2000" with Ed Bott, Que
> >      http://www.woodyswatch.com/l.asp?0789718421
> > 
> > "Woody Leonhard Teaches Office 2000", Que
> >      http://www.woodyswatch.com/l.asp?0789718715
> > 
> > 
> > </quote>
> > 
> > _______________________________________________
> > dba-Tech mailing list
> > dba-Tech at databaseadvisors.com
> > http://databaseadvisors.com/mailman/listinfo/dba-tech
> > 
> > Website: http://www.databaseadvisors.com
> > 
> > 
> 
> 
> 
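
The length check that the quoted newsletter says was missing in the WordPerfect converter (MS03-036) and in VBE.DLL (MS03-037), sketched in C as an added example; it is not code from the newsletter, the list posts or Microsoft. The record layout (2-byte length, then payload), the 64-byte buffer and every function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64  /* fixed destination size (assumed for this example) */

enum { FIELD_OK = 0, FIELD_TRUNCATED = -1, FIELD_TOO_LONG = -2 };

/* Hypothetical record layout: 2-byte little-endian length, then payload. */
static size_t declared_len(const uint8_t *rec)
{
    return (size_t)rec[0] | ((size_t)rec[1] << 8);
}

/* The flawed pattern: the length stored in the file is trusted as-is.
 * Shown for contrast only; it is never called below. */
void read_field_unchecked(const uint8_t *rec, uint8_t dst[FIELD_MAX])
{
    memcpy(dst, rec + 2, declared_len(rec)); /* no comparison with FIELD_MAX */
}

/* Hardened form: the declared length must fit both the bytes actually
 * present in the input and the destination buffer before any copy. */
int read_field_checked(const uint8_t *rec, size_t rec_len,
                       uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    if (rec_len < 2)
        return FIELD_TRUNCATED;          /* header itself is incomplete */
    size_t n = declared_len(rec);
    if (n > rec_len - 2)
        return FIELD_TRUNCATED;          /* claims more than the file holds */
    if (n > dst_cap)
        return FIELD_TOO_LONG;           /* would overrun the destination */
    memcpy(dst, rec + 2, n);
    *out_len = n;
    return FIELD_OK;
}

/* Constructed sample: header declares `claimed` bytes, `present` follow
 * (present must not exceed 512). Returns the checked reader's status. */
int check_sample(size_t claimed, size_t present)
{
    uint8_t rec[2 + 512] = {0};
    uint8_t dst[FIELD_MAX];
    size_t got = 0;
    rec[0] = (uint8_t)(claimed & 0xff);
    rec[1] = (uint8_t)(claimed >> 8);
    return read_field_checked(rec, 2 + present, dst, sizeof dst, &got);
}

int main(void)
{
    printf("well-formed (16/16): %d\n", check_sample(16, 16));
    printf("oversized (300/300): %d\n", check_sample(300, 300));
    printf("truncated (40/10):   %d\n", check_sample(40, 10));
    return 0;
}
```

Because the rejection happens in the parser itself, it does not depend on macro security settings or anti-virus scanning, which the newsletter notes run only after the vulnerable step.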



