Andy Lacey
andy at minstersystems.co.uk
Sun Sep 7 11:30:30 CDT 2003
That's heartening :-(

Andy

> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of
> Erwin Craps
> Sent: 07 September 2003 16:16
> To: Discussion of Hardware and Software issues
> Subject: RE: [AccessD] Re: [dba-Tech] Recent MS Security Updates
>
>
> Because it has not been regression tested...
> Erwin
>
> Erwin Craps
> Managing Director
> www.ithelps.be/jonathan
>
> This E-mail is confidential, may be legally privileged, and
> is for the intended recipient only. Access, disclosure,
> copying, distribution, or reliance on any of it by anyone
> else is prohibited and may be a criminal offence. Please
> delete if obtained in error and E-mail confirmation to the sender.
>
> IT Helps - I.T. Help Center *** Box Office Belgium & Luxembourg
> www.ithelps.be * www.boxoffice.be * www.stadleuven.be
> IT Helps bvba* ** Mercatorpad 3 ** 3000 Leuven
> IT Helps * Phone: +32 16 296 404 * Fax: +32 16 296 405
> E-mail: Info at ithelps.be
> Box Office ** Fax: +32 16 296 406 ** Box Office E-mail:
> Staff at boxoffice.be
>
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Andy Lacey
> Sent: Sunday 7 September 2003 14:07
> To: 'Discussion of Hardware and Software issues'
> Subject: RE: [AccessD] Re: [dba-Tech] Recent MS Security Updates
>
>
> Thanks Gustav
> I obviously have to beg MS for the patch. What a PITA! Why
> the hell can't they make it downloadable like the others?
>
> Andy
>
> > -----Original Message-----
> > From: dba-tech-bounces at databaseadvisors.com
> > [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of
> > Gustav Brock
> > Sent: 06 September 2003 16:42
> > To: Discussion of Hardware and Software issues
> > Cc: accessd at databaseadvisors.com
> > Subject: Re: [AccessD] Re: [dba-Tech] Recent MS Security Updates
> >
> >
> > Oops, some cannot see the attachment.
> >
> > I can highly recommend this newsletter.
> >
> > /gustav
> >
> >
> > > I think you have hit same dead end as have Woody in paragraph 8 ...
> >
> > <quote>
> >
> > --==>> WOW -- WOODY's OFFICE WATCH <<==--
> > Microsoft Office advice and news from Woody Leonhard
> > 4 September 2003 Vol 8 No 35
> >
> >
> > Within the past 12 hours, Microsoft released four Security Bulletins
> > for Office products. This is our "rapid response" WOW to the flurry of
> > activity. There are good points, bad points, at least one gotcha, and
> > a host of unanswered questions, but the bottom line is that I
> > recommend you install all the patches, immediately.
> >
> > Please pass this edition of WOW along to your friends, family,
> > co-workers - even that weird guy in the cubicle across from you. It's
> > important. It's complicated, too, as you'll soon see.
> >
> > Anyone can join WOW, it's free and your email address is private. Hop
> > to http://woodyswatch.com/wow/ or send a blank email to
> > wow at woodyswatch.com
> >
> >
> > 1. What Happened
> > 2. MS03-035 / 824936 / 824934
> > 3. MS03-036 / 824993 / 824938
> > 4. MS03-037 / 822035 / 822036
> > 5. MS03-038 / 826292 / 826293
> > 6. If You Have Office XP
> > 7. If You Have Office 2000
> > 8. If You Have Office 97 and/or Visio 2000
> > 9. The Good Point: One Kudos for Microsoft
> > 10. Keep WOW Alive and Free
> >
> >
> > 1. WHAT HAPPENED
> > Microsoft has just released four security patches: three rated
> > "Important" and one "Critical".
> > I recommend that you install them all
> > right away, but read the specific instructions below first.
> >
> > No matter which version of Office or which Office products you use
> > (including Access), you need to patch your PC. You also need to patch
> > your PC if you have FrontPage 2000 or 2002, Project 2000 or 2002,
> > Publisher 2002, Visio 2000 or 2002, Works 2001, 2002, or 2003, or
> > several of the "MS Business Solutions" products.
> >
> > VBA is a big part of this round of security fixes, and many, many
> > applications run VBA. Folks who own any of the 300 products listed at
> > http://msdn.microsoft.com/vba/companies/company.asp
> > (including AutoCAD, CorelDRAW, WordPerfect, Peachtree, and
> > many more) will undoubtedly be receiving instructions to
> > patch their systems, too. It would be a good idea to wait
> > until the manufacturer contacts you, or to keep an eye on the
> > manufacturer's Web site. The patching instructions for each
> > product may vary a bit. Good luck.
> >
> >
> > In the headings below, I've identified each patch by security bulletin
> > number (MS03-???), and also by the Knowledge Base article number which
> > is used to identify and track the patch. Many of the references you'll
> > see in the press relate to bulletin numbers. But when you go to
> > install a patch, all you'll see is the KB article number. Worse,
> > there's also a Knowledge Base article with a completely different
> > number that gives technical details on the hole and the fix. I
> > listed those KB article numbers at the bottom of each
> > security hole's description. It's a real mess. I hope this
> > kinda cuts through some of the obfuscation.
> >
> >
> > 2. MS03-035 / 824936 / 824934
> > MS03-035: "Flaw in Microsoft Word Could Enable Macros to Run
> > Automatically"
> >
> > Patch for Word 2000: http://woodyswatch.com/kb?824936
> > Patch for Word 2002 (Office XP): http://woodyswatch.com/kb?824934
> >
> > The problem described in MS03-035 affects Word 97, 2000, and
> > 2002 (the version of Word in Office XP). It also affects
> > Works 2001, 2002 and 2003 because they all contain vulnerable
> > versions of Word.
> >
> > At this point, I don't know if it affects Word 2003, but
> > based on the way they handled the other patches (see below),
> > I'll bet Microsoft built the fix into Office 2003 before it
> > released the gold code.
> >
> > There are very few details online about this security hole,
> > although it sounds like the "flipped macro bit" hole that I
> > discussed more than two years ago in WOW 6.30
> > (http://www.woodyswatch.com/office/archtemplate.asp?v6-n30 ).
> > In that earlier exploit, Steven McLeod discovered a way to
> > flip a single bit in a Word document, and have Word bypass
> > macro screening. It led to the first patch of Word 2002.
> >
> > According to MS's Web page, the particular problem in
> > MS03-035 was discovered by Jim Bassett. Jim reports, "I just
> > stumbled on the security hole by accident. A co-worker
> > (non-developer) made a Word template in an unusual way. I
> > noticed that new documents created from this template behaved
> > strangely. I investigated and discovered that when you create
> > a template in a particular manner, derived documents always
> > get past macro security. It happened on all versions of Word
> > including 2003 Beta."
> >
> > Jim reports that he first notified Microsoft in May, so it
> > took four months for this patch to appear.
> >
> > http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
> > http://woodyswatch.com/kb?827653
> >
> >
> > 3. MS03-036 / 824993 / 824938
> > MS03-036: Buffer Overrun in WordPerfect Converter Could Allow
> > Code Execution
> >
> > Patch for Office 2000: http://woodyswatch.com/kb?824993
> > Patch for Office XP: http://woodyswatch.com/kb?824938
> >
> > This is a gaping security hole in the program that Word uses
> > to open WordPerfect-formatted documents. Because Internet
> > Explorer cranks up Word whenever it tries to open a .doc, IE
> > "inherits" the security hole from Word. (A bit ironic,
> > actually, when you think about how many times Outlook has
> > "inherited" security holes from IE and its HTML rendering engine.)
> >
> > It's a traditional buffer overflow problem: the WordPerfect
> > converter doesn't check to make sure that data coming in fits
> > inside the allocated area. As a result, a craftily concocted
> > WordPerfect document can blow away the converter, take over,
> > and start running any program the attacker likes.
> >
> > Microsoft lists the vulnerable programs as Office 97, 2000,
> > and XP, FrontPage 2000 and 2002, Publisher 2000 and 2002, and
> > Works 2001, 2002, and 2003. According to Microsoft, all of
> > those programs automatically install the faulty converter
> > (although I don't understand how the converter would be
> > invoked if Word isn't installed - oh well).
> >
> > No official word on whether it affects Office 2003, but when
> > you install Build 5604 of Office 2003 (the final Office 2003
> > Build is 5612), you get the same "good" Word Converter file
> > mentioned in the Knowledge Base articles. Thus, it's highly
> > likely that Microsoft caught the problem and fixed it before
> > Office 2003 went gold.
> >
> > eEye Digital Security - the folks who have uncovered more
> > than a dozen security holes in Internet Explorer - caught
> > this one, too. They report that it's taken Microsoft four
> > months to plug the hole.
> >
> > http://www.microsoft.com/technet/security/bulletin/MS03-036.asp
> > http://woodyswatch.com/kb?827103
> > http://www.eeye.com/html/Research/Advisories/AD20030903-1.html
> >
> >
> > 4. MS03-037 / 822035 / 822036
> > MS03-037: Flaw in Visual Basic for Applications Could Allow
> > Arbitrary Code Execution
> >
> > Patch for Office 2000: http://woodyswatch.com/kb?822035
> > Patch for Office XP: http://woodyswatch.com/kb?822036
> >
> > This is the biggie. It's rated "critical" because you can get
> > infected by simply replying to or forwarding an infected
> > email message - assuming you use Word as your Email editor.
> >
> > Don't get me started.
> >
> > There's a buffer overflow problem with the VBA Editor (er,
> > the "Visual Basic Design Time Environment Library"). Yeah,
> > you read that right.
> >
> > Here's how it works. Say you open a .doc file with Word. One
> > early part of the process of opening a file involves Word
> > plucking off a bit of the file and handing it to the VBA
> > Editor (actually, handing it to the Visual Basic Design Time
> > Environment Library, VBE.DLL). In effect, to a first
> > approximation, Word asks the VBA Editor if VBA needs to be
> > loaded in order to take care of the file. And Word asks
> > VBE.DLL before it officially "opens" the file.
> >
> > That's when the problem occurs. If Word is tricked into
> > plucking off too much data (which is remarkably easy to do),
> > VBE.DLL gulps down the whole gob of data, chokes, and starts
> > running the data that's passed to it, as if it were a
> > program. If a bad guy jimmies a Word document so the plucked
> > off part is too long, and sticks a malicious program at the
> > point where VBE.DLL chokes and starts running the data as if
> > it were a program, you have a classic buffer overflow attack.
> >
> > A lot of people are confused because they think their macro
> > scanning anti-virus software should handle this sort of
> > problem.
> > In short, it can't (at least, not in the way you
> > usually think of virus checkers working). Why? This initial
> > plucking and feeding to VBE.DLL occurs long before Word even
> > scans the document for macros, much less invokes the security
> > levels you've set, or calls your anti-virus package.
> >
> > That's why WordMail can get clobbered. If you try to reply to
> > or forward a message, WordMail plucks a string off the
> > message and hands it to VBE.DLL, asking VBA if it needs to be
> > loaded. If the string's too long, VBE.DLL can start running
> > whatever program the bad guy stuck at the end of the string.
> > Your anti-virus software will never even see the message.
> >
> > It's a helluva bad problem.
> >
> > As far as I can tell, anything and everything that uses
> > Visual Basic for Applications is vulnerable. As mentioned
> > earlier, that would include all of the 300-plus products made
> > by companies that paid to have VBA included with their
> > software. No doubt Corel and AutoCAD and a couple hundred
> > other vendors are a bit, uh, peeved at this point.
> >
> > Remarkably, Microsoft does NOT list Outlook in the MS03-037
> > Security Bulletin lineup of afflicted products. That must be
> > an oversight. Outlook certainly does use VBA. I bet MS fixes
> > the KB article within minutes of reading this.
> >
> > Although there's no mention of Office 2003 in the Security
> > Bulletin or KB articles, when you install Office 2003 Build
> > 5604 (RTM is Build 5612), you get the "good" updated VBE6.DLL
> > discussed in KB articles 822035 and 822036. Apparently MS
> > fixed this hole before Office 2003 was released to manufacturing.
> >
> > eEye caught this one, too. It took Microsoft four months to
> > patch this hole.
> >
> > http://www.microsoft.com/technet/security/bulletin/MS03-037.asp
> > http://woodyswatch.com/kb?822715
> > http://www.eeye.com/html/Research/Advisories/AD20030903-2.html
> >
> >
> > 5. MS03-038 / 826292 / 826293
> > MS03-038 - Unchecked Buffer in Microsoft Access Snapshot
> > Viewer May Permit Code Execution
> >
> > Patch for Access 2000: http://woodyswatch.com/kb?826292
> > Patch for Access 2002 (Office XP): http://woodyswatch.com/kb?826293
> >
> > This is another buffer overflow bug. (Somebody remind me.
> > Didn't Microsoft perform a month-long security lockdown and
> > code review, specifically aimed at buffer overflows and other
> > common security holes, about a year ago? Hundreds of millions
> > of dollars, if memory serves. Hmmmmm...)
> >
> > The Access Snapshot Viewer is a program that lets you look at
> > a "snapshot" of an Access database. No, I've never used it, either.
> >
> > This particular security hole is susceptible to the same
> > "kill bit" problem that the old Office Web Components bug
> > encountered. I talked about the kill bit cat-and-mouse game
> > in WOW 7.40,
> > http://www.woodyswatch.com/OFFICE/archtemplate.asp?v7-n40 .
> > Basically, even if you download and apply the fix, it's still
> > possible for a really persistent cretin to undo your patch,
> > remotely, operating from a Web site you visit. As far as I
> > know, there aren't any good solutions to kill bit problems.
> > You just have to wait for the next Internet Explorer patch,
> > and apply it.
> >
> > And pray.
> >
> > Microsoft credits Oliver Lavery with finding this hole. I've
> > written to Oliver, and will let you know if he wants to add anything.
> >
> > http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
> > http://woodyswatch.com/kb?827104
> >
> >
> > 6. IF YOU HAVE OFFICE XP
> > I hate to do it, but I'm going to recommend that you go to
> > the Office Update site,
> > http://www.office.microsoft.com/ProductUpdates/default.aspx ,
> > and apply whatever patches Microsoft may have for you.
> >
> > Why? Because there's working "exploit" code already posted on
> > the Web for MS03-036 and MS03-037.
> > It won't be long before
> > somebody with a black hat figures out a way to use it.
> >
> > I've installed the patches on my own Office XP machines, and
> > nothing has fallen over yet. I've combed the newsgroups and
> > haven't heard any wailing or gnashing of teeth - although
> > many folks are skeptical of Office Update. (No, you *can't*
> > get these patches from Windows Update. You have to use Office Update.)
> >
> > If you want to download individual files, heaven help ya!,
> > the Administrative Update page with links to all the Office
> > XP update files is at
> > http://www.microsoft.com/office/ork/xp/journ/oxpupdte.htm .
> > You can also try following the instructions in the KB
> > articles I noted at the end of the discussion for each security hole.
> >
> >
> > 7. IF YOU HAVE OFFICE 2000
> > See the above recommendation for Office XP. The only good way
> > I can figure to get all of the right patches (and there's a
> > bunch of them, especially if you have FrontPage or Publisher)
> > is via Office Update.
> >
> > Office 2000 (and 97) Administrative Updates (which is
> > Microsoft speak for "downloadable
> > patches") are listed at
> > http://www.microsoft.com/office/ork/xp/journ/o2kupdte.htm
> >
> >
> > 8. IF YOU HAVE OFFICE 97 AND/OR VISIO 2000
> > Sez Microsoft: "A supported fix is now available from
> > Microsoft, but it is only intended to correct the problem
> > that is described in this article. Apply it only to computers
> > that are experiencing this specific problem."
> >
> > Of course, Microsoft doesn't provide you with enough
> > information to determine whether or not a specific PC is
> > experiencing the MS03-035 problem, in particular, but it
> > appears to me as if all Office 97 computers are vulnerable to
> > all four threats.
> >
> > Worse, if you wait until the 'specific problem' appears it
> > means you probably have been attacked in some way.
> >
> > Here's "Trustworthy Computing" in action - Microsoft is
> > recommending you do nothing until something bad happens. And
> > people wonder why I don't take Microsoft at face value.
> >
> > For MS03-035: Start at http://woodyswatch.com/kb?827647 and
> > follow the instructions to beg Microsoft for the patch.
> >
> > For MS03-036: Start at http://woodyswatch.com/kb?827656 and beg.
> >
> > For MS03-037: Start at http://woodyswatch.com/kb?822150 and
> > download and apply the generic VBA update.
> >
> > For MS03-038: You need to download the new Access Snapshot
> > Viewer at
> > http://www.microsoft.com/accessdev/articles/snapshot.htm?&gssnb=1
> >
> >
> > WOODY's EMAIL ESSENTIALS - our new, free, newsletter, all
> > about email. WEE will give you news and tips on Outlook
> > Express - yes, finally a place for all those OE users to call
> > home. There'll also be advice on email etiquette, spam
> > prevention, email services and scams. Just click on this
> > link to join using the same email address as this issue of
> > WOW http://woodyswatch.com/email/subscribe.asp?cactus@cactus.dk
> > Or send a blank email to wee at woodyswatch.com
> >
> >
> > 9. THE GOOD POINT: ONE KUDOS FOR MICROSOFT
> > Somebody in Redmond decided, once again, that Office 97
> > applications will be patched, even if Office 97 is, at least
> > theoretically, orphaned.
> >
> > That's the right decision to make, and I want to thank the
> > person or people who made it.
> >
> > It'd sure be nice if we didn't have to beg to get the
> > updates. But at least they're available.
> >
> > Hopefully some sanity will prevail and the patches will be
> > made available without going cap in hand to Microsoft. Well,
> > maybe not sanity so much as self-preservation as waves of
> > unhappy Office 97 / Visio 2000 users call Microsoft support.
> >
> > So far, the patches look stable. Let's all keep our fingers crossed.
> >
> >
> > 10. KEEP WOW ALIVE AND FREE
> > If you like the no-nonsense style you see in this newsletter
> > - the straight scoop, whether Microsoft likes it or not,
> > dished out in a way that won't put you to sleep - get one of my books!
> >
> > "Windows XP All-In-One Desk Reference For Dummies", Hungry Minds
> > http://www.woodyswatch.com/l.asp?0764515489
> >
> > "Special Edition Using Microsoft Office XP" with Ed Bott, Que
> > http://www.woodyswatch.com/l.asp?0789725134
> >
> > "Special Edition Using Microsoft Office 2000" with Ed Bott, Que
> > http://www.woodyswatch.com/l.asp?0789718421
> >
> > "Woody Leonhard Teaches Office 2000", Que
> > http://www.woodyswatch.com/l.asp?0789718715
> >
> >
> > </quote>
> >
> > _______________________________________________
> > dba-Tech mailing list
> > dba-Tech at databaseadvisors.com
> > http://databaseadvisors.com/mailman/listinfo/dba-tech
> > Website: http://www.databaseadvisors.com
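
The quoted newsletter describes MS03-036 and MS03-037 as data taken from a file and never checked against the allocated area. The C below is an added example, not part of the original post and not Microsoft's code, showing that pattern beside a checked version. The record layout (2-byte length prefix), `FIELD_CAP` and all function names are constructed for illustration; the page does not describe the real file formats.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_CAP 32  /* capacity of the receiving buffer (constructed value) */

enum field_status { FIELD_OK, FIELD_TRUNCATED, FIELD_TOO_LONG };

/* Constructed record layout: 2-byte little-endian length, then the data. */

/* The pattern described above: the length stored in the file is trusted.
 * Kept for contrast only; nothing in this example calls it. */
void copy_field_unchecked(char *dst, const uint8_t *rec)
{
    size_t len = (size_t)rec[0] | ((size_t)rec[1] << 8);
    memcpy(dst, rec + 2, len);            /* len can exceed FIELD_CAP */
}

/* Hardened form: validate the declared length against both the bytes that
 * are really present and the destination capacity before copying. */
enum field_status copy_field_checked(char dst[FIELD_CAP + 1],
                                     const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 2)
        return FIELD_TRUNCATED;           /* no complete length prefix */
    size_t len = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (len > rec_len - 2)
        return FIELD_TRUNCATED;           /* claims more data than is present */
    if (len > FIELD_CAP)
        return FIELD_TOO_LONG;            /* would overrun dst */
    memcpy(dst, rec + 2, len);
    dst[len] = '\0';
    return FIELD_OK;
}

/* Constructed sample: a well-formed 5-byte field. */
enum field_status demo_well_formed(char dst[FIELD_CAP + 1])
{
    static const uint8_t rec[] = { 5, 0, 'H', 'e', 'l', 'l', 'o' };
    return copy_field_checked(dst, rec, sizeof rec);
}

/* Constructed sample: 40 bytes present, eight more than dst can hold. */
enum field_status demo_oversized(char dst[FIELD_CAP + 1])
{
    uint8_t rec[2 + 40] = { 40, 0 };
    memset(rec + 2, 'A', 40);
    return copy_field_checked(dst, rec, sizeof rec);
}

/* Constructed sample: length prefix claims 256 bytes, only 1 follows. */
enum field_status demo_lying_length(char dst[FIELD_CAP + 1])
{
    static const uint8_t rec[] = { 0x00, 0x01, 'A' };
    return copy_field_checked(dst, rec, sizeof rec);
}

int main(void)
{
    char dst[FIELD_CAP + 1];
    printf("well-formed: %d\n", (int)demo_well_formed(dst));
    printf("oversized:   %d\n", (int)demo_oversized(dst));
    printf("lying len:   %d\n", (int)demo_lying_length(dst));
    return 0;
}
```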