[AccessD] Re: [dba-Tech] Recent MS Security Updates

Erwin Craps Erwin.Craps at ithelps.be
Mon Sep 8 00:39:46 CDT 2003


I know, I know

And I find myself calling more and more to get these fixes out of
necessity...
About a year ago I ignored those fixes.


 

Erwin Craps

Managing Director

www.ithelps.be/jonathan

 

This E-mail is confidential, may be legally privileged, and is for the
intended recipient only. Access, disclosure, copying, distribution, or
reliance on any of it by anyone else is prohibited and may be a criminal
offence. Please delete if obtained in error and E-mail confirmation to
the sender.

IT Helps - I.T. Help Center  ***  Box Office Belgium & Luxembourg

www.ithelps.be  *  www.boxoffice.be  *  www.stadleuven.be

IT Helps bvba* ** Mercatorpad 3 **  3000 Leuven

IT Helps  *  Phone: +32 16 296 404  *  Fax: +32 16 296 405 E-mail:
Info at ithelps.be 

Box Office **  Fax: +32 16 296 406 **  Box Office E-mail:
Staff at boxoffice.be



-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Andy Lacey
Sent: Sunday 7 September 2003 18:31
To: 'Discussion of Hardware and Software issues'
Subject: RE: [AccessD] Re: [dba-Tech] Recent MS Security Updates


That's heartening :-(

Andy

> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of 
> Erwin Craps
> Sent: 07 September 2003 16:16
> To: Discussion of Hardware and Software issues
> Subject: RE: [AccessD] Re: [dba-Tech] Recent MS Security Updates
> 
> 
> Because it has not been regression tested...
> Erwin
> 
>  
> 
> 
> 
> 
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Andy Lacey
> Sent: Sunday 7 September 2003 14:07
> To: 'Discussion of Hardware and Software issues'
> Subject: RE: [AccessD] Re: [dba-Tech] Recent MS Security Updates
> 
> 
> Thanks Gustav
> I obviously have to beg MS for the patch. What a PITA! Why
> the hell can't they make it downloadable like the others?
> 
> Andy
> 
> > -----Original Message-----
> > From: dba-tech-bounces at databaseadvisors.com
> > [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Gustav 
> > Brock
> > Sent: 06 September 2003 16:42
> > To: Discussion of Hardware and Software issues
> > Cc: accessd at databaseadvisors.com
> > Subject: Re: [AccessD] Re: [dba-Tech] Recent MS Security Updates
> > 
> > 
> > Oops, some cannot see the attachment.
> > 
> > I can highly recommend this newsletter.
> > 
> > /gustav
> > 
> > 
> > > I think you have hit same dead end as have Woody in paragraph 8 ...
> > 
> > <quote>
> > 
> >          --==>> WOW -- WOODY's OFFICE WATCH <<==--
> >     Microsoft Office advice and news from Woody Leonhard
> >                 4 September 2003        Vol 8 No 35
> > 
> > 
> > Within the past 12 hours, Microsoft released four Security Bulletins
> > for Office products. This is our "rapid response" WOW to the flurry of
> > activity. There are good points, bad points, at least one gotcha, and
> > a host of unanswered questions, but the bottom line is that I
> > recommend you install all the patches, immediately.
> > 
> > Please pass this edition of WOW along to your friends, family,
> > co-workers - even that weird guy in the cubicle across from you. It's
> > important. It's complicated, too, as you'll soon see.
> > 
> > Anyone can join WOW, it's free and your email address is private.  Hop
> > to http://woodyswatch.com/wow/  or send a blank email to
> > wow at woodyswatch.com
> > 
> > 
> > 1. What Happened
> > 2. MS03-035 / 824936 / 824934
> > 3. MS03-036 / 824993 / 824938
> > 4. MS03-037 / 822035 / 822036
> > 5. MS03-038 / 826292 / 826293
> > 6. If You Have Office XP
> > 7. If You Have Office 2000
> > 8. If You Have Office 97 and/or Visio 2000
> > 9. The Good Point: One Kudos for Microsoft
> > 10. Keep WOW Alive and Free
> > 
> > 
> > 1. WHAT HAPPENED
> > Microsoft has just released four security patches: three rated
> > "Important" and one "Critical". I recommend that you install them all
> > right away, but read the specific instructions below first.
> > 
> > No matter which version of Office or which Office products you use
> > (including Access), you need to patch your PC. You also need to patch
> > your PC if you have FrontPage 2000 or 2002, Project 2000 or 2002,
> > Publisher 2002, Visio 2000 or 2002, Works 2001, 2002, or 2003, or
> > several of the "MS Business Solutions" products.
> > 
> > VBA is a big part of this round of security fixes, and many, many
> > applications run VBA. Folks who own any of the 300 products listed at
> > http://msdn.microsoft.com/vba/companies/company.asp
> > (including AutoCAD, CorelDRAW, WordPerfect, Peachtree, and many
> > more) will undoubtedly be receiving instructions to patch their
> > systems, too. It would be a good idea to wait until the manufacturer
> > contacts you, or to keep an eye on the manufacturer's Web site. The
> > patching instructions for each product may vary a bit. Good luck.
> > 
> > 
> > In the headings below, I've identified each patch by security bulletin
> > number (MS03-???), and also by the Knowledge Base article number which
> > is used to identify and track the patch. Many of the references you'll
> > see in the press relate to bulletin numbers. But when you go to
> > install a patch, all you'll see is the KB article number. Worse,
> > there's also a Knowledge Base article with a completely different
> > number that gives technical details on the hole and the fix. I
> > listed those KB article numbers at the bottom of each
> > security hole's description. It's a real mess. I hope this
> > kinda cuts through some of the obfuscation.
> > 
> > 
> > 2. MS03-035 / 824936 / 824934
> > MS03-035: "Flaw in Microsoft Word Could Enable Macros to Run 
> > Automatically"
> > 
> > Patch for Word 2000: http://woodyswatch.com/kb?824936
> > Patch for Word 2002 (Office XP): http://woodyswatch.com/kb?824934
> > 
> > The problem described in MS03-035 affects Word 97, 2000, and 2002
> > (the version of Word in Office XP). It also affects Works 2001, 2002
> > and 2003 because they all contain vulnerable versions of Word.
> > 
> > At this point, I don't know if it affects Word 2003, but based on
> > the way they handled the other patches (see below), I'll bet
> > Microsoft built the fix into Office 2003 before it released the gold
> > code.
> > 
> > There are very few details online about this security hole, although
> > it sounds like the "flipped macro bit" hole that I discussed more
> > than two years ago in WOW 6.30
> > (http://www.woodyswatch.com/office/archtemplate.asp?v6-n30 ). In
> > that earlier exploit, Steven McLeod discovered a way to flip a
> > single bit in a Word document, and have Word bypass macro screening.
> > It led to the first patch of Word 2002.
> > 
> > According to MS's Web page, the particular problem in MS03-035 was
> > discovered by Jim Bassett. Jim reports, "I just stumbled on the
> > security hole by accident. A co-worker (non-developer) made a Word
> > template in an unusual way. I noticed that new documents created
> > from this template behaved strangely. I investigated and discovered
> > that when you create a template in a particular manner, derived
> > documents always get past macro security. It happened on all
> > versions of Word including 2003 Beta."
> > 
> > Jim reports that he first notified Microsoft in May, so it took four
> > months for this patch to appear.
> > 
> > http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
> > http://woodyswatch.com/kb?827653
> > 
> > 
> > 3. MS03-036 / 824993 / 824938
> > MS03-036: Buffer Overrun in WordPerfect Converter Could Allow Code 
> > Execution
> > 
> > Patch for Office 2000: http://woodyswatch.com/kb?824993
> > Patch for Office XP: http://woodyswatch.com/kb?824938
> > 
> > This is a gaping security hole in the program that Word uses to open
> > WordPerfect-formatted documents. Because Internet Explorer cranks up
> > Word whenever it tries to open a .doc, IE "inherits" the security
> > hole from Word. (A bit ironic, actually, when you think about how
> > many times Outlook has "inherited" security holes from IE and its
> > HTML rendering engine.)
> > 
> > It's a traditional buffer overflow problem: the WordPerfect
> > converter doesn't check to make sure that data coming in fits inside
> > the allocated area. As a result, a craftily concocted WordPerfect
> > document can blow away the converter, take over, and start running
> > any program the attacker likes.
> > 
> > Microsoft lists the vulnerable programs as Office 97, 2000, and XP,
> > FrontPage 2000 and 2002, Publisher 2000 and 2002, and Works 2001,
> > 2002, and 2003. According to Microsoft, all of those programs
> > automatically install the faulty converter (although I don't
> > understand how the converter would be invoked if Word isn't
> > installed - oh well).
> > 
> > No official word on whether it affects Office 2003, but when you
> > install Build 5604 of Office 2003 (the final Office 2003 Build is
> > 5612), you get the same "good" Word Converter file mentioned in the
> > Knowledge Base articles. Thus, it's highly likely that Microsoft
> > caught the problem and fixed it before Office 2003 went gold.
> > 
> > eEye Digital Security - the folks who have uncovered more than a
> > dozen security holes in Internet Explorer - caught this one, too.
> > They report that it's taken Microsoft four months to plug the hole.
> > 
> > http://www.microsoft.com/technet/security/bulletin/MS03-036.asp
> > http://woodyswatch.com/kb?827103 
> > http://www.eeye.com/html/Research/Advisories/AD20030903-1.html
> > 
> > 
> > 4. MS03-037 / 822035 / 822036
> > MS03-037: Flaw in Visual Basic for Applications Could Allow 
> > Arbitrary Code Execution
> > 
> > Patch for Office 2000: http://woodyswatch.com/kb?822035
> > Patch for Office XP: http://woodyswatch.com/kb?822036
> > 
> > This is the biggie. It's rated "critical" because you can get
> > infected by simply replying to or forwarding an infected email
> > message - assuming you use Word as your Email editor.
> > 
> > Don't get me started.
> > 
> > There's a buffer overflow problem with the VBA Editor (er, the
> > "Visual Basic Design Time Environment Library"). Yeah, you read that
> > right.
> > 
> > Here's how it works. Say you open a .doc file with Word. One early
> > part of the process of opening a file involves Word plucking off a
> > bit of the file and handing it to the VBA Editor (actually, handing
> > it to the Visual Basic Design Time Environment Library, VBE.DLL). In
> > effect, to a first approximation, Word asks the VBA Editor if VBA
> > needs to be loaded in order to take care of the file. And Word asks
> > VBE.DLL before it officially "opens" the file.
> > 
> > That's when the problem occurs. If Word is tricked into plucking off
> > too much data (which is remarkably easy to do), VBE.DLL gulps down
> > the whole gob of data, chokes, and starts running the data that's
> > passed to it, as if it were a program. If a bad guy jimmies a Word
> > document so the plucked off part is too long, and sticks a malicious
> > program at the point where VBE.DLL chokes and starts running the
> > data as if it were a program, you have a classic buffer overflow
> > attack.
> > 
> > A lot of people are confused because they think their macro scanning
> > anti-virus software should handle this sort of problem. In short, it
> > can't (at least, not in the way you usually think of virus checkers
> > working). Why? This initial plucking and feeding to VBE.DLL occurs
> > long before Word even scans the document for macros, much less
> > invokes the security levels you've set, or calls your anti-virus
> > package.
> > 
> > That's why WordMail can get clobbered. If you try to reply to or 
> > forward a message, WordMail plucks a string off the message and 
> > hands it to VBE.DLL, asking VBA if it needs to be loaded. If the 
> > string's too long, VBE.DLL can start running whatever program the 
> > bad guy stuck at the end of the string. Your anti-virus software 
> > will never even see the message.
> > 
> > It's a helluva bad problem.
> > 
> > As far as I can tell, anything and everything that uses Visual Basic
> > for Applications is vulnerable. As mentioned earlier, that would
> > include all of the 300-plus products made by companies that paid to
> > have VBA included with their software. No doubt Corel and AutoCAD
> > and a couple hundred other vendors are a bit, uh, peeved at this
> > point.
> > 
> > Remarkably, Microsoft does NOT list Outlook in the MS03-037 Security
> > Bulletin lineup of afflicted products. That must be an oversight.
> > Outlook certainly does use VBA. I bet MS fixes the KB article within
> > minutes of reading this.
> > 
> > Although there's no mention of Office 2003 in the Security Bulletin 
> > or KB articles, when you install Office 2003 Build 5604 (RTM is 
> > Build 5612), you get the "good" updated VBE6.DLL discussed in KB 
> > articles 822035 and 822036. Apparently MS fixed this hole before 
> > Office 2003 was released to manufacturing.
> > 
> > eEye caught this one, too. It took Microsoft four months to patch 
> > this hole.
> > 
> > http://www.microsoft.com/technet/security/bulletin/MS03-037.asp
> > http://woodyswatch.com/kb?822715 
> > http://www.eeye.com/html/Research/Advisories/AD20030903-2.html
> > 
> > 
> > 5. MS03-038 / 826292 / 826293
> > MS03-038 - Unchecked Buffer in Microsoft Access Snapshot Viewer May 
> > Permit Code Execution
> > 
> > Patch for Access 2000: http://woodyswatch.com/kb?826292
> > Patch for Access 2002 (Office XP): http://woodyswatch.com/kb?826293
> > 
> > This is another buffer overflow bug. (Somebody remind me. Didn't 
> > Microsoft perform a month-long security lockdown and code review, 
> > specifically aimed at buffer overflows and other common security 
> > holes, about a year ago? Hundreds of millions of dollars, if memory 
> > serves. Hmmmmm...)
> > 
> > The Access Snapshot Viewer is a program that lets you look at a 
> > "snapshot" of an Access database. No, I've never used it, either.
> > 
> > This particular security hole is susceptible to the same "kill bit"
> > problem that the old Office Web Components bug encountered. I talked
> > about the kill bit cat-and-mouse game in WOW 7.40,
> > http://www.woodyswatch.com/OFFICE/archtemplate.asp?v7-n40 .
> > Basically, even if you download and apply the fix, it's still
> > possible for a really persistent cretin to undo your patch,
> > remotely, operating from a Web site you visit. As far as I
> > know, there aren't any good solutions to kill bit problems.
> > You just have to wait for the next Internet Explorer patch,
> > and apply it.
> > 
> > And pray.
> > 
> > Microsoft credits Oliver Lavery with finding this hole. I've written
> > to Oliver, and will let you know if he wants to add anything.
> > 
> > http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
> > http://woodyswatch.com/kb?827104
> > 
> > 
> > 6. IF YOU HAVE OFFICE XP
> > I hate to do it, but I'm going to recommend that you go to the 
> > Office Update site, 
> > http://www.office.microsoft.com/ProductUpdates/default.aspx , and 
> > apply whatever patches Microsoft may have for you.
> > 
> > Why? Because there's working "exploit" code already posted on the
> > Web for MS03-036 and MS03-037. It won't be long before somebody with
> > a black hat figures out a way to use it.
> > 
> > I've installed the patches on my own Office XP machines, and nothing
> > has fallen over yet. I've combed the newsgroups and haven't heard
> > any wailing or gnashing of teeth - although many folks are skeptical
> > of Office Update. (No, you *can't* get these patches from Windows
> > Update. You have to use Office Update.)
> > 
> > If you want to download individual files, heaven help ya!, the
> > Administrative Update page with links to all the Office XP update
> > files is at
> > http://www.microsoft.com/office/ork/xp/journ/oxpupdte.htm . You can
> > also try following the instructions in the KB articles I noted at
> > the end of the discussion for each security hole.
> > 
> > 
> > 7. IF YOU HAVE OFFICE 2000
> > See the above recommendation for Office XP. The only good way I can
> > figure to get all of the right patches (and there's a bunch of them,
> > especially if you have FrontPage or Publisher) is via Office Update.
> > 
> > Office 2000 (and 97) Administrative Updates (which is Microsoft
> > speak for "downloadable patches") are listed at
> > http://www.microsoft.com/office/ork/xp/journ/o2kupdte.htm
> > 
> > 
> > 8. IF YOU HAVE OFFICE 97 AND/OR VISIO 2000
> > Sez Microsoft: "A supported fix is now available from Microsoft, but
> > it is only intended to correct the problem that is described in this
> > article. Apply it only to computers that are experiencing this
> > specific problem."
> > 
> > Of course, Microsoft doesn't provide you with enough information to
> > determine whether or not a specific PC is experiencing the MS03-035
> > problem, in particular, but it appears to me as if all Office 97
> > computers are vulnerable to all four threats.
> > 
> > Worse, if you wait until the 'specific problem' appears it means you
> > probably have been attacked in some way.
> > 
> > Here's "Trustworthy Computing" in action - Microsoft is recommending
> > you do nothing until something bad happens.  And people wonder why I
> > don't take Microsoft at face value.
> > 
> > For MS03-035: Start at http://woodyswatch.com/kb?827647 and follow
> > the instructions to beg Microsoft for the patch.
> > 
> > For MS03-036: Start at http://woodyswatch.com/kb?827656 and beg.
> > 
> > For MS03-037: Start at http://woodyswatch.com/kb?822150 and download
> > and apply the generic VBA update.
> > 
> > For MS03-038: You need to download the new Access Snapshot Viewer at
> > http://www.microsoft.com/accessdev/articles/snapshot.htm?&gssnb=1
> > 
> > 
> > WOODY's EMAIL ESSENTIALS - our new, free, newsletter, all
> > about email. WEE will give you news and tips on Outlook 
> > Express - yes, finally a place for all those OE users to call 
> > home. There'll also be advice on email etiquette, spam 
> > prevention, email services and scams.  Just click on this 
> > link to join using the same email address as this issue of 
> > WOW http://woodyswatch.com/email/subscribe.asp?cactus@cactus.dk
> > Or send a blank email to wee at woodyswatch.com
> > 
> > 
> > 9. THE GOOD POINT: ONE KUDOS FOR MICROSOFT
> > Somebody in Redmond decided, once again, that Office 97
> > applications will be patched, even if Office 97 is, at least 
> > theoretically, orphaned.
> > 
> > That's the right decision to make, and I want to thank the
> > person or people who made it.
> > 
> > It'd sure be nice if we didn't have to beg to get the
> > updates. But at least they're available.
> > 
> > Hopefully some sanity will prevail and the patches will be
> > made available without going cap in hand to Microsoft.  Well,
> > maybe not sanity so much as self-preservation as waves of
> > unhappy Office 97 / Visio 2000 users call Microsoft support.
> > 
> > So far, the patches look stable. Let's all keep our fingers crossed.
> > 
> > 
> > 10. KEEP WOW ALIVE AND FREE
> > If you like the no-nonsense style you see in this newsletter
> > - the straight scoop, whether Microsoft likes it or not,
> > dished out in a way that won't put you to sleep - get one
> > of my books!
> > 
> > "Windows XP All-In-One Desk Reference For Dummies", Hungry Minds
> >      http://www.woodyswatch.com/l.asp?0764515489
> > 
> > "Special Edition Using Microsoft Office XP" with Ed Bott, Que
> >      http://www.woodyswatch.com/l.asp?0789725134
> > 
> > "Special Edition Using Microsoft Office 2000" with Ed Bott, Que
> >      http://www.woodyswatch.com/l.asp?0789718421
> > 
> > "Woody Leonhard Teaches Office 2000", Que
> >      http://www.woodyswatch.com/l.asp?0789718715
> > 
> > 
> > </quote>
> > 
> > _______________________________________________
> > dba-Tech mailing list
> > dba-Tech at databaseadvisors.com
> > http://databaseadvisors.com/mailman/listinfo/dba-tech
> > 
> > Website: http://www.databaseadvisors.com
> > 
> > 
> 
> 
> 


_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com
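
An added illustration, not part of the thread or of the quoted newsletter: the newsletter's descriptions of MS03-036 and MS03-037 both come down to a length taken from the document being trusted when data is copied into a fixed-size area. The record layout (2-byte little-endian length followed by payload), the function and all sample bytes are hypothetical and constructed for this example; they are not the real Word, converter or VBE.DLL formats.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record: [2-byte little-endian length N][N payload bytes].
 * N comes from the document, so it is controlled by whoever wrote the file. */
enum field_status { FIELD_OK = 0, FIELD_TRUNCATED = -1, FIELD_TOO_LONG = -2 };

/* Copy the payload found at doc[off] into out[0..out_cap).
 * On success returns FIELD_OK and sets *out_len; on any failure nothing
 * is written to out. */
int extract_field(const uint8_t *doc, size_t doc_len, size_t off,
                  uint8_t *out, size_t out_cap, size_t *out_len)
{
    /* The 2-byte length header itself must lie inside the document. */
    if (off > doc_len || doc_len - off < 2)
        return FIELD_TRUNCATED;

    size_t declared = (size_t)doc[off] | ((size_t)doc[off + 1] << 8);
    size_t avail = doc_len - off - 2;

    /* Check 1: the declared length must not run past the end of the input,
     * otherwise the copy would read memory beyond the document. */
    if (declared > avail)
        return FIELD_TRUNCATED;

    /* Check 2: the declared length must fit the destination. Leaving this
     * out is what turns an oversized field into a buffer overflow. */
    if (declared > out_cap)
        return FIELD_TOO_LONG;

    memcpy(out, doc + off + 2, declared);
    *out_len = declared;
    return FIELD_OK;
}

/* Constructed sample inputs. */
static const uint8_t sample_ok[]    = { 0x03, 0x00, 'V', 'B', 'A' };
static const uint8_t sample_short[] = { 0x10, 0x00, 'V', 'B', 'A' }; /* claims 16, holds 3 */
static const uint8_t sample_long[2 + 256] = { 0x00, 0x01 };          /* claims 256, holds 256 */

int main(void)
{
    uint8_t out[8];   /* fixed-size destination, as in the newsletter's account */
    size_t n = 0;

    printf("well-formed field : %d\n",
           extract_field(sample_ok, sizeof sample_ok, 0, out, sizeof out, &n));
    printf("length past input : %d\n",
           extract_field(sample_short, sizeof sample_short, 0, out, sizeof out, &n));
    printf("length past buffer: %d\n",
           extract_field(sample_long, sizeof sample_long, 0, out, sizeof out, &n));
    return 0;
}
```
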

