Selected Summary of CERT Advisories and Incidents Related to Microsoft Windows Operating System
Period Covered: January 1, 2003 - August 18, 2003
1. W32/Sobig.F Worm
On August 18, the CERT/CC began receiving a large volume of
reports of a mass-mailing worm, referred to as W32/Sobig.F,
spreading on the Internet. The W32/Sobig.F worm is an e-mail-borne
malicious program with a specially crafted attachment that has a
.pif extension. The W32/Sobig.F worm requires a user to execute
the attachment, either manually or by using an e-mail client that
will open the attachment automatically. The CERT/CC has released
an Incident Note on the W32/Sobig.F worm.
CERT Incident Note IN-2003-03
W32/Sobig.F Worm
http://www.cert.org/incident_notes/IN-2003-03.html
2. Exploitation of Vulnerabilities in Microsoft RPC Interface
In late July, the CERT/CC began receiving reports of widespread
scanning and exploitation of two recently discovered
vulnerabilities in the Microsoft Remote Procedure Call (RPC)
interface. The CERT/CC had released an advisory and a Vulnerability
Note describing these vulnerabilities approximately two weeks
prior to the reports of exploitation.
CERT Advisory CA-2003-19
Exploitation of Vulnerabilities in Microsoft RPC Interface
http://www.cert.org/advisories/CA-2003-19.html
CERT Advisory CA-2003-16
Buffer Overflow in Microsoft RPC
http://www.cert.org/advisories/CA-2003-16.html
Vulnerability Note VU#568148
Microsoft Windows RPC vulnerable to buffer overflow
http://www.kb.cert.org/vuls/id/568148
a. W32/Blaster Worm
Shortly after we released multiple documents describing Microsoft
RPC vulnerabilities, we began receiving reports of widespread
activity related to a new piece of malicious code known as
W32/Blaster. The W32/Blaster worm exploits a vulnerability in the
Microsoft DCOM RPC interface. On August 11, the CERT/CC released
an advisory on W32/Blaster. We also released step-by-step recovery
tips for W32/Blaster.
CERT Advisory CA-2003-20
W32/Blaster Worm
http://www.cert.org/advisories/CA-2003-20.html
W32/Blaster Recovery tips
http://www.cert.org/tech_tips/w32_blaster.html
b. W32/Welchia
Additionally, a worm was reported that attempted to exploit the
same vulnerability as W32/Blaster. This worm, known alternately as
'W32/Welchia', 'W32/Nachi', or 'WORM_MS_BLAST.D', has been
reported to kill and remove the msblast.exe artifact left behind
by W32/Blaster, perform ICMP scanning to identify systems to
target for exploitation, apply the patch from Microsoft (described
in MS03-026), and reboot the system. The greatest impact of this
worm appears to be the potential for denial-of-service conditions
within an organization due to high levels of ICMP traffic.
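The ICMP sweep described above is something a network team can spot in its own flow or firewall logs. The following is an added example, not part of the CERT summary: it parses constructed log lines of an assumed format and flags any source that sends echo requests to an unusually large number of distinct hosts within one minute. The log format, the threshold of 64 hosts per minute and the sample addresses are all assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Assumed log line format (constructed for this example):
#   "<ISO timestamp> ICMP <src> -> <dst> type=<icmp type>"
LINE_RE = re.compile(r"^(\S+) ICMP (\S+) -> (\S+) type=(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, icmp_type) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, icmp_type = m.groups()
    return ts, src, dst, int(icmp_type)


def echo_fanout(lines):
    """Map (src, minute) -> set of destinations that received echo requests (type 8)."""
    buckets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 8:      # ignore junk and echo replies (type 0)
            continue
        ts, src, dst, _ = rec
        buckets[(src, ts[:16])].add(dst)    # ts[:16] is "YYYY-MM-DDTHH:MM"
    return buckets


def find_scanners(lines, threshold=64):
    """Return {src: peak distinct hosts pinged in one minute} for sources over threshold."""
    hits = {}
    for (src, _minute), dsts in echo_fanout(lines).items():
        if len(dsts) >= threshold:
            hits[src] = max(hits.get(src, 0), len(dsts))
    return hits


def build_sample_log():
    """Constructed sample: one host sweeping 200 addresses in a minute, one host pinging normally."""
    lines = [f"2003-08-18T10:00:{i % 60:02d} ICMP 10.0.0.5 -> 10.0.1.{i} type=8" for i in range(200)]
    lines += [
        "2003-08-18T10:00:01 ICMP 10.0.0.9 -> 10.0.0.1 type=8",
        "2003-08-18T10:00:01 ICMP 10.0.0.1 -> 10.0.0.9 type=0",
        "2003-08-18T10:00:30 ICMP 10.0.0.9 -> 10.0.0.1 type=8",
        "this line is not an ICMP record",
    ]
    return lines


if __name__ == "__main__":
    for src, peak in find_scanners(build_sample_log()).items():
        print(f"possible ICMP sweep from {src}: {peak} distinct hosts in one minute")
```

Hosts that trip this check are candidates for isolation and patching against the MS03-026 issue, since both W32/Blaster and W32/Welchia target the same vulnerability.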
3. Vulnerabilities in Microsoft Windows Libraries and Internet Explorer
During this quarter, there were a number of vulnerabilities reported
in Microsoft Windows Libraries and within Internet Explorer. Below is
a summary of those vulnerabilities.
a. Buffer Overflow in Microsoft Windows HTML Conversion Library
A buffer overflow vulnerability exists in a shared HTML conversion
library included in Microsoft Windows. An attacker could exploit
this vulnerability to execute arbitrary code or cause a denial of
service. On July 14, the CERT/CC issued an advisory describing
this vulnerability.
CERT Advisory CA-2003-14
Buffer Overflow in Microsoft Windows HTML Conversion Library
http://www.cert.org/advisories/CA-2003-14.html
Vulnerability Note VU#823260
Microsoft Windows HTML conversion library vulnerable to buffer overflow
http://www.kb.cert.org/vuls/id/823260
b. Integer Overflows in Microsoft Windows DirectX MIDI Library
A set of integer overflows exists in a DirectX library included in
Microsoft Windows. An attacker could exploit these vulnerabilities
to execute arbitrary code or to cause a denial of service. On July
25, the CERT/CC issued an advisory describing these
vulnerabilities.
CERT Advisory CA-2003-18
Integer Overflows in Microsoft Windows DirectX MIDI Library
http://www.cert.org/advisories/CA-2003-18.html
Vulnerability Note VU#561284
Microsoft Windows DirectX MIDI library does not adequately validate
Text or Copyright parameters in MIDI files
http://www.kb.cert.org/vuls/id/561284
Vulnerability Note VU#265232
Microsoft Windows DirectX MIDI library does not adequately validate
MThd track values in MIDI files
http://www.kb.cert.org/vuls/id/265232
c. Multiple Vulnerabilities in Microsoft Internet Explorer
Microsoft Internet Explorer (IE) contains multiple
vulnerabilities, the most serious of which could allow a remote
attacker to execute arbitrary code with the privileges of the user
running Internet Explorer. On August 26, the CERT/CC issued an
advisory describing these vulnerabilities.
CERT Advisory CA-2003-22
Multiple Vulnerabilities in Microsoft Internet Explorer
http://www.cert.org/advisories/CA-2003-22.html
Vulnerability Note VU#205148
Microsoft Internet Explorer does not properly evaluate Content-Type
and Content-Disposition headers
http://www.kb.cert.org/vuls/id/205148
Vulnerability Note VU#865940
Microsoft Internet Explorer does not properly evaluate
"application/hta" MIME type referenced by DATA attribute of OBJECT element
http://www.kb.cert.org/vuls/id/865940
Vulnerability Note VU#548964
Microsoft Windows BR549.DLL ActiveX control contains vulnerability
http://www.kb.cert.org/vuls/id/548964
Vulnerability Note VU#813208
Internet Explorer does not properly render an input type tag
http://www.kb.cert.org/vuls/id/813208
Vulnerability Note VU#334928
Microsoft Internet Explorer contains buffer overflow in Type attribute
of OBJECT element on double-byte character set systems
http://www.kb.cert.org/vuls/id/334928
4. Malicious Code Propagation and Antivirus Software Updates
Recent reports to the CERT/CC have highlighted that the speed at which
viruses are spreading is increasing and that users who were
compromised may have been under the incorrect impression that merely
having antivirus software installed was enough to protect them from
all malicious code attacks. On July 14, the CERT/CC issued an Incident
Note describing this trend.
CERT Incident Note IN-2003-01
Malicious Code Propagation and Antivirus Software Updates
http://www.cert.org/incident_notes/IN-2003-01.html
5. Buffer Overflow Vulnerability in Core Windows DLL
A buffer overflow vulnerability exists in ntdll.dll. This
vulnerability may allow a remote attacker to execute arbitrary
code on the victim machine.
An exploit is publicly available for this vulnerability, which
increases the urgency for system administrators to apply a patch.
The CERT/CC strongly encourages sites running Windows to read CERT
Advisory CA-2003-09, examine their systems for signs of compromise,
and apply the appropriate patch as soon as possible.
CERT Advisory CA-2003-09:
Buffer Overflow Vulnerability in Core Windows DLL
http://www.cert.org/advisories/CA-2003-09.html
6. Increased Activity Targeting Windows Shares
Over the past few weeks, the CERT/CC has received an increasing
number of reports of intruder activity involving the exploitation
of Null (i.e., non-existent) or weak Administrator passwords on
Server Message Block (SMB) file shares used on systems running
Windows 2000 or Windows XP. This activity has resulted in the
successful compromise of thousands of systems, with home broadband
users' systems being a prime target. More information on this
activity and the attack tools known to be involved is provided
in CERT Advisory CA-2003-08.
CERT Advisory CA-2003-08:
Increased Activity Targeting Windows Shares
http://www.cert.org/advisories/CA-2003-08.html
7. MS-SQL Server Worm
The CERT/CC has received reports of self-propagating malicious
code that exploits a vulnerability in the Resolution Service of
Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE)
2000. This worm has been referred to as the SQLSlammer,
W32.Slammer, and Sapphire worm. The propagation of this malicious
code has caused varied levels of network degradation across the
Internet and the compromise of vulnerable machines. In January
2003, the CERT/CC issued an advisory describing the SQL Server
Worm.
CERT Advisory CA-2003-04:
MS-SQL Server Worm
http://www.cert.org/advisories/CA-2003-04.html
Administrators of all systems running Microsoft SQL Server 2000
and MSDE 2000 are encouraged to review CA-2002-22 and VU#484891.
For detailed vendor recommendations regarding installing the patch
see the following:
http://www.microsoft.com/technet/security/virus/alerts/slammer.asp
Six months earlier, the CERT/CC issued an advisory describing
several serious vulnerabilities in Microsoft SQL Server that allow
attackers to obtain sensitive information, alter database
contents, and compromise server hosts.
CERT Advisory CA-2002-22:
Multiple Vulnerabilities in Microsoft SQL Server
http://www.cert.org/advisories/CA-2002-22.html
8. Buffer Overflow in Microsoft Windows Shell
A buffer overflow vulnerability exists in the Microsoft Windows
Shell. An attacker can exploit this vulnerability by enticing a
victim to read a malicious email message, visit a malicious web
page, or browse to a folder containing a malicious .MP3 or .WMA
file. The attacker can then execute arbitrary code with the
privileges of the victim.
CERT Advisory CA-2002-37:
Buffer Overflow in Microsoft Windows Shell
http://www.cert.org/advisories/CA-2002-37.html
9. Buffer Overflow in Windows Locator Service
A buffer overflow vulnerability in the Microsoft Windows Locator
service could allow a remote attacker to execute arbitrary code or
cause the Windows Locator service to fail. This service is enabled
and running by default on Windows 2000 domain controllers and
Windows NT 4.0 domain controllers. On January 23, 2003, the
CERT/CC issued an advisory describing the vulnerabilities in
Windows Locator Service and provided patch information.
CERT Advisory CA-2003-03:
Buffer Overflow in Windows Locator Service
http://www.cert.org/advisories/CA-2003-03.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday;
they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org.
Please include in the body of your message: subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including,
but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use
of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent,
trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History