TUCoPS :: Windows :: n-116.txt

Flaw in Microsoft Windows Message Handling through Utility Manager (CIAC N-116)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

Flaw in Microsoft Windows Message Handling through Utility Manager Could 
Enable Privilege Elevation
                     [Microsoft Security Bulletin MS03-025]

July 10, 2003 17:00 GMT                                           Number N-116
______________________________________________________________________________
PROBLEM:       A security vulnerability exists in the way that Utility Manager 
               handles Windows messages because the control that provides the 
               list of accessibility options to the user does not properly 
               validate Windows messages sent to it. It's possible for one 
               process in the interactive desktop to use a specific Windows 
               message to cause the Utility Manager process to execute a 
               callback function at the address of its choice. Because the 
               Utility Manager process runs at higher privileges than the 
               first process, this would provide the first process with a way 
               of exercising those higher privileges. 
SOFTWARE:      Microsoft Windows 2000 
DAMAGE:        An attacker who had the ability to log on to a system 
               interactively could potentially run a program that could send a 
               specially crafted Windows message upon the Utility Manager 
               process, causing it to take any action the attacker specified. 
               This would give the attacker complete control over the system. 
SOLUTION:      Apply patch as stated in Microsoft's security bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The attack cannot be exploited remotely, 
ASSESSMENT:    and the attacker would have to have the ability to 
               interactively log on to the system. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-116.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/
                      default.asp?url=/technet/security/bulletin/MS03-025.asp 
 PATCHES:                                                                     
                     http://microsoft.com/downloads/
                      details.aspx?FamilyId=D415A4AC-E13A-4E8A-BE25-85E7DF686F61
                       &displaylang=en 
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS03-025 *****]

Microsoft Security Bulletin MS03-025 

Flaw in Windows Message Handling through Utility Manager Could 
Enable Privilege Elevation (822679)

Originally posted: July 9, 2003

Summary
Who should read this bulletin: Customers using Microsoft® Windows® 2000 

Impact of vulnerability: Privilege elevation 

Maximum Severity Rating: Important 

Recommendation: Customers should install the patch at the earliest 
opportunity. 

End User Bulletin: An end user version of this bulletin is available at:

http://www.microsoft.com/security/security_bulletins/ms03-025.asp. 

Affected Software: 

* Microsoft Windows 2000 

Not Affected Software:

* Microsoft Windows Me 
* Microsoft Windows NT Server 4.0 
* Microsoft Windows NT Server, Terminal Services Edition 
* Microsoft Windows XP 
* Microsoft Windows Server 2003 

 Technical details

Technical description: 

Microsoft Windows 2000 contains support for Accessibility options within 
the operating system. Accessibility support is a series of assistive 
technologies within Windows that allow users with disabilities to still be 
able to access the functions of the operating system. Accessibility support 
is enabled or disabled through shortcuts built into the operating system, 
or through the Accessibility Utility Manager. Utility Manager is an 
accessibility utility that allows users to check the status of accessibility 
programs (Microsoft Magnifier, Narrator, On–Screen Keyboard) and to start or 
stop them.

There is a flaw in the way that Utility Manager handles Windows messages. 
Windows messages provide a way for interactive processes to react to user 
events (for example, keystrokes or mouse movements) and communicate with 
other interactive processes. A security vulnerability results because the 
control that provides the list of accessibility options to the user does not 
properly validate Windows messages sent to it. It's possible for one process 
in the interactive desktop to use a specific Windows message to cause the 
Utility Manager process to execute a callback function at the address of its 
choice. Because the Utility Manager process runs at higher privileges than 
the first process, this would provide the first process with a way of 
exercising those higher privileges. 

By default, the Utility Manager contains controls that run in the interactive 
desktop with Local System privileges. As a result, an attacker who had the 
ability to log on to a system interactively could potentially run a program 
that could send a specially crafted Windows message upon the Utility Manager 
process, causing it to take any action the attacker specified. This would 
give the attacker complete control over the system. 

The attack cannot be exploited remotely, and the attacker would have to have 
the ability to interactively log on to the system.

Mitigating factors: 

* An attacker would need valid logon credentials to exploit the vulnerability. 
  It could not be exploited remotely. 
* Properly secured servers would be at little risk from this vulnerability. 
  Standard best practices recommend only allowing trusted administrators to log 
  on to such systems interactively; without such privileges, an attacker could 
  not exploit the vulnerability. 

Severity Rating: 	Windows 2000 	Important 

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0350 

Tested Versions: 
Microsoft tested Windows Me, Windows NT Server 4.0, Windows NT Server, 
Terminal Server Edition, Windows 2000, Windows XP, and Windows Server 2003 to 
assess whether they are affected by these vulnerabilities. Previous versions 
are no longer supported, and may or may not be affected by these 
vulnerabilities.

Patch availability

Download locations for this patch 

* Microsoft Windows 2000: 
  http://microsoft.com/downloads/
  details.aspx?FamilyId=D415A4AC-E13A-4E8A-BE25-85E7DF686F61&displaylang=en 

 Additional information about this patch 

Installation platforms: 
The Windows 2000 patch can be installed on systems running Windows 2000 Service 
Pack 3. In addition, the fix for this issue is included in Windows 2000 Service 
Pack 4. 

Inclusion in future service packs:
The fix for this issue is included in Windows 2000 Service Pack 4. 

Reboot needed: Yes 

Patch can be uninstalled: Yes 

Superseded patches: None. 

Verifying patch installation: 

* Windows 2000:
  To verify that the patch has been installed on the machine, confirm that the 
  following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q822679

  To verify the individual files, use the date/time and version information 
  provided in the following registry key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q822679\Filelist 

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in 
“Patch Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

* Security patches are available from the Microsoft Download Center, and can be 
  most easily found by doing a keyword search for "security_patch". 
* Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 

Acknowledgments 

Microsoft thanks Chris Paget of Next Generation Security Software Ltd. for 
reporting this issue to us and working with us to protect customers. 

Support: 

* Microsoft Knowledge Base article 822679 discusses this issue and will be 
  available approximately 24 hours after the release of this bulletin. 
  Knowledge Base articles can be found on the Microsoft Online Support web site. 
* Technical support is available from Microsoft Product Support Services. There 
  is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either express 
or implied, including the warranties of merchantability and fitness for a 
particular purpose. In no event shall Microsoft Corporation or its suppliers be 
liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if Microsoft 
Corporation or its suppliers have been advised of the possibility of such 
damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 

Revisions: 

* V1.0 (July 9, 2003): Bulletin Created. 

[***** End Microsoft Security Bulletin MS03-025 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-106: SGI Websetup/Webmin Security Vulnerability
N-107: PDF readers/viewers Malicious Hyperlinks Vulnerability
N-108: Sun's XSun Program Buffer Overflow Vulnerability
N-109: Microsoft Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution
N-110: Red Hat Updated XFree86 Packages Provide Security and Bug Fixes
N-111: Red Hat Updated unzip Packages Fix Trojan Vulnerability
N-112: Red Hat Updated PHP Packages Fix Bugs
N-113: Sun Buffer Overflow in LDAP Name Service
N-114: Buffer Overrun in Microsoft HTML Converter Could Allow Code Execution
N-115: Buffer Overrun in Microsoft Windows Could Lead to Data Corruption


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH