__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities
[Microsoft Security Bulletin MS03-045]
October 16, 2003 14:00 GMT Number O-009
[REVISED 17 Oct 2003]
[REVISED 30 Oct 2003]
______________________________________________________________________________
PROBLEM: A vulnerability exists because the ListBox control and the
ComboBox control both call a function, which is located in the
User32.dll file, that contains a buffer overrun. The function
does not correctly validate the parameters that are sent to it.
The controls can be made to run arbitrary code in the security
context of the program that contains the control.
SOFTWARE: MS Windows NT Workstation 4.0, Service Pack 6a
MS Windows NT Server 4.0, Service Pack 6a
MS Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
MS Windows 2000, Service Pack 2
MS Windows 2000, Service Pack 3, Service Pack 4
MS Windows XP Gold, Service Pack 1
MS Windows XP 64-bit Edition
MS Windows XP 64-bit Edition Version 2003
MS Windows Server 2003
MS Windows Server 2003 64-bit Edition
DAMAGE: A local attacker who has the ability to log onto a system
interactively could run a program that could send a
specially-crafted Windows message to any applications that have
implemented the ListBox or the ComboBox controls, causing the
application to take any action an attacker specified. This
could give an attacker complete control over the system by
using Utility Manager in Windows 2000 which runs with
Administrator privileges.
SOLUTION: Apply appropriate patches or implement workarounds.
______________________________________________________________________________
VULNERABILITY The risk is MEDIUM. An attacker with a user account could
ASSESSMENT: elevate their privileges to the Administrator level.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-009.shtml
ORIGINAL BULLETIN:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-045.asp
CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0659
ADDITIONAL LINKS: CERT Advisory CA-2003-27
http://www.cert.org/advisories/CA-2003-27.html
______________________________________________________________________________
REVISION HISTORY:
10/17/03 - added link to CERT Advisory CA-2003-27.
10/30/03 - Microsoft released a revised security patch for Windows XP,
to address the problem described in their Knowledge Base Article
#830846 where installation of the previous patch may stop
responding (hang). The revised patch contains version 5.4.1.0 of
Update.exe. Version 5.4.1.0 or later versions of Update.exe no
longer require the Debug Programs user right.
[***** Start Microsoft Security Bulletin MS03-045 *****]
Microsoft Security Bulletin MS03-045
Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code
Execution
(824141)
Issued: October 15, 2003
Version Number: 1.0
Summary
Who Should Read This Document: Customers using Microsoft® Windows®
Impact of Vulnerability: Local Elevation of Privilege
Maximum Severity Rating: Important
Recommendation: Customers should install this security patch at the earliest
opportunity
Patch Replacement: None
Caveats: None
Tested Software and Patch Download Locations:
Affected Software:
* Microsoft Windows NT Workstation 4.0, Service Pack 6a – Download the patch
* Microsoft Windows NT Server 4.0, Service Pack 6a – Download the patch
* Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 –
Download the patch
* Microsoft Windows 2000, Service Pack 2 – Download the patch
* Microsoft Windows 2000 Service Pack 3, Service Pack 4 – Download the patch
* Microsoft Windows XP Gold, Service Pack 1 – Download the patch
* Microsoft Windows XP 64 bit Edition – Download the patch
* Microsoft Windows XP 64 bit Edition Version 2003 – Download the patch
* Microsoft Windows Server 2003 – Download the patch
* Microsoft Windows Server 2003 64 bit Edition – Download the Patch
Non Affected Software:
* Microsoft Windows Millennium Edition
The software listed above has been tested to determine if the versions are affected.
Other versions are no longer supported, and may or may not be affected.
Technical Details
Technical Description:
A vulnerability exists because the ListBox control and the ComboBox control both call
a function, which is located in the User32.dll file, that contains a buffer overrun.
The function does not correctly validate the parameters that are sent from a specially-
crafted Windows message. Windows messages provide a way for interactive processes to
react to user events (for example, keystrokes or mouse movements) and to communicate
with other interactive processes. A security vulnerability exists because the function
that provides the list of accessibility options to the user does not correctly validate
Windows messages that are sent to it. One process in the interactive desktop could use
a specific Windows message to cause the ListBox control or the ComboBox control to
execute arbitrary code. Any program that implements the ListBox control or the ComboBox
control could allow code to be executed at an elevated level of administrative credentials,
as long as the program is running at an elevated level of privileges (for example, Utility
Manager in Windows 2000). This could include third-party applications.
An attacker who had the ability to log on to a system interactively could run a program
that could send a specially-crafted Windows message to any applications that have
implemented the ListBox control or the ComboBox control, causing the application to take
any action an attacker specified. This could give an attacker complete control over the
system by using Utility Manager in Windows 2000.
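The description above comes down to a control trusting the parameters of a message that another process on the same desktop chose. The following is an added example, not code from Microsoft or from this bulletin: a simulated window-message handler in C that validates a sender-declared length and pointer before copying into a fixed-size buffer. The message id, structures and size limit are assumptions made for illustration.

```c
/* Added example, not Microsoft's User32 code: a simulated window-message
 * handler that stores sender-supplied text in a fixed-size list item. The
 * message id, structures and limit are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ITEM_TEXT_MAX   32          /* fixed buffer inside the control (assumed) */
#define MSG_SETITEMTEXT 0x0401u     /* hypothetical message id, not a Win32 value */

typedef struct {
    char text[ITEM_TEXT_MAX];       /* NUL-terminated after every successful set */
} ListItem;
typedef struct {
    uint32_t  msg;
    uintptr_t wParam;               /* sender-declared length of the text */
    uintptr_t lParam;               /* sender-supplied pointer to the text */
} WindowMsg;

/* Length of s, never looking further than limit bytes. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened handler: returns 1 if the text was stored, 0 if the message was
 * rejected and the item left untouched. A handler that used wParam as the
 * copy length, or strcpy'd from lParam, is the bug class the bulletin
 * describes: the sending process decides how many bytes land in the buffer. */
int handle_set_item_text(ListItem *item, const WindowMsg *m)
{
    const char *src;
    size_t len;
    if (item == NULL || m == NULL || m->msg != MSG_SETITEMTEXT)
        return 0;
    if (m->lParam == 0)             /* NULL text pointer is never valid here */
        return 0;
    src = (const char *)m->lParam;
    len = (size_t)m->wParam;
    if (len >= ITEM_TEXT_MAX)       /* must leave room for the terminator */
        return 0;
    len = bounded_len(src, len);    /* stop at an earlier NUL if the sender lied */
    memcpy(item->text, src, len);
    item->text[len] = '\0';
    return 1;
}
```

The declared length only bounds how far the handler reads; the control's own buffer size bounds how much it keeps, and a message that does not fit is rejected rather than truncated silently.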
Mitigating factors:
* An attacker must have valid logon credentials to exploit the vulnerability. The
vulnerability could not be exploited remotely.
* Properly-secured systems are at little risk from this vulnerability. Standard best
practices recommend only allowing trusted users to log on to systems interactively.
* Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 are affected by this
vulnerability in the ListBox control and in the ComboBox control. However, in Windows
XP and in Windows Server 2003, Utility Manager runs under the context of the logged-on
user and does not allow for elevation of privileges. Windows NT 4.0 does not implement
Utility Manager.
Severity Rating:
Microsoft Windows NT 4.0 Low
Microsoft Windows NT Server 4.0, Terminal Server Edition Low
Microsoft Windows 2000 Important
Microsoft Windows XP Low
Microsoft Windows Server 2003 Low
The above assessment is based on the types of systems that are affected by the
vulnerability, their typical deployment patterns, and the effect that exploiting the
vulnerability would have on them.
Vulnerability identifier: CAN-2003-0659
Workarounds
Microsoft has tested the following workarounds. These workarounds will not correct the
underlying vulnerability; however, they help block known attack vectors. Workarounds may
cause a reduction in functionality in some cases - in such situations this is identified
below.
* Disable the Utility Manager on all affected systems that do not need this feature
through software policies
Since the Utility Manager Service is a possible attack vector, it can be disabled using
software restriction policies within Active Directory or within the Local Security Policy.
The Utility Manager process name is utilman.exe. You may use the following software
restriction policy guides to help prevent users from accessing this file:
* Using Software Restriction Policies to Protect Against Unauthorized Software
* HOW TO: Use Software Restriction Policies in Windows Server 2003 (324036)
* Protect Your System from Viruses (Using Software Restriction Policies)
* To create new software restriction policies
Impact of Vulnerability:
The Utility Manager Service provides many of the accessibility features of the operating
system. These would be unavailable until the restrictions are removed.
Security Patch Information
Installation platforms and Prerequisites:
For information about the specific security patch for your platform, click the appropriate
link:
* Windows Server 2003 (all versions)
* Windows XP (all versions)
* Windows 2000 (all versions)
* Windows NT 4.0 (all versions)
Acknowledgments
Microsoft thanks the following for working with us to protect customers:
* Brett Moore of Security-Assessment.com for reporting the issue in MS03-045.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
* Security patches are available from the Microsoft Download Center, and can be most
easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web site
Support:
* Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY.
There is no charge for support calls associated with security patches.
Security Resources:
* The Microsoft TechNet Security Web Site provides additional information about security in
Microsoft products.
* Microsoft Software Update Services: http://www.microsoft.com/sus/
* Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa.
Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of
security patches that have detection limitations with MBSA tool.
* Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
* Windows Update: http://windowsupdate.microsoft.com
* Office Update: http://office.microsoft.com/officeupdate/
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular purpose. In no
event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation may not
apply.
Revisions:
* V1.0 (October 15, 2003): Bulletin published.
[***** End Microsoft Security Bulletin MS03-045 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-158: CERT/CC Vulnerability Note Portable OpenSSH server PAM
N-159: OpenSSL Security Advisory vulnerabilities in ASN.1 parsing
O-001: Sun aspppls(1M) does not create the temporary file /tmp/.asppp.fifo safely
O-002: Microsoft Internet Explorer Cumulative Patch
O-003: HP Potential Security Vulnerability in dtprintinfo
O-004: Microsoft Buffer Overrun in Messenger Service Could Allow Code Execution
O-005: Microsoft Exchange Server Vulnerabilities
O-006: Microsoft Authenticode Verification Vulnerability
O-007: Microsoft Windows Help and Support Center Buffer Overrun Vulnerability
O-008: Microsoft Troubleshooter ActiveX Control Buffer Overflow Vulnerability