A Group Policy Bug Fix; a WebDav Vulnerability; a Critical Scripting Vulnerability; and more

Find out about a GPO vulnerability, a WebDav vulnerability that affects IIS servers, a flaw in Windows Script Engine that could allow code execution, and more.

Paula Sharick

March 31, 2003

4 Min Read

A Group Policy Bug Fix
If you use a Group Policy Object (GPO) to disable browsing in Network Neighborhood or the My Documents folder, users might experience an access violation when they try to open a file. The access violation occurs when a user clicks the Look in field in the Open dialog box to locate a document in a location other than the default one. Last week, Microsoft Product Support Services (PSS) published a fix—a new version of comdlg32.dll with a file release date of March 25. When you call PSS, cite the Microsoft article "You Receive an Access Violation Error Message When You Click the Look In Drop Down Menu of an Open Dialog Box" (http://support.microsoft.com/?kbid=816372) as a reference.

WebDav Vulnerability Affects IIS Servers
If you’re foolish enough to run a Microsoft IIS Web server without first running the IIS Lockdown Tool, this security hotfix is for you. Microsoft Security Bulletin MS03-007 (Unchecked Buffer In Windows Component Could Cause Web Server Compromise) indicates that a smart programmer can leverage a WWW Distributed Authoring and Versioning (WebDav) scripting weakness with potentially disastrous consequences. This vulnerability affects Windows 2000–based IIS servers that you haven't configured with the IIS Lockdown Tool and Web servers on which you haven't installed the URLScan tool. If your Web server isn't protected, a malicious user can send a specially formatted HTML message that crashes the server or runs code with the rights and privileges of the local system account. Because the consequences of this Win2K-specific flaw are severe, the vulnerability has a critical rating. To protect Web servers, you should run the IIS Lockdown Tool, which you can download at http://www.microsoft.com/technet/security/tools/tools/locktool.asp; or, at a minimum, install the URLScan tool, which you can download at http://www.microsoft.com/technet/security/urlscan.asp. Users who don't take advantage of these tools can download and install security hotfix Q815021 at http://microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=c9a38d45-5145-4844-b62e-c69d32ac929b&displaylang=en. This hotfix contains a new version of a core OS component and is only compatible with Win2K Service Pack 3 (SP3). If IIS is running on Win2K SP2 or earlier, this hotfix can corrupt the OS. See the Microsoft article "MS03-007: Unchecked Buffer in Windows Component May Cause Web Server Compromise" (http://support.microsoft.com/?kbid=815021) for information about the circumstances under which you can successfully install this hotfix.
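As an added example (not code from the column or from Microsoft), the following Python script audits a constructed IIS W3C extended log excerpt for the two request classes that URLScan is typically configured to reject: WebDAV verbs and overlong URLs. The verb list and the 16,000-byte URL cap are assumptions chosen for the demonstration, not values taken from the bulletin.

```python
# Constructed IIS W3C extended log excerpt (not from the article). The
# "#Fields:" directive names the columns, the way IIS writes its logs.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2003-03-26 10:01:02 192.0.2.10 GET /default.htm - 200\n"
    "2003-03-26 10:01:05 192.0.2.11 PROPFIND /docs/ - 207\n"
    "2003-03-26 10:01:09 192.0.2.12 SEARCH / - 411\n"
    "2003-03-26 10:01:15 192.0.2.13 GET /" + "A" * 70000 + " - 414\n"
)

# WebDAV request methods (assumed list for this example); a server that does
# not serve WebDAV content should never see these.
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                "LOCK", "UNLOCK", "SEARCH"}

# Assumed request-length cap, in the spirit of URLScan's MaxUrl setting.
MAX_URL = 16000


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record seen before a #Fields directive")
        yield dict(zip(fields, line.split(" ")))


def audit(text):
    """Return (client ip, method, reasons) for every suspicious record."""
    findings = []
    for rec in parse_w3c(text):
        reasons = []
        if rec["cs-method"].upper() in WEBDAV_VERBS:
            reasons.append("webdav-verb")
        if len(rec["cs-uri-stem"]) > MAX_URL:
            reasons.append("overlong-url")
        if reasons:
            findings.append((rec["c-ip"], rec["cs-method"], reasons))
    return findings


if __name__ == "__main__":
    for ip, method, reasons in audit(SAMPLE_LOG):
        print(ip, method, ", ".join(reasons))
```

Run it against a real W3C log to get a quick inventory of which clients are sending WebDAV verbs before you decide whether disabling WebDAV or tightening URLScan will break anything.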

Critical Scripting Vulnerability
Here’s a security flaw that a malicious user can leverage either on a Web server or through an HTML-based email message. Security Bulletin MS03-008 (Flaw in Windows Script Engine Could Allow Code Execution) indicates that by taking advantage of a bug in JScript, a malicious user can run code on the local system by using the credentials of the logged-on user. If the logged-on user is an administrator, the code potentially could have unlimited access to the system and mapped resources. This security vulnerability affects all Microsoft platforms, including Windows XP, Win2K, Windows NT, Windows Me, and Windows 9x. You can download the hotfix for all platforms at the sites specified in the bulletin.

DoS Vulnerability
A bug in how a remote procedure call (RPC) handles malformed messages provides an opportunity for an attacker to implement a Denial of Service (DoS) attack against XP, Win2K, and NT platforms. According to Security Bulletin MS03-010 (Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks), published March 26, a coding error in the RPC endpoint mapper can let a malicious user overwhelm a system with packets directed to a specific service on a specific port. Your systems are vulnerable to this DoS attack when you don't block external access to TCP port 135, which is the port the endpoint mapper listens on for incoming client requests. If you ignore or block traffic on TCP port 135, a malicious user will be unable to exploit this vulnerability. However, this workaround is practical only when network systems are Win2K or later. If you support a legacy environment with NT or Win9x clients and servers, these systems rely heavily on the NetBIOS protocol, which uses TCP port 135. Legacy systems use NetBIOS to browse for network resources and for WINS name resolution. If you disable this port in such an environment, clients won't be able to locate domain controllers (DCs) and shared resources on the network. Because this vulnerability is limited to a DoS attack, the hotfix has a rating of important (not critical); you can easily restore typical operation by rebooting a system that suffers from such an attack. The hotfix contains new versions of three files for Win2K systems: ole32.dll, rpcrt4.dll, and rpcss.dll. All files have a release date of October 25, 2002. The XP version of the hotfix updates only one file, rpcrt4.dll, with a file release date of November 8, 2002. You'll find download links to the RPC security hotfix in the Microsoft article "MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks" (http://support.microsoft.com/?kbid=331953). Microsoft didn't publish an equivalent hotfix for NT systems. Instead, the company recommends you protect NT systems from this exploit by disabling Internet-based access to TCP port 135 on your firewall.
