There is one thing I would like to share about MS03-037 that may help clear up some confusion. It states: "When Microsoft Word is being used as the HTML e-mail editor in Outlook, a user would need to reply to or forward a malicious e-mail document sent to them in order for this vulnerability to be exploited." The reason for this is that Word doesn't really "kick in" until you have taken the email into an editing mode, by opening a reply or forward window. You don't actually have to complete the forward or reply action; simply hitting reply or forward is enough.
So watch out for viruses offering free stuff to the next 20 people that reply :(
Thor Larholm wrote:
I see a trend going on here, Word, Office, Office, Office and Office. I guess Office has been overdue in regards to security bulletins lately :)
MS03-034 (NetBIOS information disclosure) gets a rating of Low, even though Blaster showed us just how many Windows installations run with all ports accessible.
It's surprising that MS03-035 (circumventing Office Macro security) and MS03-036 (BO in WordPerfect Converter) got ratings of Important rather than Critical. I guess the bulletins are waiting for some automatic exploit to surface before revision.
At least MS03-037 (VBA code execution) got a proper Critical rating.
MS03-038 (code execution in Access Snapshot Viewer, an ActiveX control) got a rating of Moderate for webpage based exploits but completely forgets to mention HTML email.
Lots of different ratings and lots of details to consider before system administrators can decide when to apply these patches, but we really want simplicity over complexity. I would still prefer 2 ratings instead of 4, Apply Now or Apply Later - with the latter heading for the bi-weekly patch job. Let's face it, rolling out patches in a big corporation on an almost daily basis is just not very effective or economical.
Which leads to the positive side: it is definitely great to see Microsoft releasing 5 vulnerabilities in a single day, rather than releasing a new one every other day. They must have listened to the feedback from administrators who tired of inefficient and constant patch jobs, and should definitely adhere to this practice in the future. It may be a small step in optimizing the entire patch process, but it's a positive trend.
If there is anything we have learnt in the months behind us, it is that producing patches is the least of our worries in security; getting administrators and end users to actually apply those patches is an entirely different ballgame.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
-----Original Message-----
From: Microsoft [mailto:0_51922_1B06CAE9-7FDB-4EFF-B651-1869EADE5F25_DK@Newsletters.Microsoft.com]
Sent: 3. september 2003 23:46
To: thor@pivx.com
Subject: Microsoft Security Update
-----BEGIN PGP SIGNED MESSAGE-----
THE MICROSOFT SECURITY UPDATE NEWSLETTER
September 3, 2003
The Microsoft Security Update Newsletter for home users and small businesses provides information on security-related updates to Microsoft(R) products, as well as virus alerts and resources for more information on security issues.
You have received this update as a subscriber to the Microsoft Security Update Newsletter. To cancel your subscription, follow the instructions at the bottom of this page. __________________________________________________
SECURITY BULLETIN MS03-034
Security Update for Microsoft Windows
http://go.microsoft.com/?linkid=237617
SEVERITY
Low
WHY WE ARE ISSUING THIS UPDATE
A security issue has been identified in Microsoft Windows(R) that could allow an attacker to see information in your computer's memory over a network. You can help protect your computer by installing this update from Microsoft.
MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Windows NT(R) Server 4.0
Windows NT Server 4.0 Terminal Server Edition
Windows 2000
Windows XP
Windows Server(TM) 2003
__________________________________________________
SECURITY BULLETIN MS03-035
Security Update for Microsoft Word
http://go.microsoft.com/?linkid=237618
SEVERITY
Important
WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Word(R) could allow an attacker to compromise a Microsoft Windows-based system and then take a variety of actions. For example, an attacker could read files on your computer or run programs on it. By installing this update, you can help protect your computer.
MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Word 97, 98(J), 2000, and 2002
Works Suite 2001, 2002, and 2003
__________________________________________________
SECURITY BULLETIN MS03-036
Security Update for Microsoft Office
http://go.microsoft.com/?linkid=237619
SEVERITY
Important
WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Office could allow an attacker to compromise a system using Microsoft Office and then take a variety of actions. For example, an attacker could read files on your computer or run programs on it. By installing this update, you can help protect your computer.
MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Office 97, 2000, and XP
Word 98(J)
FrontPage 2000 and 2002
Publisher 2000 and 2002
Works Suite 2001, 2002, and 2003
__________________________________________________
SECURITY BULLETIN MS03-037
Security Update for Microsoft Visual Basic for Applications
http://go.microsoft.com/?linkid=237620
SEVERITY
Critical
WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Visual Basic(R) for Applications could allow an attacker to compromise a Windows-based system and then take a variety of actions. For example, an attacker could read files on your computer or run programs on it. By installing this update, you can help protect your computer.
MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Visual Basic for Applications SDK 5.0, 6.0, 6.2, and 6.3
Office 97, 2000, and XP
Word 98(J)
Visio 2000 and 2002
Project 2000 and 2002
Publisher 2002
Works Suite 2001, 2002, and 2003
Business Solutions Great Plains 7.5
Business Solutions Dynamics 6.0 and 7.0
Business Solutions eEnterprise 6.0 and 7.0
Business Solutions Solomon 4.5, 5.0, and 5.5
__________________________________________________
SECURITY BULLETIN MS03-038
Security Update for Microsoft Access and Access Snapshot Viewer
http://go.microsoft.com/?linkid=237621
SEVERITY
Moderate
WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Access and the downloadable Access Snapshot Viewer could allow an attacker to compromise a system using Microsoft Office or the Microsoft Access Snapshot Viewer and then take a variety of actions. For example, an attacker could read files on your computer or run programs on it. By installing this update, you can help protect your computer.
MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Access 97, 2000, and 2002
__________________________________________________
<snip rest>