Flaws in ZIPs, Mail Servers and More

MS04-034, "Vulnerability in Compressed (Zipped) Folders Could Allow Remote Code Execution," relies on either a malicious Web site or a malicious ZIP file. I don't think the Web site issue is a big one, but I can see ZIP-based mail worms such as Bagle incorporating this. Once again, SP2 is exempted.

MS04-035, "Vulnerability in SMTP Could Allow Remote Code Execution," affects only Windows Server 2003, Windows XP 64-Bit Edition, and Exchange Server 2003 on Windows 2000 Server. Russ Cooper of TruSecure Corp. thought this would be the most important flaw in the short term, and I can see why. The workarounds listed in the advisory, such as shutting off TCP port 53, don't seem acceptable. If you're running an Exchange Server 2003 system, you need to drop everything and test this patch.

How many sites are running Windows-based NNTP servers, the subject of MS04-036, "Vulnerability in NNTP Could Allow Remote Code Execution"? I really can't believe there are that many, but it's actually more complicated than that. Some versions of Exchange require that NNTP be enabled in order to install. Exchange 2003 then disables it, eliminating this vulnerability, but Exchange 2000 doesn't. So, those admins need to disable NNTP manually or apply the patch. I suspect there aren't enough of these servers out there for attackers to spend a lot of research time on this problem.

MS04-037, "Vulnerability in Windows Shell Could Allow Remote Code Execution," bothers me a lot, but at least it's not an issue on SP2. Will someone explain to me why the Program Group converter, a tool for converting Windows 3.x groups to Windows 9x format, is still present in Windows XP? I really don't understand. The other vulnerability in this advisory, a shell vulnerability, sounds like a "shatter attack" of which I have written in the past. I suspect there are tons of these undetected and we'll hear them continue to dribble out over time.

Finally, the biggie was MS04-038, "Cumulative Security Update for Internet Explorer," affecting almost every version of everything and doing it badly. I recognize some of these problems from recent lists of "unpatched" vulnerabilities, so some of those lists have some housekeeping to do.

This was the only version of relevance to SP2 users for Microsoft's final acknowledgement of the infamous "drag-and-drop bug," which allows a malicious Web page to drop a file into the Startup folder to be launched at logon time. You could make a case that this should be critical, but it doesn't have the stuff of a mass attack. There's a mix of important and unimportant issues here, but the first impression I get is that it's more evidence of how much better off SP2 users are. One patch only, and not a critical one.