Flaws in ZIPs, Mail Servers and More

By Larry Seltzer  |  Posted 2004-10-14

MS04-034, "Vulnerability in Compressed (Zipped) Folders Could Allow Remote Code Execution," relies on either a malicious Web site or a malicious ZIP file. I don't think the Web site issue is a big one, but I can see ZIP-based mail worms such as Bagle incorporating this. Once again, SP2 is exempted.

MS04-035, "Vulnerability in SMTP Could Allow Remote Code Execution," affects only Windows Server 2003, Windows XP 64-Bit Edition, and Exchange Server 2003 on Windows 2000 Server. Russ Cooper of TruSecure Corp. thought this would be the most important flaw in the short term, and I can see why. The workarounds listed in the advisory, such as shutting off TCP port 53, don't seem acceptable. If you're running an Exchange Server 2003 system, you need to drop everything and test this patch.

How many sites are running Windows-based NNTP servers, the subject of MS04-036, "Vulnerability in NNTP Could Allow Remote Code Execution"? I really can't believe there are that many, but it's actually more complicated than that. Some versions of Exchange require that NNTP be enabled in order to install. Exchange 2003 then disables it, eliminating this vulnerability, but Exchange 2000 doesn't. So, those admins need to disable NNTP manually or apply the patch. I suspect there aren't enough of these servers out there for attackers to spend a lot of research time on this problem.

MS04-037, "Vulnerability in Windows Shell Could Allow Remote Code Execution," bothers me a lot, but at least it's not an issue on SP2. Will someone explain to me why the Program Group converter—a tool for converting Windows 3.x groups to Windows 9x format—is still present in Windows XP? I really don't understand. The other vulnerability in this advisory, a shell vulnerability, sounds like a "shatter attack," of which I have written in the past. I suspect there are tons of these undetected, and we'll hear them continue to dribble out over time.

Finally, the biggie was MS04-038, "Cumulative Security Update for Internet Explorer," affecting almost every version of everything and doing it badly. I recognize some of these problems from recent lists of "unpatched" vulnerabilities, so some of those lists have some housekeeping to do.

This was the only version of relevance to SP2 users for Microsoft's final acknowledgement of the infamous "drag-and-drop bug," which allows a malicious Web page to drop a file into the Startup folder to be launched at logon time. You could make a case that this should be critical, but it doesn't have the stuff of a mass attack.

There's a mix of important and unimportant issues here, but the first impression I get is that it's more evidence of how much better off SP2 users are. One patch only, and not a critical one.


Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
