[SECURITY-L] [0_47373_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR at Newsletters.Microsoft.com: Microsoft Security Bulletin MS03-016: Cumulative Patch for BizTalk Server (815206)]

Silvana Mieko Misuta mieko at ccuec.unicamp.br
Mon May 5 09:48:24 -03 2003


----- Forwarded message from Microsoft <0_47373_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR at Newsletters.Microsoft.com> -----

From: "Microsoft" <0_47373_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR at Newsletters.Microsoft.com>
Subject: Microsoft Security Bulletin MS03-016: Cumulative Patch for BizTalk Server (815206)
To: <mieko at ccuec.unicamp.br>
Date: Wed, 30 Apr 2003 23:12:40 -0700
X-Mailer: Microsoft CDO for Windows 2000

-----BEGIN PGP SIGNED MESSAGE-----

--------------------------------------------------------------------
Title:      Cumulative Patch for BizTalk Server (815206)
Date:       30 April 2003
Software:   Microsoft BizTalk Server 2000 & BizTalk Server 2002
Impact:     Two vulnerabilities, the most serious of which could 
            allow an attacker to run code of their choice
Max Risk:   Important
Bulletin:   MS03-016

Microsoft encourages customers to review the Security Bulletins 
at: http://www.microsoft.com/technet/security/bulletin/MS03-016.asp
http://www.microsoft.com/security/security_bulletins/ms03-016.asp
--------------------------------------------------------------------

Issue:
======

Microsoft BizTalk Server is an Enterprise Integration product 
that allows organizations to integrate applications, trading 
partners, and business processes. BizTalk is used in intranet 
environments to transfer business documents between different 
back-end systems as well as extranet environments to exchange 
structured messages with trading partners. This patch addresses 
two newly reported vulnerabilities in BizTalk Server. 

The first vulnerability affects Microsoft BizTalk Server 2002 
only. BizTalk Server 2002 provides the ability to exchange 
documents using the HTTP format. A buffer overrun exists in the 
component used to receive HTTP documents - the HTTP receiver - 
and could result in an attacker being able to execute code of 
their choice on the BizTalk Server. 

The second vulnerability affects both Microsoft BizTalk Server 
2000 and BizTalk Server 2002. BizTalk Server provides the ability 
for administrators to manage documents via a Document Tracking 
and Administration (DTA) web interface. A SQL injection 
vulnerability exists in some of the pages used by DTA that could 
allow an attacker to send a crafted URL query string to a 
legitimate DTA user. If that user were to then navigate to the 
URL sent by the attacker, he or she could execute a malicious 
embedded SQL statement in the query string.

Mitigating Factors:
====================

HTTP Receiver Buffer Overflow 

- The HTTP Receiver is only present in Microsoft BizTalk Server 
2002. BizTalk Server 2000 is not affected by this vulnerability. 

- The HTTP receiver is not enabled by default. HTTP must be 
explicitly enabled as a receive transport during the setup of a 
BizTalk site. 

- If the vulnerability were exploited to run arbitrary code, the 
code would run in the security context of the IIS Server. If the 
IIS Server is running under a user account, the attacker's 
permissions would be limited to those of that user account. 

DTA SQL Injection 

- DTA users by default are not highly privileged SQL users such as 
database owners, since they are only required to be members of 
the "BizTalk Server Report Users" security group in order to use 
the DTA web interface. In this case, a successful attacker's 
permissions on the SQL Server will be restricted.

Risk Rating:
============
Important

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletins at

   http://www.microsoft.com/technet/security/bulletin/ms03-016.asp
   http://www.microsoft.com/security/security_bulletins/ms03-016.asp

   for information on obtaining this patch.

Acknowledgment:
===============
 - Microsoft thanks Cesar Cerrudo for reporting this issue to us 
   and working with us to protect customers.

--------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT 
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING 
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS 
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, 
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL 
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN 
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT 
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL 
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPrAIZo0ZSRQxA/UrAQHfHQf9G5T0C7pz9B4lk6ut16LtIxuzgr/lxIZU
/37CkGyvSK2qmkG+i2qSN7OQ4k6Pdlx2edKbHu+K87Cg1L8izvZ0ZMbZucn3iKnW
P+/3y7iSF7CHCztpZVqQJkp6FDimjzIQeCwwxWMCO2ZeDHGhl0V8d6nki/Us2iCP
Rx3UcvwRaaJpq28qhf2CVXbtw4fBvVNZBFsgMjq5WQOrGwuihtfDOtxt4ZZFk5PT
8bP1z9JkUuk6QvQP6pU5xt/UL+aihCVRqx8pcXyfTx3cOqXdYvXPl4V5R1ERw1s6
2xV05naa77E61prPK8Moj3V52hPR5qPh8mc2tdKLqyZY5boPJP8H0Q==
=y1Xu
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

----- End forwarded message -----
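The DTA issue in the forwarded bulletin is a query-string SQL injection: a value taken from the URL is spliced into a SQL statement, so a legitimate user who follows a crafted link runs the attacker's SQL with his or her own database permissions. The following Python example is added here and is not code from the bulletin, from Microsoft or from BizTalk; the bulletin does not name the affected pages, so the page name, the table and column names, the sample rows and the two payload URLs are all constructed, and sqlite3 stands in for SQL Server. It shows the vulnerable concatenation beside the parameterized form that closes the hole.

```python
"""Added example, not from the MS03-016 bulletin or from BizTalk: the
vulnerability class behind the DTA issue (SQL built from a URL query-string
parameter) next to the parameterized fix. Page, table and column names and
the sample rows are constructed; sqlite3 stands in for SQL Server."""
import sqlite3
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical tracking page that reads the document id from the URL.
PAGE = "http://biztalk.example/dta/track.asp?doc="

# Constructed links. A legitimate user who follows one of the crafted ones
# executes the embedded SQL with his or her own database permissions.
NORMAL_URL = PAGE + quote("D100")
TAUTOLOGY_URL = PAGE + quote("D100' OR '1'='1")
UNION_URL = PAGE + quote("D100' UNION SELECT name, sql FROM sqlite_master --")


def make_db():
    """Constructed sample data standing in for a document-tracking database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE documents (doc_id TEXT, owner TEXT, status TEXT);
        INSERT INTO documents VALUES ('D100', 'alice', 'received');
        INSERT INTO documents VALUES ('D101', 'alice', 'processed');
        INSERT INTO documents VALUES ('D200', 'bob',   'received');
        """
    )
    return conn


def doc_param(url):
    """Return the decoded 'doc' query-string value, as the page would see it."""
    return parse_qs(urlsplit(url).query).get("doc", [""])[0]


def vulnerable_lookup(conn, url):
    """String concatenation: whatever is in the URL becomes part of the SQL."""
    sql = "SELECT doc_id, owner FROM documents WHERE doc_id = '" + doc_param(url) + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, url):
    """Bound parameter: the value is data, so quotes and keywords stay inert."""
    return conn.execute(
        "SELECT doc_id, owner FROM documents WHERE doc_id = ?", (doc_param(url),)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for label, url in [("normal", NORMAL_URL), ("tautology", TAUTOLOGY_URL), ("union", UNION_URL)]:
        print(label, "vulnerable:", vulnerable_lookup(conn, url))
        print(label, "safe:      ", safe_lookup(conn, url))
```

With the tautology link the concatenated statement returns every row instead of one; with the UNION link it also returns the schema from sqlite_master, which is the kind of "embedded SQL statement" the bulletin refers to. Both links return nothing from the parameterized version. The injected SQL runs under the database login of the user who clicked, which is why the bulletin's mitigating factor (DTA users are only members of "BizTalk Server Report Users", not database owners) limits the damage, and why the fix is parameterization rather than privilege restriction alone.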


More details about the SECURITY-L mailing list