[SECURITY-L] CAIS-Alerta: Vulnerabilidade no Microsoft FrontPage Server Extensions (813360)
Security Team - UNICAMP
security em unicamp.br
Qua Nov 12 14:56:02 -02 2003
----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----
From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Vulnerabilidade no Microsoft FrontPage Server Extensions
(813360)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Wed, 12 Nov 2003 10:44:50 -0200 (BRDT)
-----BEGIN PGP SIGNED MESSAGE-----
Prezados,
O CAIS esta' repassando o alerta divulgado pela Microsoft, "Microsoft
Security Bulletin MS03-051: Buffer Overrun in Microsoft FrontPage Server
Extensions Could Allow Code Execution (813360)", tratando de duas
vulnerabilidades identificadas no FrontPage Server Extensions, sendo a
mais critica capaz de permitir ao atacante executar código arbitrário no
sistema do usuario.
O FrontPage Server Extensions (FPSE) e´ um conjunto de ferramentas que
podem ser instaladas em um web site a fim de desempenhar basicamente duas
funcoes:
. permitir que pessoas autorizadas gerenciem o servidor, incluindo
ou alterando conteudo, alem de outras tarefas;
. adicionar funcoes que sao frequentemente usadas em Web pages,
tais como suporte a formularios e ferramentas de busca.
Maiores informacoes sobre o FPSE podem ser obtidas em:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnservext/html/fpovrw.asp
Sistemas Afetados:
. Microsoft Windows 2000 Service Pack 2, Service Pack 3
. Microsoft Windows XP, Microsoft Windows XP Service Pack 1
. Microsoft Office XP, Microsoft Office XP Service Release 1
Sistemas Não Afetados:
. Microsoft Windows Millennium Edition
. Microsoft Windows NT Workstation 4.0, Service Pack 6a
. Microsoft Windows NT Server 4.0, Service Pack 6a
. Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
. Microsoft Windows 2000 Service Pack 4
. Microsoft Windows XP 64-Bit Edition Version 2003
. Microsoft Windows Server 2003 (Windows SharePoint Services)
. Microsoft Windows Server 2003 64-Bit Edition (Windows SharePoint Services)
. Microsoft Office System 2003
Componentes Afetados:
. Microsoft FrontPage Server Extensions 2000
. Microsoft FrontPage Server Extensions 2000
(distribuido com o Windows 2000)
. Microsoft FrontPage Server Extensions 2000
(distribuido com o Windows XP)
. Microsoft FrontPage Server Extensions 2002
. Microsoft SharePoint Team Services 2002
(distribuido com o Office XP)
Correções disponíveis:
A correção consiste na aplicação dos correspondentes patches recomendados
pela Microsoft e disponíveis em:
. Microsoft FrontPage Server Extensions 2000
http://www.microsoft.com/downloads/details.aspx?FamilyId=C84C3D10-A821-4819-BF58-D3BC70A77BFA&displaylang=en
. Microsoft FrontPage Server Extensions 2000 (distribuido com o Windows 2000)
http://www.microsoft.com/downloads/details.aspx?FamilyId=057D5F0E-0E2B-47D2-9F0F-3B15DD8622A2&displaylang=en
. Microsoft FrontPage Server Extensions 2000 (distribuido com o Windows XP)
http://www.microsoft.com/downloads/details.aspx?FamilyId=9B302532-BFAB-489B-82DC-ED1E49A16E1C&displaylang=en
. Microsoft FrontPage Server Extensions 2002
http://www.microsoft.com/downloads/details.aspx?FamilyId=3E8A21D9-708E-4E69-8299-86C49321EE25&displaylang=en
. Microsoft SharePoint Team Services 2002 (distribuido com o Office XP)
http://www.microsoft.com/downloads/details.aspx?FamilyId=5923FC2F-D786-4E32-8F15-36A1C9E0A340&displaylang=en
Para maiores detalhes sobre medidas de contorno (workarounds), perguntas
mais frequentes, ou ainda, sobre outras recomendacoes tecnicas para
instalacao das correcoes, recomenda-se consultar o alerta original da
Microsoft.
Maiores informações:
. Microsoft Security Bulletin MS03-051
http://www.microsoft.com/technet/security/bulletin/MS03-051.asp
. Microsoft Windows Security Bulletin Summary for November, 2003
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/winnov03.asp
. What You Should Know About the Windows Security Updates for November 2003
http://www.microsoft.com/security/security_bulletins/20031111_windows.asp
Identificadores do CVE: CAN-2003-0822, CAN-2003-0824
(http://cve.mitre.org)
O CAIS recomenda aos administradores de plataformas Microsoft a
atualizarem seus sistemas com urgencia, devido a criticidade do presente
alerta.
Atenciosamente,
################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) #
# Rede Nacional de Ensino e Pesquisa (RNP) #
# #
# cais em cais.rnp.br http://www.cais.rnp.br #
# Tel. 019-37873300 Fax. 019-37873301 #
# Chave PGP disponivel http://www.rnp.br/cais/cais-pgp.key #
################################################################
- --------------------------------------------------------------------
Title: Microsoft Windows Security Bulletin Summary for
November 2003
Issued: November 11, 2003
Version Number: 1.0
Bulletin:
http://www.microsoft.com/technet/security/bulletin/winnov03.asp
- --------------------------------------------------------------------
Summary:
========
Included in this advisory are three updates describing newly
discovered vulnerabilities in Microsoft Windows. These
vulnerabilities, broken down by severity are:
** Critical Security Bulletins
MS03-051 - Buffer Overrun in Microsoft FrontPage Server
Extensions Could Allow Code Execution (813360)
- Affected Software:
- Microsoft Windows 2000 Service Pack 2, Service
Pack 3
- Microsoft Windows XP,
Microsoft Windows XP Service Pack 1
- Microsoft Office XP,
Microsoft Office Service Release 1
- Impact: Remote Code Execution
- Version Number: 1.0
Patch Availability:
===================
Patches are available to fix these vulnerabilities.
For a11itional information, including Technical Details,
Workarounds, answers to Frequently Asked Questions, and Patch
Deployment Information please read the Microsoft Windows Security
Bulletin Summary for November 2003 at:
http://www.microsoft.com/technet/security/bulletin/winnov03.asp
Acknowledgments:
================
Microsoft thanks the following for working with us to protect
customers:
- - jelmer
(jkuperus em planet.nl)
for reporting the issue described in MS03-048.
- - eEye Digital Security
(http://www.eeye.com/)
for reporting the issue described in MS03-049.
- - Brett Moore of Security-Assessment.com
(http://www.security-assessment.com/)
for reporting the issue described in MS03-051.
Support:
========
Technical support is available from Microsoft Product Support
Services at 1-866-PCSAFETY (1-866-727-2338). There is no charge
for support calls associated with security patches.
International customers can get support from their local Microsoft
subsidiaries. There is no charge for support associated
with security updates. Information on how to contact Microsoft
support is available at
http://support.microsoft.com/common/international.aspx.
Revisions:
==========
* V1.0 November 2003: Bulletin Created.
********************************************************************
Protect your PC: Microsoft has provided information on how you
can help protect your PC at the following locations:
http://www.microsoft.com/technet/security/tips/pcprotec.asp
If you receive an e-mail that claims to be distributing a
Microsoft security patch, it is a hoax that may be distributing a
virus. Microsoft does not distribute security patches via e-mail.
You can learn more about Microsoft's software distribution
policies here:
http://www.microsoft.com/technet/security/policy/swdist.asp
********************************************************************
- --------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
- --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBP7IrTOkli63F4U8VAQFSOgQAj8LfYib8rsr77O5xMngAQPEMwXhJR1Ng
u06SeXPg+EdfGFDmPddPJ1DVghv5WNxm0RbdI89zVLNHGNFel556wG3gf+y6InQ4
lTkiLT0gyyQoR86eG1QM+V161MYkM3tErP8abPjDylj+1JY8jqOMybJrfNxqycEy
Hk1svsiaRpU=
=cmEX
-----END PGP SIGNATURE-----
----- End forwarded message -----
Mais detalhes sobre a lista de discussão SECURITY-L