Microsoft has warned users of a critical vulnerability
in a component of its Internet Security and Acceleration (ISA)
Server used to control internet protocol telephony
traffic.
Three bulletins were posted on Microsoft's website yesterday,
including lower-priority patches for Exchange Server 2003 and the
Microsoft Data Access Components (MDAC), which is used by certain
versions of Windows and Microsoft SQL Server.
H.323 is a protocol that is used by IP telephony applications to
send audio and video over IP networks. A buffer overflow in a
filter for the H.323 data packets, which is part of ISA Server
2000, could enable a malicious hacker to run their own code on
vulnerable servers, which would, potentially, grant them total
control over the system. Attackers would have to send a special
H.323 packet that was designed to trigger the overflow.
Microsoft was just one of many companies that issued warnings
about the H.323 vulnerability. Cisco Systems also issued software
patches for versions of the Internetwork Operating System
(IOS) which contained the vulnerability. (See
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.)
Attackers would not necessarily have to use voice over IP to
trigger the security hole, as long as the vulnerable service was
enabled and listening for incoming H.323 traffic, said Network
Associates virus research manager Craig Schmugar.
A buffer overrun in a number of versions of MDAC, which support
database operations in Windows and SQL Server, was also
patched.
Attackers who successfully trigger the security hole, which
Microsoft rated "important," could potentially elevate their level
of permission on the vulnerable system to the same level as the
user running the application that uses MDAC, Microsoft said. (See
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/winjan04.asp.)
A third security patch for Exchange Server 2003 was rated
"moderate" and fixes a flaw that could allow Outlook Web Access
users to view the contents of other e-mail boxes on the Exchange
server, Microsoft said. To take advantage of the security hole,
attackers would need a valid Exchange 2003 account. Attackers would
not be able to select which e-mail box they view. (See
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/excjan04.asp.)
The releases continue Microsoft's new policy of issuing monthly
security updates for customers.
While there are no known exploits for any of the security holes
Microsoft patched Tuesday, a fix for at least one actively
exploited flaw in Internet Explorer was missing from the batch of
patches, Schmugar said.
That vulnerability, commonly referred to as the "0x01 exploit,"
allows attackers to display a different web address in Internet
Explorer's Address field from the actual location of the web page
being displayed. The problem is being exploited by online scam
artists in "phishing" scams to harvest online account and personal
identification information.
"It's hard to say why they haven't patched that yet. But as [the
Internet Explorer exploit] becomes even hotter and is exploited
more, I think you'll likely see a patch for that, also," Schmugar
said.
Microsoft has, reportedly, patched the problem in Windows XP
Service Pack 2 and may well be using the release of that software
upgrade to address the problem, said Thor Larholm of security
company PivX Solutions.
Paul Roberts writes for IDG News Service