ID CVE-2003-0807 Type cve Reporter cve@mitre.org Modified 2018-10-12T21:33:00
Description
Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.
{"cert": [{"lastseen": "2020-07-02T16:00:52", "bulletinFamily": "info", "description": "### Overview \n\nA vulnerability in a Microsoft HTTP Proxy component may lead to a denial of service.\n\n### Description \n\nMicrosoft's COM Internet Sevices (CIS) and Remote Procedure Call (RPC) over HTTP Proxy contain a vulnerability that could permit an attacker to cause a denial of service. When a forwarded request is passed over either of these components to the backend system, an attacker may be able to reply to the request with a specially crafted response. This could cause the vulnerable components to stop accepting future requests. This vulnerability affects the following systems:\n\n * Windows NT Server 4.0\n * Windows NT Server 4.0, Terminal Server Edition\n * Windows 2000\n * Windows Server 2003 \n--- \n \n### Impact \n\nA remote attacker may be able to stop the vulnerable component from accepting messages. This would lead to a denial of service. \n \n--- \n \n### Solution \n\n**Apply a patch from the vendor** \n[Microsoft Security Bulletin MS04-012](<http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx>) contains patch information to resolve this issue. \n \n--- \n \n### Vendor Information\n\n698564\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nUpdated: April 13, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n[Microsoft Security Bulletin MS04-012](<http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx>) contains information regarding this issue.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23698564 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n<http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx>\n\n### Acknowledgements\n\nThe Microsoft Security Bulletin thanks Qualys for reporting this vulnerability.\n\nThis document was written by Jason A Rafail.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2003-0807](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0807>) \n---|--- \n**Severity Metric:** | 5.32 \n**Date Public:** | 2004-04-13 \n**Date First Published:** | 2004-04-14 \n**Date Last Updated: ** | 2004-04-14 00:36 UTC \n**Document Revision: ** | 9 \n", "modified": "2004-04-14T00:36:00", "published": "2004-04-14T00:00:00", "id": "VU:698564", "href": "https://www.kb.cert.org/vuls/id/698564", "type": "cert", "title": "Microsoft CIS and RPC over HTTP Proxy components fail to properly handle responses", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:59", "bulletinFamily": "software", "description": "## Vulnerability Description\nMicrosoft Windows contains a flaw that may allow a remote denial of service. The issue is triggered due to the COM Internet Service (CIS) and RPC over HTTP Proxy components, which do not properly validate message input. With a specially crafted message, a remote attacker could cause the components to stop responding resulting in loss of availability.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nMicrosoft Windows contains a flaw that may allow a remote denial of service. The issue is triggered due to the COM Internet Service (CIS) and RPC over HTTP Proxy components, which do not properly validate message input. With a specially crafted message, a remote attacker could cause the components to stop responding resulting in loss of availability.\n## References:\nVendor URL: http://www.microsoft.com/\n[Secunia Advisory ID:11065](https://secuniaresearch.flexerasoftware.com/advisories/11065/)\n[Related OSVDB ID: 5247](https://vulners.com/osvdb/OSVDB:5247)\n[Related OSVDB ID: 5245](https://vulners.com/osvdb/OSVDB:5245)\nOther Advisory URL: http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx\nMicrosoft Security Bulletin: MS04-012\nISS X-Force ID: 15709\n[CVE-2003-0807](https://vulners.com/cve/CVE-2003-0807)\nCERT VU: 698564\nBugtraq ID: 10123\n", "modified": "2004-04-13T16:13:01", "published": "2004-04-13T16:13:01", "href": "https://vulners.com/osvdb/OSVDB:5246", "id": "OSVDB:5246", "title": "Microsoft Windows CIS/RPC Over HTTP DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "description": "Microsoft Security Bulletin MS04-012\r\nCumulative Update for Microsoft RPC/DCOM (828741)\r\n\r\nIssued: April 13, 2004\r\nVersion: 1.0\r\n\r\nSummary\r\nWho should read this document: Customers who use Microsoft\u00ae Windows\u00ae\r\n\r\nImpact of vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately.\r\n\r\nSecurity Update Replacement: This bulletin replaces several prior security updates. See the frequently asked questions (FAQ) section of this bulletin for the complete list.\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software: \r\n\r\n\u2022 Microsoft Windows NT\u00ae Workstation 4.0 Service Pack 6a \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows NT Server 4.0 Service Pack 6a \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4 \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows XP and Microsoft Windows XP Service Pack 1 \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows XP 64-Bit Edition Service Pack 1 \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows XP 64-Bit Edition Version 2003 \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows Server\u2122 2003 \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows Server 2003 64-Bit Edition \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (ME) \u2013 Review the FAQ section of this bulletin for details about these operating systems\r\n \r\n\r\nThe software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.\r\n\r\nTop of section\r\nGeneral Information\r\n Technical Details \r\n\r\nExecutive Summary:\r\n\r\nThis update resolves several newly-discovered vulnerabilities in RPC/DCOM. Each vulnerability is documented in this bulletin in its own section.\r\n\r\nAn attacker who successfully exploited the most severe of these vulnerabilities could take complete control of the affected system. An attacker could then take any action on the affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. \r\n\r\nMicrosoft recommends customers apply the update immediately.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\n\r\nVulnerability Identifiers Impact Of Vulnerability Windows 98, 98 SE, ME Windows NT Workstation 4.0 Windows NT Server 4.0 Windows NT Server 4.0, Terminal Server Edition Windows 2000 Windows XP Windows Server 2003 \r\nRPC Runtime Library Vulnerability - CAN-2003-0813\r\n Remote Code Execution\r\n None\r\n None\r\n None\r\n None\r\n Critical\r\n Critical\r\n Critical\r\n \r\nRPCSS Service Vulnerability - CAN-2004-0116\r\n Denial Of Service\r\n None\r\n None\r\n None\r\n None\r\n Important\r\n Important\r\n Important\r\n \r\nCOM Internet Services (CIS) \u2013 RPC over HTTP Vulnerability - CAN-2003-0807\r\n Denial Of Service\r\n None\r\n None\r\n Low\r\n Low\r\n Low\r\n None\r\n Low\r\n \r\nObject Identity Vulnerability - CAN-2004-0124\r\n Information Disclosure\r\n Not Critical\r\n Low\r\n Low\r\n Low\r\n Low\r\n Low\r\n Low\r\n \r\nAggregate Severity of all Vulnerabilities\r\n \r\n Not Critical\r\n Low\r\n Low\r\n Low\r\n Critical\r\n Critical\r\n Critical\r\n \r\n\r\nThe above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nTop of section\r\n Frequently asked questions (FAQ) related to this security update \r\n\r\nWhat updates does this release replace?\r\nThis security update replaces several prior security bulletins. The security bulletin IDs and operating systems that are affected are listed in the table below.\r\n\r\nBulletin ID Windows NT 4.0 Windows 2000 Windows XP Windows Server 2003 \r\nMS98-014\r\n Replaced\r\n Not Applicable\r\n Not Applicable\r\n Not Applicable\r\n \r\nMS00-066\r\n Not Applicable\r\n Replaced\r\n Not Applicable\r\n Not Applicable\r\n \r\nMS01-048\r\n Replaced\r\n Not Applicable\r\n Not Applicable\r\n Not Applicable\r\n \r\nMS03-010\r\n Not Applicable\r\n Replaced\r\n Replaced\r\n Not Applicable\r\n \r\nMS03-026\r\n Replaced\r\n Replaced\r\n Replaced\r\n Replaced\r\n \r\nMS03-039\r\n Replaced\r\n Replaced\r\n Replaced\r\n Replaced\r\n \r\n\r\nIs this update a Cumulative Security Update?\r\nYes. This Cumulative Security Update includes support for all prior RPC/DCOM updates as listed in the above table.\r\n\r\nHow does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?\r\nMicrosoft will only be releasing security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.\r\n\r\nFor more information about severity ratings, visit the following Web site.\r\n\r\nAre Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?\r\nNo. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?\r\nYes. MBSA will determine if this update is required. For more information about MBSA, visit the MBSA Web site.\r\n\r\nCan I use Systems Management Server (SMS) to determine if this update is required?\r\nYes. SMS can help detect and deploy this security update. For information about SMS, visit the SMS Web site.\r\n\r\nWhat is Remote Procedure Call (RPC)?\r\nRemote Procedure Call (RPC) is a protocol that the Windows operating system uses. RPC provides an interprocess communication mechanism that allows a program that is running on one system to access services seamlessly on another system. The protocol is derived from the Open Software Foundation (OSF) RPC protocol, with the addition of some Microsoft-specific extensions.\r\n\r\nTop of section\r\n Vulnerability Details \r\n\r\n RPC Runtime Library Vulnerability - CAN-2003-0813: \r\n\r\nA remote code execution vulnerability exists that results from a race condition when the RPC Runtime Library processes specially crafted messages. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, in the most likely attack scenario, this issue is a denial of service vulnerability.\r\n\r\n Mitigating factors for RPC Runtime Library Vulnerability - CAN-2003-0813: \r\n\r\n\u2022 Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\n \r\n\u2022 Windows NT 4.0 is not affected by this vulnerability.\r\n \r\n\r\nTop of section\r\n Workarounds for RPC Runtime Library Vulnerability - CAN-2003-0813: \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.\r\n\r\n\u2022 Use a personal firewall such as the Internet Connection Firewall, which is included with Windows XP and Windows Server 2003. \r\n\r\nIf you use the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. Microsoft recommends blocking all unsolicited inbound communication from the Internet.\r\n\r\nTo enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps: \r\n\r\n1.\r\n Click Start, and then click Control Panel.\r\n \r\n2.\r\n In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet. \r\n \r\n\r\nTo configure Internet Connection Firewall manually for a connection, follow these steps: \r\n\r\n1.\r\n Click Start, and then click Control Panel.\r\n \r\n2.\r\n In the default Category View, click Networking and Internet Connections, and then click Network Connections. \r\n \r\n3.\r\n Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties. \r\n \r\n4.\r\n Click the Advanced tab.\r\n \r\n5.\r\n Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK. \r\n \r\n\r\nNote If you want to enable the use of some programs and services through the firewall, click Settings on the Advanced tab, and then select the programs, protocols, and services needed. \r\n \r\n\u2022 Block the following at the firewall:\r\n\r\n\u2022 UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593 \r\n \r\n\u2022 All unsolicited inbound traffic on ports greater than 1024\r\n \r\n\u2022 Any other specifically configured RPC port\r\n \r\n\u2022 If installed, COM Internet Services (CIS) or RPC over HTTP, which listen on ports 80 and 443\r\n \r\n\r\nThese ports are used to initiate a connection with RPC. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about the ports that RPC uses, visit the following Web site. For more information about how to disable CIS, see Microsoft Knowledge Base Article 825819. \r\n \r\n\u2022 Enable advanced TCP/IP filtering on systems that support this feature.\r\n\r\nYou can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For additional information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.\r\n \r\n\u2022 Block the affected ports by using IPSec on the affected systems.\r\n\r\nUse Internet Protocol Security (IPSec) to help protect network communications. Detailed information about IPSec and how to apply filters is available in Microsoft Knowledge Base Articles 313190 and 813878.\r\n \r\n\r\nTop of section\r\n FAQ for RPC Runtime Library Vulnerability - CAN-2003-0813: \r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a race condition vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. However, race conditions are not predictable. Therefore, in the most likely attack scenario, this issue is a denial of service vulnerability. \r\n\r\nWhat causes the vulnerability?\r\nA race condition could exist when the RPC Runtime Library processes specially crafted messages. \r\n\r\nWhat is the RPC Runtime Library?\r\nBy default, the RPC Runtime Library is installed on all affected systems. The RPC Runtime Library provides services such as communication services, directory services, and security services to application developers. For more information about the RPC Runtime Library, visit the following MSDN Library Web site.\r\n\r\nWhat is wrong with the RPC Runtime Library?\r\nThe vulnerability in the RPC Runtime Library could occur if two separate operating system threads try to process certain specially crafted messages within a specified time. This event is considered to be a race condition because this event depends on the relative timing of the two threads. This race condition could cause the RPC Runtime Library to modify internal data structures incorrectly. Therefore, the affected system could experience unpredictable behavior.\r\n\r\nWhat is a race condition?\r\nRace conditions depend on the relative timing of events in multithreaded operating systems and software. They are frequently difficult to exploit as a way of repeatedly executing arbitrary code. For more information about race conditions, visit the following MSDN Library Web site. For a more general definition of race conditions, visit this Webnox Corporation Web site (HyperDictionary.com).\r\n\r\nWhy does this race condition cause a vulnerability?\r\nThis race condition could create an environment where a series of specially timed requests could cause the RPC Runtime Library to perform an unpredictable action. However, because the circumstances that lead to this condition would change every time that the vulnerability was exploited, it may be difficult for an attacker to exploit this vulnerability. \r\n\r\nWhat might an attacker use the vulnerability to do?\r\nThis vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. However, race conditions are not predictable. Therefore, in the most likely attack scenario, this issue is a denial of service vulnerability.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who can deliver a series of specially crafted messages to the affected system could attempt to exploit this vulnerability. By default, this ability is enabled on the affected systems. Therefore, any user who can establish a connection to an affected system could attempt to exploit this vulnerability.\r\n\r\nHow could an attacker exploit this vulnerability?\r\nAn attacker could exploit this vulnerability by creating a series of specially crafted network messages and sending the messages to an affected system. These messages could then cause the affected system to execute code.\r\n\r\nAn attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way the RPC Runtime Library synchronizes the threads that are being used to process the specially crafted messages.\r\n\r\nTop of section\r\nTop of section\r\n RPCSS Service Vulnerability - CAN-2004-0116: \r\n\r\nA denial of service vulnerability exists in the RPCSS service. If a specially crafted message is sent to the RPCSS service, the service may not reclaim discarded memory. This behavior could result in a denial of service.\r\n\r\n Mitigating factors for the RPCSS Service Vulnerability - CAN-2004-0116: \r\n\r\n\u2022 Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\n \r\n\u2022 Windows NT 4.0 is not affected by this vulnerability.\r\n \r\n\r\nTop of section\r\n Workaround for the RPCSS Service Vulnerability - CAN-2004-0116: \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.\r\n\r\nThe workarounds that are listed for the RPC Runtime Library Vulnerability- CAN-2003-0813 could also apply to this vulnerability. Additionally, the following workarounds apply:\r\n\r\n\u2022 Disable DCOM on all affected systems. \r\n\r\nWhen a system is part of a network, the DCOM wire protocol enables COM objects on that system to communicate with COM objects on other systems. You can disable DCOM for a specific system to help protect against this vulnerability. However, by doing so, you will also disable all communication between objects on that system and objects on other systems. \r\n\r\nFor more information about how to disable DCOM, see Microsoft Knowledge Base Article 825750. \r\n\r\nIf COM Internet Services (CIS) or RPC over HTTP is installed, Microsoft also recommends that you disable forwarding to DCOM. For more information, see Microsoft Knowledge Base Article 826382.\r\n\r\nNote On Windows 2000, this method works only on systems that are running Service Pack 3 or later. Customers who are using Service Pack 2 or earlier should upgrade to a later Service Pack or use one of the other workarounds. \r\n\r\nImpact of Workaround: If you disable DCOM on a remote system, you cannot access that system remotely later to re-enable DCOM. To re-enable DCOM, you must have physical access to that system.\r\n \r\n\r\nTop of section\r\n FAQ for the RPCSS Service Vulnerability - CAN-2004-0116: \r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause the RPCSS Service to stop responding. The affected system would need to be manually restarted in order to restore normal operation.\r\n\r\nNote that the denial of service vulnerability would not allow attackers to execute code or elevate their privileges, but it could cause the affected system to stop accepting requests.\r\n\r\nWhat causes the vulnerability?\r\nThe process used by the RPCSS service to check message inputs under certain circumstances.\r\n\r\nWhat is DCOM?\r\nThe Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network. Previously known as "Network OLE," DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. For more information about DCOM, visit the following Web site.\r\n\r\nWhat is wrong with the RPCSS Service?\r\nA vulnerability in the RPCSS Service that is involved with DCOM activation could cause an affected system to fail because a specially crafted message is handled incorrectly. This particular failure affects the underlying RPCSS Service that is used for DCOM activation. The RPCSS Service listens on UDP ports 135, 137, 138, and 445, and on TCP ports 135, 139, 445, and 593. Additionally, DCOM can listen on ports 80 and 443 if CIS or RPC over HTTP is enabled.\r\n\r\nBy sending a specially crafted RPC message, an attacker could cause the RPCSS Service on a remote system to fail in such a way that a denial of service could result.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited the vulnerability could cause the RPCSS Service to stop responding. However, this behavior would not cause the affected system to restart automatically. You would have to manually restart the affected system. \r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who can deliver the specially crafted RPC message to an affected system could attempt to exploit this vulnerability. \r\n\r\nHow could an attacker exploit this vulnerability?\r\nTo exploit this vulnerability, an attacker must send a specially crafted RPC message to an affected system over an affected TCP/UDP port. If an affected system receives such a message, the RPCSS service could stop responding.\r\n\r\nAn attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the RPCSS Service validates the information that is passed to it.\r\n\r\nTop of section\r\nTop of section\r\n COM Internet Services (CIS) \u2013 RPC over HTTP Vulnerability - CAN-2003-0807: \r\n\r\nA denial of service vulnerability exists in the CIS and in the RPC over HTTP Proxy components. When a forwarded request to a backend system passes through them, an attacker could reply to the request by using a specially crafted message that could cause the affected components to stop accepting later requests. \r\n\r\n Mitigating factors for the COM Internet Services (CIS) and RPC over HTTP Vulnerability - CAN-2003-0807: \r\n\r\nBy default, none of the affected operating systems are vulnerable. All the affected operating systems would require that an administrator either enable the affected components or enable a vulnerable configuration. For more information about how a vulnerable configuration could occur, see the FAQ.\r\n\r\nTop of section\r\n Workarounds for the COM Internet Services (CIS) and RPC over HTTP Vulnerability - CAN-2003-0807: \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.\r\n\r\nThe workarounds that are listed for the RPC Runtime Library Vulnerability- CAN-2003-0813 could also apply to this vulnerability. Additionally, the following workarounds apply: \r\n\r\n\u2022 Disable forwarding to untrusted sources for CIS and for RPC over HTTP if they have been enabled manually on the affected systems.\r\n\r\n\u2022 If an administrator has installed and has enabled forwarding to untrusted servers through CIS for Windows NT 4.0 or for Windows 2000, verify that CIS and RPC over HTTP are configured to permit forwarding only to trusted servers. \r\n \r\n\u2022 If an administrator has configured RPC over HTTP on Windows Server 2003, verify that RPC over HTTP is not running in IIS 5 compatibility mode. The default mode, IIS 6.0, does not contain the vulnerability. Therefore, the default mode is the preferred configuration. For more information about deployment recommendations and configuration settings, visit the following MSDN Library Web site. \r\n\r\nNote Microsoft also recommends that administrators disable forwarding to DCOM. For more information, see Microsoft Knowledge Base Article 826382.\r\n \r\n \r\n\u2022 If you do not need CIS or RPC over HTTP, disable this functionality on the affected systems. \r\n\r\n\u2022 For information about how to disable CIS, see Microsoft Knowledge Base Article 825819. \r\n \r\n\u2022 For information about RPC over HTTP, visit the following MSDN Library Web site.\r\n \r\n \r\n\r\nTop of section\r\n FAQ for the COM Internet Services (CIS) and RPC Over HTTP Vulnerability - CAN-2003-0807: \r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause the COM Internet Services or the RPC over HTTP component to stop accepting connections and could cause the affected system to stop responding. An administrator would need to restart Internet Information Services (IIS) manually to restore normal operation. \r\n\r\nWhat causes the vulnerability?\r\nThe process used by the affected components to validate message inputs under certain circumstances. \r\n\r\nWhat are COM Internet Services (CIS) and RPC over HTTP?\r\nRPC over HTTP version 1 (v1) (Windows NT 4.0, Windows 2000) and v2 (Windows Server 2003) allow RPC to operate over TCP ports 80 and 443 (v2 only) so that a client and a server can communicate through most proxy servers and firewalls. COM Internet Services (CIS) allows DCOM to use RPC over HTTP to communicate between DCOM clients and DCOM servers. Windows Server 2003 can be configured to support RPC over HTTP v1 if Windows Server 2003 is set to IIS 5 compatibility mode. IIS 6.0 mode uses RPC over HTTP v2. IIS 6.0 mode does not contain the vulnerability. Therefore, IIS 6.0 mode is the preferred configuration. For more information about deployment recommendations and configuration settings, visit the following MSDN Library Web site.\r\n\r\nFor more information about RPC over HTTP for Windows Server 2003, visit the following MSDN Library Web site. \r\nFor more information about CIS, visit the following MSDN Library Web site.\r\n\r\nHow do I know if I have CIS or RPC over HTTP installed?\r\nTo determine whether a server has CIS or RPC over HTTP installed, use one of the following methods, depending on your operating system: \r\n\r\n\u2022 On systems that are running Windows NT 4.0 that have the Windows NT Option Pack installed:\r\n\r\nSearch on all partitions for "rpcproxy.dll." If the Rpcproxy.dll file is located on the server, CIS is probably installed. \r\n \r\n\u2022 On systems that are running Windows 2000 or Windows Server 2003:\r\n\r\nIn Control Panel, double-click Add/Remove Programs, and then double-click Add/Remove Windows Components.\r\n\r\nThe Windows Components Wizard starts.\r\n\r\nClick Networking Services, and then click Details.\r\n\r\nIf the COM Internet Services Proxy (for Windows 2000 Server) or the RPC over HTTP Proxy (for Windows Server 2003) check box is selected, CIS or RPC over HTTP support is enabled on the server. \r\n\r\nTo search for a specific file on your system, click Start, click Search, click For Files or Folders, and then type the name of the file you want to search for. The search may take several minutes, depending on the size of your hard disk. \r\n \r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited the denial of service vulnerability could cause the affected components to stop responding.\r\n\r\nWho could exploit the vulnerability?\r\nOn Windows NT 4.0 and on Windows 2000, when a forwarded request to a backend system passes through the affected components, an anonymous attacker could reply to the request by using a specially crafted message that could cause the affected components to stop accepting later requests.\r\n\r\nOn Windows Server 2003, an attacker must also provide valid logon credentials.\r\n\r\nHow could an attacker exploit this vulnerability?\r\nAn attacker could exploit this vulnerability in several ways: \r\n\r\n\u2022 If an attacker controls a system that is configured to receive traffic through CIS or RPC over HTTP, the attacker could create a malicious response to a request from CIS or RPC over HTTP that could exploit this vulnerability.\r\n \r\n\u2022 An attacker could also try to exploit this vulnerability by listening locally on the network for traffic from a system that has CIS or RPC over HTTP Proxy enabled. The attacker could then try to send a specially crafted malicious response to a forwarded request on behalf of the system that CIS or RPC over HTTP is trying to communicate with.\r\n \r\n\r\nIf a system receives either type of these specially crafted messages, the message could cause the affected components to stop responding. \r\n\r\nAn attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely). \r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nBy default, the affected components are not enabled on any affected operating system.\r\n\r\nHowever, if the Windows NT 4.0 Option Pack has been installed, the affected components are installed on Windows NT 4.0 Server and Windows NT 4.0 Terminal Server Edition. This is the default behavior. The affected components are not enabled until an administrator performs the steps that are described in Microsoft Knowledge Base article 282261.\r\n\r\nBy default, the affected components are not installed on Windows 2000 or on Windows Server 2003. An administrator must install the affected components manually for a system to be at risk from this vulnerability.\r\n\r\nIn both cases, an administrator must manually configure the affected components to forward requests to another system for the affected components to become vulnerable.\r\n\r\nOn Windows Server 2003, the impact is reduced more because the default configuration of Internet Information Service is not vulnerable, even with an affected component installed. Windows Server 2003 would only become vulnerable if you enabled IIS 5.0 compatibility mode. Microsoft does not recommend enabling IIS 5.0 compatibility mode for use with RPC over HTTP. For more information about deployment recommendations, visit the following MSDN Library Web site.\r\n\r\nWindows NT 4.0 Workstation and Windows XP do not support the installation of the affected components. Therefore, these operating systems are not affected by this vulnerability.\r\n\r\nDoes this update require any manual steps?\r\nYes, if you are using CIS on Windows NT 4.0. Windows NT 4.0 requires administrators to manually perform the steps that are described in Microsoft Knowledge Base Article 282261 to enable CIS, including specifying the physical location of Rpcproxy.dll file. To help protect against this vulnerability, administrators must manually copy the updated version of the Rpcproxy.dll file to the location that they first used to enable CIS because the update cannot determine this location programmatically.\r\n\r\nWhat does the update do?\r\nThe update addresses the vulnerability by modifying the way that the affected components validate the information that they receive.\r\n\r\nTop of section\r\nTop of section\r\n Object Identity Vulnerability - CAN-2004-0124: \r\n\r\nA information disclosure vulnerability exists in the way that object identities are created. This vulnerability could allow an attacker to enable applications to open network communication ports. Although this vulnerability does not directly enable an attacker to compromise a system, it could be used to enable network communication through unexpected communication ports.\r\n\r\n Mitigating factors for the Object Identity Vulnerability - CAN-2004-0124: \r\n\r\nFirewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\n\r\nTop of section\r\n Workarounds for the Object Identity Vulnerability - CAN-2004-0124: \r\n\r\nThe workarounds that are listed for the RPC Runtime Library Vulnerability- CAN-2003-0813 could also apply to this vulnerability.\r\n\r\nTop of section\r\n FAQ for the Object Identity Vulnerability - CAN-2004-0124: \r\n\r\nWhat is the scope of the vulnerability?\r\nThis is an information disclosure vulnerability. An attacker who successfully exploited this vulnerability could enable applications to open network communication ports, including applications that are not designed for network communication. This vulnerability does not directly enable an attacker to compromise a system. However, it could be used to enable network communication through unexpected communications ports.\r\n\r\nWhat causes the vulnerability?\r\nThe way that COM object identifiers are created.\r\n\r\nWhat is a COM object identifier?\r\nEach COM object has an object identifier. An object identifier is a unique number that identifies the COM object in an application to the operating system. For more information about the use of object identities, visit the following Web site. For more information about COM objects, visit the following Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could force an application to accept inbound communication requests. This vulnerability does not directly enable an attacker to compromise a system. However, this vulnerability could be used to enable network communication through unexpected communications ports.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver the specially crafted RPC message to an affected system could exploit this vulnerability. \r\n\r\nHow could an attacker exploit this vulnerability?\r\nTo exploit this vulnerability, an attacker would need to send a specially crafted RPC message to an affected system over an affected TCP/UDP port. For more information about the ports that RPC uses, visit the following Web site.\r\n\r\nAre Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by this vulnerability?\r\nNo. Although these operating systems may contain the affected component, the vulnerability is not critical. For more information about severity ratings, visit the following Web site.\r\n\r\nWhat does the update do?\r\nThis update modifies the way that object identities are created. The new behavior makes it more difficult for a potential attacker to learn an object\u2019s identifier.\r\n\r\nTop of section\r\nTop of section\r\nTop of section\r\n Security Update Information \r\n\r\nInstallation Platforms and Prerequisites:\r\n\r\nFor information about the specific security update for your platform, click the appropriate link:\r\n\r\n Windows Server 2003 (all versions) \r\n\r\nPrerequisites\r\nThis security update requires a released version of Windows Server 2003.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in Windows Server 2003 Service Pack 1.\r\n\r\nInstallation Information\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Use Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\n /uninstall Uninstalls the package\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /l Lists installed Windows hotfixes or update packages\r\n\r\n /o Overwrite OEM files without prompting\r\n\r\n /n Do not backup files needed for uninstall\r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, view Microsoft Knowledge Base Article 262841.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows Server 2003: \r\n\r\nWindowsserver2003-kb828741-x86-enu /passive /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows Server 2003: \r\n\r\nWindowsserver2003-kb828741-x86-enu /norestart\r\n\r\nFor information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nYou must restart your system after you apply this security update.\r\n\r\nRemoval Information\r\n\r\nTo remove this update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe is located in the %Windir%\$NTUninstallKB828741$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\n\r\n/?: Show the list of installation switches. \r\n\r\n/u: Use unattended mode. \r\n\r\n/f: Force other programs to quit when the computer shuts down.\r\n\r\n/z: Do not restart when the installation is complete. \r\n\r\n/q: Use Quiet mode (no user interaction). \r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, and Windows Server 2003 Datacenter Edition:\r\n\r\n Date Time Version Size File name Folder\r\n ------------------------------------------------------------------------\r\n 16-Mar-2004 03:09 2001.12.4720.130 263,680 Catsrv.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.130 587,264 Catsrvut.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.130 98,304 Clbcatex.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.130 493,056 Clbcatq.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.130 58,368 Colbact.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.139 189,440 Comadmin.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.130 1,202,176 Comsvcs.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.130 566,272 Comuid.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.130 226,816 Es.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.130 443,904 Msdtcprx.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.130 972,288 Msdtctm.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.130 160,768 Msdtcuiu.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.130 76,288 Mtxclu.dll RTMGDR\r\n 16-Mar-2004 03:09 2001.12.4720.130 108,032 Mtxoci.dll RTMGDR\r\n 16-Mar-2004 03:09 5.2.3790.138 1,189,376 Ole32.dll RTMGDR\r\n 16-Mar-2004 03:09 5.2.3790.137 26,112 Rpcproxy.dll RTMGDR\r\n 16-Mar-2004 03:09 5.2.3790.137 660,992 Rpcrt4.dll RTMGDR\r\n 16-Mar-2004 03:09 5.2.3790.132 294,400 Rpcss.dll RTMGDR\r\n 16-Mar-2004 03:17 2001.12.4720.130 263,680 Catsrv.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.130 587,264 Catsrvut.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.130 98,304 Clbcatex.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.130 493,056 Clbcatq.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.130 58,368 Colbact.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.139 189,440 Comadmin.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.130 1,202,176 Comsvcs.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.130 566,272 Comuid.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.130 226,816 Es.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.130 443,904 Msdtcprx.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.130 972,288 Msdtctm.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.130 160,768 Msdtcuiu.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.130 76,288 Mtxclu.dll RTMQFE\r\n 16-Mar-2004 03:17 2001.12.4720.130 108,032 Mtxoci.dll RTMQFE\r\n 16-Mar-2004 03:17 5.2.3790.139 1,188,352 Ole32.dll RTMQFE\r\n 16-Mar-2004 03:17 5.2.3790.141 26,112 Rpcproxy.dll RTMQFE\r\n 16-Mar-2004 03:17 5.2.3790.141 659,968 Rpcrt4.dll RTMQFE\r\n 16-Mar-2004 03:17 5.2.3790.142 293,888 Rpcss.dll RTMQFE\r\n\r\nWindows Server 2003 64-Bit Enterprise Edition and Windows Server 2003 64-Bit Datacenter Edition: \r\n\r\n Date Time Version Size File name Platform Folder\r\n -------------------------------------------------------------------------------\r\n 31-Mar-2004 03:29 2001.12.4720.130 641,024 Catsrv.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 1,567,744 Catsrvut.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 263,680 Clbcatex.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 1,294,336 Clbcatq.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 179,712 Colbact.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.139 412,160 Comadmin.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 3,127,296 Comsvcs.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 1,873,408 Comuid.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 653,312 Es.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 1,301,504 Msdtcprx.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 3,166,208 Msdtctm.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 462,848 Msdtcuiu.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 203,776 Mtxclu.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 315,904 Mtxoci.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 5.2.3790.146 3,567,616 Ole32.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 5.2.3790.137 73,216 Rpcproxy.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 5.2.3790.137 2,140,160 Rpcrt4.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 5.2.3790.146 687,104 Rpcss.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 263,680 Wcatsrv.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 587,264 Wcatsrvut.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 98,304 Wclbcatex.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 493,056 Wclbcatq.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 58,368 Wcolbact.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.139 189,440 Wcomadmin.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 1,202,176 Wcomsvcs.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 226,816 Wes.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 443,904 Wmsdtcprx.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 160,768 Wmsdtcuiu.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 76,288 Wmtxclu.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 108,032 Wmtxoci.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 5.2.3790.146 1,189,376 Wole32.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 5.2.3790.137 26,112 Wrpcproxy.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 5.2.3790.137 542,208 Wrpcrt4.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:25 2001.12.4720.130 641,024 Catsrv.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 1,567,744 Catsrvut.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 263,680 Clbcatex.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 1,294,336 Clbcatq.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 179,712 Colbact.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.139 412,160 Comadmin.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 3,127,296 Comsvcs.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 1,873,408 Comuid.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 653,312 Es.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 1,301,504 Msdtcprx.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 3,166,208 Msdtctm.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 462,848 Msdtcuiu.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 203,776 Mtxclu.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 315,904 Mtxoci.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 5.2.3790.146 3,565,056 Ole32.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 5.2.3790.141 73,216 Rpcproxy.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 5.2.3790.141 2,150,400 Rpcrt4.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 5.2.3790.146 685,568 Rpcss.dll IA64 RTMQFE\r\n 31-Mar-2004 03:26 2001.12.4720.130 263,680 Wcatsrv.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 587,264 Wcatsrvut.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 98,304 Wclbcatex.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 493,056 Wclbcatq.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 58,368 Wcolbact.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.139 189,440 Wcomadmin.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 1,202,176 Wcomsvcs.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 226,816 Wes.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 443,904 Wmsdtcprx.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 160,768 Wmsdtcuiu.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 76,288 Wmtxclu.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 108,032 Wmtxoci.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 5.2.3790.146 1,188,352 Wole32.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 5.2.3790.141 26,112 Wrpcproxy.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 5.2.3790.141 544,256 Wrpcrt4.dll X86 RTMQFE\WOW\r\n\r\nNote When you install this security update on Windows Server 2003 or on Windows XP 64-Bit Edition Version 2003, the installer checks to see if any of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system. For more information, see Microsoft Knowledge Base Article 824994.\r\n\r\nVerifying Update Installation\r\n\r\nTo verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry key:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB828741\Filelist\r\n\r\nNote This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 828741 security update into the Windows installation source files.\r\n\r\nTop of section\r\n Windows XP (all versions) \r\n\r\nNote For Windows XP 64-Bit Edition Version 2003, this security update is the same as the Windows Server 2003 64-Bit Edition security update.\r\n\r\nPrerequisites\r\nThis security update requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For more information, see Microsoft Knowledge Base Article 322389.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for these issues will be included in Windows XP Service Pack 2.\r\n\r\nInstallation Information\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Use Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\n /uninstall Uninstalls the package\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /l Lists installed Windows hotfixes or update packages\r\n\r\n /o Overwrite OEM files without prompting\r\n\r\n /n Do not backup files needed for uninstall\r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, view Microsoft Knowledge Base Article 262841.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows XP:\r\n\r\nWindowsxp-kb828741-x86-enu /passive /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows XP:\r\n\r\nWindowsxp-kb828741-x86-enu /norestart\r\n\r\nFor information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nYou must restart your system after you apply this security update.\r\n\r\nRemoval Information\r\n\r\nTo remove this update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828741$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\n\r\n/?: Show the list of installation switches. \r\n\r\n/u: Use unattended mode. \r\n\r\n/f: Force other programs to quit when the computer shuts down.\r\n\r\n/z: Do not restart when the installation is complete. \r\n\r\n/q: Use Quiet mode (no user interaction). \r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows XP Home Edition, Windows XP Professional, Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, and Windows XP Media Center Edition:\r\n\r\n Date Time Version Size File name Folder \r\n -----------------------------------------------------------------------\r\n 06-Mar-2004 02:04 2001.12.4414.53 225,280 Catsrv.dll (pre-sp1)\r\n 06-Mar-2004 02:04 2001.12.4414.53 596,480 Catsrvut.dll (pre-sp1)\r\n 06-Mar-2004 02:04 2001.12.4414.53 110,080 Clbcatex.dll (pre-sp1)\r\n 06-Mar-2004 02:05 2001.12.4414.53 499,712 Clbcatq.dll (pre-sp1)\r\n 06-Mar-2004 02:04 2001.12.4414.53 64,512 Colbact.dll (pre-sp1)\r\n 06-Mar-2004 02:05 2001.12.4414.53 187,904 Comadmin.dll (pre-sp1)\r\n 17-Feb-2004 18:49 2001.12.4414.53 8,192 Comrepl.exe (pre-sp1)\r\n 06-Mar-2004 02:05 2001.12.4414.53 1,177,088 Comsvcs.dll (pre-sp1)\r\n 06-Mar-2004 02:05 2001.12.4414.53 499,200 Comuid.dll (pre-sp1)\r\n 06-Mar-2004 02:05 2001.12.4414.53 226,816 Es.dll (pre-sp1)\r\n 17-Feb-2004 18:50 2001.12.4414.53 6,656 Migregdb.exe (pre-sp1)\r\n 06-Mar-2004 02:05 2001.12.4414.53 365,568 Msdtcprx.dll (pre-sp1)\r\n 06-Mar-2004 02:05 2001.12.4414.53 977,920 Msdtctm.dll (pre-sp1)\r\n 06-Mar-2004 02:05 2001.12.4414.53 150,528 Msdtcuiu.dll (pre-sp1)\r\n 06-Mar-2004 02:05 2001.12.4414.53 64,512 Mtxclu.dll (pre-sp1)\r\n 06-Mar-2004 02:05 2001.12.4414.53 82,432 Mtxoci.dll (pre-sp1)\r\n 06-Mar-2004 02:05 5.1.2600.136 1,105,408 Ole32.dll (pre-sp1)\r\n 06-Mar-2004 02:05 5.1.2600.135 442,880 Rpcrt4.dll (pre-sp1)\r\n 06-Mar-2004 02:05 5.1.2600.135 214,528 Rpcss.dll (pre-sp1)\r\n 06-Mar-2004 02:05 2001.12.4414.53 97,280 Txflog.dll (pre-sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 225,280 Catsrv.dll (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 594,944 Catsrvut.dll (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 110,080 Clbcatex.dll (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 499,712 Clbcatq.dll (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 64,512 Colbact.dll (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 187,904 Comadmin.dll (with sp1)\r\n 17-Feb-2004 18:49 2001.12.4414.53 8,192 Comrepl.exe (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 1,194,496 Comsvcs.dll (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 499,200 Comuid.dll (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 226,816 Es.dll (with sp1)\r\n 17-Feb-2004 18:50 2001.12.4414.53 6,656 Migregdb.exe (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 367,616 Msdtcprx.dll (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 977,920 Msdtctm.dll (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 150,528 Msdtcuiu.dll (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 64,512 Mtxclu.dll (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 82,432 Mtxoci.dll (with sp1)\r\n 06-Mar-2004 02:16 5.1.2600.1362 1,183,744 Ole32.dll (with sp1)\r\n 06-Mar-2004 02:16 5.1.2600.1361 535,552 Rpcrt4.dll (with sp1)\r\n 06-Mar-2004 02:16 5.1.2600.1361 263,680 Rpcss.dll (with sp1)\r\n 06-Mar-2004 02:16 2001.12.4414.53 97,280 Txflog.dll (with sp1)\r\n\r\nWindows XP 64-Bit Edition Service Pack 1:\r\n\r\n Date Time Version Size File name Platform\r\n ---------------------------------------------------------------------\r\n 06-Mar-2004 02:07 2001.12.4414.53 695,808 Catsrv.dll IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 2,127,360 Catsrvut.dll IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 360,960 Clbcatex.dll IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 1,554,432 Clbcatq.dll IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 204,288 Colbact.dll IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 478,720 Comadmin.dll IA64\r\n 09-Jan-2004 22:50 2001.12.4414.53 20,992 Comrepl.exe IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 3,591,168 Comsvcs.dll IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 1,817,600 Comuid.dll IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 740,864 Es.dll IA64\r\n 09-Jan-2004 22:51 2001.12.4414.53 12,800 Migregdb.exe IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 1,509,888 Msdtcprx.dll IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 3,484,160 Msdtctm.dll IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 513,024 Msdtcuiu.dll IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 194,048 Mtxclu.dll IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 286,720 Mtxoci.dll IA64\r\n 06-Mar-2004 02:07 5.1.2600.1362 4,339,200 Ole32.dll IA64\r\n 06-Mar-2004 02:07 5.1.2600.1361 2,317,824 Rpcrt4.dll IA64\r\n 06-Mar-2004 02:07 5.1.2600.1361 780,288 Rpcss.dll IA64\r\n 06-Mar-2004 02:07 2001.12.4414.53 345,088 Txflog.dll IA64\r\n 06-Mar-2004 02:16 2001.12.4414.53 225,280 Wcatsrv.dll X86\r\n 06-Mar-2004 02:16 2001.12.4414.53 594,944 Wcatsrvut.dll X86\r\n 06-Mar-2004 02:16 2001.12.4414.53 110,080 Wclbcatex.dll X86\r\n 06-Mar-2004 02:16 2001.12.4414.53 499,712 Wclbcatq.dll X86\r\n 06-Mar-2004 02:16 2001.12.4414.53 64,512 Wcolbact.dll X86\r\n 06-Mar-2004 02:16 2001.12.4414.53 187,904 Wcomadmin.dll X86\r\n 06-Mar-2004 02:16 2001.12.4414.53 1,194,496 Wcomsvcs.dll X86\r\n 06-Mar-2004 02:16 2001.12.4414.53 226,816 Wes.dll X86\r\n 06-Mar-2004 02:16 2001.12.4414.53 367,616 Wmsdtcprx.dll X86\r\n 06-Mar-2004 02:16 2001.12.4414.53 150,528 Wmsdtcuiu.dll X86\r\n 06-Mar-2004 02:16 2001.12.4414.53 64,512 Wmtxclu.dll X86\r\n 06-Mar-2004 02:16 2001.12.4414.53 82,432 Wmtxoci.dll X86\r\n 06-Mar-2004 02:16 5.1.2600.1362 1,183,744 Wole32.dll X86\r\n 06-Mar-2004 02:16 5.1.2600.1361 509,440 Wrpcrt4.dll X86\r\n 06-Mar-2004 02:16 2001.12.4414.53 97,280 Wtxflog.dll X86\r\n\r\nWindows XP 64-Bit Edition Version 2003: \r\n\r\n Date Time Version Size File name Platform Folder\r\n ------------------------------------------------------------------------------\r\n 31-Mar-2004 03:29 2001.12.4720.130 641,024 Catsrv.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 1,567,744 Catsrvut.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 263,680 Clbcatex.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 1,294,336 Clbcatq.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 179,712 Colbact.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.139 412,160 Comadmin.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 3,127,296 Comsvcs.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 1,873,408 Comuid.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 653,312 Es.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 1,301,504 Msdtcprx.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 3,166,208 Msdtctm.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 462,848 Msdtcuiu.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 203,776 Mtxclu.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 315,904 Mtxoci.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 5.2.3790.146 3,567,616 Ole32.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 5.2.3790.137 73,216 Rpcproxy.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 5.2.3790.137 2,140,160 Rpcrt4.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 5.2.3790.146 687,104 Rpcss.dll IA64 RTMGDR\r\n 31-Mar-2004 03:29 2001.12.4720.130 263,680 Wcatsrv.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 587,264 Wcatsrvut.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 98,304 Wclbcatex.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 493,056 Wclbcatq.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 58,368 Wcolbact.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.139 189,440 Wcomadmin.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 1,202,176 Wcomsvcs.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 226,816 Wes.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 443,904 Wmsdtcprx.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 160,768 Wmsdtcuiu.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 76,288 Wmtxclu.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 2001.12.4720.130 108,032 Wmtxoci.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 5.2.3790.146 1,189,376 Wole32.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 5.2.3790.137 26,112 Wrpcproxy.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:29 5.2.3790.137 542,208 Wrpcrt4.dll X86 RTMGDR\WOW\r\n 31-Mar-2004 03:25 2001.12.4720.130 641,024 Catsrv.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 1,567,744 Catsrvut.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 263,680 Clbcatex.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 1,294,336 Clbcatq.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 179,712 Colbact.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.139 412,160 Comadmin.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 3,127,296 Comsvcs.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 1,873,408 Comuid.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 653,312 Es.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 1,301,504 Msdtcprx.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 3,166,208 Msdtctm.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 462,848 Msdtcuiu.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 203,776 Mtxclu.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 2001.12.4720.130 315,904 Mtxoci.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 5.2.3790.146 3,565,056 Ole32.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 5.2.3790.141 73,216 Rpcproxy.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 5.2.3790.141 2,150,400 Rpcrt4.dll IA64 RTMQFE\r\n 31-Mar-2004 03:25 5.2.3790.146 685,568 Rpcss.dll IA64 RTMQFE\r\n 31-Mar-2004 03:26 2001.12.4720.130 263,680 Wcatsrv.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 587,264 Wcatsrvut.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 98,304 Wclbcatex.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 493,056 Wclbcatq.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 58,368 Wcolbact.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.139 189,440 Wcomadmin.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 1,202,176 Wcomsvcs.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 226,816 Wes.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 443,904 Wmsdtcprx.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 160,768 Wmsdtcuiu.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 76,288 Wmtxclu.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 2001.12.4720.130 108,032 Wmtxoci.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 5.2.3790.146 1,188,352 Wole32.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 5.2.3790.141 26,112 Wrpcproxy.dll X86 RTMQFE\WOW\r\n 31-Mar-2004 03:26 5.2.3790.141 544,256 Wrpcrt4.dll X86 RTMQFE\WOW\r\n\r\nNote The Windows XP and Windows XP 64-Bit Edition Version 2003 versions of this security update are packaged as dual-mode packages, which contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1). For additional information about dual-mode packages, see Microsoft Knowledge Base Article 328848.\r\n\r\nWhen you install the Windows XP 64-Bit Edition Version 2003 security update, the installer checks to see if any of the files that are being updated on your system previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system. For more information, see Microsoft Knowledge Base Article 824994.\r\n\r\nVerifying Update Installation\r\n\r\nTo verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry keys:\r\n\r\nFor Windows XP Home Edition, Windows XP Professional, Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP 64-Bit Edition Service Pack 1, Windows XP Tablet PC Edition, and Windows XP Media Center Edition:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB828741\Filelist\r\n\r\nFor Windows XP 64-Bit Edition Version 2003:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB828741\Filelist\r\n\r\nNote This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 828741 security update into the Windows installation source files.\r\n\r\nTop of section\r\n Windows 2000 (all versions) \r\n\r\nPrerequisites\r\nFor Windows 2000, this security update requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).\r\n\r\nThe software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nFor more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for these issues will be included in Windows 2000 Service Pack 5.\r\n\r\nInstallation Information\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Use Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\n /uninstall Uninstalls the package\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /l Lists installed Windows hotfixes or update packages\r\n\r\n /o Overwrite OEM files without prompting\r\n\r\n /n Do not backup files needed for uninstall\r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that are used by the previous version of the Setup utility. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:\r\n\r\nWindows2000-kb828741-x86-enu /passive /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:\r\n\r\nWindows2000-kb828741-x86-enu /norestart\r\n\r\nFor information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nYou must restart your system after you apply this security update.\r\n\r\nRemoval Information\r\n\r\nTo remove this update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828741$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\n\r\n/?: Show the list of installation switches. \r\n\r\n/u: Use unattended mode. \r\n\r\n/f: Force other programs to quit when the computer shuts down.\r\n\r\n/z: Do not restart when the installation is complete. \r\n\r\n/q: Use Quiet mode (no user interaction). \r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nNote Date and time information could change during installation. Version, size, and file name information should be used to determine the correctness of files.\r\n\r\nWindows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:\r\n\r\n Date Time Version Size File name\r\n ------------------------------------------------------------\r\n 11-Mar-2004 21:29 2000.2.3511.0 169,232 Catsrv.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 595,728 Catsrvut.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 97,040 Clbcatex.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 552,720 Clbcatq.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 41,744 Colbact.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 198,416 Comadmin.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 97,552 Comrepl.dll \r\n 11-Mar-2004 21:29 2000.2.3421.351 342,288 Comsetup.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 1,467,664 Comsvcs.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 625,936 Comuid.dll \r\n 19-Feb-2004 22:03 2000.2.3511.0 1,816,552 Dtcsetup.exe \r\n 11-Mar-2004 21:29 2000.2.3511.0 239,888 Es.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 96,016 Msdtclog.dll \r\n 11-Mar-2004 21:29 2000.2.3513.0 717,584 Msdtcprx.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 1,139,984 Msdtctm.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 153,872 Msdtcui.dll \r\n 19-Feb-2004 22:44 2000.2.3511.0 155,408 Mtstocom.exe \r\n 11-Mar-2004 21:29 2000.2.3511.0 52,496 Mtxclu.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 26,896 Mtxdm.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 35,600 Mtxlegih.dll \r\n 11-Mar-2004 21:29 2000.2.3513.0 120,592 Mtxoci.dll \r\n 11-Mar-2004 21:29 5.0.2195.6906 954,640 Ole32.dll \r\n 11-Mar-2004 21:29 5.0.2195.6904 16,656 Rpcproxy.dll \r\n 11-Mar-2004 21:29 5.0.2195.6904 449,808 Rpcrt4.dll \r\n 11-Mar-2004 21:29 5.0.2195.6906 211,728 Rpcss.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 398,608 Txfaux.dll \r\n 11-Mar-2004 21:29 2000.2.3511.0 18,704 Xolehlp.dll \r\n\r\nVerifying Update Installation\r\n\r\nTo verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry key:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828741\Filelist\r\n\r\nNote This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 828741 security update into the Windows installation source files.\r\n\r\nTop of section\r\n Windows NT 4.0 (all versions) \r\n\r\nPrerequisites\r\nThis security update requires Windows NT Workstation 4.0 Service Pack 6a (SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a), or Windows NT Server 4.0 Terminal Server Edition Service Pack 6 (SP6).\r\n\r\nThe software that is listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.\r\n\r\nFor more information on obtaining the latest service pack, see Microsoft Knowledge Base Article 152734.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /y: Perform removal (only with /m or /q )\r\n\r\n /f: Force programs to quit during the shutdown process \r\n\r\n /n: Do not create an Uninstall folder\r\n\r\n /z: Do not restart when the update completes\r\n\r\n /q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ) \r\n\r\n /m: Use Unattended mode with a user interface \r\n\r\n /l: List the installed hotfixes \r\n\r\n /x: Extract the files without running Setup\r\n\r\nNote You can combine these switches into one command. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows NT Server 4.0:\r\n\r\nWindowsnt4server-kb828741-x86-enu /q\r\n\r\nFor Windows NT Server 4.0 Terminal Server Edition:\r\n\r\nWindowsnt4terminalserver-kb828741-x86-enu /q\r\n\r\nFor Windows NT Workstation 4.0:\r\n\r\nWindowsnt4workstation-kb828741-x86-enu /q\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows NT Server 4.0:\r\n\r\nWindowsnt4server-kb828741-x86-enu /z\r\n\r\nFor Windows NT Server 4.0 Terminal Server Edition:\r\n\r\nWindowsnt4terminalserver-kb828741-x86-enu /z\r\n\r\nFor Windows NT Workstation 4.0:\r\n\r\nWindowsnt4workstation-kb828741-x86-enu /z\r\n\r\nFor more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nYou must restart your system after you apply this security update.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add/Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can use the Hotfix.exe utility to remove this security update. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB828741$ folder. The Hotfix.exe utility supports the following setup switches:\r\n\r\n /y: Perform removal (only with the /m or /q switch) \r\n\r\n /f: Force programs to quit during the shutdown process \r\n\r\n /n: Do not create an Uninstall folder \r\n\r\n /z: Do not restart when the installation is complete \r\n\r\n /q: Use Quiet or Unattended mode with no user interface (this switch is a superset of the /m switch)\r\n\r\n /m: Use Unattended mode with a user interface \r\n\r\n /l: List the installed hotfixes\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. \r\n\r\nNote Date and time information could change during installation. Version, size, and file name information should be used to determine the correctness of files.\r\n\r\nWindows NT Workstation 4.0 and Windows NT Server 4.0:\r\n\r\n Date Time Version Size File name\r\n ----------------------------------------------------------\r\n 25-Feb-2004 15:53 4.0.1381.7263 701,200 Ole32.dll \r\n 08-Jan-2004 11:37 4.0.1381.7255 21,264 Rpcproxy.dll \r\n 11-Aug-2003 14:29 4.0.1381.7230 345,872 Rpcrt4.dll \r\n 25-Feb-2004 15:53 4.0.1381.7263 122,128 Rpcss.exe \r\n\r\nWindows NT Server 4.0 Terminal Server Edition:\r\n\r\n Date Time Version Size File name\r\n ----------------------------------------------------------\r\n 25-Feb-2004 15:52 4.0.1381.33562 701,200 Ole32.dll \r\n 05-Dec-2003 17:51 4.0.1381.33559 21,264 Rpcproxy.dll \r\n 11-Aug-2003 15:14 4.0.1381.33551 345,360 Rpcrt4.dll \r\n 25-Feb-2004 15:52 4.0.1381.33562 124,176 Rpcss.exe \r\n\r\nVerifying Update Installation\r\n\r\nTo verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, which allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry key: \r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828741\File 1\r\n\r\nNote This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 828741 security update into the Windows installation source files.\r\n\r\nTop of section\r\nTop of section\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\r\n\u2022 eEye Digital Security for reporting the RPC Runtime Library Vulnerability (CAN-2003-0813) and the RPCSS Service Vulnerability (CAN-2004-0116).\r\n \r\n\u2022 Qualys for reporting the CIS \u2013 RPC over HTTP Vulnerability (CAN-2003-0807).\r\n \r\n\u2022 Todd Sabin of BindView for reporting the Object Identity Vulnerability (CAN-2004-0124).\r\n \r\n\r\nObtaining other security updates:\r\n\r\nUpdates for other security issues are available from the following locations:\r\n\r\n\u2022 Security updates are available from the Microsoft Download Center: you can find them most easily by doing a keyword search for \u201csecurity_patch\u201d.\r\n \r\n\u2022 Updates for consumer platforms are available from the Windows Update Web site. \r\n \r\n\r\nSupport: \r\n\r\n\u2022 Customers in the U.S. and Canada can get technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n \r\n\u2022 International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. For more information on how to contact Microsoft for support issues, visit the International Support Web site.\r\n \r\n\r\nSecurity Resources: \r\n\r\n\u2022 The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. \r\n \r\n\u2022 Microsoft Software Update Services\r\n \r\n\u2022 Microsoft Baseline Security Analyzer (MBSA) \r\n \r\n\u2022 Windows Update \r\n \r\n\u2022 Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.\r\n \r\n\u2022 Office Update \r\n \r\n\r\nSoftware Update Services (SUS):\r\n\r\nMicrosoft Software Update Services (SUS) enables administrators to quickly and reliably deploy the latest critical updates and security updates to Windows\u00ae 2000 and Windows Server\u2122 2003-based servers, as well as to desktop systems running Windows 2000 Professional or Windows XP Professional.\r\n\r\nFor information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site. \r\n\r\nSystems Management Server (SMS):\r\n\r\nSystems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site. For detailed information about the many enhancements to the security update deployment process that SMS 2003 provides, please visit the SMS 2003 Security Patch Management Web site. For users of SMS 2.0, it also provides several additional tools to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. Some software updates may require administrative rights following a restart of the computer\r\n\r\nNote The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted.\r\n\r\nDisclaimer: \r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\r\n\u2022 V1.0 April 13, 2004: Bulletin published \r\n \r\n", "modified": "2004-04-14T00:00:00", "published": "2004-04-14T00:00:00", "id": "SECURITYVULNS:DOC:6058", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6058", "title": "Microsoft Security Bulletin MS04-012", "type": "securityvulns", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nMultiple Vulnerabilities in Microsoft Products\r\n\r\n Original release date: April 13, 2004\r\n Last revised: --\r\n Source: US-CERT\r\n\r\nSystems Affected\r\n\r\n * Microsoft Windows Operating Systems\r\n\r\n * Microsoft Windows Remote Procedure Call (RPC) and Distributed\r\n Component Object Model (DCOM) subsystems\r\n\r\n * Microsoft Windows MHTML Protocol Handler\r\n\r\n * Microsoft Jet Database Engine\r\n\r\nOverview\r\n\r\n Microsoft Corporation has released a series of security bulletins\r\n affecting most users of the Microsoft Windows operating system. Users\r\n of systems running Microsoft Windows are strongly encouraged to visit\r\n the "Windows Security Updates for April 2004" site at\r\n\r\n <https://www.microsoft.com/security/security_bulletins/200404_windows.\r\n asp>\r\n\r\n and take actions appropriate to their system configurations.\r\n\r\nI. Description\r\n\r\n Microsoft has released four security bulletins listing a number of\r\n vulnerabilities which affect a variety of Microsoft Windows software\r\n packages. The following section summarizes the issues identified in\r\n their bulletins.\r\n\r\nSummary of Microsoft Bulletins for April 2004\r\n\r\n Security Bulletin MS04-011: Security Update for Microsoft Windows (835732)\r\n\r\n This bulletin addresses 14 vulnerabilities affecting the systems\r\n listed below. There are several new vulnerabilities address by this\r\n bulletin, and several updates to previously reported vulnerabilities.\r\n\r\n Impact\r\n\r\n Remote attackers could execute arbitrary code on vulnerable systems.\r\n\r\n Systems affected\r\n\r\n * Windows NT Workstation 4.0\r\n * Windows NT Server 4.0\r\n * Windows NT Server 4.0, Terminal Server Edition\r\n * Windows 2000\r\n * Windows XP\r\n * Windows Server 2003\r\n\r\n Vulnerability identifiers\r\n\r\n The following table outlines these issues and is based on Microsoft's\r\n Security Bulletin:\r\n\r\n Vulnerability Title |US-CERT ID |CVE ID | Impact of Vulnerability\r\n --------------------+-----------+-------------+------------------------\r\n LSASS Vulnerability |VU#753212 |CAN-2003-0533| Remote Code Execution\r\n LDAP Vulnerability |VU#639428 |CAN-2003-0663| Denial of Service\r\n PCT Vulnerability |VU#586540 |CAN-2003-0719| Remote Code Execution\r\n Winlogon Vulnerabili|VU#471260 |CAN-2003-0806| Remote Code Execution\r\n Metafile Vulnerabili|VU#547028 |CAN-2003-0906| Remote Code Execution\r\n Help and Support Cen|VU#260588 |CAN-2003-0907| Remote Code Execution\r\n Utility Manager Vuln|VU#526084 |CAN-2003-0908| Privilege Elevation\r\n Windows Management V|VU#206468 |CAN-2003-0909| Privilege Elevation\r\n Local Descriptor Tab|VU#122076 |CAN-2003-0910| Privilege Elevation\r\n H.323 Vulnerability |VU#353956 |CAN-2004-0117| Remote Code Execution\r\n Virtual DOS Machine |VU#783748 |CAN-2004-0118| Privilege Elevation\r\n Negotiate SSP Vulner|VU#638548 |CAN-2004-0119| Remote Code Execution\r\n SSL Vulnerability |VU#150236 |CAN-2004-0120| Denial of Service\r\n ASN.1 "Double Free" |VU#255924 |CAN-2004-0123 Remote Code Execution\r\n\r\n\r\n Security Bulletin MS04-012: Cumulative Update for Microsoft RPC/DCOM\r\n (828741)\r\n\r\n This bulletin addresses several new vulnerabilities affecting the\r\n systems listed below. These vulnerabilities are in Microsoft Windows\r\n Remote Procedure Call (RPC) and Distributed Component Object Model\r\n (DCOM).\r\n\r\n Impact\r\n\r\n Remote attackers could execute arbitrary code on vulnerable systems.\r\n\r\n Systems affected\r\n\r\n * Windows NT Workstation 4.0\r\n * Windows NT Server 4.0\r\n * Windows NT Server 4.0, Terminal Server Edition\r\n * Windows 2000\r\n * Windows XP\r\n * Windows Server 2003\r\n\r\n Vulnerability identifiers\r\n\r\n The following table outlines these issues and is based on Microsoft's\r\n Security Bulletin:\r\n\r\n Vulnerability Title |US-CERT ID |CVE ID | Impact of Vulnerability\r\n --------------------+-----------+-------------+------------------------\r\n RPC Runtime Library |VU#547820 |CAN-2003-0813| Remote Code Execution\r\n RPCSS Service Vulner|VU#417052 |CAN-2004-0116| Denial of Service\r\n RPC over HTTP Vulner|VU#698564 |CAN-2003-0807| Denial of Service\r\n Object Identity Vuln|VU#212892 |CAN-2004-0124| Information Disclosure\r\n\r\n\r\n Security Bulletin MS04-013:Cumulative Security Update for Outlook Express\r\n (837009)\r\n\r\n This bulletin addresses a vulnerability affecting the systems listed\r\n below. The vulnerability affects the Microsoft Windows MHTML Protocol\r\n handler and any applications that use it, including Microsoft Outlook\r\n and Internet Explorer. This vulnerability has been assigned VU#323070\r\n and CAN-2004-0380.\r\n\r\n Note: MS04-013 includes patches remediating the vulnerability\r\n described in TA04-099A.\r\n\r\n Impact\r\n\r\n Remote attackers could execute arbitrary code on vulnerable systems.\r\n\r\n Systems affected\r\n\r\n * Windows NT Workstation 4.0\r\n * Windows NT Server 4.0\r\n * Windows NT Server 4.0, Terminal Server Edition\r\n * Windows 2000\r\n * Windows XP\r\n * Windows Server 2003\r\n * Windows 98\r\n * Windows 98 Second Edition (SE)\r\n * Windows Millennium Edition (Windows Me)\r\n\r\n Note: This issue affects systems with Outlook Express installed.\r\n Outlook Express is installed by default on most (if not all) current\r\n versions of Microsoft Windows.\r\n\r\n\r\n Security Bulletin MS04-014: Vulnerability in the Microsoft Jet Database\r\n Engine Could Allow Code Execution (837001)\r\n\r\n This bulletin addresses a vulnerability affecting the systems listed\r\n below. There is a buffer overflow vulnerability in Microsoft's Jet\r\n Database Engine (Jet). An attacker could take control of a vulnerable\r\n system, including installing programs; viewing, changing, or deleting\r\n data; or creating new accounts that have full privileges. This\r\n vulnerability has been assigned VU#740716 and CAN-2004-0197.\r\n\r\n Impact\r\n\r\n Remote attackers could execute arbitrary code on vulnerable systems.\r\n\r\n Systems affected\r\n\r\n * Windows NT Workstation 4.0\r\n * Windows NT Server 4.0\r\n * Windows NT Server 4.0, Terminal Server Edition\r\n * Windows 2000\r\n * Windows XP\r\n * Windows Server 2003\r\n\r\n\r\nUpdate to TA04-099A\r\n\r\n Microsoft has released a patch that addresses the cross-domain\r\n vulnerability discussed in TA04-099A: "Vulnerability in Internet\r\n Explorer ITS Protocol Handler". US-CERT is tracking this issue as\r\n VU#323070. This reference number corresponds to CVE candidate\r\n CAN-2004-0380.\r\n\r\n The patches and further information about the vulnerability are\r\n available in Microsoft Security Bulletin MS04-013. MS04-013 is titled\r\n "Cumulative Security Update for Outlook Express". Since most (if not\r\n all) current Windows systems have Outlook Express installed by\r\n default, and the MHTML protocol handler is part of the Outlook Express\r\n software package, most (if not all) Windows systems should be\r\n considered vulnerable.\r\n\r\n TA04-099A and VU#323070 focused on the ITS protocol handlers; however,\r\n the latent vulnerability appears to be in the MHTML handler shipped as\r\n part of Outlook Express. These documents have been updated.\r\n\r\nII. Impact\r\n\r\n Several of the issues identified by Microsoft have been described as\r\n "Critical" in nature.Each bulletin contains at least one vulnerability\r\n which may allow remote attackers to execute arbitrary code on affected\r\n systems. The privileges gained would depend on the security context of\r\n the software and vulnerability exploited.\r\n\r\nIII. Solution\r\n\r\nApply an appropriate set of updates from Microsoft\r\n\r\n Please see the following site for more information about appropriate\r\n remediation.\r\n\r\n Windows Security Updates for April 2004 -\r\n\r\n <http://www.microsoft.com/security/security_bulletins/200404_windows\r\n .asp>\r\n\r\nAppendix A. Vendor Information\r\n\r\n This appendix contains information provided by vendors for this\r\n technical alert. As vendors report new information to US-CERT, we will\r\n update this section and note the changes in our revision history. If a\r\n particular vendor is not listed below, we have not received their\r\n comments.\r\n\r\nMicrosoft Corporation\r\n\r\n Windows Security Updates for April 2004\r\n\r\n + Microsoft Security Bulletin MS04-011 - \r\n Security Update for Microsoft Windows (835732)\r\n\r\n + Microsoft Security Bulletin MS04-012 -\r\n Cumulative Update for Microsoft RPC/DCOM (828741)\r\n\r\n + Microsoft Security Bulletin MS04-013 - \r\n Cumulative Security Update for Outlook Express (837009)\r\n\r\n + Microsoft Security Bulletin MS04-014 - \r\n Vulnerability in the Microsoft Jet Database Engine Could\r\n Allow Code Execution (837001)\r\n\r\n\r\nAppendix B. References\r\n\r\n * Technical Cyber Security Alert TA04-099A: Cross-Domain\r\n Vulnerability in Outlook Express MHTML Protocol Handler -\r\n <http://www.us-cert.gov/cas/techalerts/TA04-099A.html>\r\n\r\n * US-CERT Cyber Security Alert SA04-104A: Summary of Windows\r\n Security Updates for April 2004 -\r\n <http://www.us-cert.gov/cas/alerts/SA04-104A.html>\r\n\r\n * Windows Security Updates for April 2004 -\r\n <http://www.microsoft.com/security/security_bulletins/200404_windo\r\n ws.asp>\r\n\r\n * Microsoft Security Bulletin MS04-011 - Security Update for\r\n Microsoft Windows (835732) -\r\n <http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx>\r\n\r\n * Microsoft Security Bulletin MS04-012 - Cumulative Update for\r\n Microsoft RPC/DCOM (828741) -\r\n <http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx>\r\n\r\n * Microsoft Security Bulletin MS04-013 - Cumulative Security Update\r\n for Outlook Express (837009) -\r\n <http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx>\r\n\r\n * Microsoft Security Bulletin MS04-014 - Vulnerability in the\r\n Microsoft Jet Database Engine Could Allow Code Execution (837001)\r\n -\r\n <http://www.microsoft.com/technet/security/bulletin/MS04-014.mspx>\r\n\r\n * Microsoft Security Response Center Security Bulletin Severity\r\n Rating System (Revised, November 2002) -\r\n <http://www.microsoft.com/technet/security/bulletin/rating.mspx>\r\n\r\n * Vulnerability Note VU#323070: Outlook Express MHTML protocol\r\n handler does not properly validate location of alternate data -\r\n <http://www.kb.cert.org/vuls/id/323070>\r\n\r\n * Vulnerability Note VU#547820: Microsoft Windows DCOM/RPC\r\n vulnerability - <http://www.kb.cert.org/vuls/id/547820>\r\n\r\n * Vulnerability Note VU#740716: Microsoft Jet Database Engine\r\n database request handling buffer overflow -\r\n <http://www.kb.cert.org/vuls/id/740716>\r\n _________________________________________________________________\r\n\r\n Feedback about this technical alert should be sent to "US-CERT\r\n Technical Alert" at <mailto:cert@cert.org>. Please include the Subject\r\n line "TA04-104A Feedback VU#667571".\r\n _________________________________________________________________\r\n\r\n Copyright 2004 Carnegie Mellon University.\r\n\r\n Terms of use: <http://www.us-cert.gov/legal.html>\r\n\r\n Revision History\r\n\r\n April 13, 2004: Initial release\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.2.1 (GNU/Linux)\r\n\r\niD8DBQFAfJtjXlvNRxAkFWARAmmUAJ4jbj7Mm8I5NdasPeDIliOCUTJutQCfaeoC\r\nuIhq7G9V+u7Cg0B78NzRMGk=\r\n=UEBC\r\n-----END PGP SIGNATURE-----", "modified": "2004-04-14T00:00:00", "published": "2004-04-14T00:00:00", "id": "SECURITYVULNS:DOC:6061", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6061", "title": "US-CERT Technical Cyber Security Alert TA04-104A -- Multiple Vulnerabilities in Microsoft Products", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2020-07-01T04:23:58", "bulletinFamily": "scanner", "description": "The remote host has multiple bugs in its RPC/DCOM implementation\n(828741).\n\nAn attacker could exploit one of these flaws to execute arbitrary code\non the remote system.", "modified": "2020-07-02T00:00:00", "id": "SMB_NT_MS04-012.NASL", "href": "https://www.tenable.com/plugins/nessus/12206", "published": "2004-04-13T00:00:00", "title": "MS04-012: Microsoft Hotfix (credentialed check) (828741)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(12206);\n script_version(\"1.45\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\n \"CVE-2003-0813\",\n \"CVE-2004-0116\",\n \"CVE-2003-0807\",\n \"CVE-2004-0124\"\n );\n script_bugtraq_id(10121, 10123, 10127, 8811);\n script_xref(name:\"CERT\", value:\"547820\");\n script_xref(name:\"CERT\", value:\"698564\");\n script_xref(name:\"CERT\", value:\"212892\");\n script_xref(name:\"MSFT\", value:\"MS04-012\");\n script_xref(name:\"MSKB\", value:\"828741\");\n\n script_name(english:\"MS04-012: Microsoft Hotfix (credentialed check) (828741)\");\n script_summary(english:\"Checks for ms04-012\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"Arbitrary code can be executed on the remote host.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host has multiple bugs in its RPC/DCOM implementation\n(828741).\n\nAn attacker could exploit one of these flaws to execute arbitrary code\non the remote system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-012\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows NT, 2000, XP and\n2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS04-012';\nkb = '828741';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(nt:'6', win2k:'2,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"Rpcrt4.dll\", version:\"5.2.3790.137\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Rpcrt4.dll\", version:\"5.1.2600.1361\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:0, file:\"Rpcrt4.dll\", version:\"5.1.2600.135\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Rpcrt4.dll\", version:\"5.0.2195.6904\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"4.0\", file:\"Rpcrt4.dll\", version:\"4.0.1381.7230\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"4.0\", file:\"Rpcrt4.dll\", version:\"4.0.1381.33551\", min_version:\"4.0.1381.33000\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T04:23:57", "bulletinFamily": "scanner", "description": "The remote host has multiple bugs in its RPC/DCOM implementation\n(828741).\n\nAn attacker may exploit one of these flaws to execute arbitrary code\non the remote system.", "modified": "2020-07-02T00:00:00", "id": "SMB_KB828741.NASL", "href": "https://www.tenable.com/plugins/nessus/21655", "published": "2007-03-16T00:00:00", "title": "MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21655);\n script_version(\"1.25\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\"CVE-2003-0813\", \"CVE-2004-0116\", \"CVE-2003-0807\", \"CVE-2004-0124\");\n script_bugtraq_id(10121, 10123, 10127, 8811);\n script_xref(name:\"MSFT\", value:\"MS04-012\");\n script_xref(name:\"MSKB\", value:\"828741\");\n\n script_name(english:\"MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)\");\n script_summary(english:\"Checks for MS04-012\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"Arbitrary code can be executed on the remote host.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host has multiple bugs in its RPC/DCOM implementation\n(828741).\n\nAn attacker may exploit one of these flaws to execute arbitrary code\non the remote system.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-012\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows NT, 2000, XP and\n2003.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/03/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows\");\n\n script_dependencies(\"smb_nativelanman.nasl\");\n script_require_keys(\"Host/OS/smb\");\n script_require_ports(135, 139, 445);\n exit(0);\n}\n\n#\n\ninclude ('smb_func.inc');\n\nfunction SCMActivatorGetClassObject (socket, type)\n{\n local_var data, ret, resp, code;\n\n data =\n\t# struct 1\n\traw_word(w:0) +\n\traw_word(w:0) +\n\traw_dword(d:0) +\n\traw_dword(d:0) +\n\traw_dword(d:0) +\n\traw_word(w:0) +\n\traw_word(w:0) +\n\traw_dword(d:0) + raw_dword(d:0) +\n\traw_dword(d:0) +\n\n\t# struct 2\n\traw_dword(d:0) +\n\traw_dword(d:0) +\n\n\t# struct4\n\traw_dword(d:0x20000) +\n\traw_dword(d:4) +\n\traw_dword(d:4) +\n\traw_dword(d:0);\n\n ret = dce_rpc_request (code:0x03, data:data);\n send (socket:socket, data:ret);\n resp = recv (socket:socket, length:4096);\n if (isnull(resp))\n return 0;\n\n if (strlen(resp) < 32 || ord(resp[2]) != 3)\n return 0;\n\n # 0x80010110 -> bad dcom header. Path should check it is a local call first and return ACCESS_DENIED\n code = get_dword (blob:resp, pos:24);\n if (code == 0x80010110)\n return 1;\n\n return 0;\n}\n\n\nos = get_kb_item(\"Host/OS/smb\");\nif ( \"Windows\" >!< os ) exit (0);\n\n\nport = 135;\n\nif ( ! get_port_state(port) ) exit(0);\nsoc = open_sock_tcp (port);\nif (!soc) exit (0);\n\nret = dce_rpc_bind(cid:session_get_cid(), uuid:\"00000136-0000-0000-c000-000000000046\", vers:0);\nsend (socket:soc, data:ret);\nresp = recv (socket:soc, length:4096);\n\nif (!resp)\n{\n close (soc);\n exit (0);\n}\n\nret = dce_rpc_parse_bind_ack (data:resp);\nif (isnull (ret) || (ret != 0))\n{\n close (soc);\n exit (0);\n}\n\n\nret = SCMActivatorGetClassObject (socket:soc);\nif (ret == 1)\n security_hole(port);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
