Microsoft Task Scheduler is reported prone to a remote stack-based buffer overflow vulnerability. The source of the vulnerability is that data in '.job' files is copied into an internal buffer without sufficient bounds checking. It is reported that a remote attacker may exploit this vulnerability through Internet Explorer or Windows Explorer when the '.job' file is opened or a directory containing the file is rendered. The file could also be hosted on a share. Other attack vectors may also exist. It should be noted that while this issue does not affect Windows NT 4.0 SP6a, it may affect this platform if Internet Explorer 6 SP1 is installed.
Block external access at the network boundary, unless external parties require service.
Filter all unauthorized incoming and outgoing network traffic.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy network intrusion detection systems to monitor all network traffic for signs of anomalous or suspicious activity. This may aid in detecting attacks or malicious activity that occurs as a result of successful exploitation.
Do not accept or execute files from untrusted or unknown sources.
A '.job' file may be used to exploit this vulnerability. Do not accept or open '.job' files that originate from users of questionable integrity.
Do not follow links provided by unknown or untrusted sources.
An attacker may present a link to a malicious Web site designed to exploit this vulnerability. Avoid following links that are received unexpectedly or that originate from users of questionable integrity.
Run all software as a nonprivileged user with minimal access rights.
As a general security precaution, all non-administrative tasks including Web browsing and reading email should be performed as an unprivileged user with minimal access rights. This will limit the impact of client-side exploits.
Microsoft has released a security bulletin (MS04-022) and fixes to address this issue for supported operating systems. Avaya has released an advisory that acknowledges this vulnerability for Avaya products. Avaya advise that customers follow the Microsoft recommendations to address this issue. Please see the referenced Avaya advisory at the following location for further details: http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=197331&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()