O-009: Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities

CIAC INFORMATION BULLETIN

O-009: Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities

[Microsoft Security Bulletin MS03-045]

October 16, 2003 14:00 GMT
[REVISED 17 Oct 2003]
[REVISED 30 Oct 2003]
[REVISED 4 Nov 2003]
[REVISED 6 Nov 2003]

PROBLEM: A vulnerability exists because the ListBox control and the ComboBox control both call a function, which is located in the User32.dll file, that contains a buffer overrun. The function does not correctly validate the parameters that are sent to it. The controls can be made to run arbitrary code in the security context of the program that contains the control.
SOFTWARE: MS Windows NT Workstation 4.0, Service Pack 6a
MS Windows NT Server 4.0, Service Pack 6a
MS Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
MS Windows 2000, Service Pack 2
MS Windows 2000, Service Pack 3, Service Pack 4
MS Windows XP Gold, Service Pack 1
MS Windows XP 64-bit Edition
MS Windows XP 64-bit Edition Version 2003
MS Windows Server 2003
MS Windows Server 2003 64-bit Edition
DAMAGE: A local attacker who has the ability to log onto a system interactively could run a program that sends a specially-crafted Windows message to any application that implements the ListBox or the ComboBox control, causing the application to take any action the attacker specified. This could give an attacker complete control over the system by using Utility Manager in Windows 2000, which runs with Administrator privileges.
SOLUTION: Apply appropriate patches or implement workarounds.

VULNERABILITY ASSESSMENT: The risk is MEDIUM. An attacker with a user account could elevate their privileges to the Administrator level.

LINKS:
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-009.shtml
  ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-045.asp
  CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0659
  ADDITIONAL LINKS: CERT Advisory CA-2003-27
   http://www.cert.org/advisories/CA-2003-27.html

REVISION HISTORY:
10/17/03 - added link to CERT Advisory CA-2003-27.

10/30/03 - Microsoft released a revised security patch for Windows XP,
           to address the problem described in their Knowledge Base Article 
           #830846 where installation of the previous patch may stop 
           responding (hang). The revised patch contains version 5.4.1.0 of 
           Update.exe. Version 5.4.1.0 or later versions of Update.exe no 
           longer require the Debug Programs user right.

11/04/03 - Microsoft has revised MS03-045 with a Patch Replacement. This
           patch also replaces the patch provided by MS02-071 [CIAC N-027].

11/06/03 - Microsoft has revised the MS03-045 Technical Details section with
           information pointing to a new Knowledge Base Article 831739.

[***** Start Microsoft Security Bulletin MS03-045 *****]

Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
Issued: October 15, 2003
Updated: November 5, 2003
Version Number: 3.2 


Summary

Who Should Read This Document: Customers using Microsoft® Windows®

Impact of Vulnerability: Local Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should install this security patch at the earliest opportunity

Patch Replacement: MS02-071

Caveats: None

Tested Software and Patch Download Locations: 

Affected Software: 

The software listed above has been tested to determine if the versions are affected. Other versions are 
no longer supported, and may or may not be affected.


Technical Details
Technical Description:

Microsoft re-issued this bulletin on October 29, 2003 to advise on the availability of an updated Windows 
XP patch. This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some 
customers experienced with the original patch that is discussed in Knowledge Base Article 830846. This 
problem is unrelated to the security vulnerability discussed in this bulletin, however the problem has 
caused some customers difficulty installing the patch. If you have previously applied this security patch, 
this update does not need to be installed.

Microsoft has also investigated reports of application compatibility problems with some third party 
applications. Many of the affected applications have released updated versions to address these issues. For 
more information on these issues please view Knowledge Base Article 831739.

Microsoft re-issued this bulletin on October 22, 2003 to advise of a compatibility problem with some third 
party software that was identified, subsequent to the release of this bulletin and the associated patches, 
with a set of language specific versions of the Windows 2000 Service Pack 4 patch. This problem is unrelated 
to the security vulnerability discussed in this bulletin. Customers who have applied the patch are protected 
against the vulnerability discussed in this bulletin.

Microsoft has developed a fix for this issue and is re-releasing this bulletin to reflect the new updated 
patches. The compatibility problems only affect the language versions of the patch listed below, and only 
those versions of the patch are being re-released. Other language versions of this patch are not affected 
and are not being re-released. Please note that the new security patches support both the Setup switches 
originally documented in this bulletin and a set of new Setup switches that are documented in the 
Installation Information section of this bulletin. Additionally, the updated language versions support 
Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4 in a single 
security patch.

Brazilian
Czech
Danish
Finnish
Hungarian
Italian
Norwegian
Polish
Portuguese
Russian
Spanish
Swedish
Turkish

Not Affected versions:

Arabic
Dutch
English
French
German
Greek
Hebrew
Hong Kong
Japanese
Korean
Simplified Chinese
Traditional Chinese

A vulnerability exists because the ListBox control and the ComboBox control both call a function, which is 
located in the User32.dll file, that contains a buffer overrun. The function does not correctly validate 
the parameters that are sent from a specially-crafted Windows message. Windows messages provide a way for 
interactive processes to react to user events (for example, keystrokes or mouse movements) and to 
communicate with other interactive processes. A security vulnerability exists because the function that 
provides the list of accessibility options to the user does not correctly validate Windows messages that 
are sent to it. One process in the interactive desktop could use a specific Windows message to cause the 
ListBox control or the ComboBox control to execute arbitrary code. Any program that implements the ListBox 
control or the ComboBox control could allow code to be executed at an elevated level of administrative 
credentials, as long as the program is running at an elevated level of privileges (for example, Utility 
Manager in Windows 2000). This could include third-party applications.

An attacker who had the ability to log on to a system interactively could run a program that could send a 
specially-crafted Windows message to any applications that have implemented the ListBox control or the 
ComboBox control, causing the application to take any action an attacker specified. This could give an 
attacker complete control over the system by using Utility Manager in Windows 2000.
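The bulletin does not show the User32.dll routine, so the following is an added example (not Microsoft's code) that models the bug class it describes: a list control whose message handler trusts the length declared in wParam, beside a version that validates every message-supplied value before it drives a copy. The control struct, buffer sizes, message id and return codes are constructed for the example, and it compiles without windows.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of a list-control message handler (example code, not the
 * real User32.dll routine). wParam declares an item length, lParam points at
 * the text, mirroring the wParam/lParam convention of Win32 control messages. */
typedef uintptr_t WPARAM_T;
typedef intptr_t  LPARAM_T;

#define MAX_ITEMS     8
#define ITEM_TEXT_MAX 32          /* fixed-size item buffer, constructed value */
#define MSG_ADD_ITEM  0x0180u     /* constructed message id, not a real LB_* code */

typedef struct {
    char items[MAX_ITEMS][ITEM_TEXT_MAX];
    int  count;
} ListCtrl;

/* Vulnerable pattern: the caller-declared length is copied unchecked, so a
 * message with wParam > ITEM_TEXT_MAX writes past the item buffer. Kept only
 * for comparison with the checked version below; never reached by the dispatcher. */
int add_item_trusting(ListCtrl *lc, WPARAM_T len, LPARAM_T text)
{
    if (lc->count >= MAX_ITEMS) return -3;
    memcpy(lc->items[lc->count++], (const char *)text, len);   /* overrun */
    return 0;
}

/* Hardened pattern: every value taken from the message is validated before it
 * influences a copy. Returns 0 on success, a negative code otherwise. */
int add_item_checked(ListCtrl *lc, WPARAM_T len, LPARAM_T text)
{
    const char *src = (const char *)text;
    if (src == NULL)                    return -2;  /* bad pointer in lParam   */
    if (lc->count >= MAX_ITEMS)         return -3;  /* control is full         */
    if (len >= ITEM_TEXT_MAX)           return -4;  /* text + NUL would not fit */
    if (memchr(src, '\0', len) != NULL) return -5;  /* declared length is a lie */
    memcpy(lc->items[lc->count], src, len);
    lc->items[lc->count][len] = '\0';
    lc->count++;
    return 0;
}

/* Window-procedure style dispatcher: only the checked handler is reachable,
 * and unknown messages are rejected rather than guessed at. */
int list_wndproc(ListCtrl *lc, unsigned msg, WPARAM_T wp, LPARAM_T lp)
{
    switch (msg) {
    case MSG_ADD_ITEM: return add_item_checked(lc, wp, lp);
    default:           return -1;
    }
}
```

The same discipline applies to any control a privileged process hosts: parameters arriving in a window message come from another process on the interactive desktop and must be treated as untrusted input.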

Mitigating factors: 


Severity Rating:
Microsoft Windows NT 4.0                                      Low
Microsoft Windows NT Server 4.0, Terminal Server Edition      Low
Microsoft Windows 2000                                        Important
Microsoft Windows XP                                          Low
Microsoft Windows Server 2003                                 Low

The above assessment is based on the types of systems that are affected by the vulnerability, their typical 
deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0659



Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct the underlying 
vulnerability; however, they help block known attack vectors. Workarounds may cause a reduction in 
functionality in some cases - in such situations this is identified below.


Impact of Vulnerability:
The Utility Manager Service provides many of the accessibility features of the operating system. These 
would be unavailable until the restrictions are removed.


Security Patch Information

Installation platforms and Prerequisites: 

For information about the specific security patch for your platform, click the appropriate link: 



Acknowledgments

Microsoft thanks the following for working with us to protect customers: 


Obtaining other security patches:

Patches for other security issues are available from the following locations: 


Support:


Security Resources: 


Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. 
Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability 
and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable 
for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits 
or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of 
such damages. Some states do not allow the exclusion or limitation of liability for consequential or 
incidental damages so the foregoing limitation may not apply. 

Revisions:
  • V1.0 October 15, 2003: First Published.
  • V1.1 October 17, 2003: Re-issued to advise of a language specific compatibility issue with some third-party software.
  • V2.0 October 22, 2003: Version changed to reflect the availability of updated patch for specific languages.
  • V3.0 October 29, 2003: A revised version of the security patch for Windows XP has been released to correct the issue documented by Knowledge Base Article 830846.
  • V3.1 November 3, 2003: Updated Patch Replacement section. This patch replaces the patch provided by Security Bulletin MS02-071.
  • V3.2 November 5, 2003: Updated Technical Details and Frequently Asked Questions sections. This update documents the availability of Knowledge Base Article 831739 which addresses reports of application compatibility problems with some third party applications.

[***** End Microsoft Security Bulletin MS03-045 *****]

    CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin.
    DOE-CIRC can be contacted at:
        Voice:          +1 866-941-2472 (7 x 24)
        E-mail:          doecirc@doecirc.energy.gov
        World Wide Web:  http://www.doecirc.energy.gov/