__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Microsoft Vulnerability in Virtual PC for Mac
[MS04-005]

February 10, 2004 19:00 GMT                                      Number O-076
______________________________________________________________________________
PROBLEM:       A security vulnerability exists in Microsoft Virtual PC for Mac
               because of the method by which Virtual PC for Mac creates a
               temporary file when you run Virtual PC for Mac.
PLATFORM:      Microsoft Virtual PC for Mac Version 6.0
               Microsoft Virtual PC for Mac Version 6.01
               Microsoft Virtual PC for Mac Version 6.02
               Microsoft Virtual PC for Mac Version 6.1
DAMAGE:        An attacker could exploit this vulnerability by inserting
               malicious code into the file which could cause the code to run
               with system privileges giving the attacker complete control
               over the system.
SOLUTION:      Install the security update.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An authorized user could gain root.
ASSESSMENT:
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-076.shtml
 ORIGINAL BULLETIN:  Microsoft Security Bulletin MS04-005
                     http://www.microsoft.com/technet/security/bulletin/MS04-005.asp
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0115
______________________________________________________________________________
[***** Start MS04-005 *****]

Microsoft Security Bulletin MS04-005

Vulnerability in Virtual PC for Mac could lead to privilege elevation (835150)

Issued: February 10, 2004
Version: 1.0

Summary

Who should read this document: Customers who are using Microsoft® Virtual PC
for Mac

Impact of vulnerability: Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should install this security update at the earliest
opportunity

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

  * Microsoft Virtual PC for Mac version 6.0 - Download the update
  * Microsoft Virtual PC for Mac version 6.01 - Download the update
  * Microsoft Virtual PC for Mac version 6.02 - Download the update
  * Microsoft Virtual PC for Mac version 6.1 - Download the update

Non Affected Software:

  * None

The software listed above has been tested to determine if the versions are
affected. Other versions either no longer include security patch support or
may not be affected. Please review the Microsoft Support Lifecycle Web site to
determine the support lifecycle for your product and version.

Technical Details

Technical description:

A security vulnerability exists in Microsoft Virtual PC for Mac. The
vulnerability exists because of the method by which Virtual PC for Mac creates
a temporary file when you run Virtual PC for Mac. An attacker could exploit
this vulnerability by inserting malicious code into the file which could cause
the code to be run with system privileges.
This could give the attacker complete control over the system. To exploit this
vulnerability, an attacker would have to already have a valid logon account on
the local system, or the attacker would already have to have access to a valid
logon account.

Mitigating factors:

  * An attacker must have valid logon credentials to exploit the
    vulnerability. The vulnerability could not be exploited remotely without a
    valid user account.
  * Systems that are secured by using best practices are at reduced risk from
    this vulnerability. Standard best practices recommend only allowing
    trusted users to log on to systems interactively.

Severity Rating:

*********************************************************************************
Microsoft Virtual PC for the Macintosh (all supported versions)      Important
*********************************************************************************

The above assessment is based on the types of systems that are affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2004-0115

Security Update Information

Installation Platforms and Prerequisites:

  * Virtual PC for the Macintosh (all supported versions)

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  * George Gal of @stake for reporting the issue in MS04-005.

Obtaining other security updates:

Updates for other security issues are available from the following locations:

  * Security updates are available from the Microsoft Download Center, and can
    be most easily found by doing a keyword search for "security_patch".
  * Additional Macintosh downloads can be found at the Microsoft Mactopia
    website
  * Updates for consumer platforms are available from the WindowsUpdate Web
    site.

Support:

  * Technical support is available from Microsoft Product Support Services at
    1-866-PCSAFETY for customers in the U.S. and Canada.
    There is no charge for support calls that are associated with security
    updates.
  * International customers can get support from their local Microsoft
    subsidiaries. There is no charge for support associated with security
    updates. Information on how to contact Microsoft support is available at
    the International Support Web Site.

Security Resources for Windows:

  * The Microsoft TechNet Security Web Site provides additional information
    about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the possibility
of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation
may not apply.

Revisions:

  * V1.0 February 10, 2004: Bulletin published

[***** End MS04-005 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-067: Sun Vulnerability with Loading Arbitrary Kernel Modules
CIACTech04-001: Remote Detection of the MyDoom.A Worm
O-068: Microsoft Internet Explorer Cumulative Patch
O-069: Sun kcms_server Daemon Vulnerability
O-070: Sun Basic Security Module (BSM) Vulnerability
O-071: Debian kernel-patch-2.4.17-mips Integer Overflow
O-072: Check Point FireWall-1 HTTP Security Server Vulnerability
O-073: Check Point VPN-1 Server and VPN Client Buffer Overflow Vulnerability
O-074: Red Hat Cross-site Scripting Vulnerability in Mailman Package
O-075: RealPlayer / RealOne Player Buffer Overrun Vulnerabilities
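
ADDED EXAMPLE (not part of the CIAC or Microsoft bulletin, and not Virtual PC
code): the Technical description attributes the flaw to how a temporary file
is created by a program running with system privileges. The C sketch below
assumes the general form of that bug class, a predictable file name opened
without exclusive creation, and sets it beside a hardened open; every function
name and path in it is hypothetical.

```c
/* Added illustration of the bug class, not Virtual PC code; names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: predictable name, no O_EXCL. A file another local user created
 * first is silently adopted, content and all. */
int open_temp_weak(const char *path) {
    return open(path, O_RDWR | O_CREAT, 0666);
}

/* Hardened: succeed only if this call creates the file, never follow a
 * symlink, owner-only mode, then verify the object actually opened. */
int open_temp_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;              /* EEXIST: name was already taken */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & 077)) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Constructed scenario: the predictable name exists before the program runs.
 * Returns 1 when the weak open adopts it and the hardened open refuses. */
int demo_planted_file(void) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", path[64], buf[8] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/helper.tmp", dir);
    FILE *f = fopen(path, "w");         /* stands in for the other user */
    if (!f) return -1;
    fputs("planted", f);
    fclose(f);
    int weak = open_temp_weak(path);
    int adopted = weak >= 0 && read(weak, buf, 7) == 7 && !strcmp(buf, "planted");
    if (weak >= 0) close(weak);
    int refused = open_temp_safe(path) < 0 && errno == EEXIST;
    unlink(path);
    rmdir(dir);
    return adopted && refused;
}
```

Creating the file inside a directory that only the privileged user can write
to removes the race altogether; the exclusive open is the fallback when a
shared directory cannot be avoided.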