* Windows NT Workstation 4.0 Service Pack 6a
* Windows NT Server 4.0 SP 6a
* Windows NT Server 4.0 TSE SP 6
* Windows 2000 SP 2, SP 3, and SP 4
* Windows XP and Windows XP SP 1
* Windows XP 64-Bit Edition SP 1
* Windows XP 64-Bit Edition Version 2003
* Windows Server 2003
* Windows Server 2003 64-Bit
* Windows 98, Windows 98 SE, and Windows Me

This affects the same operating systems as MS04-011.

This affects the same operating systems as MS04-011 and the following versions of Outlook Express:

* Outlook Express 5.5 SP2
* Outlook Express 6
* Outlook Express 6 SP1
* Outlook Express 6 SP1 64-bit Edition
* Outlook Express 6 on Windows Server 2003
* Outlook Express 6 on Windows Server 2003 64-bit edition

Best online Microsoft MCTS Training, Microsoft MCITP Certification at

This vulnerability only applies to the Microsoft Jet Database component for the same OS versions as MS04-011. It could have been installed at a later time on some Windows NT systems, so if you aren’t certain that it is installed, Microsoft recommends that you scan for Msjet40.dll and if you find it, then apply the patch in the MS04-014 Security Bulletin.

Risk level – Moderate to Critical
The highest rated threats are “Critical.” For Windows 98 versions and Me, many of these threats do not apply and the highest rated threat is not critical. For all the other vulnerable operating systems, there is a complex chart in the MS04-011 Security Bulletin showing exactly what level of threat each of the vulnerabilities poses to various systems.

The highest rated threats are “Critical.” For Windows 98 and Windows NT, these threats either don’t apply or are low risk. For Windows 2000, Windows XP, and Windows Server 2003 some of these threats rate critical.

This is a “Critical” threat because this vulnerability allows remote execution of arbitrary code; note that this applies only to Outlook Express, but not to the full version of Outlook, so many businesses may not need to apply this patch.

The highest rated threat is “Important.” This can allow remote code execution. For Windows 98 and Windows Me, this is rated “Not Critical.” For Windows NT this threat is rated “Moderate.” For Windows 2000, Windows XP, and Windows Server 2003 the threat is rated “Important.”

Mitigating factors

* LDAP Vulnerability (CAN-2003-0663) – Firewall best practices would block the attack and other mitigating factors exist.
* PCT Vulnerability (CAN-2003-0719) – This only affects systems with SSL enabled; firewall best practices would also help block the attack.
* Winlogon Vulnerability (CAN-2003-0806) – Windows Server 2003 is not vulnerable.
* Help and Support Vulnerability (CAN-2003-0907) – Users must visit a malicious Web site or open a malicious e-mail.
* Utility Manager Vulnerability (CAN-2003-0908) – This requires a valid local logon.
* Windows Management Vulnerability (CAN-2003-0909) – This requires a valid local logon.
* Negotiate SSP Vulnerability (CAN-2004-0119) – In most instances the attack would only result in a DoS event and wouldn’t allow an attacker to take over the system.
* SSL Vulnerability (CAN-2004-0120) – This only affects systems that use SSL and even those should be protected by applying best practices to firewall configurations.
* ASN.1 “Double Free” Vulnerability (CAN-2004-0123) – This would be difficult to exploit.
* LSASS Vulnerability (CAN-2003-0533) – Firewall best practices would help block this attack.
* Metafile Vulnerability (CAN-2003-0906) – Users would have to be persuaded to open a malicious file.
* H.323 Vulnerability (CAN-2004-0117) – Most users aren’t vulnerable unless NetMeeting is running; those using ICF and no applications which use H.323 aren’t vulnerable.
* Local Descriptor Table Vulnerability (CAN-2003-0910) – This requires a valid local logon.
* Virtual DOS Machine Vulnerability (CAN-2004-0118) – This requires a valid local logon.

Firewall best practices will provide good protection against all of these vulnerabilities except CAN-2003-0807, for which the default installation would not be vulnerable anyway.

The threat covered by MS04-013 is mitigated somewhat if the cumulative patch in Microsoft Security Bulletin MS03-040 has already been applied.

If the application using Jet uses strong input validation then the vulnerability should be greatly reduced or completely eliminated.

Patches are provided for all these threats. You can find links in the appropriate bulletins. For MS04-013, there are several rather weak workarounds, including the most basic one of opening e-mail in text rather than HTML display mode. There are no workarounds for MS04-014.

For details on any of the workarounds for MS04-011 or MS04-012 that are listed below, see the appropriate Security Bulletin.

Workarounds for MS04-011 (provided by Microsoft)

* LDAP Vulnerability (CAN-2003-0663) – Block LDAP TCP ports 389, 636, 3268, and 3269.
* PCT Vulnerability (CAN-2003-0719) – Disable PCT in the Registry.
* Winlogon Vulnerability (CAN-2003-0806) – Reduce the number of administrator accounts.
* Help and Support Vulnerability (CAN-2003-0907) – Unregister the HCP Protocol; install Outlook E-mail security updates on Outlook SP1 or earlier systems; open e-mail in plain text.
* Utility Manager Vulnerability (CAN-2003-0908) – Disable Utility Manager.
* Windows Management Vulnerability (CAN-2003-0909) – Delete the Windows Management Interface Provider.
* Negotiate SSP Vulnerability (CAN-2004-0119) – Disable Integrated Windows Application; disable negotiate ssp.
* SSL Vulnerability (CAN-2004-0120) – Disable SSL and LDAPS access by blocking Ports 443 and 636.
* ASN.1 “Double Free” Vulnerability (CAN-2004-0123) – There’s no workaround.
* LSASS Vulnerability (CAN-2003-0533) – Enable ICF and block a variety of ports; see the bulletin for details.
* H.323 Vulnerability (CAN-2004-0117) – Block TCP Ports 1720 and 1503 in both directions.
* Metafile Vulnerability (CAN-2003-0906) – Open e-mails in plain text.
* Local Descriptor Table Vulnerability (CAN-2003-0910) – There’s no workaround.
* Virtual DOS Machine Vulnerability (CAN-2004-0118) – There’s no workaround.

Workarounds for MS04-012 (provided by Microsoft)
For CAN-2004-0124 and CAN-2003-0813 only, activate ICF (the Internet Connection Firewall) and block:

* UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593.
* Unsolicited inbound packets on ports higher than 1024.
* COM Internet Services (CIS) or RPC over HTTP (Ports 80 and 443).
* Use IPSec to block ports where practical.
* Enable advanced TCP/IP filtering where available.

For CAN-2003-0813, disable DCOM on all systems. For CAN-2003-0807, do not enable the affected components, which are not enabled by default.

Final word
I’m of two minds about this massive patch release. On the one hand, it certainly saves a lot of time to be able to download and apply these patches in one fell swoop rather than piecemeal. For instance, MS04-011 contains at least 11 separate fixes rolled into a single set of patches. If these had been released as soon as available, then the same software would have been patched multiple times in any shop that applies critical patches on a timely basis.

On the other hand, Microsoft has apparently been sitting on a lot of these patches for some time because they were working on other patches and wanted to combine them all in one big release. That, of course, left machines vulnerable to holes that Microsoft knew about and had already produced a fix for, but hadn’t yet distributed the patch.

I would much prefer seeing more timely patches with a simple note that administrators should expect a later patch for the same software and might wish to consider applying workarounds temporarily.
Also watch for…

* By now everyone who cares to look at their inbox knows that CANSpam, last year’s SPAM legislation from the U.S. federal government, has had little of the claimed effect of actually reducing the volume of Spam, which has led many to label it a pro-SPAM bill. Fortunately, ZDNet reports that some states are stepping up to give it some real teeth. AOL helped Maryland draft new antispam laws that could put spammers in jail for 10 years if they hijack other computers to spread their messages, something the federal legislation didn’t include. Other states are following suit.
* Re-released Microsoft Security Bulletins MS00-082, MS01-041, MS02-011, and MS03-046 were all updated to note the availability of an update for Exchange Server 5.0. MS02-011 also notes an update for Windows NT Server 4.0.