This package contains: CP202SEC004S Version 2
Date: Jan 3/2007

1. PEP Number: CP202SEC004S Version 2

2. Problem Description:
-----------------------
This package contains Microsoft hotfixes to be installed on a server that has
been installed with, or upgraded to, CallPilot 2.02 build 02.01.27. Certain
other changes are also made to improve security.

This PEP supersedes the earlier Security PEPs CP20127G039S, CP20127G046S,
CP20127G050S, CP20127G070S, CP202SEC001S, CP202SEC002S and CP202SEC003S. It
will remove these earlier PEPs from the DMI viewer. The new PEP CP202SEC004S
can be installed whether or not the earlier PEPs have previously been
installed.

Installation can take up to 70 minutes. Less time is needed if anti-virus
software is temporarily disabled during installation. This PEP may be
installed remotely using pcAnywhere.

NOTE: There is an automatic reboot during this PEP install, since MDAC 2.8 SP1
needs it before it can be installed. After the reboot, the system will
automatically log in and resume the PEP installation.

3. List of PRs that are fixed by this PEP:
-------------------------------------------
Q01449531 - DMI view update sets CPservices to disabled after installing PEP
            CP202SEC004S

Security Improvements: hotfixes to patch the following Microsoft Bulletins:

  Microsoft C2 patch Knowledge Base article KB244599
  patch for "This Certificate Has an Invalid Digital Signature" issue (KB305929)
  patch for "Enabling the PIPE_CREATE_INSTANCE flag for non-admin users" issue (KB823492)
  MS01-056 Windows Media Player .ASF Processor Contains Unchecked Buffer
  MS01-048 Mar 17/2003 (rev) Malformed Request to RPC EndPoint Mapper can Cause RPC Service to Fail (305399)
  MS03-001 Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)
  KB811630 HTML Help Update to Limit Functionality When It Is Invoked with the windows.showHelp() Method
  MS03-007 Unchecked buffer in Windows component could cause webserver compromise (815021) (revised Apr 23/2003)
  MS03-008 Flaw in Windows Script Engine Could Allow Code Execution (814078)
  MS03-011 Flaw in Microsoft VM Could Enable System Compromise (816093) (includes MS02-069)
  MS03-018 Cumulative Patch for Internet Information Service (811114) (Supersedes MS02-062, MS02-028 and MS02-018)
  MS03-023 Buffer Overrun In HTML Converter Could Allow Code Execution (823559)
  MS03-024 Buffer Overrun in Windows Could Lead to Data Corruption (817606)
  MS03-029 Flaw in Windows Function Could Allow Denial of Service (823803)
  MS03-030 Unchecked Buffer in DirectX Could Enable System Compromise (819696)
  MS03-034 Flaw in NetBIOS Could Lead to Information Disclosure (824105)
  MS03-040 Cumulative Patch for Internet Explorer (828750)
  MS03-043 Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
  MS03-044 Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)
  MDAC 2.5 SP3
  MS02-065 Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)
  MS01-029 Windows Media Player .ASX Process Contains Unchecked Buffer
  MS04-003 Buffer Overrun in MDAC Function Could Allow Code Execution (832483)
  MS04-011 Security Update for Microsoft Windows (835732)
  MS04-012 Cumulative Update for Microsoft RPC/DCOM (828741)
  MS04-014 Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)
  KB870669 Disable ADODB.Stream on Internet Explorer
  MS04-020 Vulnerability in POSIX Could Allow Code Execution (841872)
  MS04-021 Security Update for IIS 4.0 (841373)
  MS04-023 Vulnerability in HTML Help Could Allow Code Execution (840315)
  MS02-008 XMLHTTP Control Can Allow Access to Local Files
  MS04-025 Cumulative Security Update for Internet Explorer (867801)
  MS04-029 Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)
  MS04-031 Vulnerability in NetDDE Could Allow Remote Code Execution (841533)
  MS04-032 Security Update for Microsoft Windows (840987)
  MS04-036 Vulnerability in NNTP Could Allow Remote Code Execution (883935)
  MS04-037 Vulnerability in Windows Shell Could Allow Remote Code Execution (841356)
  MS04-041 Vulnerability in WordPad Could Allow Code Execution (885836)
  MS04-042 Vulnerability in DHCP Could Allow Remote Code Execution and Denial of Service (885249)
  MS04-043 Vulnerability in HyperTerminal Could Allow Code Execution (873339)
  MS04-044 Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835)
  MS04-045 Vulnerability in WINS Could Allow Remote Code Execution (870763)
  MS05-001 Vulnerability in HTML Help Could Allow Code Execution (890175)
  MS05-002 Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711)
  MS05-010 Feb 8/2005 Vulnerability in the License Logging Service Could Allow Code Execution (885834)
  MS05-011 Feb 8/2005 Vulnerability in Server Message Block Could Allow Remote Code Execution (885250)
  MS05-012 Feb 8/2005 Vulnerability in OLE and COM Could Allow Remote Code Execution (873333)
  MS05-013 Feb 8/2005 Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781)
  MS05-014 Feb 8/2005 Cumulative Security Update for Internet Explorer (867282)
  MS05-015 Feb 8/2005 Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution (888113)
  MS05-016 Apr 12/2005 Vulnerability in Windows Shell that Could Allow Remote Code Execution (893086)
  MS05-017 Apr 12/2005 Vulnerability in Message Queuing Could Allow Code Execution (892944)
  MS05-018 Apr 12/2005 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859)
  MS05-019 Apr 12/2005 Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)
  MS05-026 Jun 14/2005 Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
  MS05-027 Jun 14/2005 Vulnerability in Server Message Block Could Allow Remote Code Execution (896422)
  MS05-031 Jun 14/2005 Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458)
  MS05-040 Aug 9/2005 Vulnerability in Telephony Service Could Allow Remote Code Execution (893756)
  MS05-043 Aug 9/2005 Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)
  MS05-046 Oct 11/2005 Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589)
  MS05-047 Oct 11/2005 Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (905749)
  MS05-049 Oct 11/2005 Vulnerability in Windows Shell Could Allow Remote Code Execution (900725)
  MS05-050 Oct 11/2005 Vulnerability in DirectShow Could Allow Remote Code Execution (904706)
  MS05-053 Nov 08/2005 Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
  MS06-001 Jan 05/2005 Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
  MS06-014 Apr 11/2005 Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)
  MS06-015 Jun 8/2006 Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)
  MDAC 2.8 SP1
  MS06-018 May 09/2006 Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
  MS06-023 Jun 13/2006 Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344)
  MS06-025 Jun 13/2006 Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)

Microsoft Security Bulletins are available at URLs like this:
http://www.microsoft.com/technet/security/bulletin/MS03-018.mspx

A fix to pcAnywhere to fix a security vulnerability:
  10.5.2 update to fix Symantec pcAnywhere Service-Mode Help File Elevation of Privilege

In addition, the following services are set to disabled in order to reduce the
attack surface:
  Alerter
  License Logging Service
  Messenger
  Computer Browser
  TCP/IP NetBIOS Helper
  ClipBook Server
  Directory Replicator
  Net Logon
  Schedule
  TCP/IP Print Server
  UPS

A registry change is made so that the SLEE monitor support tool will still work correctly.
A registry change is made to enable logging of RAS communications.
Registry changes are made to enable signing by the SMB client and server.
Registry changes are made to disable the OS2 and POSIX subsystems.
A registry change is made to disable CD autorun.
A registry change is made to enable RAS NetBIOS auditing.
A registry change is made so that the floppy drive is only available to the locally logged-on user.
Registry changes are made to disable the Macromedia Flash Player ActiveX control in Internet Explorer.
The RDS component of IIS is disabled.
The Exec function of Server Side Includes on IIS is disabled.
A newer (V2.5) version of URLSCAN is installed, with improved checking.
The OS2 and POSIX subsystems are properly disabled (they were already non-functional).
The latest version of the MSI installer is installed.
An updated version of the MSXML parser (4.0 SP2) is installed (needed for the new hotfix checker).
Some file and folder permissions are tightened.
Unneeded web services are deleted or disabled.
Significant additional hardening, including registry permissions and auditing, based on the securws4 profile.

4. Pre-installation notes:
--------------------------
a. Make sure you are installing this PEP on a server that has been installed
   with, or upgraded to, CallPilot 2.02 (2.01.27).

   This PEP replaces the following PEPs:
   -------------------------------------
   - CP20127G039S
   - CP20127G046S
   - CP20127G050S
   - CP20127G070S
   - CP202SEC001S
   - CP202SEC002S
   - CP202SEC003S

   The replaced PEPs will be automatically removed from DMIViewer when
   CP202SEC004S is installed.

b. Make sure the CallPilot server is fully booted before beginning PEP
   installation. Stop any other applications running on the local console,
   including all support tools and the CallPilot PEP Maintenance Utility
   (DMI Viewer).

c. Disable any anti-virus software active on the server prior to installing
   this PEP. (This makes the PEP install faster.) As a precaution, it is
   recommended that the CLAN connection be disconnected prior to disabling the
   anti-virus software.

d. Ensure the system has sufficient disk space available to install this PEP.
   If needed, remove any unnecessary files and folders in the c:\temp or
   d:\temp folders. If an error occurs while attempting to remove a particular
   file, ignore the error, but try to remove as many files and folders as
   possible in the temp folder. It is possible that the file is being used by
   Windows NT.
   Note: do not remove the c:\temp, d:\temp and d:\temp\CP202SEC004S folders.
   Once you have finished cleaning up, empty the recycle bin.

e. Ensure there is a recent backup available prior to installing this PEP. It
   is always recommended that a backup be performed (or the RAID split) just
   prior to performing any server maintenance activity, to ensure the most
   recent customer data is available should a restore be needed.

f. The PEP installation is automatic. When this is complete, a dialog box is
   displayed with the title "CallPilot OS Security PEP Installation
   Completed". The system will reboot into service when the OK button is
   clicked on this dialog.
   Note: Do not reboot the system until the PEP installation is finished,
   otherwise the PEP may not be properly registered on the server.

5. Installing the PEP:
----------------------
a. Begin installation by executing CP202SEC004S.exe to extract the files to
   the D:\TEMP\CP202SEC004S folder.

b. Navigate to the D:\TEMP\CP202SEC004S folder and run "RUNME.BAT" to launch
   the installer. Note that RUNME.BAT MUST be executed from this exact folder
   or the PEP install will fail.

c. Click on OK to start the installation of the PEP. Total time required will
   be about 70 minutes, plus the time to reboot into service.
   Note: This PEP automatically installs a number of Microsoft hotfixes. Do
   not close any windows or click on any buttons while the PEP is being
   installed, or the PEP will not install successfully.

d. When the PEP installation is complete, a window will be displayed with the
   title "CallPilot OS Security PEP Installation Completed". Click on the OK
   button to reboot the server.

e. If anti-virus software was disabled, check to ensure it is now enabled.
   Note that it must be properly configured to scan "incoming" files only.
   See the bulletin on configuring anti-virus software for CallPilot.

6. Installation Log
-------------------
File "secpep.log" in the root folder of the system drive will contain a log of
the actions performed during PEP installation. In addition, a note will be
added to the file "osvers.txt", also in the root folder of the system drive.

7. PEP Uninstall
----------------
Due to the nature of the Microsoft hotfixes contained within this PEP, it
cannot be uninstalled. Once applied, if it is removed from DMIViewer, only the
reference to PEP CP202SEC004S will actually be removed.

8. PEP Reinstallation
---------------------
If required, this PEP may be installed again without any problem. This will
reapply hotfixes and other configuration changes.
If the PEP is not already in the PEP Utility (DMI Viewer), the PEP entry will
be added when the PEP is reinstalled. It is possible that one or more popup
windows may appear saying that a particular hotfix is not needed. Just click
OK and the reinstallation will continue. If the PEP is already listed in the
CallPilot PEP Utility (DMIViewer), it will not be added again to this utility.

9. Supplemental Information - Verifying HotFixes
------------------------------------------------
Microsoft has released a tool called MBSAcli to check a system to ensure that
all relevant security hotfixes are present. A version of this tool is provided
in the PEP (in the D:\TEMP\CP202SEC004S\HotFixes\Checker folder). The tool
makes use of an XML file from Microsoft called "mssecure_0128.xml" telling it
which hotfixes are available, when they are needed and how to check for them.
The PEP includes a version of this XML file that was current at the time the
PEP was created.

MBSACLI replaces the previous hfnetchk hotfix checker. The new version does a
better job of checking hotfixes for different OS components. "mbsacli /hf"
replaces "hfnetchk".

To run the hotfix checker:
  Use Windows NT Explorer to double-click
  D:\TEMP\CP202SEC004S\HotFixes\Checker\CheckHotFixes.bat

Watch for "Patch Not Found" errors, which indicate hotfixes that are needed but
are not installed. Ignore "Note" messages. These just give some additional
information related to a given patch.

Note: For this PEP, it is normal for MS04-037 to show "Patch Not Found" and
for warnings to be shown related to patches MS01-041, MS02-055, MS03-024,
MS03-044, MS04-011, MS04-012, MS04-023, MS04-032, MS04-044, MS05-002 and
MS04-004, since CallPilot will have a more recent file version than expected.
The patches are, in fact, installed.

Note: The tool may give an error if the CallPilot server is still booting up.
If this happens, try running the tool again later.
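The triage rules above can be applied by script rather than by eye. The following Python is an added example, not a file from the PEP package: it reads the text output of CheckHotFixes.bat (mbsacli /hf), sets aside the bulletins the note lists as expected "Patch Not Found" and warning results, and reports only what still needs follow-up. The sample output is constructed, and the exact column layout of mbsacli /hf lines is an assumption.

```python
import re

# Bulletins the readme says CheckHotFixes.bat misreports on CallPilot 2.02
# (newer file versions than MBSA expects); they are really installed.
EXPECTED_NOT_FOUND = {"MS04-037"}
EXPECTED_WARNINGS = {"MS01-041", "MS02-055", "MS03-024", "MS03-044", "MS04-011",
                     "MS04-012", "MS04-023", "MS04-032", "MS04-044", "MS05-002",
                     "MS04-004"}

# Status wording follows the readme; the column layout of mbsacli /hf output
# is an assumption, so only the status text and the bulletin id are matched.
LINE_RE = re.compile(
    r"^\s*(?P<status>patch\s+not\s+found|warning|note)\s+(?P<id>MS\d{2}-\d{3})\b",
    re.IGNORECASE)

def triage(output):
    """Sort mbsacli /hf result lines into buckets by what the admin must do."""
    buckets = {"missing": [], "expected_not_found": [], "expected_warning": [],
               "review_warning": [], "ignored_note": []}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, blank and progress lines carry no verdict
        status = re.sub(r"\s+", " ", m.group("status").lower())
        bid = m.group("id").upper()
        if status == "patch not found":
            key = "expected_not_found" if bid in EXPECTED_NOT_FOUND else "missing"
        elif status == "warning":
            key = "expected_warning" if bid in EXPECTED_WARNINGS else "review_warning"
        else:
            key = "ignored_note"  # readme: "Note" messages are informational only
        buckets[key].append(bid)
    return buckets

def needs_attention(output):
    """Bulletin ids still needing follow-up once the readme's exceptions apply."""
    b = triage(output)
    return sorted(set(b["missing"] + b["review_warning"]))

# Constructed sample (not a real capture) shaped like CheckHotFixes.bat output.
SAMPLE_OUTPUT = """\
Scanning CALLPILOT01 ...
* WINDOWS NT4 SP6a
Patch NOT Found MS04-037    841356
Patch NOT Found MS05-027    896422
Warning         MS04-011    835732
Warning         MS03-018    811114
Note            MS05-002    891711
"""
```

Calling needs_attention(SAMPLE_OUTPUT) returns ['MS03-018', 'MS05-027']; MS04-037 and MS04-011 are set aside as the documented exceptions, and the MS05-002 note is ignored.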
To display a list of hotfixes that have been explicitly installed on this
server, do the following:
  Use Windows NT Explorer to double-click
  D:\TEMP\CP202SEC004S\HotFixes\Checker\ListHotFixes.bat

NOTE: the list displayed is incomplete. Some hotfixes that are, in fact,
installed will not appear in the list. Use the "CheckHotFixes" command to
determine if any needed hotfixes are missing.

NOTE: since Microsoft has phased out public support for NT 4, the normal
HotFix checker is becoming less useful. A new tool called "UpdateScan" can be
used to verify MS05-011, MS05-012, MS05-013 and MS05-015. Microsoft has also
phased out support for IE 5.5 SP2 on NT 4. These patches cannot be checked
except by manually verifying file versions (e.g. MS05-014).

To run UpdateScan, use Windows NT Explorer to go to
D:\TEMP\CP202SEC004S\HotFixes\Checker. Install the MS XML Parser 3 by
double-clicking on msxml3.msi. Then run the batch file UpdateScan.bat by
double-clicking on it. A log file called updatescan.txt will be generated;
any errors doing the scan will be logged here. The results of the scan are
given in an XML file called results.xml. Double-click on this file to open it
in Internet Explorer. There is a section for each patch. Look to see if
hotfixes are shown with status "Installed".

NOTE: For this PEP, IE 6.0 patches (MS05-014, MS05-025, MS05-038, MS05-052
and MS06-013) will show as missing ("Applicable"). It is normal for MS05-026,
MS06-014 and MS06-025 to show "Applicable"; those patches are actually
installed. It is normal for MS05-049 to show "Applicable", since CallPilot
will have a more recent file version than expected: MS05-053 has updated all
the files that MS05-049 placed.