Threat Level: green Handler on Duty: Tom Webb

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-01-11 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Black Tuesday 4 vulnerabilites, Wins Traffic flow diagrams

Published: 2005-01-11
Last Updated: 2005-01-11 23:42:02 UTC
by donald smith (Version: 1)
0 comment(s)
New Poll.
FireFox vulnerability POC released.
WINS traffic flow diagrams.
Microsoft Tuesday 3 patches & 4 vulnerabilities announced today.

The question for the new poll released today is "When do you think public release of an exploit is useful?" This is your chance to be heard.

WINS update
Several people have noticed that there appears to be a fairly low number of source addresses associated with the WINS scanning. This implies to an autorooter rather then a worm is responsible for the WINS scanning.
The Internet Motion Sensor project has released an analysis of the traffic on TCP port 42 associated with recent WINS exploit activity. This report was written by Evan Cooke of U of Mich, Jose Nazario and Danny McPherson of Arbor Networks.
The report is located here: http://ims.eecs.umich.edu/reports/port42/

One Important and 2 Critical patches were announced today by Microsoft.
http://www.microsoft.com/security/bulletins/200501_windows.mspx

Microsoft Security Bulletin MS05-001 Critical

Vulnerability in HTML Help Could Allow Code Execution (890175)
http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx

Vulnerability:A cross-domain vulnerability exists in HTML Help ActiveX control that could allow information disclosure or remote code execution on an affected system.

Affected Software: Basically every Microsoft OS other then NT Server SP6a and NT terminal server SP6a. NT is affected if they have IE 6.0 sp1 installed.

Mitigation: Set Internet and Local intranet security zone settings to ?High? to prompt before running ActiveX controls and active scripting in the Internet zone and in the Local intranet zone.
This will cause a lot of prompting since many websites use active-x. An alternate mitigation would be to trust some websites but the users has to add each trusted website by hand.
Microsoft Security Bulletin MS05-002 Critical
Cursor and Icon Format Handling Vulnerability - CAN-2004-1049 AND
Windows Kernel Vulnerability - CAN-2004-1305

Vulnerability CAN-2004-1049:
Cursor and Icon Format Handling Vulnerability - CAN-2004-1049:
A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Affected Software: Basically every Microsoft OS other then Microsoft Windows XP Service Pack 2.

Mitigation: Read e-mail messages in plain text format.


Vulnerability - CAN-2004-1305:
The Windows Animated Cursor (ANI) in Windows allows remote attackers to cause a denial of service (kernel crash or resource consumption) via the (1) frame number or (2) rate number set to zero.

Affected Software: Basically every Microsoft OS other then Microsoft Windows XP Service Pack 2.

Mitigation: Read e-mail messages in plain text.
Microsoft Security Bulletin MS05-003 Important

Vulnerability CAN-2004-0897:
A remote code execution vulnerability exists in the Indexing Service because of the way that it handles query validation. An attacker could exploit the vulnerability by constructing a malicious query that could potentially allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. While remote code execution is possible, an attack would most likely result in a denial of service condition.

Affected Software:
Win 2K SP 3
Win 2k SP 4
Win XP SP 1
Win XP 64-Bit SP 1
Win XP 64-Bit 2003
Win Server 2003
Win Server 2003 64-Bit Edition

Mitigation: Block the following ports:
UDP ports 137 and 138 and TCP ports 139 and 445


Microsoft is not doing enough Quality Control on their vulnerability announcements.

From: http://www.microsoft.com/security/bulletins/200501_windows.mspx
In the description of CAN-2004-1305 microsoft states its a DOS. Then they imply a remote user would get the same privledges as the user under mitigation.

According to an eEye release today the ANI vulnerability can lead to remote code execution.
eEye Digital Security has discovered a vulnerability in USER32.DLL's
handling of Windows animated cursor (.ani) files that will allow a
remote attacker to reliably overwrite the stack with arbitrary data and
execute arbitrary code.
A Firefox exploit was released for a vulnerability in Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP SP2.

Details:
Using javascript it is possible to spoof the content of security and download dialogs by partly covering them with a popup window. This can fool a user to download and automatically execute a file (if a file extension association exists) or to grant a script local data access (if codebase principals are enabled).

Yesterday's diary discussed printme a "harmless joke application".
This is not related in anyway to www.printme.com which is used by many hotels to allow customers to print documents without installing drivers/software.

Keywords:
0 comment(s)
Diary Archives