
Microsoft Releases 8 Critical Security Patches, etc.

Published: 2005-02-08
Last Updated: 2005-02-08 22:36:33 UTC
by Lenny Zeltser (Version: 1)

Microsoft Releases Security Patches



True to its word, Microsoft released several security patches today. Eight of the patches are marked "critical." You can find information about today's patches at the following URLs:

http://www.microsoft.com/security/bulletins/200502_windows.mspx

http://www.microsoft.com/technet/security/bulletin/ms05-feb.mspx



Our team compiled the following technical summary of today's patch cluster. This was written by several people working in parallel, so please excuse the differences in style across the segments.


Bulletin   Severity    Impact                                           Supersedes
MS05-004   Important   Information Disclosure, Elevation of Privilege   N/A
MS05-005   Critical    Remote Code Execution                            MS04-028
MS05-006   Moderate    Remote Code Execution                            N/A
MS05-007   Important   Information Disclosure                           N/A
MS05-008   Important   Remote Code Execution                            N/A
MS05-009   Critical    Remote Code Execution                            MS03-021, MS04-010
MS05-010   Critical    Remote Code Execution                            N/A
MS05-011   Critical    Remote Code Execution                            N/A
MS05-012   Critical    Remote Code Execution                            MS03-010, MS03-026, MS03-039
MS05-013   Critical    Remote Code Execution                            N/A
MS05-014   Critical    Remote Code Execution                            MS04-038, MS04-040
MS05-015   Critical    Remote Code Execution                            N/A


Our handlers prioritized today's patches in the following order:



Priority #1:

Make sure that all machines have standard Microsoft networking ports blocked from access by unknown parties.



Priority #2:

To protect from automated attacks (in priority order):

MS05-011: Vulnerability in Server Message Block Could Allow Remote Code Execution (885250)

MS05-010: Vulnerability in the License Logging Service Could Allow Code Execution (885834)

MS05-004: ASP.NET Path Validation Vulnerability (887219)



Priority #3:

To protect from attacks by malicious websites or email (in priority order):

MS05-013: Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781)

MS05-014: Cumulative Security Update for Internet Explorer (867282)

MS05-015: Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution (888113)

MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)

MS05-005: Vulnerability in Microsoft Office XP could allow Remote Code Execution (873352)

MS05-012: Vulnerability in OLE and COM Could Allow Remote Code Execution (873333)



Priority #4:

To protect other issues (non-prioritized):

MS05-008: Vulnerability in Windows Shell Could Allow Remote Code Execution (890047)

MS05-007: Vulnerability in Windows Could Allow Information Disclosure (888302)

MS05-006: Vulnerability in SharePoint Could Allow Cross-Site Scripting and Spoofing Attacks (887981)

"Critical" Vulnerabilities



MS05-005: Vulnerability in Microsoft Office XP could allow Remote Code Execution (873352)

http://www.microsoft.com/technet/security/bulletin/ms05-005.mspx



A buffer overrun exists in Office XP that is triggered by a specially crafted URL, which could be hosted on a web site. When the user follows the malicious link, the browser hands the URL to Office XP components and the attacker's code is executed, giving access to the system.



Impacted systems are Office XP, Project and Visio 2002, and MS Works. This patch is available at officeupdate.microsoft.com.


Microsoft offers the following workaround:

Enable prompting for Office documents. By default, Internet Explorer will prompt the user to Open/Save As the document. Note: If this functionality has been turned off, the documents will automatically be opened. To re-enable this functionality, follow these steps:

1. Double-click on the My Computer icon on your desktop or in the start menu right-click My Computer and select Explore.

2. From the Tools menu, select Folder Options.

3. On the File Types tab, for each Office file type, highlight and click Advanced.

4. In the dialog box that is displayed, verify that the Confirm open after download setting is checked. Also, uncheck Browse in same window if it is checked.



The workaround causes Internet Explorer to prompt the user to Open or Save the file. Picking Open will still cause the file to be executed.



Related CVE ID: CAN-2004-0848:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0848




MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)

http://www.microsoft.com/technet/security/bulletin/ms05-009.mspx


Successful exploitation of these vulnerabilities may allow a remote attacker to execute arbitrary code when the victim views a maliciously-crafted PNG image. One of the two vulnerabilities that this patch corrects is CAN-2004-0597, which was announced earlier this year in connection with a buffer overflow bug in libpng 1.2.5. At the time, the vulnerability was only discussed in the context of UNIX systems; apparently Windows platforms are vulnerable to this as well.



The CAN-2004-1244 vulnerability affects Media Player 9. The other vulnerability that this patch addresses, CAN-2004-0597, affects Windows Messenger and MSN Messenger 6.1 and 6.2. See Microsoft's bulletin for detailed information on which versions are affected on which operating systems.



Microsoft's bulletin provides several suggestions for mitigating the risk associated with these vulnerabilities.



This set of vulnerabilities, and the associated threats, is reminiscent of the MS04-028 announcement, made in the fall of 2004, which affected the processing of JPG/JPEG files.



Related CVE IDs: CAN-2004-1244 and CAN-2004-0597:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1244

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597




MS05-010: Vulnerability in the License Logging Service Could Allow Code Execution (885834)

http://www.microsoft.com/technet/security/bulletin/MS05-010.mspx



Remote code execution vulnerability in License Logging Service. This (understandably) only affects Windows server offerings.

Affected Software: NT Server 4.0 & 4.0 Terminal Server, SP6a

2000 Server SP 3 & 4

Server 2003, x86 & Itanium



Not Affected:

2000 Pro, XP, 98 & ME



The impact is listed as Critical for NT 4 & 2000 Server SP3, Important for 2000 Server SP4, and Moderate for Server 2003. This is likely due to the fact that the License Logging Service is not enabled by default on Server 2003, and only authenticated users can connect to the License Logging Service on 2000 SP4 and Server 2003. Microsoft believes this vulnerability is limited to a denial of service on Server 2003.



Additionally, on Small Business Server 2000/2003 this service *is* enabled by default. SBS 2003 limits access to this service to the local network. From my interpretation of this bulletin, users of SBS are at the most risk from this vulnerability, as they are the most likely to be utilizing the License Logging service.



Workarounds include disabling the License Logging service (if you haven't already), limiting access to ports 139/445 via a firewall (if you haven't already), and preventing unauthenticated users from accessing the License Logging Service by removing the 'Llsrpc' value from the 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes' registry key.



MS Gives shouts 'n' greets to Kostya Kortchinsky from CERT RENATER for reporting this issue.



Related CVE ID: CAN-2005-0050:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0050




MS05-011: Vulnerability in Server Message Block Could Allow Remote Code Execution (885250)

http://www.microsoft.com/technet/security/bulletin/ms05-011.mspx



The Server Message Block (SMB) protocol is used by Windows to share files, printers, serial ports, and also to communicate between computers. There is a problem with the way affected operating systems validate certain SMB packets.



From MSFT's vague description of the issues, it appears that the vulnerability lies in the handling of broadcast SMB packets, which mitigates the possibility of this being used for an automated remote attack (i.e., a worm), because broadcast SMB packets should not be routed. However, according to the documents available, this may be exploitable by other means (clicking on a specifically crafted URL) and so there is a possibility of having malicious code exploiting this vulnerability dropped into a local network.



Affected Software: Win2K (SP3 & 4), WinXP (SP1 & 2), WinXP64-bit (SP1), WinXP64-bit (2003), WinServer2003 and WinServer2003 for Itanium. Folks on Win98, Win98SE and WinME are in the clear. Win95 is probably also OK, but is currently not supported.


Does this finally clear up eEye's outstanding advisory?

http://www.eeye.com/html/research/upcoming/index.html




MS05-012: Vulnerability in OLE and COM Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/bulletin/ms05-012.mspx



This bulletin covers two vulnerabilities, one of which allows remote code execution (OLE) and the other privilege escalation (COM). This bulletin replaces MS03-010, MS03-026 and MS03-039. It affects basically every Microsoft operating system and Office product; check the bulletin to be sure whether you are affected.

It is important to note that Microsoft classifies these as critical on systems with Exchange Server running on them. According to Microsoft, "Exchange Servers are primarily at risk because an attacker could try to exploit this vulnerability without any required user interaction, and because Exchange Servers typically run with elevated user rights."



OLE: The first is an "unchecked buffer in how OLE validates data" (sounds like a buffer overflow). If exploited, the attacker gains the same privileges as the logged-on user. OLE provides the ability to link and embed (think layered) items within a document. Microsoft has also used it to allow "in-place" editing, which lets the current window be modified when a new application is launched instead of opening a new window.



COM: This vulnerability exists in the way "affected operating systems and programs access memory when they process COM structured storage files or objects." COM allows a file to contain a structure describing the objects contained within itself. The vulnerability definition isn't very clear, but it appears that COM structured storage files or objects can be made to access areas of memory they shouldn't. The threat lies in allowing a specially crafted program to run that would lead to a complete takeover of the system.




MS05-013: Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781)

http://www.microsoft.com/technet/security/bulletin/ms05-013.mspx



A vulnerability exists in the DHTML Editing Component ActiveX Control. This vulnerability could allow information disclosure or remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited that page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.



Affected Software:

Windows 2000 SP3 and SP4

XP SP1 and SP2

XP 64-Bit Edition Service Pack 1 (Itanium)

XP 64-Bit Edition Version 2003 (Itanium)

Windows Server 2003

Server 2003 for Itanium-based Systems

Windows 98, Windows 98 Second Edition, and Windows Millennium Edition



Mitigation: Ensure HTML e-mail is opened in the Restricted sites zone if you use Outlook Express 6, Outlook 2000, Outlook 2002 or Outlook 2003. Run IE with the Enhanced Security Configuration enabled on Server 2003 systems. XP SP2 systems should ensure that IE is operating in the Local Machine Lockdown zone. For details see:

http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/locallockdown.aspx



Related CVE ID: CAN-2004-1319:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1319




MS05-014: Cumulative Security Update for Internet Explorer (867282)

http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx



Vulnerability:
This is an aggregate patch to deal with the following vulnerabilities that could allow remote code execution: Drag and Drop Vulnerability - CAN-2005-0053, URL Decoding Zone Spoofing Vulnerability - CAN-2005-0054, DHTML Method Heap Memory Corruption Vulnerability - CAN-2005-0055, Channel Definition Format (CDF) Cross Domain Vulnerability - CAN-2005-0056.



Affected Software: Every combination of Windows 98/2000/XP/2003, with IE 5, 5.5, and 6 is vulnerable to at least one of the vulnerabilities that this cumulative patch addresses.



Drag and Drop Vulnerability - CAN-2005-0053: A privilege elevation vulnerability exists in Internet Explorer because of the way that Internet Explorer handles drag-and-drop events. An attacker could exploit the vulnerability by constructing a malicious Web page. This malicious Web page could potentially allow an attacker to save a file on the user's system if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.



Decoding Zone Spoofing Vulnerability - CAN-2005-0054: A remote code execution vulnerability exists in Internet Explorer because of the way that it handles certain encoded URLs. An attacker could exploit the vulnerability by constructing a malicious URL. This malicious URL could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. The URL could be made to look like a link to another Web site in an attempt to trick a user into clicking it. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability.



DHTML Method Heap Memory Corruption Vulnerability - CAN-2005-0055: A remote code execution vulnerability exists in Internet Explorer because of the way that it handles certain DHTML methods. An attacker could exploit the vulnerability by constructing a malicious Web page. This malicious Web page could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.



Channel Definition Format (CDF) Cross Domain Vulnerability - CAN-2005-0056: A cross-domain vulnerability exists in Internet Explorer that could allow information disclosure or remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a malicious Web page. The malicious Web page could potentially allow remote code execution if viewed by a user. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability.




MS05-015: Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution (888113)

http://www.microsoft.com/technet/security/bulletin/ms05-015.mspx



An attacker can execute arbitrary code by having the victim click on a specially crafted URL. The vulnerability takes advantage of an unchecked buffer in the "Hyperlink Object Library," and it can be triggered by clicking a hyperlink in various programs such as e-mail clients and web browsers.



To mitigate the vulnerability, Microsoft recommends disabling HTML email and only using plain text email. Further, for the web-based vector, a proxy server may be able to intercept the malicious link.



All versions of Microsoft Windows are vulnerable. The use of an alternative browser may not protect you from this vulnerability.



MS05-005 fixes the same problem for users of Microsoft Office, which includes a copy of this library.


"Important" Vulnerabilities



MS05-004: ASP.NET Path Validation

http://www.microsoft.com/technet/security/bulletin/ms05-004.mspx



If you are running an ASP.NET website, an attacker can access parts of your site that are secured via passwords. In order to gain access to these parts of your site, the attacker will have to replace a '/' in the URL path with %5C or a backslash.



This vulnerability has been widely known since Sept. 2004. As a workaround, other authentication methods can be used, or additional filters like URLScan can be used to normalize and filter requests before they are interpreted by the web server.
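The check below is an added example, written for this diary and not Microsoft's code or the MS05-004 patch itself. It shows why an authorization decision made on the raw URL is defeated by the '/' to '%5C' (or backslash) substitution described above, and two defender-side answers: decode and normalize the path before comparing it against the protected prefix, or, in the spirit of the URLScan filtering mentioned as a workaround, refuse any request whose path still contains a backslash after decoding. The protected prefix (/secure/) and the sample requests are constructed for the example.

```python
"""Canonicalize a request path before the authorization decision.

Added example (not Microsoft's code and not the MS05-004 patch): the protected
prefix and the sample requests are constructed for illustration.
"""
from urllib.parse import unquote
import posixpath

# Constructed: everything under /secure/ is meant to require authentication.
PROTECTED_PREFIXES = ("/secure/",)


def naive_is_protected(raw_path: str) -> bool:
    """Weak check: compares the raw, un-normalized path against the prefix."""
    return raw_path.lower().startswith(PROTECTED_PREFIXES)


def fully_decode(raw_path: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so %255C (-> %5C -> '\\') is caught too."""
    path = raw_path
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def canonicalize(raw_path: str) -> str:
    """Map backslashes to slashes, collapse '.', '..' and repeated slashes,
    and lowercase, so that every spelling of one resource compares equal."""
    path = fully_decode(raw_path).replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)  # resolves /public/../secure/x -> /secure/x
    trailing = ("/", "\\", "%2F", "%2f", "%5C", "%5c")
    if raw_path.endswith(trailing) and not path.endswith("/"):
        path += "/"  # normpath drops trailing slashes; keep directory requests
    return path.lower()


def hardened_is_protected(raw_path: str) -> bool:
    """Authorization decision made on the canonical form only."""
    return canonicalize(raw_path).startswith(PROTECTED_PREFIXES)


def contains_backslash(raw_path: str) -> bool:
    """Stricter, URLScan-style policy: reject any request whose path contains
    a backslash in any encoding instead of trying to interpret it."""
    return "\\" in fully_decode(raw_path)


if __name__ == "__main__":
    for req in ("/secure/admin.aspx", "/secure%5Cadmin.aspx",
                "/public/..%5Csecure/admin.aspx", "/secure%255Cadmin.aspx"):
        print(f"{req:36} naive={naive_is_protected(req)!s:5} "
              f"hardened={hardened_is_protected(req)!s:5} "
              f"canonical={canonicalize(req)}")
```

The two hardened variants differ in policy: canonicalize() lets legitimate but oddly encoded requests through, while contains_backslash() rejects them outright. The second is simpler to reason about and is the safer default for a site that never expects backslashes in URLs.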



Related CVE ID: CAN-2004-0847

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0847



Prior diary about this topic:

http://isc.sans.org/diary.php?date=2004-10-06




MS05-007: Information Disclosure Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms05-007.mspx



Only Windows XP (including SP2) is vulnerable. A successful exploit will allow an attacker to read the usernames of users connected to a given resource. The vulnerability can only be exploited if the Computer Browser service is enabled; the service is enabled if you enabled file or printer sharing. You can disable the Computer Browser service on the workstation directly or via group policies, but note that you need to reboot the system for the change to take effect. Windows 2000 and XP networks can replace the Computer Browser service with Active Directory.



The vulnerability can be mitigated by blocking ports 139 and 445. However, these ports should already be closed. IPSec policies can be used as a "makeshift" (but effective) firewall.
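Priority #1 above, the MS05-010 workaround and the mitigation just described all come down to the same question: can anyone outside the local network reach the standard Microsoft networking ports? The script below is an added example, not from the diary or from Microsoft, that answers it from firewall logs. It parses accepted (OPEN) and refused (DROP) records, flags accepted connections to ports 135, 137-139 and 445 from addresses outside the trusted networks, and reports the dropped attempts separately as evidence that the blocking works. The log lines, field order (modelled loosely on the Windows Firewall log layout) and trusted networks are constructed for the example.

```python
"""Audit firewall log lines for Windows networking ports reachable from
outside the local network.

Added example, not from the diary or Microsoft. The log text, its field
layout and the trusted networks are constructed for illustration.
"""
import ipaddress

# Ports the diary tells you to block (139/445) plus the RPC/NetBIOS ports
# that belong to the same exposure.
WINDOWS_NETWORKING_PORTS = {135, 137, 138, 139, 445}

# Constructed: networks from which SMB/NetBIOS access is expected.
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "192.168.1.0/24")]

# Constructed sample log; the header line mimics a W3C-style field list.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2005-02-08 10:01:12 OPEN TCP 192.168.1.20 192.168.1.5 3201 445
2005-02-08 10:01:15 OPEN TCP 203.0.113.7 192.168.1.5 4455 445
2005-02-08 10:02:01 DROP TCP 198.51.100.9 192.168.1.5 2049 139
2005-02-08 10:02:44 OPEN UDP 203.0.113.7 192.168.1.5 137 137
2005-02-08 10:03:10 OPEN TCP 10.4.2.9 192.168.1.5 3333 135
2005-02-08 10:03:30 OPEN TCP 203.0.113.8 192.168.1.5 5120 80
"""


def parse_line(line):
    """Return (action, proto, src_ip, dst_ip, src_port, dst_port) for one
    record, or None for comments, blank lines and malformed records."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 8:
        return None
    try:
        return (parts[2], parts[3],
                ipaddress.ip_address(parts[4]), ipaddress.ip_address(parts[5]),
                int(parts[6]), int(parts[7]))
    except ValueError:
        return None


def is_trusted(ip):
    """True if the address belongs to one of the trusted networks."""
    addr = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    return any(addr in net for net in TRUSTED_NETWORKS)


def audit(log_text):
    """Split Windows-networking-port traffic from untrusted sources into
    accepted connections (the exposure) and dropped attempts (the blocking
    working as intended)."""
    exposed, blocked = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, proto, src, dst, _sport, dport = rec
        if dport not in WINDOWS_NETWORKING_PORTS or is_trusted(src):
            continue
        finding = {"src": str(src), "dst": str(dst), "proto": proto, "port": dport}
        if action == "OPEN":
            exposed.append(finding)
        elif action == "DROP":
            blocked.append(finding)
    return {"exposed": exposed, "blocked": blocked}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for f in result["exposed"]:
        print(f"EXPOSED  {f['proto']} {f['src']} -> {f['dst']}:{f['port']}")
    for f in result["blocked"]:
        print(f"blocked  {f['proto']} {f['src']} -> {f['dst']}:{f['port']}")
```

Any entry in the "exposed" list means the Priority #1 blocking is not in place for that host, regardless of whether the corresponding patch has been applied. Adjust TRUSTED_NETWORKS to the ranges that legitimately use file and printer sharing on your network.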



Details about computer browser service:

http://support.microsoft.com/kb/188001



Using IPSec policies on Win2k (applies to XP as well)

http://support.microsoft.com/kb/313190

http://support.microsoft.com/kb/813878



Related CVE ID: CAN-2005-0051:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0051




MS05-008: Vulnerability in Windows Shell Could Allow Remote Code Execution (890047)

http://www.microsoft.com/technet/security/bulletin/ms05-008.mspx



The update for the "Drag-and-Drop Vulnerability" (CAN-2005-0053) comes in two parts. It is addressed in part in this security bulletin. This security bulletin, together with security bulletin MS05-014, makes up the update for CAN-2005-0053. These updates do not have to be installed in any particular order. However, we recommend that you install both updates.



Drag-and-Drop Vulnerability - CAN-2005-0053: A privilege elevation vulnerability exists in Windows because of the way that Windows handles drag-and-drop events. An attacker could exploit the vulnerability by constructing a malicious Web page. This malicious Web page could potentially allow an attacker to save a file on the user's system if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0053


"Moderate" Vulnerabilities



MS05-006: Vulnerability in SharePoint Could Allow Cross-Site Scripting and Spoofing Attacks (887981)

http://www.microsoft.com/technet/security/bulletin/ms05-006.mspx



This is a cross-site scripting and spoofing vulnerability. The cross-site scripting vulnerability could allow an attacker to convince a user to run a malicious script. If this malicious script is run, it would execute in the security context of the user, allowing the attacker access to any data on the affected system. Attempts to exploit this vulnerability require user interaction, though it may also be possible for an attacker to exploit this vulnerability to modify Web browser caches and intermediate proxy server caches, and put spoofed content in those caches.



As this does allow for remote code execution, albeit with the intervention of the end user, Microsoft classified this as Moderate severity. However, it should be considered critical, as with any remote code execution vulnerability.



Thanks to all the handlers who contributed to this write-up! The period at the end of this sentence marks the end of our overview of today's Microsoft Security Bulletin.

The IDN Browser Problems Follow-Up



This note is a follow-up to yesterday's diary post regarding the International Domain Names (IDN) problem announced by Shmoo. Though some would not classify this as a "vulnerability," it does affect non-Internet Explorer browsers and can aid in phishing attacks. If you want to check whether you're vulnerable, you can go to the following URLs:

http://www.shmoo.com/idn/

http://secunia.com/multiple_browsers_idn_spoofing_test/



Note that a workaround for this issue in Mozilla-based browsers, mentioned in Shmoo's advisory, is to disable IDN support by setting "network.enableIDN" to false via "about:config". However, as Mark Stingley reported to us, making the change via "about:config" in Firefox doesn't actually prevent the exploit from working in all instances. Mark directed us to the following blog, which explains how to make the change slightly more permanent by editing the compreg.dat file:

http://users.tns.net/~skingery/weblog/2005/02/permanent-fix-for-shmoo-group-exploit.html



Some reports suggest that changes to the compreg.dat file may end up being overwritten when you install a Firefox extension.
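For readers who would rather detect such hostnames in proxy logs or mail gateways than rely on the browser, the following is an added example, not from the diary, Shmoo or any browser project. It converts a hostname between the form a user sees and the punycode ("xn--") form the browser actually resolves, and flags labels that mix scripts, the trick the Shmoo demonstration relies on (a Cyrillic letter standing in for a Latin look-alike). The sample hostnames are constructed; the Cyrillic "а" (U+0430) in the first one is the classic look-alike for Latin "a".

```python
"""Flag hostnames that use IDN look-alike characters.

Added example (not from the diary, Shmoo or any browser). Sample hostnames
are constructed; no network lookups are performed.
"""
import unicodedata


def to_ascii(hostname):
    """The form a browser resolves: IDNA/punycode, ASCII labels untouched."""
    if hostname.isascii():
        return hostname
    return hostname.encode("idna").decode("ascii")


def to_unicode(ascii_hostname):
    """The form a browser displays: decode any xn-- labels back to Unicode."""
    return ascii_hostname.encode("ascii").decode("idna")


def scripts_of(label):
    """Scripts used by the letters of one label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...); digits and
    hyphens are ignored."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def analyze(hostname):
    """Describe the IDN risk of one hostname, given in either form."""
    ascii_form = to_ascii(hostname)
    unicode_form = to_unicode(ascii_form)
    findings = []
    for label in unicode_form.split("."):
        if label.isascii():
            continue
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append("mixed scripts %s in label %r" % (sorted(scripts), label))
        else:
            findings.append("non-ASCII label %r (%s)" % (label, next(iter(scripts))))
    return {
        "display": unicode_form,
        "resolves_as": ascii_form,
        "is_idn": ascii_form != unicode_form,
        "findings": findings,
    }


# Constructed samples: look-alike, plain ASCII, punycode form, honest IDN.
SAMPLE_HOSTNAMES = ["p\u0430ypal.com", "paypal.com",
                    "xn--pypal-4ve.com", "m\u00fcnchen.de"]

if __name__ == "__main__":
    for host in SAMPLE_HOSTNAMES:
        r = analyze(host)
        print(f"{r['display']:20} -> {r['resolves_as']:22} {r['findings'] or 'ok'}")
```

A mixed-script label is the strongest signal; a single non-Latin script in an otherwise legitimate national domain is normal and should only be logged. Note that the check looks at the label a browser would display, so it works on proxy logs that recorded the xn-- form as well as on links as they appear in e-mail.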



Lenny Zeltser

ISC Handler of the Day

http://www.zeltser.com