SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-06-14

Microsoft Releases 3 Critical Patches - Hilarity Does Not Ensue; MS Patches Reset Settings in Program Defaults?

Published: 2005-06-14
Last Updated: 2005-06-15 00:31:11 UTC
by John Bambenek (Version: 1)

Microsoft Releases 3 Critical Patches - Hilarity Does Not Ensue



Thanks to the other Handlers for their assistance in compiling this summary. All-in-all not a terrible list. -025 will probably lead to another round of e-mail worms with images in them, which should be easy to filter (this should only impact end-user machines, as one hopes you don't surf the web or check e-mail from your servers). -026 requires either compromising an assumed-good site or tricking people into visiting a malicious website; expect it to be used in the spyware/adware coming to a pop-up near you. For -027, that traffic should be filtered at your gateway anyway, but it may have some worm potential. I really hope you aren't running telnet (-033). -031 is the only real pain of the bunch, since you'll have to search for orun32.exe to see if you have Interactive Training installed. It may or may not be in Add/Remove Programs.

Bulletin   Severity    Impact                   Notes

MS05-025   Critical    Remote Code Execution    replaces MS05-020; end-user machines only
MS05-026   Critical    Remote Code Execution    replaces MS03-044, MS04-023, MS05-001
MS05-027   Critical    Remote Code Execution    replaces MS02-070, MS03-024
MS05-028   Important   Remote Code Execution
MS05-029   Important   Remote Code Execution
MS05-030   Important   Remote Code Execution
MS05-031   Important   Remote Code Execution
MS05-032   Moderate    Spoofing
MS05-033   Moderate    Information Disclosure
MS05-034   Moderate    Elevation of Privilege


Critical Vulnerabilities




Microsoft Security Bulletin MS05-025 - Cumulative Security Update for Internet Explorer (883939) - Critical



This update replaces MS05-020
(http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx)


This patch addresses two main issues:



- A vulnerability in the parsing of PNG files. This vulnerability can
be exploited by a visit to a site hosting a malicious graphic file and
allows remote code execution due to an unchecked buffer in the PNG
rendering code.

- An issue in the XML <script> tag handling that can allow a remote
attacker to read arbitrary XML files, and portions of other files
(by using a URL with the src attribute pointed at the local file system).



These vulnerabilities affect IE 5.1, 5.5 and 6 on virtually every
Microsoft platform. Also (and this is IMPORTANT) Outlook and Outlook
Express use IE's HTML rendering engine and are vulnerable to these
issues. Both of these vulnerabilities could be exploited by HTML
email containing malicious content.



Both of these issues have the potential to be used as part of an email
based virus and could be triggered under Outlook/OE simply by viewing
HTML formatted messages.



It also changes a few other things: Updates the MSIE pop-up blocker,
changes the handling of malformed .GIF and .BMP files, and removes
handling of XBM images from all IE platforms. It also sets the kill bit
for older versions of the Microsoft DigWebX ActiveX control and for all
versions of the Microsoft MsnPUpld ActiveX control. (Why, oh why, must
MS bundle these things together??)



Workarounds:

PNG: Un-register IE's ability to render PNG files: run "regsvr32 /u
pngfilt.dll" (this can also be done via registry entries; see the MS
bulletin below).

XML: Setting IE's "Internet" zone to "High" security will limit the
files exposed on the target machine.



Links of interest:

http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx

http://support.microsoft.com/kb/883939


MS05-026 (KB896358) - Vulnerability in HTML Help Could Allow Remote Code Execution

Affects: Essentially all active Windows platforms.



Replaces: MS03-044, MS04-023, MS05-001

HTML Help fails to validate input data, which could result in the ability
of a remote attacker to execute code on an affected system.

An attacker would be required to host malicious content on a website or
via a banner ad. It appears currently that this cannot be exploited
through HTML email.



This may be a possible new avenue for spyware/adware or other bulk
exploiters-for-profit.



Side effects: This security update restricts the use of the InfoTech
protocol (ms-its, its, mk:@msitstore) from processing content that is
served from outside the Local Machine zone. This change may prevent
certain kinds of Web-based applications from functioning correctly.



Workarounds: Un-register the "InfoTech" protocol from HTML Help by
running "regsvr32 /u %windir%\system32\itss.dll"

Links of interest:

http://www.microsoft.com/technet/security/bulletin/ms05-026.mspx

http://support.microsoft.com/kb/896358


MS05-027 (KB896422) - Vulnerability in Server Message Block Could Allow Remote Code Execution (http://www.microsoft.com/technet/security/bulletin/MS05-027.mspx). This patch addresses the following vulnerability:



- Server Message Block Vulnerability - A remote code
execution vulnerability exists in Server Message Block (SMB) that could
allow an attacker who successfully exploited this vulnerability to take
complete control of the affected system.



All supported versions of Windows 2000, XP, and Server 2003 appear to have
a severity rating of Critical on this vulnerability. However, XP SP2
systems will be less likely for attack as the affected ports are blocked
from responding by the Windows Firewall by default. Changes to the default
settings will cause the vulnerability to be at the same critical level as
Windows XP SP1.



As has been the standard practice, it is recommended that ports 139 and 445
be blocked at the firewall.

For more information about this vulnerability and the associated patch, see Microsoft Knowledge Base Article 896422 (http://support.microsoft.com/kb/896422).




MS05-027 Update: There have been a few people who have written in expressing confusion on whether there needs to be authentication for this exploit to work. A plain reading of the bulletin by Microsoft indicates that this is a pre-authentication bug and that any anonymous user can theoretically exploit it.

Important Vulnerabilities




MS05-028 (KB896426) - Vulnerability in Web Client Service (http://www.microsoft.com/technet/security/bulletin/MS05-028.mspx). This patch addresses the following vulnerability:



- Web Client Vulnerability - A remote code execution
vulnerability exists in the way that Windows processes Web Client requests
that could allow an attacker who successfully exploited this vulnerability
to take complete control of the affected system. This vulnerability cannot
be exploited by anonymous users, as the attacker must have valid logon
credentials to achieve the remote code execution and privilege elevation.



As has been the standard practice, it is recommended that ports 139 and 445
be blocked at the firewall. Additionally, if this service is not required
for WebDAV-aware applications, the service can be disabled to limit the
exposure.


For more information about this vulnerability and the associated patch, see Microsoft Knowledge Base Article 896426 (http://support.microsoft.com/kb/896426).



MS05-029 (KB895179) - Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (http://www.microsoft.com/technet/security/bulletin/MS05-029.mspx)



- Exchange Server Outlook Web Access Vulnerability ()



Vulnerable: Exchange Server 5.5 SP4



This is a cross-site scripting vulnerability. The cross-site scripting
vulnerability could allow an attacker to convince a user to run a
malicious script. If this malicious script is run, it would execute in
the security context of the user. Attempts to exploit this vulnerability
require user interaction. This vulnerability could allow an attacker
access to any data on the Outlook Web Access server that was accessible
to the individual user.

Not Vulnerable: Exchange Server 2000 SP3 with post-SP3 Update Rollup,
Exchange Server 2003, Exchange Server 2003 SP1



Software Required for Update:

W2K SP3 - IE 5.01 SP3

W2K SP4 - IE 5.01 SP4

other OSes - IE 6 SP1



For more information about this vulnerability and the associated patch,
see Microsoft Knowledge Base Article 895179 (http://support.microsoft.com/kb/895179).

MS05-030 (KB897715) - Cumulative Security Update in Outlook Express (http://www.microsoft.com/technet/security/bulletin/MS05-030.mspx)

- Outlook Express News Reading Vulnerability (CAN-2005-1213, http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1213)

A remote code execution vulnerability exists in Outlook Express when it
is used as a newsgroup reader. An attacker could exploit the
vulnerability by constructing a malicious newsgroup server that could
potentially allow remote code execution if a user queried the
server for news. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.
However, user interaction is required to exploit this vulnerability.

Vulnerable: Win98, Win98SE, WinME, W2K (SP3 and SP4), W2K3, WXP SP1, WXP
64-bit (RTM and SP1)

Not Vulnerable: W2K3 SP1, WXP SP2

Affected Software:

OE 5.5 SP2 on W2K (SP3 and SP4)

OE 6 SP1 on W2K (SP3 and SP4), WXP SP1, WXP 64-bit (RTM and SP1)

OE 6 on W2K3, WXP 64-bit



For more information about this vulnerability and the associated patch,
see .

MS05-031 (KB898458) - Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (http://www.microsoft.com/technet/security/bulletin/MS05-031.mspx).




This patch addresses a vulnerability in the interactive training software installed by MS Press books and by some OEM computer manufacturers; this software is not installed by default on most systems. The attacker would have to create a malicious bookmark link, deliver it to the victim by email or on a web site, and have it executed. Interactive Training bookmarks use the extensions .CBO, .CBL and .CBM. To mitigate this vulnerability you can disable these extensions by editing the registry, uninstall the software, or apply the patch. The presence of orun32.exe indicates that Interactive Training may be installed; versions earlier than 3.5.0.117 are vulnerable.

* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1212

Vulnerable: Windows 2000 SP3 and 4; Windows XP SP1 and 2; Windows XP 64-Bit
Edition SP1 (Itanium); Windows XP 64-Bit Edition Version 2003 (Itanium);
Windows XP Professional x64 Edition; Windows Server 2003 and SP1; Windows
Server 2003 and SP1 for Itanium; Windows Server 2003 x64; Windows 98 and SE;
Windows ME.



For more information about this vulnerability and the associated patch, see .
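Since the diary says the only way to know whether Interactive Training is present is to hunt for orun32.exe and check its version, here is a small audit script that does that. It is an added example, not ISC or Microsoft code: the file name and the 3.5.0.117 threshold are taken from the diary above, the directory roots it searches are an assumption you supply on the command line, and the file-version read goes through the Win32 version.dll API via ctypes (it returns "unknown" on non-Windows hosts or for files without a version resource, which the script reports for manual review rather than treating as safe).

```python
"""Audit for MS05-031: locate orun32.exe (Step-by-Step Interactive Training)
and flag copies whose file version is below 3.5.0.117.

Added example, not ISC or Microsoft code. The file name and fixed version
come from the diary; the roots to search are assumptions passed in by the caller.
"""
import ctypes
import os
import sys
from typing import Iterable, Iterator, List, Optional, Tuple

FIXED_VERSION = (3, 5, 0, 117)   # earliest non-vulnerable version named in the diary
TARGET_FILE = "orun32.exe"       # marker file for an Interactive Training install


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a dotted Windows file version ('3.5.0.117') into a 4-tuple of ints.

    Tuples compare numerically field by field, so 3.10.0.0 sorts after
    3.5.0.117 (a plain string comparison would get that wrong). Missing
    trailing fields count as 0; anything non-numeric is rejected.
    """
    fields = text.strip().split(".")
    if not 1 <= len(fields) <= 4 or not all(f.isdigit() for f in fields):
        raise ValueError("not a dotted version: %r" % text)
    nums = [int(f) for f in fields] + [0] * (4 - len(fields))
    return nums[0], nums[1], nums[2], nums[3]


def is_vulnerable(version: Optional[str]) -> Optional[bool]:
    """True if below the fixed version, False if at/above, None if unknown.

    None means the file exists but its version could not be read. The diary
    says the mere presence of orun32.exe means Interactive Training *may* be
    installed, so the caller treats None as 'review by hand', never as safe.
    """
    if version is None:
        return None
    return parse_version(version) < FIXED_VERSION


class _VsFixedFileInfo(ctypes.Structure):
    """VS_FIXEDFILEINFO from winver.h; only the two file-version DWORDs are used."""
    _fields_ = [(name, ctypes.c_uint32) for name in (
        "dwSignature", "dwStrucVersion", "dwFileVersionMS", "dwFileVersionLS",
        "dwProductVersionMS", "dwProductVersionLS", "dwFileFlagsMask",
        "dwFileFlags", "dwFileOS", "dwFileType", "dwFileSubtype",
        "dwFileDateMS", "dwFileDateLS")]


def read_file_version(path: str) -> Optional[str]:
    """Return the PE file version ('3.5.0.117') via version.dll, or None.

    Windows only; elsewhere, or for a file with no version resource, the
    result is None so the finding is reported for manual review.
    """
    if sys.platform != "win32":
        return None
    version_dll = ctypes.WinDLL("version")
    size = version_dll.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None
    buf = ctypes.create_string_buffer(size)
    if not version_dll.GetFileVersionInfoW(path, 0, size, buf):
        return None
    info_ptr, info_len = ctypes.c_void_p(), ctypes.c_uint()
    if not version_dll.VerQueryValueW(buf, "\\", ctypes.byref(info_ptr), ctypes.byref(info_len)):
        return None
    info = ctypes.cast(info_ptr, ctypes.POINTER(_VsFixedFileInfo)).contents
    return "%d.%d.%d.%d" % (info.dwFileVersionMS >> 16, info.dwFileVersionMS & 0xFFFF,
                            info.dwFileVersionLS >> 16, info.dwFileVersionLS & 0xFFFF)


def find_orun32(roots: Iterable[str]) -> Iterator[str]:
    """Yield every file named orun32.exe (case-insensitive) under the given roots."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == TARGET_FILE:
                    yield os.path.join(dirpath, name)


def audit(roots: Iterable[str]) -> List[Tuple[str, Optional[str], str]]:
    """Return (path, version, status) for each orun32.exe found.

    status is 'vulnerable' (below 3.5.0.117), 'patched', or 'review' (version
    unreadable). An empty list means no marker file was found under the roots
    searched, i.e. the diary's 'Interactive Training not installed' case.
    """
    results = []
    for path in find_orun32(roots):
        version = read_file_version(path)
        verdict = is_vulnerable(version)
        status = "review" if verdict is None else ("vulnerable" if verdict else "patched")
        results.append((path, version, status))
    return results


if __name__ == "__main__":
    # Assumed default root: Program Files; pass other directories as arguments.
    roots = sys.argv[1:] or [os.environ.get("ProgramFiles", r"C:\Program Files")]
    findings = audit(roots)
    if not findings:
        print("orun32.exe not found under %s - Interactive Training not detected" % roots)
    for path, version, status in findings:
        print("%-10s %-12s %s" % (status, version or "unknown", path))
```

Run it as `python orun32_audit.py "C:\Program Files" D:\Apps` on the box in question; anything reported as "vulnerable" or "review" is a machine where the patch (or uninstalling the software) still needs attention.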


Moderate Vulnerabilities




MS05-032 (KB890046) - Vulnerability in Microsoft Agent Could Allow Spoofing (http://www.microsoft.com/technet/security/bulletin/MS05-032.mspx).
This patch addresses the way Internet Explorer and Microsoft Agent can allow a
hostile web site to spoof trusted web content, take control of your system, and
execute arbitrary code, assuming you are logged in as an admin. Setting all
Internet Explorer zones to High (which disables ActiveX) will break IE for some sites,
but also mitigates the vulnerability. What is Microsoft Agent, you ask? Check
this web site for information: http://www.microsoft.com/msagent/default.asp

* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1214



Vulnerable: Windows 2000 SP3 and 4; Windows XP SP1 and 2; Windows XP 64-Bit SP1
(Itanium); Windows XP 64-Bit 2003 (Itanium); Windows XP Professional x64;
Windows Server 2003 and SP1; Windows Server 2003 and SP1 for Itanium; Windows
Server 2003 x64; Windows 98 and SE; Windows ME.



For more information about this vulnerability and the associated patch, see





MS05-033 (KB896428) - Telnet Vulnerability. This patch addresses the following vulnerability:



- Telnet Vulnerability - : An attacker who successfully exploited this information disclosure vulnerability could remotely read the session variables for users who have open connections to a malicious telnet server.
(You aren't still running telnet... are you?)


Vulnerable: Windows XP SP 1, XP 64-Bit (Pro, SP1, Professional); Windows 2003 Server with SP1, Windows Services for Unix 2.2, 3.0, and 3.5



Not Affected: Windows 2000 SP3 and SP4; Windows 98, 98 SE; Windows ME



For more information about this vulnerability see Microsoft Knowledge Base Article 896428 (http://support.microsoft.com/kb/896428).




MS05-034 (KB899753) - Cumulative Security Update for ISA Server 2000 (http://www.microsoft.com/technet/security/bulletin/ms05-034.mspx). This patch addresses the following vulnerabilities:



- HTTP Content Header Vulnerability - : A vulnerability exists in ISA Server 2000 because of the way that it handles malformed HTTP requests. An attacker could exploit the vulnerability by constructing a malicious HTTP request that could potentially allow an attacker to poison the cache of the affected ISA server. As a result, the attacker could either bypass content restrictions and access content that they would normally not have access to or they could cause users to be directed to unexpected content. Additionally, an attacker could use this in combination with a separate Cross Site Scripting vulnerability to obtain sensitive information such as logon credentials.

- NetBIOS Predefined Filter Vulnerability - : An elevation of privilege vulnerability exists in ISA Server 2000 that could allow an attacker who successfully exploited this vulnerability to create a NetBIOS connection with an ISA Server by utilizing the NetBIOS (all) predefined packet filter. The attacker would be limited to services that use the NetBIOS protocol running on the affected ISA Server.



Vulnerable: Microsoft ISA Server 2000 SP 2; Microsoft Small Business Server 2000 and 2003 Premium (which include ISA Server)



Not Affected: Microsoft ISA Server 2004 Standard and Enterprise



For more information about this vulnerability see Microsoft Knowledge Base Article 899753 (http://support.microsoft.com/kb/899753).

Bulletin Updates



- : Bulletin updated to announce the availability of an updated package for .NET Framework 1.0 Service Pack 3 for the following operating system versions: (887998) Windows XP Tablet PC Edition and Windows XP Media Center Edition.



- : Microsoft updated this bulletin today to advise customers that a revised version of the security update is available. We recommend installing this revised security update even if you have installed the previous version.


- : Updated technical information in the FAQ with additional details around cluster installation and to advise of an updated KillPwd utility.


MS Patches Reset Settings in Program Defaults?



It appears that when you install patches, the settings in "Set Program Access and Defaults" (underneath Add/Remove Programs) in XP SP2 Professional get reset to the defaults (i.e. Microsoft products). For instance, in the "Other" section, I had set my default web browser to Firefox and default media player to iTunes, and patching undid that. Has anyone else experienced this?

----------------

John Bambenek

bambenek -at- gmail.com