SANS Internet Storm Center InfoSec Handlers Diary Blog

phpBB Update; Potential IE Vulnerability; Update Rollup for Win2k; Updated Package Installer for WinXP

Published: 2005-06-29
Last Updated: 2005-06-29 22:54:14 UTC
by Lenny Zeltser (Version: 1)
Today's diary describes recent vulnerabilities in phpBB and Internet Explorer, and discusses Windows updates that Microsoft released yesterday.

phpBB 2.0.16 Fixes a Critical Security Issue

If you're using the popular phpBB bulletin board package, it's time to upgrade. Version 2.0.16, released earlier this week, fixes a critical security issue that can lead to the compromise of the vulnerable web server. The problem is with the viewtopic.php script, which, according to the fails to properly validate input when processing the "highlight" parameter. A similar vulnerability was being exploited by the Santy worm to deface web sites about half a year ago, as we reported in the . Please update your copy of phpBB to help prevent another such worm from gaining steam.

For information about the phpBB 2.0.16 release, see the
. You can get the updated package from . (Thanks to ISC reader Ronaldo for discussing the implications of this issue with us.)
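
While the upgrade is being scheduled, web server access logs can show whether the "highlight" parameter of viewtopic.php is receiving input it should not. The following triage script is an added example, not code from phpBB or from the original diary; it assumes Apache combined log format, uses constructed sample lines, and treats any highlight value outside a small set of search-word characters as worth review (that allowlist is an assumption, not phpBB's own rule).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: ordinary highlight values are search words, so anything outside
# letters, digits, whitespace and a few separators is flagged for review.
EXPECTED = re.compile(r"[\w\s+\-*.,]*")
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so doubly encoded input is seen in its final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_highlight(line):
    """Return (client, decoded_value) for a flagged viewtopic.php request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/viewtopic.php"):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("highlight", []):
        value = fully_decode(raw)
        if not EXPECTED.fullmatch(value):
            return client, value
    return None

def triage(lines):
    """Collect every flagged request from an iterable of log lines."""
    return [hit for hit in map(suspicious_highlight, lines) if hit]

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [29/Jun/2005:10:01:02 +0000] "GET /forum/viewtopic.php?t=42&highlight=firewall+rules HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [29/Jun/2005:10:03:44 +0000] "GET /forum/viewtopic.php?t=42&highlight=a%2527%253Bb HTTP/1.0" 200 731 "-" "-"',
    '203.0.113.5 - - [29/Jun/2005:10:04:10 +0000] "GET /forum/index.php?highlight=%27 HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for client, value in triage(SAMPLE):
        print(f"{client} sent unexpected highlight value: {value!r}")
```

A hit is a lead for review rather than proof of compromise; the fix remains the upgrade to 2.0.16.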

Potential Internet Explorer COM Vulnerability

SEC Consult reported a condition in Internet Explorer that may lead to an exploitable vulnerability. The advisory points out that Internet Explorer does not properly handle the instantiation of non-ActiveX COM objects from web pages. According to the write-up, "loading HTML documents with certain embedded CLSIDs results in null-pointer exceptions or memory corruption. in one case, we could leverage this bug to overwrite a function pointer in the data segment. it *may* be possible to exploit this issue to execute arbitrary code in the context of IE."

The published proof-of-concept code demonstrates the issue by invoking the javaprxy.dll COM object and crashing Internet Explorer, as tested in Internet Explorer 6 on Windows XP Service Pack 2. Although there are no patches to address the issue, a work-around is to disable ActiveX support in the browser. For more information about this issue, see the

Microsoft Releases Update Rollup for Windows 2000 SP4

Yesterday Microsoft released a package consisting of numerous patches to Windows 2000 Service Pack 4. This Update Rollup package "contains all security updates produced for Windows 2000 between the time SP4 was released and April 30, 2005, the time when the contents of the Update Rollup were locked down." Most importantly, the package "contains additional important fixes in files that have not previously been part of individual security updates." As a result, if you are running Windows 2000, you should install this package after you confirm that it doesn't conflict with your existing applications.

You can download this Update Rollup from Microsoft's Windows Update site. At the moment, the package is not available via Automatic Updates; however, Microsoft indicated that it will enable Automatic Updates for the package in a few weeks. There will be no administrative tool for blocking the Update Rollup package, because it is not a formal Service Pack. Microsoft is treating this Update Rollup "like other security or reliability updates, which are normally distributed over Windows Update and via Automatic Updates."

For a listing of post-SP4 issues addressed in this package, see the long table in
. For general information about this Update Rollup, see . Please note that this package is only applicable to Windows 2000.

This is expected to be the last mainstream update to Windows 2000, although Microsoft has
to the operating system until 2010. This means that the company will continue to offer security hotfixes for free until that date.

Microsoft Updates the Package Installer for Windows XP

Several readers wrote to us with questions about an unexpected notification they received yesterday from Automatic Update, asking them to install update 898461 for Windows XP. According to Microsoft, this update "installs a permanent copy of the Package Installer for Windows version on the computer so that subsequent software updates can have a significantly smaller download size." Before this update, all Package Installer files were downloaded every time you used "the Windows Update site or Automatic Updates to update the computer. This redundant download can be avoided if the installer files are made resident on the computer, because subsequent updates can use the resident files."

ISC reader Jeff pointed out that although this update is currently marked critical, it will shortly become mandatory. As Microsoft states in the Knowledge Base Article, as soon as this update "becomes mandatory, no future updates that are available from the Windows Update Web site or through Automatic Updates will include the Package Installer for Windows."

For more information about this update, see
. Please note that this package is only applicable to Windows XP.

Lenny Zeltser

ISC Handler of the Day