Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-07-12 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Microsoft patches are out; Port 80 spike; Mail bag; Firefox 1.0.5 released; Oracle and Apple too!

Published: 2005-07-12
Last Updated: 2005-07-13 04:17:35 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Happy Patch Day!

Microsoft has rated all three updates as critical.

Font Parsing Vulnerability in Word - Vulnerability CAN-2005-0564

A stack buffer overflow in the font processing process that is
part of Microsoft Word.


Affected software:

- Office 2000 and Office XP (2002)

- Microsoft Works 2000, 2001, 2002, 2003 and 2004


- Random code execution with rights of logged in user.

- Exploitable via email attachments (user interaction needed)

which results in worm potential.

Work arounds:

- Do not open Word attachments.

- Stop attachments at the perimeter.

- Install MS05-35 (which updates MS05-23)

Best practice:

To prevent future problems of this kind in a layered approach, it is
suggested to:

- Use minimal rights (not administrator) when logging in on any
windows machine.

- Teach all users never to open unexpected attachments, no matter how
tempting the message surrounding it is.

- Filter office attachments coming from the internet in a perimeter,
and keep them in quarantine until it is determined they are really
needed and safe.

- Not use Microsoft word as an editor for email messages

- Considering using less widely used software as a way not to get
caught in massive exploits. This will not work well
against directed attacks.

Microsoft Security Bulletin MS05-036 -- Vulnerability in Microsoft Color
Management Module Could Allow Remote Code Execution (901214) CAN-2005-1219

Affected: Win2K, XPSP1, XPSP2, Server 2003 and Server 2003SP1
(Critical); Win98, 98SE, and ME (Important).

A flaw in validating the format tags within an image once again requires
Windows be patched. Like MS04-028 (JPEGS) and MS05-009 (PNGS), MS05-036
patches a flaw in the way that an image format is parsed which could cause an
exploitable buffer overflow. This time, the affected component is the
Microsoft Color Management Module, which is used by Windows to provide
consistent color mappings between different devices and applications and
to transform colors from one color space to another (for example, RGB to

Images which contain bogus ICC (International Color Consortium -- which
actually sounds like a bunch of interior decorators that meet down at
their local Starbuck's) profile format tags can cause the Color
Management Module to overflow a buffer in a way that could result in
execution of code, giving full control to an attacker.

Malicious images could be hosted on a website or sent as attachments to
email messages. It appears that HTML-email messages containing
malicious images could also be a vector.

Win2K, XP, and 2003 Server require patching. There are currently no
workarounds listed.

Win98, 98SE, and ME, while still vulnerable to the buffer overflow, do
not currently appear to be exploitable.

Note: According to MS, this vulnerability is *CURRENTLY* being exploited

MS05-037 (KB903235) - Vulnerability in JView Profiler Could Allow
Remote Code Execution

JView Profiler Vulnerability (CAN-200502987) - A newly-discovered,
public vulnerability in the JView Profiler (javaprxy.dll) which can
be instantiated in Internet Explorer contains a remote code execution
vulnerability. Microsoft reports that this COM object was not
designed to be accessed through Internet Explorer. As such this fix
will set the kill bit for the JView Profiler COM object.

This vulnerability affects Windows 98, Windows 98 SE, Windows
Millennium Edition, XP, 2000, and 2003. However, the Microsoft Java
Virtual Machine, where the JView Profiler originates, is not included
by default with Windows XP SP 1a, and SP2 , or Windows Server 2003
and Windows Server 2003 SP1 systems.

As Microsoft has received reports of this vulnerability being
exploited, the Internet Storm Center recommends that this fix be
applied quickly.

Affected software:

Windows 2000 SP4, Windows XP SP1 and 2, Windows Server 2003 and SP1,
Windows 98 and SE, Windows ME.

JView Profiler, Internet Explorer 5.01 SP4, Internet Explorer 6 and SP1,
Internet Explorer 5.5 SP2.

MS05-033 was also updated today.

The Microsoft Malicious Software Removal Tool has been updated
as well.

Port 80 spike

Dshield is showing the beginning of what looks like a large spike in
probes to port 80. The cause is unknown at this time, but could be attributable
to any number of new vulnerabilities being exploited, a new skiddie toy, or
new worm variants.

Mail bag

Paul Jarvis wrote in to warn of probes to his web server.
"I've noticed over the last few days a number of access attempts to
/cacti/graph_image.php on my servers from a variety of addresses - most
of which track back to other webservers. I checked Packetstorm and there
were a number of exploits released this/last month for Cacti using that php file."

Another reader wrote in to warn of continued Rbot activity he had noticed.
"So far, we're up to 300 of these and climbing, coming from all over, Denmark,
Vietnam, Germany, Spain, etc..

GET / HTTP/1.0

Host: YourWebServerIP

Authorization: Negotiate YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4

Gonna be a fun day!"

George Bakos noted this activity in his diary June 3rd.

Mozilla Firefox 1.0.5 released.

The list of security fixes does not appear to have been updated yet.

"Firefox 1.0.5 is a security update that is part of our ongoing program to provide a safe Internet experience for our customers. We recommend that all users upgrade to this latest version."

[We finally found a listing of what this release fixes:

MFSA 2005-56 Code execution through shared function objects

MFSA 2005-55 XHTML node spoofing

MFSA 2005-54 Javascript prompt origin spoofing

MFSA 2005-53 Standalone applications can run arbitrary code through the browser

MFSA 2005-52 Same origin violation: frame calling top.focus()

MFSA 2005-51 The return of frame-injection spoofing

MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()

MFSA 2005-49 Script injection from Firefox sidebar panel using data:

MFSA 2005-48 Same-origin violation with InstallTrigger callback

MFSA 2005-47 Code execution via "Set as Wallpaper"

MFSA 2005-46 XBL scripts ran even when Javascript disabled

MFSA 2005-45 Content-generated event vulnerabilities

...thanks Scott! -TL]

Oracle patches

Oracle has released a collection of patches that address security

Apple patches

Mac OS X Update 10.4.2 has been released.
"The 10.4.2 Update delivers overall improved reliability and compatibility for Mac OS X v10.4 and is recommended for all users."

Thanks team!

Additional help on this diary from Scott, Tom, Erik, Swa, Kevin,

and the rest of the amazing Handler team. Thanks also to our readers and

Today gives new meaning to Black Patch Tuesday!!


Adrien de Beaupré,

Handler of the day.

0 comment(s)
Diary Archives