Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-08-09 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Black Tuesday Patch Roundup, Panic and/or Mayhem ensues

Published: 2005-08-09
Last Updated: 2005-08-10 00:32:59 UTC
by Cory Altheide (Version: 1)
0 comment(s)

Microsoft Security Bulletins for August



Happy Black Tuesday, kids! We've got six bulletins for your patching pleasure, so let's get right to it. We'll be updating this throughout the day as we have more time to intepret the bulletins and analyze the patches, but here's a quick overview to stave off the impending flood of "August MS Patches are ONLINE" emails. ;)



Update: We've got writeups on each patch below - expect more details to emerge over the next few days.



Bulletin Severity Impact

MS05-038 Critical Elevation of Privilege
MS05-039 Critical Remote Code Execution and
Elevation of Privilege
MS05-040 Important Remote Code Execution
MS05-041 Moderate Denial of Service
MS05-042 Moderate Denial of Service,
Information Disclosure,
and Spoofing
MS05-043 Critical Remote Code Execution




MS05-038: Arbitrary code execution vulnerabilities in Internet Explorer





Severity: Critical



CVE:



Affected Software:

* 2000 SP4

* XP, all Service Packs & platforms

* 2003, all Service Packs & platforms

* 98, 98SE, and ME



Affected Components:

* Internet Explorer 5.01 SP4 -> 6 Service Pack 1 on various Windows platforms



Supercedes:

* MS05-025

* MS05-037



fixes multiple vulnerabilities in Internet Explorer which can be exploited to run arbitrary code. Some of the fixed vulnerabilities have already been disclosed publicly.



Handler chatter:

The handlers are of the opinion that of the bulletins released today, this is the avenue most likely to be explored (or the avenue currently being explored) by purveyors of malware. While image rendering vulnerabilites have led to cacophonous cries of "The worms are coming! The worms are coming!" in the past, we believe that there is a far greater likelihood of these flaws being exploited to drop relatively immobile malcode: spyware, bots, and other decidedly non-viral badness.



Update: Minutes prior to posting this, proof of concept code for the latter of the three vulnerabilites covered under the 038 banner went public. Hope you're patched, or using something other than IE. ;)



MS05-039: Arbitrary code execution vulnerability in Plug and Play





Severity: Critical



CVE:




Affected Software:

* 2000 SP4

* XP, all Service Packs & platforms

* 2003, all Service Packs & platforms



fixes a vulnerability in Plug and Play which can be exploited to run arbitrary code. The risk presented by this vulnerability varies across different versions of Windows.



* On XP Service Pack 2 and 2003 Server systems, the vulnerability is ONLY exposed to an attacker logged on to the system locally.

* On XP Service Pack 1, the vulnerability is ALSO exposed to remote users with valid logon credentials.

* On Windows 2000 SP4 systems, this vulnerability can ALSO be exploited by anonymous attackers. A valid login is not required.



Handler chatter:

Users shouldn't face too much external exposure, as the exploitation vector in this case is the old Microsoft standard (TCP 139 & 445), but internal networks could be at risk. Based on the language in the bulletin and the
, this vulnerability is a standard stack-based buffer overflow. Exploitation is described in the X-Force alert as "trivial."



MS05-040: Arbitrary code execution vulnerability in Windows Telephony Service





Severity: Important



CVE:




Affected Software:

* 2000 SP4

* XP, all Service Packs & platforms

* 2003, all Service Packs & platforms



fixes a vulnerability in Windows Telephony Service which can be remotely exploited to run arbitrary code. On 2000 Professional and XP (i.e. Microsoft's 'non-server' systems) this vulnerability is limited to a local privilege escalation. On Microsoft's server operating systems that are not actively running this service, this vulnerability is limited to a local privilege escalation. On Server 2003 the vulnerability is only exposed to authenticated users. This leaves 2000 Server as the most exposed in this case.



Handler chatter:

Since this vulnerability occurs in the Telephony Application Programming Interface (TAPI), many third party applications may be making use of this service without the user's or administrator's explicit knowledge. The service can be started by a non-privileged user. According to the bulletin, TAPI is used for any number of voice, data, and video communications, including but not limited to teleconferencing, caller-id features, voice mail, and more. Anyone using Windows-based software to perform any of these functions should probably place this one higher on the priority stack.



MS05-041: Denial of Service Vulnerability in Remote Desktop/Remote Assistance





Severity: Moderate



CVE:




Affected Software:

* 2000 SP4

* XP, all Service Packs & platforms

* 2003, all Service Packs & platforms



This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability in the Remote Desktop Protocol (RDP) exists that could allow an attacker to cause a system to stop responding. The vulnerability is documented in the ?Vulnerability Details? section of this bulletin.



Handler chatter:

MS labels this as moderate because remote desktop service (rdp or termina services) are not enabled by default. However many admins enable RDP for administration on and remote assistance requests expose this service until the request expires making the application of this patch essential for most environments. Additionally, there are circumstances where RDP is enabled by default; for example, in Media Center Editions of XP.



There was
on this back in early July when this was released at the time the POC code was not public, it is public now though. There was some chatter on the indicating that this could possibly be leveraged into an exploit, but the nuances of Windows kernel exploitation are out of the reach of all but the Most High Hackers. eEye came out several weeks ago and nothing more. Who's right? Who knows. If it's not just a DoS it wouldn't be the first time an unexploitable DoS had been exploited.



MS05-042: Kerberos vulnerabilities





Severity: Moderate



CVE:




Affected Software:

* 2000 SP4

* XP, all Service Packs & platforms

* 2003, all Service Packs & platforms



Kerberos hitchhikes onto all windows active domains, it's not something optionally installed.



Microsoft dubbed the answer to all security bulletin '

Vulnerabilities in Kerberos could allow denial of service, Information disclosure and spoofing'.



This is actually a two vulnerabilities into one package deal:
and .



CAN-2005-1981



Microsoft rates it as medium and states the worst thing that could happen is that the Active Domain would stop authenticating users. It seems to involve a well aimed packet at the domain controller, causing it to reboot after a one minute countdown.



Valid user credentials are required and windows 2000 and 2003 servers are affected.



Now we don't want the earth to get leveled but neither do we what the users whining about not being able to log in, do we? Add to that that rebooting servers are a real pain as well.



Shielding TCP and UDP port 88 from hostile networks might help 'till you get your towel and apply the patch.



CAN-2005-1982



If you use smart cards in your domain, it would mean you value security enough to deploy a two factor authentication. As such you're unlikely to really appreciate some monkey in the middle type attack that can happen if you have enabled smart card technology the
way.



The impact can be very broad as the attacker (who needs a valid account with smart card) gains rights of others users.



Hence this really is for you if you use smart cards to authenticate your users on your windows domain.



Note: The Vogons point out there are no workarounds known to them, we'll take their word for it.



MS05-043: Vulnerability in Print Spooler Service Could Allow Remote Code Execution





Severity: Critical



CVE:



Affected Systems:

* 2000 SP 4

* XP SP1 & 2 (32-bit)

* Server 2003 & Server 2003 (Itanium) w/o service packs.



Vulnerability:

This patch addresses a buffer overflow in the print spooler service, which is spoolsv.exe. For Windows 2000 and Windows XP SP1, any anonymous user could attempt to exploit this vulnerability. For Windows XP SP2 and Windows Server 2003, the user would need to be authenticated.

Thanks to helpful handlers!



The diary is usually a collaborative effort, but on MS Patch Day, the collaboration reaches a new level. I'd like to thank all of the handlers for their assistance today - I'd rattle off a litany of names, but you know who you are. Thanks!



Opportunites squandered



Astute readers may have noticed my absence from diary duties of late. I've been traveling and training all over the damn place for what seems like forever, and I had planned on doing a write-up on my most recently attended event, the week-long blur known as BlackHat/DEFCON, but I mistakenly volunteered to take the hotseat on the second Tuesday of the month. My thrilling tales will have to wait for another day, interpid fans, but rest assured, thrilling tales they be!



Until that day, happy patching!



===============

Cory Altheide

caltheide@isc.sans.org

Handler On Duty

===============

Mistook their nods for an approval

Just ignore the smoke and smile



* Just so you don't miss it, make sure to check out Handler William Salusky's
.
Keywords:
0 comment(s)
Diary Archives