Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-02-14 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Problems with MS patch KB913446 (for the IGMP issue, MS06-007)

Published: 2006-02-14
Last Updated: 2006-02-15 15:05:55 UTC
by Jim Clausing (Version: 3)
0 comment(s)
A number of our readers have written in (and some of the handlers have duplicated the issue) to report that when using Microsoft Update or autoupdate the patch (KB913446) downloads, but fails to install with Error Code: 0x80242006.  The version located here, however, does not appear to have this issue.  Until Microsoft fixes the former, you may want to install that one patch manually.  Our summary of all of the bulletins will be posted shortly.

Update: 03:49 UTC - The folks from Microsoft have confirmed that the problem is actually with the underlying mechanism used by Automatic Updates, Microsoft Updates, WSUS and SMS 2003.  They are working on a fix and I'm sure you'll here it from us as well as Microsoft when it is fixed.  Below is a quote from their blog:

   
Our folks are investigating this and have determined that MS06-007 isn't successfully installing when users try to install it    through Automatic Updates, Windows Update, and Windows Server Update Services and through Systems Management Server 2003 when using the ITMU.

You can read the entire blog entry here.

Update: 05:00 UTC  - It appears that the Windows update distribution mechanism has been fixed for this patch.  Expect confirmation in the blog above that this issue is indeed fixed for all of the distribution mechanisms at some point during the late night hours in America. 

Update: 15:00 UTC - The blog entry from Microsoft confirming the issue has been fixed is here.

Keywords:
0 comment(s)

Happy Valentines Day and Black Tuesday

Published: 2006-02-14
Last Updated: 2006-02-15 10:07:11 UTC
by Deborah Hale (Version: 3)
0 comment(s)
MS06-004 - Cumulative Security Update for Internet Explorer (910620)

http://www.microsoft.com/technet/security/bulletin/ms06-004.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0020

This patch fixes a WMF image parsing memory corruption vulnerability in Internet Explorer (CVE-2006-0020) in which a specially constructed WMF image can be used to execute code on an affected system with the
privileges of the user running IE.  The image can be on a web page or, because other programs (ie. Outlook and Outlook Express) use IE?s HTML rendering code, it could be embedded in an email.

Officially, Microsoft says that this issue only affects Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4, however, since older versions of Win2K and WinNT are now out of support,
these may be (or probably are) vulnerable as well.  It also appears that IE 5.5 SP2 on WindowsME is vulnerable and, again, out of support.  MS suggests moving to IE 6.0 on ME.

Because the installed base of the "currently supported" affected platforms is small, Microsoft isn't viewing this as a critical issue. If, however, you happen to be running an older system that is vulnerable to this issue then patching workstations (in the case of Win2K SP4) or upgrading (in the case of other non-supported versions) is critical.
Server patching isn't as critical because you shouldn't be performing the high-risk tasks (surfing and reading mail) on a server. There are no known "non-patch or upgrade" workarounds for this issue and, as was the
case in the WMF issue patched by MS06-001, you cannot block WMF images at the border by extension, because IE does not rely on the extension when parsing the file.

This patch also contains all hotfixes that have been released since MS04-004 and MS04-025, but these will only be installed on systems that require them.  If you have installed any hotfixes since MS04-004 and MS04-025 that you received directly from MS, it is important that you review the release bulletin.

MS06-005:  Vulnerability in Windows Media Player Could Allow Remote
Code Execution (911565)


http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0006
http://www.eeye.com/html/company/press/PR20060214.html

Affected Software:
? Windows Media Player for XP on Microsoft Windows XP Service Pack 1
? Windows Media Player 9 on Microsoft Windows XP Service Pack 2
? Windows Media Player 9 on Microsoft Windows Server 2003
? Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Affected Components:
? Microsoft Windows Media Player 7.1 when installed on Windows 2000 Service Pack 4
? Microsoft Windows Media Player 9 when installed on Windows 2000 Service Pack 4 or Windows XP Service Pack 1
? Microsoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2


eEye Digital Security is discovered this states:
"This flaw affects Media Player versions 7.1 through 10 that run on the following Windows operating systems: Windows NT, Windows 2000 SP4, Windows XP SP1 and 2, and Windows 2003"

Impact:  Remote Code Execution
Severity:  Critical, patch immediately

Description:  Windows Media player has a unchecked buffer that will allow for remote code execution if users view or open a specially crafted .bmp file.  Keep in mind there are many ways for this to be exploited and .bmp files are not the only way.  Microsoft states:  "An attacker could also attempt to exploit this vulnerability by embedding a specially crafted Windows Media Player (.wmp) image within another file, such as a Word document and convince a user to open this document."

Workarounds:  Microsoft has listed workarounds, however patching is the recommended approach.

MS06-006: Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (KB911564)

Affected Software:
Windows 2000 SP 4
Windows XP SP 1 and SP 2
Windows Server 2003 and 2003 SP 1
Windows XP Pro x64
Windows Server 2003 x64

Non-Affected Software:

Server 2003 for Itanium-based Systems
Windows 98, 98 SE, ME

Microsoft Severity Rating - Important - apply update at the earliest opportunity http://www.microsoft.com/technet/security/bulletin/ms06-006.mspx

Secunia Advisory - Highly Critical
http://secunia.com/advisories/18852

Vulnerability Details
A remote code execution vulnerability exists in the Windows Media Player plug-in for non-Microsoft Internet browsers because of the way the Windows Media Player plug-in handles a malformed EMBED element. An attacker could exploit the vulnerability by constructing a malicious EMBED element that could potenially allow remote code execution if a user visited a malicious web site. An attacker who successflly exploited this vulnerability could take complkere control of an affected system.

Mitigation
Use Internet Explorer  (until next month when a new IE vulnerability is announced).

Workaround
Microsoft does offer a workaround.  You can modify the Access Control List on the npdsplay.dll file.  However, in Microsoft's own words:

Impact of Workaround: Web sites that attempt to play multimedia content using the non-standard EMBED element may fail to display properly in non-Microsoft Internet browsers. Sites that use the OBJECT element to display content are unaffected by this workaround.

In other words - they break the other browsers with their workaround. 

One of the things that I find quite interesting about this writeup is the number of times that the sentence "Users whose accounts are configured to have fewer rights on the system COULD BE less impacted than other users who operate with administrative user rights." is used.  I am confused by this statement.  I wish Microsoft would clarify this for us. Under which circumstances does the "COULD BE" apply.

It appears the best bet for this is to apply the patch. Not when you get an opportunity but now. It appears that Secunia does agree that this is not just important - but highly critical.  Several places Microsoft indicates that "It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems."  Therefore just about any web site that displays banner ads is a potential infection point. 

Conclusion - patch now.

MS06-007: Vulnerability in TCP/IP Could Allow Denial of Service (913446)

http://www.microsoft.com/technet/security/bulletin/ms06-007.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0021

NOTE:  For those that download via Windows Update or Microsoft Update,  this patch will fail to install.  However, if you manually install this patch downloaded from the bulletin above, it will apply correctly.   Hopefully, Microsoft should fix this issue shortly.  You can call 1-866-PCSAFETY for support on this issue in the meantime..

A new vulnerability exists in Windows XP and 2003 Server computers in regard to its handling of IGMP v3 packets.  An attacker who creates a specially crafted IGMP packet can cause the destination host to stop responding.  Microsoft notes that this vulnerability does not appear to leave an opening for the attacker to raise user privileges or otherwise execute code remotely.

As a workaround, those networks that do not use multicast should be blocking the IGMP and other multicast protocols at your border.  These firewall best practices should protect exploitation of this vulnerability. For those, especially in Higher Education, who make use of multicast then the best choice would be to distribute this patch to those vulnerable areas or modify the registry key located in this bulletin.

Windows 2000 SP4 systems are not apparently vulnerable to this security flaw.  This patch replaces MS05-019 on Windows XP SP1 or SP2, Windows Server 2003 OEM or SP1


MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927)

http://www.microsoft.com/technet/security/bulletin/ms06-008.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0013

Windows versions listed as affected
Windows XP SP1
Windows XP SP2,
Windows 2003 server
Windows 2003 server SP1
        Includes 64 bit editions

Web client service is enabled by default on Windows XP
Web client service is disabled by default on Windows 2003 server

Windows versions  listed as not affected:
Windows 2000 SP4
Windows 98 (all versions)
Windows ME

Impact: Remote execution

Replaces previous update MS05-028

Mitigation: Disable Web Client service on all workstations and servers that do not need it. The Web Client service is used by WebDAV applications.

Description: Sending specific crafted messages over the network after authenticating leads to an attacker having the ability to take complete control of the targeted system. This is a likely avenue for an inside attack by a malicious employee or contractor or targeting home systems without a firewall. The attacker must authenticate to the system to exploit this vulnerability. Use of passwords on all systems will help mitigate this vulnerability.

Kostya Kortchinsky of EADS/CRC www.eads.net discovered this vulnerability

MS06-009: Vulnerability in Korean Input Method Editor. (KB 901190)

http://www.microsoft.com/technet/security/Bulletin/ms06-009.mspx

In order to be vulnerable, you have to install the Korean Input Method Editor. It is only installed by default if you run the Korean version of Windows. For Asian versions, it may be installed but not enabled.

The vulnerability does require either physical access to the system, or access via RDP. In addition, the attacker has to log in using valid credentials. Only if all these prerequisites are met, then the attacker may be able to gain administrator privileges.

Overall not a very severe vulnerability given the limited distribution and mitigating factors. Take this as a good opportunity to check if any unneeded input method editors are installed on your systems (e.g. Chinese). Foreign input method editors are required if a character set uses more characters then available on a standard keyboard. They will allow the building of characters using multiple keystrokes.

If you require the Korean Input Method editor, in particular in public environments like Kiosks and such: Please refer to the details lined out in the Microsoft advisory, and follow standard hardening guides for systems like that. However, it is probably still not the most important advisory from this set.

MS06-010:  Vulnerability in PowerPoint 2000 Could Allow Information Disclosure (889167)

http://www.microsoft.com/technet/security/bulletin/ms06-010.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0004

Affected Software:
Microsoft Office 2000 Service Pack 3
PowerPoint 2000   

Impact:  Information Disclosure
Severity:  Important

Description:  A vulnerability occurs when PowerPoint and Internet Explorer interact and when PowerPoint attempts to render HTML data. If a user opens a PowerPoint presentation on a website, remote access can be gained to the Temporary Internet Files Folder (TIFF) on the user's local system.  This information can/probably will be used to further attempt to compromise the system.


What the patch does: Microsoft states:  "The update modifies PowerPoint such that, when the user clicks on a PowerPoint presentation on a Web site, PowerPoint warns the user that the presentation about to be opened may be unsafe. In such a case, the user may then cancel opening the presentation." Think twice before you say "yes" to opening that document and read the"what the patch does" description again above very carefully.

Summary of Bulletins

Bulletin KB Number Supercedes Severity Impact
MS06-004 910620 MS05-054 Critical Remote Code Execution
MS06-005 911565 MS05-009 Critical Remote Code Execution
MS06-006 911564 N/A Important Remote Code Execution
MS06-007 913446 MS05-019 Important Denial of Service
MS06-008 911927 MS05-028 Important Remote Code Execution
MS06-009 901190 (MS06-003) Important Elevation of Privilege (Korean version)
MS06-010 889167 MS05-030 Important Information Disclosure



Many thanks to all of the Handlers that helped out with the compilation of the information from the bulletins.  Once again the Handlers proved that there is always strength in numbers.

Happy Valentines Day to all of you.




Keywords:
0 comment(s)
Diary Archives