SANS ISC InfoSec Handlers Diary Blog


Microsoft Security Bulletin Summary for April, 2006

Published: 2006-04-11
Last Updated: 2006-04-11 23:50:25 UTC
by Deborah Hale (Version: 2)

As you can see, the gang at the Internet Storm Center have been very busy little beavers. They have helped me put together this great Diary update for you. Thanks to Johannes, Marcus, Scott and Pedro for all of their hard work. So below is the "low down" on Microsoft Patch Tuesday. Happy reading.

Cumulative Security Update for Internet Explorer (912812)

MS06-013, KB912812, CVE-2006-1359, 1388, 1185, 1186, 1188, 1189, 1190

This patch should be applied as fast as possible, but due to a change in ActiveX functionality it requires extra careful testing. Microsoft bundled all but one of this month's Internet Explorer updates in this "Cumulative update". This particular update patches no fewer than 8 remote code execution issues. In addition, one information disclosure problem and an address bar spoofing vulnerability are fixed. Note that exploits are public for at least one (CVE-2006-1245) and possibly two (CVE-2006-1388) of the advisories. While the exploits known to us only trigger a DoS condition, it is very much possible that more sinister exploits are already in use. Microsoft states that they are not aware of any exploits in the wild, which likely refers to remote execution exploits, not the DoS exploits.

As far as mitigation steps go: Disabling Active Scripting may help with some of the vulnerabilities, but others (e.g. CVE-2006-1185 and CVE-2006-1188) can be triggered without Active Scripting. Of course, running Internet Explorer with reduced rights will limit your exposure.

So this is a "must apply fast" patch. However, be careful. This patch includes the "Eolas Patent Patch", a change in functionality Microsoft had to issue in order to avoid paying for certain patent rights.
Read this http://support.microsoft.com/kb/912812 carefully (in particular if you are using Siebel 7)

(Thanks Johannes for the write-up)

Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)

MS06-014, KB911562, CVE-2006-2003

This update resolves a newly-discovered, privately-reported vulnerability.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software:

  • Microsoft Windows XP Service Pack 1 running Microsoft Data Access Components 2.7 Service Pack 1
  • Microsoft Windows XP Service Pack 2 running Microsoft Data Access Components 2.8 Service Pack 1
  • Microsoft Windows XP Professional x64 Edition running Microsoft Data Access Components 2.8 Service Pack 2
  • Microsoft Windows Server 2003 running Microsoft Data Access Components 2.8
  • Microsoft Windows Server 2003 Service Pack 1 running Microsoft Data Access Components 2.8 Service Pack 2
  • Microsoft Windows Server 2003 for Itanium-based Systems running Microsoft Data Access Components 2.8
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems running Microsoft Data Access Components 2.8 Service Pack 2
  • Microsoft Windows Server 2003 x64 Edition running Microsoft Data Access Components 2.8 Service Pack 2
  • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Affected Components:

  • Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.5 Service Pack 3 installed
  • Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.7 Service Pack 1 installed
  • Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.8 installed
  • Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.8 Service Pack 1 installed
  • Windows XP Service Pack 1 with Microsoft Data Access Components 2.8 installed

This vulnerability can result in remote code execution, and is deemed as CRITICAL for Win9x, Win2k SP4, and WinXP SP1 and 2.  It is labeled as MODERATE for Windows Server 2003 including SP1.

This is not "wormable" in that the vulnerability depends on the failure of an ActiveX control rather than a process listening on an open port. However, an attacker could successfully inject malicious code on a victim's machine via HTML-enabled email or a web site.

(Thanks Marcus for this write-up.)

Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)

MS06-015; KB908531; CVE-2006-0012

Yes, time for patching again... and regarding this one, the Windows Shell vulnerability, I would HIGHLY recommend that you test and then apply it on your machines affected by this one.

This time, our fellow COM Objects can be used to execute arbitrary code...

The O.S. affected are:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
About the vulnerability:
The vulnerability itself is a critical one and will allow remote code to be executed in your machine. Did you get the word "REMOTE"?

According to the original advisory:
"A remote code execution vulnerability exists in Windows Explorer because of the way that it handles COM objects. An attacker would need to convince a user to visit a Web site that could force a connection to a remote file server. This remote file server could then cause Windows Explorer to fail in a way that could allow code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system."

So, speaking of workarounds, if you can't apply the patch right away, MS recommends:

  • Disable the Web Client service
  • Use the Group Policy settings to disable the WebClient service on all affected systems that do not require this feature.
  • Block TCP ports 139 and 445 at the firewall
Right... :) But before someone asks why one of MS's workarounds is to block ports 139 and 445, I will answer: YES, these ports can be used to exploit the vulnerability... But you already block these ports, right? :)
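As an added example (not from the diary or from Microsoft), here is a PowerShell check of whether the two host-level MS06-015 workarounds listed above are in place: the WebClient service disabled and stopped, and nothing left listening on TCP 139/445 that a firewall rule would have to cover. The function name is mine, and it assumes Windows PowerShell with WMI and netstat available.

```powershell
# Added example: audit the MS06-015 workaround state on a Windows host.
# Hypothetical function name; not a Microsoft-provided tool.
function Test-MS06015Workarounds {
    # Workaround 1: the WebClient (WebDAV redirector) service should be disabled.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($svc) {
        $startMode = $svc.StartMode
        $state     = $svc.State
    } else {
        $startMode = 'NotInstalled'
        $state     = 'NotInstalled'
    }
    $webClientOk = ($null -eq $svc) -or
                   ($startMode -eq 'Disabled' -and $state -eq 'Stopped')

    # Workaround 2: TCP 139/445 should be blocked at the firewall. This reports
    # local listeners so you know whether that rule matters for this host; it
    # does not inspect the firewall configuration itself.
    $listening = netstat -an | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(139|445)\s+\S+\s+LISTENING') { $matches[1] }
    } | Sort-Object -Unique

    if ($webClientOk -and -not $listening) {
        $summary = 'WebClient disabled and no SMB/NetBIOS listener: workarounds in place'
    } elseif ($webClientOk) {
        $summary = 'WebClient disabled, but TCP ' + ($listening -join ', ') +
                   ' is listening: confirm the firewall blocks it'
    } else {
        $summary = 'WebClient service still enabled: workaround NOT in place'
    }

    New-Object PSObject -Property @{
        WebClientStartMode = $startMode
        WebClientState     = $state
        SmbPortsListening  = @($listening)
        Summary            = $summary
    }
}

Test-MS06015Workarounds | Format-List
```

Run it before and after applying the workaround (or the patch) to confirm the change took effect; a disabled-but-running WebClient service still counts as not in place until it is stopped.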

One special note for Windows 98/98SE/ME: they ARE affected by this vulnerability, but the patch is not available yet. According to MS, it will be available soon after this release.

(Thanks to Pedro for this write-up.)

1 Important

Cumulative Security Update for Outlook Express (911567)

MS06-016; KB911567; CVE-2006-0014

A remote code execution vulnerability exists within Outlook Express involving its handling of Windows Address Book (.wab) files. Attackers can craft a suitable version of the .wab file and then convince the end user to open the file, either directly via email or by opening a link on a web site. The attacker would gain the same administrative rights as the end user. As a workaround to this update, you can change or remove the file association for the .wab format.

This update replaces 2 prior security updates (MS04-018 and MS05-030) in most supported operating systems. The exceptions are Outlook Express 6 for Windows XP SP2 and for Windows Server 2003 SP1 (32 and 64 bit). Users of prior versions of Outlook Express on lesser Service Pack levels should be aware of this replacement.

Windows 98/98SE and ME are also impacted but not critically enough for Microsoft to release updates for these systems.

(Thanks Scott for the write-up.)

1 Moderate

Vulnerability in Microsoft Front Page Server Extensions Could Allow Cross Site Scripting (917627)

MS06-017; KB917627; CVE-2006-0017

A remote code execution vulnerability exists in FrontPage Server Extensions (FPSE) or SharePoint Team Services (STS) which could allow an attacker to run client-side scripts on behalf of an FPSE user. If the user has administrative rights, the attacker would gain complete access to the server. Otherwise, access will be limited to the rights granted to the end user. Because of a list of mitigating circumstances and the default install of Windows Server, Microsoft is releasing this as a moderate issue. However, note that this is a remote code execution problem and could be more critical in your particular circumstances.

So for those that have IIS installed on your workstations or servers, or have FPSE or SharePoint on your network, please be aware of this bulletin and its corresponding knowledge base article (KB917627), as there are known issues with deploying the update.

Also, users of FrontPage 2002 may be offered the security patch through Office Update site and/or MBSA.  This update is recommended though it is not believed to be vulnerable to this exploit at this time.

MS03-051 is replaced for those using FrontPage Server Extensions 2002 which was downloaded and installed on Windows XP or  Server 2000 SP4 machines.  MS05-006 is replaced for those using Microsoft SharePoint Team Services 2002.

(Thanks Scott for this write-up.)

Update for Outlook 2003 Junk Email Filter (KB914454)

Microsoft released an update to the Junk E-mail Filter in Microsoft Office Outlook 2003. This update provides a more current definition of which e-mail messages should be considered junk e-mail.

Windows Malicious Software Removal Tool - April 2006 (KB890830)

Microsoft released the monthly update to the Malicious Software Removal Tool (MSRT). The newest version detects 3 new specific and prevalent malicious software families which may be on infected computers. For more information on the new additions, please see http://www.microsoft.com/security/malwareremove/default.mspx for details. As a reminder, this tool is not supposed to be a replacement for your corporate or individually owned antivirus and spyware protection.


Update from Microsoft Not Included in April 2006 Bulletin

Published: 2006-04-11
Last Updated: 2006-04-11 22:58:40 UTC
by Deborah Hale (Version: 1)

Microsoft also updated MS06-005 but it was not included in the bulletin today.

According to Microsoft: Updates are available for Microsoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2, listed in the "Affected Components" section. For more information, see "What are the known issues that customers may experience when they install this security update?" Additional clarity is under "How could an attacker exploit the vulnerability?" in the "FAQ for Windows Media Player Vulnerability" section.

For more information see the complete bulletin: Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)

IE Changes Due: What You Can Expect

Published: 2006-04-11
Last Updated: 2006-04-11 20:46:02 UTC
by Deborah Hale (Version: 1)
We received a link to an interesting article today from one of our readers (who wishes not to be identified). If the information in this article is true, this could be an interesting time for novice home users. The article says that some sites that rely on popular ActiveX controls such as QuickTime, RealPlayer, Flash and Acrobat are likely to give users fits. It will be interesting to see what happens in the next few days. Again, stay tuned.

IE Changes Due: What You Can Expect

Adobe Active Content Development Center

Report Child Porn

Published: 2006-04-11
Last Updated: 2006-04-11 16:41:11 UTC
by Deborah Hale (Version: 1)
As an addition to William's terrific diary from yesterday, I would like to add a comment.

In the US, the FBI and other law enforcement agencies have designated the National Center for Missing and Exploited Children as their reporting center for child pornography and other criminal issues dealing with children. For more information see their web site.

http://www.ncmec.org/

Domain Hi-jacking Nightmare

Published: 2006-04-11
Last Updated: 2006-04-11 15:49:03 UTC
by Deborah Hale (Version: 1)
Yesterday afternoon I got a phone call from a local non profit organization. A plea for help really.

A year ago they were going through a change in leadership, board, etc. at the same time as their web site domain was set to expire. They were unaware that they were on the verge of disaster until they received a phone call from a local citizen who had made a gruesome discovery: the web site now contained porn. They have learned a very hard lesson.

It has been a year and they are still getting calls from people saying "do you realize your website contains porn?". They have to explain to the caller that their web site has changed to the new URL and that they are trying to get all of the search links straightened out. (When I Googled for this organization I came up with close to 1000 entries. On the first Google page there were 3 occurrences of the old web address being linked to the organization.)

This organization is popular with both adults and children. So now we have the potential of children happening onto the site.

To add fuel to the flame this site attempts to hijack your web browser as well. Once hijacked you get the pleasure of pornography every time you open your browser. For most people this will mean a bill to pay someone to "fix" their computer.

When discussing this with the local FBI, they indicated that what had happened was not illegal; it happens all the time.

I have to ask myself "how can this be legal?" How can someone take a website that was owned by someone else and grab it for their dirty deeds? How can they create a web site that causes "damage" to someone else's computer? How can they cause potential damage to children by displaying this type of material? Why is none of this illegal? (It isn't illegal, perhaps unethical and immoral, but NOT ILLEGAL.)

It has been a year and this small non profit organization has spent time, money and resources trying to undo what has been done. They will probably never get all of the occurrences of these removed from the search engines.  And if someone looking for their web site types in  .com instead of  .org they will be greeted with porn.

I urge all of you to check your web registration and make sure that you know when it is due to be renewed, and renew early. Don't take any chances. These folks are lying in wait, waiting for your web site to expire so that they can snap it up and display their dirty merchandise.

I am interested in hearing from others that have had this happen, if and how they resolved it.


Losses Claimed By Online Fraud Hit $182 Million

Published: 2006-04-11
Last Updated: 2006-04-11 15:32:13 UTC
by Deborah Hale (Version: 1)
According to Investor's Business Daily, online fraud is still on the rise. And unbelievably, the Nigerian Scams still top the list for losses.

In case you don't know what the Nigerian Scam is:
"In this scam, victims are guaranteed millions if they help the fraudsters by giving them an upfront loan in order to transfer a ton of money out of Nigeria. This scam dates back to at least 1996."

http://www.investors.com/editorial/IBDArticles.asp?artsec=17&artnum=1&issue=20060406

Folks - you can NOT get rich this way. As a matter of fact, you can get really poor this way. When will people realize that if it seems too good to be true, it probably is?