Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Apple Quicktime 7.1.3 released

Published: 2006-09-12
Last Updated: 2006-09-13 00:00:39 UTC
by Swa Frantzen (Version: 2)
0 comment(s)
Apple released today Quicktime 7.1.3. It fixes 7 vulnerabilities, all leading to arbitrary code execution. Clearly our worries from insufficient validated content in media files are not over yet.

So one more item to install on reboot wednesday if you want to wait that long.

And Mac OS X users also have to patch so there is some equality after all.

CVE-2006-4381
CVE-2006-4386
CVE-2006-4382
CVE-2006-4384
CVE-2006-4388
CVE-2006-4389
CVE-2006-4385


--
Swa Frantzen --Section 66
Keywords: apple quicktime
0 comment(s)

Adobe Flash player upgrade time

Published: 2006-09-13
Last Updated: 2006-09-13 12:52:21 UTC
by Swa Frantzen (Version: 4)
0 comment(s)
Adobe released its APSB06-11 advisory on some patched versions of it's flash player today. These upgrades address multiple vulnerabilites in relation to input validation. They lead to arbitrary code execution.

Upgrading to the latest greatest version: 9.0.16.0 is highly recommended.

Apple Mac OS X users as well as Windows users are urged to upgrade. It's important as content vectors are something the dark sides likes to embrace.

CVE-2006-3014
CVE-2006-3311
CVE-2006-3587
CVE-2006-3588
CVE-2006-4640

A reader pointed us to the knowledge base article for more information on how to deploy it using e.g. a msi.

Another reader pointed us to Linux (and actually Solaris as well) users also need to upgrade their flash players. [They need to stay with the version 7 player, but have an upgrade waiting nevertheless].

--
Swa Frantzen -- Section 66
Keywords: adobe flash upgrade
0 comment(s)

Microsoft security patches for September 2006

Published: 2006-09-14
Last Updated: 2006-09-14 17:37:15 UTC
by Swa Frantzen (Version: 5)
0 comment(s)
Overview of the September 2006 Microsoft patches.

# Affected Known Problems
Known Exploits Microsoft rating ISC rating (*)
clients servers
re-released MS06-040 Server Service

CVE-2006-3439
Re-released to fix known problems

KB921883
Multiple botnets actively exploiting this. Critical
PATCH NOW
PATCH NOW
re-released MS06-042 Internet Explorer (MSIE)

CVE-2006-3280
CVE-2006-3450
CVE-2006-3451
CVE-2006-3637
CVE-2006-3638
CVE-2006-3639
CVE-2006-3640
CVE-2004-1166
CVE-2006-3869
new:

CVE-2006-3873
Re-released to fix  the known problems with MSIE6SP1

KB918899
Well known vulnerabilities
Critical
PATCH NOW
Important
MS06-052 Microsoft Queue System (MSQS) -
Pragmatic General Multicast (PGM)

CVE-2006-3442
No reported problems

KB919007
No known exploits yet
Important
Critical Critical
(**)
MS06-053 Indexing Service

CVE-2006-0032
No reported problems

KB920685
No known exploits yet Moderate
Less urgent
Important
MS06-054 Publisher

CVE-2006-0001
No reported problems

KB910729
No known exploits yet Critical
Critical Less urgent

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leaisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems.  There is little incentive for vendors to publicize patches that do not have some form of risk to them.
(**):  Please note that in accordance with the above this rating assumes your machine used in a typical server role is affected. This has nothing to do with Microsoft's marketing names or product lines. Server applies to the use of the machine. The rating assumes the machine is affected. So yes we consider it a critical problem if you use a MSQS enhanced XP as a server. Please resolv any licensing issues directly with Microsoft, we do not condone violating copyright or licencing agreements.
The key is that the separation between server and client is how you use the machine, we rated the MSIE issues in MS06-042 lower due to most administrators being smart enough never to surf the web on a server. Still, if you installed a windows server license on your laptop and surf the web with it, it is at high risk even if it is a "server" licensed version of the OS.


--
Swa Frantzen -- Section 66
0 comment(s)

Microsoft Security Bulletin MS06-054

Published: 2006-09-13
Last Updated: 2006-09-13 01:36:20 UTC
by Michael Haisley (Version: 2)
0 comment(s)

A remote code execution vulnerability exists in Publisher. An attacker could exploit this vulnerability when Publisher parses a file with a malformed string.

If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Mitigating Factors:
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Publisher file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.

By default, Publisher is only installed on the Professional Suites of Office.

Recommendation: If you use publisher, patch now, consider limiting user rights for day-to-day use, even for those that need administrative access.
Keywords: microsoft
0 comment(s)

Microsoft Security Bulletin MS06-052

Published: 2006-09-12
Last Updated: 2006-09-12 19:37:04 UTC
by Michael Haisley (Version: 1)
0 comment(s)
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Affected Systems: Windows XP with Microsoft Message Queuing Services (MSMQ) installed.

Recommendation: Patch Immediatly if you are running MSMQ.

Keywords: microsoft
0 comment(s)

Microsoft Security Bulletin MS06-053

Published: 2006-09-12
Last Updated: 2006-09-12 19:29:06 UTC
by Michael Haisley (Version: 1)
0 comment(s)
There is an information disclosure vulnerability in the Indexing Service because of the way that it handles query validation. The vulnerability could allow an attacker to run client-side script on behalf of a user. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site.

Mitigating Factors:
By default, Internet Information Services (IIS) is not installed on Windows XP or on Windows Server 2003.

On Windows Server 2003, the Indexing Service is not enabled by default.

On Windows Server 2003, even when the Indexing Service is installed, by default it is not accessible from IIS. Manual steps are required to enable IIS to become a Web-based interface for the Indexing Service. By default the Indexing Service is used only to perform local and remote file system queries.

Recommendations: Evaluate urgency based on your installation, and apply the patch.
Keywords:
0 comment(s)
Diary Archives