Another 0-Day Exploit - CVE-2006-4777
We have received word that FrSIRT has issued another advisory on a 0-Day Exploit. This vulnerability has CVE ID 2006-4777 and appears to be related to Microsoft Internet Explorer and causes a memory corruption and consequential browser crash. FrSIRT has successfully exploited this vulnerability on a fully patched Windows XP SP2 system.
FrSIRT Advisory for CVE-2006-4777
CVE Advisory
cisco vtp vulnerabilities
I should have pointed out these are only exploitable from a local segement.
FX reported three vulnerabilities for cisco vtp.
http://www.securityfocus.com/archive/1/445896/30/0/threaded
Cisco responded with this public response.
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml
VTP passwords mitigate this one somewhat as long as the passwords are not easily guessable or well known.
VTP passwords do not mitigate this vulnerability as this takes place before the vtp password would be used.
This one appears to be a cosmetic issue not a DOS.
Cisco was unable to recreate a DOS condition one in their testing.
If not set to transparent mode the vtp could be vulnerable depending on code level.
"Products affected by these vulnerabilities:
Switches running affected versions of Cisco IOS® software that have VTP Operating Mode as either "server" or "client" are affected by all three vulnerabilities
Switches running affected versions of Cisco CatOS that have VTP Operating Mode as either "server" or "client" are only affected by the "Integer Wrap in VTP revision" vulnerability
Products not affected by these vulnerabilities:
Switches configured with VTP operating mode as "transparent"
Switches running CatOS with VTP Operating Mode as either "server" or "client" are not affected by the "Buffer Overflow in VTP VLAN name" or "VTP Version field DoS" vulnerabilities"
Microsoft security patches for September 2006
| # | Affected | Known Problems |
Known Exploits | Microsoft rating | ISC rating (*) | |
|---|---|---|---|---|---|---|
| clients | servers | |||||
| re-released MS06-040 | Server Service CVE-2006-3439 |
Re-released to fix known problems KB921883 |
Multiple botnets actively exploiting this. | Critical |
PATCH NOW |
PATCH NOW |
| re-released MS06-042 | Internet Explorer (MSIE) CVE-2006-3280 CVE-2006-3450 CVE-2006-3451 CVE-2006-3637 CVE-2006-3638 CVE-2006-3639 CVE-2006-3640 CVE-2004-1166 CVE-2006-3869 new: CVE-2006-3873 |
Re-released to fix the known problems with MSIE6SP1 KB918899 |
Well known vulnerabilities |
Critical |
PATCH NOW |
Important |
| MS06-052 | Microsoft Queue System (MSQS) - Pragmatic General Multicast (PGM) CVE-2006-3442 |
No reported problems KB919007 |
No known exploits yet |
Important |
Critical | Critical (**) |
| MS06-053 | Indexing Service CVE-2006-0032 |
No reported problems KB920685 |
No known exploits yet | Moderate |
Less urgent |
Important |
| MS06-054 | Publisher CVE-2006-0001 |
No reported problems KB910729 |
No known exploits yet | Critical |
Critical | Less urgent |
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leaisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
The key is that the separation between server and client is how you use the machine, we rated the MSIE issues in MS06-042 lower due to most administrators being smart enough never to surf the web on a server. Still, if you installed a windows server license on your laptop and surf the web with it, it is at high risk even if it is a "server" licensed version of the OS.
--
Swa Frantzen -- Section 66
CSO Online E-Crime Survey Results
CSO Online E-Crime Survey Results
The survey results are in and the findings are quite intriguing (at least to me). As a Security Administrator for a smaller company I realize what a task it is to implement any kind of security with a very small budget. It is often difficult to impress on top management the importance of data protection, network protection and getting them to allocate funds for software/hardware to protect the data.
As I reviewed the information in the survey one of the items that jumped out at me, that really caused me to pause and think was the insider breaches that ended in lost revenue/damage. The different ways that the breaches occurred were all very logical and I guess not so surprising. When I looked at the reasons that were given for why legal action was not taken I at first was surprised at the high percentage that said "Lack of evidence". As I began to think about it, began to really think about whether or not we would have enough evidence, I am beginning to rethink my response. Perhaps I need to really look at my ability to provide evidence in the event that an insider breach does occur.
I have to say, this is an outstanding survey and I think an outstanding tool for Security/System Administrators to begin to ask themselves the very important question, "How safe is your data?"
I for one am going to use this as a tool for doing a self evaluation.
I want to thank Karen Fogerty at CSO Online for giving me permission to post a link to the survey in today's diary. Hopefully everyone will take a look at the results of the survey and use it to analyze their own security or lack thereof and the impact that a breach may have on their system.
Comments