SANS ISC InfoSec Handlers Diary Blog


Adobe Flash update available

Published: 2006-11-14
Last Updated: 2006-11-14 23:58:33 UTC
by Swa Frantzen (Version: 2)
0 comment(s)
Adobe has released an update for a vulnerability in their Flash player.

The CVE number is CVE-2006-5330; it is not covered by this month's MS06-069 Adobe update from Microsoft.

http://www.adobe.com/support/security/bulletins/apsb06-18.html

Yet another thing to patch in the next few days.

Affected versions include 9.x, 8.x and 7.x .

If, after reading the Adobe announcement, you are left wondering what modified HTTP headers in client requests can do to cause HTTP request splitting attacks, or what those are to start with, take a look at e.g.:
http://en.wikipedia.org/wiki/HTTP_Response_splitting
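The mechanism behind that Wikipedia article, shown in a few lines of Python as an added example (not code from the diary, Adobe or Wikipedia; the function names are this example's own): a header value containing CR/LF ends its field early, so anything after it is parsed as further headers or a second response. The hardened builder refuses such values at the boundary, which is the mitigation in every web framework that handles this correctly.

```python
"""Reject CR/LF in HTTP header values before they reach a response.

Added example; not code from the ISC diary or from Adobe. Function names are
the example's own. The class of bug named in the diary entry works because an
attacker-controlled string reaches a header field with its line breaks intact:
the CR/LF ends the field, and whatever follows is parsed as more headers or as
a second response. The defence is to refuse those characters at the boundary.
"""
import re

# A bare CR or LF ends a header field; NUL trips up some parsers the same way.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when a value would break out of its header field."""


def safe_header_value(value: str) -> str:
    """Return `value` unchanged if it can sit inside one header field, else raise."""
    if _FORBIDDEN.search(value):
        raise HeaderInjectionError(f"line break in header value: {value!r}")
    return value


def build_redirect_unchecked(location: str) -> bytes:
    """The vulnerable pattern: user input copied straight into the Location header."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


def build_redirect(location: str) -> bytes:
    """The hardened form: the same response, but the value is validated first."""
    return build_redirect_unchecked(safe_header_value(location))


def count_responses(raw: bytes) -> int:
    """Count status lines in a byte string.

    A well-formed response has exactly one; if the builder let a line break
    through, a second status line can appear and the count goes to two.
    """
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3}", raw))


if __name__ == "__main__":
    # Constructed inputs: a normal path and one carrying an embedded line break.
    print(count_responses(build_redirect("/home")))  # 1
    hostile = "/home\r\n\r\nHTTP/1.1 200 OK\r\n"
    print(count_responses(build_redirect_unchecked(hostile)))  # 2
    try:
        build_redirect(hostile)
    except HeaderInjectionError as err:
        print("rejected:", err)
```

The check belongs wherever untrusted data is copied into a header (redirect targets, cookie values, content-disposition filenames); rejecting rather than silently stripping makes the attempt visible in application logs.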

--
Swa Frantzen -- Section 66
Keywords: adobe flash
0 comment(s)

SUS: deadline extended - XP SP1 not supported anymore

Published: 2006-11-14
Last Updated: 2006-11-14 23:49:01 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
According to the Microsoft MSRC blog, Microsoft has extended the lifetime of SUS until Tuesday July 10th, 2007. So those of you who have not finished deploying WSUS to replace SUS have a few more months' time.

That said, please also note that this month the SUS service will be lacking the MS06-071 patch for a little while, as it wasn't finished on time.

If you read this month's Microsoft security bulletins, do note that Windows XP SP1 is now not supported anymore. That means you do not get security updates and will not be warned of security issues either. So if you use Windows XP, you do not have much choice but to upgrade to SP2.

--
Swa Frantzen -- Section 66
Keywords:
0 comment(s)

Microsoft Black Tuesday Overview

Published: 2006-11-16
Last Updated: 2006-11-16 14:53:36 UTC
by Swa Frantzen (Version: 8)
0 comment(s)

Overview of the November 2006 Microsoft patches and their status.

(Columns of the original table: #, Affected, Contra Indications, Known Exploits, Microsoft rating, ISC rating(*) for clients and servers.)

MS06-066  Netware client services - remote code execution & DoS
  • CVE: CVE-2006-4688, CVE-2006-4689
  • Contra indications: No known problems (KB 923980)
  • Known exploits: PoC exploits available in for-pay program
  • Microsoft rating: Important
  • ISC rating(*): clients Less Urgent; servers Less Urgent

MS06-067  Internet Explorer - remote code execution
  • CVE: CVE-2006-4446, CVE-2006-4777, CVE-2006-4687
  • Contra indications: No known problems (KB 922760)
  • Known exploits: Actively exploited on websites in the wild (websense)
  • Microsoft rating: Critical
  • ISC rating(*): clients PATCH NOW; servers Important

MS06-068  Microsoft Agent - remote code execution
  • CVE: CVE-2006-3445
  • Contra indications: No known problems (KB 920213)
  • Known exploits: No known exploits
  • Microsoft rating: Critical
  • ISC rating(*): clients Critical; servers Less Urgent

MS06-069  Adobe Flash player - remote code execution
  • CVE: CVE-2006-3014, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640
  • Contra indications: No known problems (KB 923789)
  • Known exploits: No known exploits
  • Microsoft rating: Critical
  • ISC rating(*): clients Critical; servers Less Urgent

MS06-070  Workstation service - remote code execution
  • CVE: CVE-2006-4691
  • Contra indications: No known problems (KB 924270)
  • Known exploits: Vulnerability details are public; exploit publicly available
  • Microsoft rating: Critical
  • ISC rating(*): clients Critical (**); servers Critical (**)

MS06-071  XML Core services
  • CVE: CVE-2006-5745
  • Contra indications: No known problems (KB 928088; also KB 927977, KB 927978)
  • Known exploits: Exploits publicly available
  • Microsoft rating: Critical
  • ISC rating(*): clients PATCH NOW; servers Important

We will update issues on this page as they evolve. We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
(**): Of the supported versions of Windows this mainly affects Windows 2000. The vulnerability exists on Windows XP to a lesser degree and seems to be absent from Windows 2003.

--
Swa Frantzen -- Section 66

Keywords:
0 comment(s)

WinZip 10.0 build 7245 released

Published: 2006-11-14
Last Updated: 2006-11-14 23:00:04 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
WinZip released a security update today.

WinZip urges their customers to upgrade but does not seem to give details about the security vulnerability. So while you reboot those machines for the Microsoft patches, mix in a WinZip installer.

http://www.winzip.com/downwz.htm

--
Swa Frantzen -- Section 66
Keywords:
0 comment(s)

MS06-068: Microsoft Agent

Published: 2006-11-14
Last Updated: 2006-11-14 19:36:44 UTC
by Jim Clausing (Version: 3)
0 comment(s)
CVE-2006-3445 

This update fixes a buffer overflow in Microsoft Agent that could allow remote code execution.

Microsoft Agent is a component of the OS that allows (to quote Microsoft) "an enriched form of user interaction that can make using and learning to use a computer easier and more natural."  This includes things like the paperclip that pops up at various times while using Microsoft Office applications.  This feature can apparently be invoked via ActiveX in Internet Explorer.  Microsoft states that they are not aware of active exploitation of this vulnerability at this time.

Due to the possibility of remote exploitation, this should be considered critical for user machines, less urgent for servers.

Workarounds


From Microsoft's bulletin, the Microsoft Agent ActiveX controls can be disabled by setting the following kill bits in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}]
"Compatibility Flags"=dword:00000400



http://www.microsoft.com/technet/security/bulletin/ms06-068.mspx
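Once the kill bits above have been pushed out (by .reg import or group policy), the thing to verify is that every one of the five CLSIDs actually ended up with the 0x400 bit set, not merely present. The following Python is an added example, not code from the diary or from Microsoft: it parses an exported .reg file in the format shown above and lists the CLSIDs from the MS06-068 workaround whose kill bit is missing. The sample export embedded in it is constructed for the demonstration; the five CLSIDs are the ones in the bulletin.

```python
"""Check a .reg export for the ActiveX kill bits MS06-068 recommends.

Added example, not from the ISC diary or Microsoft's bulletin. It parses the
registry-export format shown above and reports, per CLSID, whether the
kill-bit flag (0x400 in "Compatibility Flags") is set. SAMPLE_REG below is a
constructed export used for the demonstration; MS06068_CLSIDS lists the five
controls named in the workaround.
"""
import re

KILL_BIT = 0x400  # FLAG_KILL_BIT in "Compatibility Flags"
ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

MS06068_CLSIDS = [
    "{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}",
    "{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}",
    "{4BAC124B-78C8-11D1-B9A8-00C04FD97575}",
    "{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}",
    "{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}",
]

# Constructed export: two controls fully killed, one killed with an extra flag,
# one present but with flags 0, and one missing altogether.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}]
"Compatibility Flags"=dword:00000401

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}]
"Compatibility Flags"=dword:00000400
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_compat_flags(reg_text: str) -> dict:
    """Map CLSID -> "Compatibility Flags" value for keys under ActiveX Compatibility."""
    flags = {}
    current = None
    prefix = (ACTIVEX_COMPAT + "\\").upper()
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1).upper()
            # Only track subkeys of the ActiveX Compatibility key; ignore the rest.
            current = key[len(prefix):] if key.startswith(prefix) else None
            continue
        m = _DWORD_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags


def missing_kill_bits(reg_text: str, clsids=MS06068_CLSIDS) -> list:
    """Return the CLSIDs from `clsids` whose kill bit is not set in the export."""
    flags = parse_compat_flags(reg_text)
    return [c for c in clsids if not (flags.get(c.upper(), 0) & KILL_BIT)]


if __name__ == "__main__":
    for clsid in missing_kill_bits(SAMPLE_REG):
        print("kill bit NOT set:", clsid)
```

On a real machine the input would be the output of `reg export` of the ActiveX Compatibility key; the bitmask test matters because the flag can legitimately be combined with other compatibility flags, so comparing the value to exactly 0x400 would give false alarms.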
Keywords:
0 comment(s)

MS06-066: Netware Client Service Buffer Overflow

Published: 2006-11-14
Last Updated: 2006-11-14 19:35:00 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
CVE-2006-4688 (code execution) and CVE-2006-4689 (DoS)

The Netware Client Service for Windows (NCSW) is used to allow Windows systems to access Netware file servers, directories and printers. It runs as 'system', and this exploit would allow an attacker to execute arbitrary code as 'system'.

This service is not installed by default, and you only need it to access Netware servers. So as long as you don't run Netware, check whether you have it running on a system by mistake and turn it off.

If you do run Netware (or even if you don't), make sure that you have all Netware-related ports blocked at your perimeter. This is a critical patch for Netware users, but it only affects the client, not the Netware server. Windows servers may act as clients to a Netware server.




Keywords:
0 comment(s)

MS06-069: Adobe Flash Player

Published: 2006-11-14
Last Updated: 2006-11-14 19:34:49 UTC
by Jim Clausing (Version: 2)
0 comment(s)
CVE-2006-3014, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, and CVE-2006-4640

Updates Adobe's Macromedia Flash Player, which was included in XP SP2 and XP Pro x64.  This appears to be the same update that Adobe made available in September (see here).

A buffer overflow exists that could be exploited by a malformed SWF file which could be distributed via web or e-mail.

This patch should be considered critical for user machines and less urgent for servers.  Those who updated Flash Player as a result of the Adobe bulletin should not be at risk.

http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx
http://www.adobe.com/support/security/bulletins/apsb06-11.html
Keywords: adobe flash Microsoft
0 comment(s)

MS06-071: MSXML Core Services

Published: 2006-11-14
Last Updated: 2006-11-14 19:34:19 UTC
by Jim Clausing (Version: 1)
0 comment(s)
CVE-2006-5745

This update patches the MSXML Core Services vulnerabilities that are currently being actively exploited by a number of web sites on the internet.

This patch should be applied immediately on all user machines and should be considered important on servers.  This bulletin appears to supersede MS06-061, which was released in October and updated last week.

http://www.microsoft.com/technet/security/bulletin/ms06-071.mspx
Keywords: Microsoft MSXML
0 comment(s)

MS06-067: Internet Explorer DirectAnimation and HTML Rendering Vulnerability

Published: 2006-11-14
Last Updated: 2006-11-14 19:34:06 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
This advisory is a wrapper for 3 different Internet Explorer vulnerabilities:

CVE-2006-4446: DirectAnimation ActiveX Control
CVE-2006-4777: DirectAnimation ActiveX Control (not clear how it is different)
CVE-2006-4687: HTML Rendering Memory Corruption Vulnerability.

First off: All of these are exploited by exposing Internet Explorer to malicious HTML code. The "must have" precaution is to not run IE as "Administrator".

IMPORTANT: An exploit is in use against the DirectAnimation ActiveX Vulnerability!

DirectAnimation is a precursor to what is now DirectX. In order to exploit the vulnerability, another deprecated library, HTML+TIME 1.0, has to be available.

The HTML render vulnerability is in particular tricky as it could be triggered by HTML e-mail.

This is a "Must Patch Now" issue for clients. Servers may want to hold off on this for a bit.
As with all Internet Explorer patches: don't forget to test internal critical web-based applications. We have seen it happen in the past that such applications used older ActiveX techniques which were no longer available after a patch was applied.


Keywords:
0 comment(s)

MS06-070: Workstation service

Published: 2006-11-14
Last Updated: 2006-11-14 19:33:56 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
This is a patch to fix a remote vulnerability caused by an unchecked buffer in the Workstation Service, a component of Microsoft Windows.

This service is the one responsible for allowing connections to shared file resources or shared print resources on a network.

As said above, it will allow remote exploitation of the machine, which would give complete control to the attacker. Most personal firewalls may protect you against this vulnerability, and despite the fact that Microsoft says that there is no public exploit or disclosure of this vulnerability yet, our advice is to test and apply it as soon as possible on your systems.

--
Pedro Bueno
Keywords:
0 comment(s)

Microsoft XP SP2 wireless hotfix

Published: 2006-11-14
Last Updated: 2006-11-14 15:50:16 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
Jakob sent in a good find over at Microsoft: http://support.microsoft.com/?kbid=917021 . It's a hotfix update to the wireless system of XP SP2 that claims to do a number of useful things:
  • Allows group policy to control WPA2 settings.
  • Allows networks in the preferred network list to be set as broadcast or non-broadcast. Setting all to broadcast prevents the computers from leaking the list of preferred networks when they do not find one in their list.
  • 'parked' wireless cards are given encryption. Parking a card is according to Microsoft: "Wireless Auto Configuration may create a random wireless network name and put the wireless network adapter in infrastructure mode.  In this situation, the wireless adapter is not connected to any wireless network. However, the wireless adapter continues to scan for preferred wireless networks every 60 seconds".
    They go on with: "Some wireless network adapter drivers may interpret this parking operation as a request to connect to a wireless network. Therefore, these drivers may send probe requests in search of a network that has the random name. Because the parking operation passes no security configuration the driver, the random wireless network might be an open system-authenticated wireless network that uses no encryption. An observer could monitor these probe requests and establish a connection with a parked Windows XP wireless client".
    Now encrypting will surely help, but it does feel funny to let it sit there configured randomly while there is no use for it doing anything.
  • Stops trying to connect to ad-hoc networks in the preferred network list.
Test it well before you deploy it widely, but it does seem a worthwhile hotfix.

See also Microsoft security advisory 917021, it contains more background information.

--
Swa Frantzen -- Section 66
Keywords:
0 comment(s)