The missing Microsoft patches
Vulnerabilities that are widely known and/or actively exploited are of great interest to our readers; here we try to keep an overview of them.

| Affected | Known exploits | Impact | Known since | ISC rating(*) clients | ISC rating(*) servers | Notes |
|---|---|---|---|---|---|---|
| Microsoft DNS CVE-2007-1748 | Exploit used in the wild; exploit code public | Remote code execution with SYSTEM privileges | April 4th, 2007 | Less Urgent | Critical | Microsoft DNS offers RPC for remote management that is vulnerable to a stack overflow. See SA935964, KB935964, VU#555920 and the MSRC blog for more mitigating information. |
| MSIE CVE-2007-1692 | Exploit publicly discussed | Malicious proxy insertion by insiders | Mar 25th, 2007 | Less Urgent | Less Urgent | Some mitigating steps are in KB934864: set up wpad TXT records in all DNS domains and have the "wpad" and "wpad." names reserved on all WINS servers. |
| Windows Vista - Windows Mail CVE-2007-1658 | Exploit publicly available | Execute programs through a crafted URL | Mar 23rd, 2007 | Less Urgent | Less Urgent | |
| IE 7 CVE-2007-1499 | Exploit publicly available | XSS against a local resource | Mar 14th, 2007 | Less Urgent | Less Urgent | |
| OLE object can crash Windows Explorer CVE-2007-1347, US-CERT VU#194944 | Exploit publicly available | DoS (memory corruption might lead to more) | Mar 6th, 2007 | Less Urgent | Less Urgent | |
| IE7 browser entrapment using onUnload() CVE-2007-1091 | PoC publicly discussed | onUnload() and transitions can be used to fake a user backing out of a bad website while still interacting with it | Feb 23rd, 2007 (variation of the onUnload() trouble from Aug 2005) | Less Urgent | Less Urgent | |
| IE7 browser involuntary file upload | PoC publicly discussed | Focus can still be captured using JavaScript to capture keystrokes and use them to upload a file to a malicious website | Feb 12th, 2007 (variant of exploits dating back to Jun 2006) | Important | Less Urgent | |
| Word 2000/XP unspecified problems CVE-2007-0870 | Used in targeted attacks | Remote code execution (originally only DoS) | Feb 9th, 2007 | Critical | Important | |
| Internet Explorer msxml3 concurrency problems CVE-2007-0099 | Publicly posted exploit | DoS; code execution considered too difficult to control | Jan 4th, 2007 | Less Urgent | Less Urgent | Patch unlikely, expect a fix in a SP or next version. |
| Workstation Service NetrWkstaUserEnum() memory allocation exhaustion in XP and 2000 CVE-2006-6723 | Publicly posted exploit | DoS | Dec 25th, 2006 | Less Urgent | Less Urgent | Patch unlikely, expect a fix in a SP. Likely related to CVE-2006-6296 and CVE-2006-3644, see below. |
| Microsoft Windows NAT Helper Components CVE-2006-5614 | Publicly available exploit | DoS | Oct 28th, 2006 | Less Urgent | Important | Patch unlikely, expect a fix in a SP. |
| PowerPoint 2003 CVE-2006-5296 | Publicly available exploit (MSRC blog #1, MSRC blog #2) | DoS | Oct 20th, 2006 | Less Urgent | Less Urgent | Patch unlikely, Microsoft doesn't consider it a security problem anymore. |
| RPC memory allocation exhaustion in Windows 2000 SP4 via UPnP, SPOOLSS CVE-2006-6296 CVE-2006-3644 | Multiple publicly available exploits | DoS | Nov 16th, 2005 | Less Urgent | Important | Patch unlikely, expect a fix in a SP (if any). |
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
--
Swa Frantzen -- Section 66
Offline Microsoft Patching
Heise brings us "Offline Update 3.0" to do offline installations of Microsoft patches.
Read more about it at: http://www.heise-security.co.uk/articles/80682
Now this is a great concept: you can make a DVD to install the patches before you connect a PC that is out of date on patches to the Internet. If you think you can safely do that without this tool, take a second and think it through: some of your friends needing a house call might have a USB-connected DSL or cable modem and therefore not be behind NAT. Then take a look at the survival time and think about how long it takes to get a Windows system from original media to a fully patched state.
So, if you're going to visit parents, family or friends over the holidays, start your preparation now and make that disk today to take along. It'll improve the obligatory "Could you take a look at our computer while you're here?" response time dramatically and gives you a safe way to reinstall systems without a hardware-based firewall.
If you have networks that you do not want to connect to the Internet because the risks of doing that are just too big for the sensitivity of the data involved, this might also become a way to patch those off-line machines.
Update: Simon wrote in mentioning AutoPatcher as an alternative solution.
Update: "Mads" reminded us Microsoft makes available ISO images with some of the patches on a monthly basis.
--
Swa Frantzen -- Section 66
Microsoft Office 2004 (Mac OS X) update was an accident.
Microsoft accidentally released an update named 11.3.1 for Office 2004 (the Apple Mac version) today.
It did contain an unspecified security fix and stability improvements. After asking what it fixed, we got the reply that it was actually a pre-release that was made available through auto-update.
http://www.microsoft.com/mac/autoupdate/description/AUOffice20041131EN.htm
It wasn't intended to be released and hence has been pulled. See the MSRC blog for more details.
Microsoft is also recommending uninstalling the patches, although to be honest I've no idea how to actually do that.
A reader wrote in pointing out the standalone download .dmg image did contain in its instructions:
"This update does not include an uninstall feature. To restore your application to its original state, delete it from your hard disk, reinstall it from your original installation disk, and then install the updates you want."
So I guess we'll be dragging Office to the waste basket, searching for the DVD, registering the software all over again and then downloading a bunch of patches.
Swa Frantzen -- Section 66
SAV botnet revival ?
It seems like there is a revival going on of the botnet exploiting the Symantec Anti-Virus vulnerability. It was originally reported on by Joel on Nov 27th.
But the traffic scanning for port 2967 is back. It seems new Command and Control centers are active for it as well.
--
Swa Frantzen -- Section 66
MS06-077: Remote Installation Service (RIS) remote exploit
This vulnerability has not been disclosed publicly and Microsoft reports no indication of active exploitation of this vulnerability.
Microsoft ranks this update as important, however the very specific OS version needed and other mitigating technologies make this an unimportant patch for all but a few users.
Bulletin: MS06-077
--
John Bambenek
bambenek /at/ gmail /dot/ com
Microsoft Black Tuesday - December 2006 overview
Overview of the December 2006 Microsoft patches and their status.

| # | Affected | Contra indications | Known exploits | Microsoft rating | ISC rating(*) clients | ISC rating(*) servers |
|---|---|---|---|---|---|---|
| MS06-072 | Internet Explorer - remote code execution. CVE-2006-5579, CVE-2006-5581, CVE-2006-5578, CVE-2006-5577 | No known problems. KB 925454 | No known exploits | Critical | Critical | Important |
| MS06-073 | Visual Studio 2005 - remote code execution. CVE-2006-4704 | No known problems. KB 925674 | Exploit publicly available | Critical | PATCH NOW | Important |
| MS06-074 | SNMP - remote code execution - buffer overflow. CVE-2006-5583 | No known problems. KB 926247. We are aware of a problem with a link in the advisory for Win2000 SP4 pointing to the MS06-078 fix. | Exploit available in a for-pay program | Important | Critical | Critical |
| MS06-075 | csrss - privilege escalation. CVE-2006-5585 | No known problems. KB 926255 | No known exploits | Important | Important | Important |
| MS06-076 | Outlook Express - remote code execution. CVE-2006-2386 | No known problems. KB 923694 | No known exploits | Important | Important | Less Urgent |
| MS06-077 | RIS - remote code execution. CVE-2006-5584 | No known problems. KB 926121 | No known exploits | Important | Important | Important |
| MS06-078 | Windows Media Player - remote code execution. CVE-2006-4702, CVE-2006-6134 | No known problems. KB 923689, KB 925398 | Exploits available for the .asx vulnerability | Critical | PATCH NOW | Important |
| Re-release MS06-059 | Excel. CVE-2006-2387, CVE-2006-3431, CVE-2006-3867, CVE-2006-3875 | No known problems. KB 924164. Fixes installation failures in Excel 2002 | Exploits are publicly available | Critical | Critical | Less Urgent |
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
--
Swa Frantzen -- Section 66
MS06-074: SNMP Buffer Overflow (CVE-2006-5583)
According to a note from Dave Aitel, Immunity released an exploit for this vulnerability to its customers.
In order to disable this service, or to check if it is running, use the "Services" tab in your control panel and make sure the 'SNMP Service' is not running. You will not see an entry for SNMP Service if it is not installed.
This patch is a "patch now" for all networks that use SNMP. The service runs as "system", so a successful exploit would provide an attacker with full access. The Microsoft bulletin only talks about port 161 UDP for this vulnerability, so one can assume that SNMP trap messages are not affected.
Common sense SNMP security (regardless of the vulnerability):
- block port 161/udp and 162/udp at your perimeter (SNMPv3 may use TCP).
- use a hard to guess community string (anything but "public").
- disable SNMP listeners if you do not need them.
KB926247
CVE-2006-5583
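The following audit script is an added example, not part of the ISC diary: it checks one Windows host against the SNMP advice above (service running, KB926247 present, community strings, permitted managers). It assumes the stock SNMP service registry layout under HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters and must run as an administrator.

```powershell
# Added example (not the ISC diary's code): audit a host against the SNMP advice above.
# Assumption: the SNMP Service keeps its configuration under the standard Parameters key.
$params   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$findings = @()

# 1. Is the SNMP Service installed, and is the listener active?
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='SNMP'"
if ($null -eq $svc) {
    Write-Output 'SNMP Service is not installed; MS06-074 does not apply to this host.'
    return
}
Write-Output ("SNMP Service: state={0} startmode={1}" -f $svc.State, $svc.StartMode)
if ($svc.State -eq 'Running') {
    $findings += 'SNMP listener is active on 161/udp; disable it if it is not needed.'
}

# 2. Is the MS06-074 fix (KB926247) listed? Win32_QuickFixEngineering can miss updates,
#    so treat "not listed" as "verify with MBSA/WSUS", not as proof of exposure.
$fix = Get-WmiObject -Class Win32_QuickFixEngineering -Filter "HotFixID='KB926247'"
if ($null -eq $fix) { $findings += 'KB926247 (MS06-074) is not listed as installed.' }

# 3. Community strings: flag the well-known defaults and anything with write access.
#    Permission values: 1=None 2=Notify 4=Read-only 8=Read-write 16=Read-create
$comm = Get-ItemProperty -Path "$params\ValidCommunities" -ErrorAction SilentlyContinue
if ($comm) {
    foreach ($p in $comm.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip PowerShell's own properties
        $name = $p.Name
        $perm = [int]$p.Value
        if (@('public', 'private') -contains $name.ToLower()) {
            $findings += "Default community string '$name' is configured."
        }
        if ($perm -ge 8) {
            $findings += "Community '$name' has write access (permission $perm)."
        }
    }
}

# 4. Permitted managers: no entries means the agent accepts packets from any host.
$mgrs  = Get-ItemProperty -Path "$params\PermittedManagers" -ErrorAction SilentlyContinue
$hosts = @()
if ($mgrs) {
    $hosts = @($mgrs.PSObject.Properties |
               Where-Object { $metaProps -notcontains $_.Name } |
               ForEach-Object { $_.Value })
}
if ($hosts.Count -eq 0) {
    $findings += 'No PermittedManagers restriction: any host may query the agent.'
} else {
    Write-Output ("Permitted managers: {0}" -f ($hosts -join ', '))
}

if ($findings.Count -eq 0) { Write-Output 'No SNMP findings.' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

The perimeter block on 161/udp and 162/udp is a network-device change and is not checked here.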
MS06-072: Cumulative Security Update for Internet Explorer (925454)
Script Error Handling Memory Corruption Vulnerability - CVE-2006-5579
Previously freed memory space is accessed when encountering certain script errors which may cause the system's memory to become corrupt and allow for code execution.
DHTML Script Function Memory Corruption Vulnerability - CVE-2006-5581
When Internet Explorer interprets certain DHTML script function calls to incorrectly created elements it may corrupt system memory in such a way that an attacker could execute arbitrary code.
TIF Folder Information Disclosure Vulnerability - CVE-2006-5578
The issue lies in how Internet Explorer handles drag and drop operations and would allow for files to be accessed on the user's system in the Temporary Internet Files Folder.
TIF Folder Information Disclosure Vulnerability - CVE-2006-5577
This one is similar to the previous vulnerability discussed, however the vulnerability reveals the path to the Temporary Internet Files Folder and allows it to be accessed and files to be retrieved. According to Microsoft, this requires actions on the user's part for this to occur.
MS06-078: 2 Windows Media Format Vulnerabilities (CVE-2006-4702, CVE-2006-6134)
The unchecked buffer and URL parsing vulnerabilities could result in full system compromise if exploited.
An attacker would create a malicious Advanced Streaming Format (.ASF) file or a malicious Advanced Stream Redirector (.ASX) file and present it to a vulnerable client through a malicious URL, an email attachment or perhaps through a malicious IFRAME or redirect.
These vulnerabilities pose the most risk to systems which are used for web surfing or for checking email, especially if the user is logged in as Administrator or if Internet Explorer is used with an unrestricted Internet zone or one set lower than High. MS Outlook's default restrictions might shield a user, but clicking on a URL within an email launches a browser outside of those restrictions.
Note: Known exploits have been circulating for CVE-2006-6134 (ASX).
Note that it may take several patches to update a system. Windows Media Player 6.4 is patched differently than the Media Format Runtime. It may be a challenge to assess the posture of any given system in regards to these two vulnerabilities short of utilizing the Microsoft tools.
Affected:
Microsoft Windows Media Format 7.1 through 9.5 Series Runtime on the following operating system versions:
- Microsoft Windows 2000 Service Pack 4 - Download the update (KB923689)
- Microsoft Windows XP Service Pack 2 - Download the update (KB923689)
- Microsoft Windows XP Professional x64 Edition - Download the update (KB923689)
- Microsoft Windows Server 2003 or Microsoft Windows Server 2003 Service Pack 1 - Download the update (KB923689)
- Microsoft Windows Server 2003 x64 Edition - Download the update (KB923689)
Microsoft Windows Media Format 9.5 Series Runtime x64 Edition on the following operating system versions:
- Microsoft Windows XP Professional x64 Edition - Download the update (KB923689)
- Microsoft Windows Server 2003 x64 Edition - Download the update (KB923689)
Microsoft Windows Media Player 6.4:
- Windows 2000 Service Pack 4 - Download the update (KB925398)
- Microsoft Windows XP Service Pack 2 - Download the update (KB925398)
- Microsoft Windows XP Professional x64 Edition - Download the update (KB925398)
- Microsoft Windows Server 2003 or Microsoft Windows Server 2003 Service Pack 1 - Download the update (KB925398)
- Microsoft Windows Server 2003 x64 Edition - Download the update (KB925398)
Reference URLs:
http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx
http://support.microsoft.com/kb/923689
http://support.microsoft.com/kb/925398
Windows Media Format ASF Parsing Vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4702
Windows Media Format ASX Parsing Vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-6134
http://research.eeye.com/html/alerts/zeroday/20061122.html
http://blogs.technet.com/msrc/archive/2006/12/07/public-proof-of-concept-code-for-asx-file-format-isssue.aspx
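The note above that Windows Media Player 6.4 and the Media Format runtime are patched separately makes posture hard to judge by hand, so here is an added example (not from the ISC diary or Microsoft) that reports each component's presence and whether its MS06-078 fix is listed. It assumes wmvcore.dll in System32 stands for the Format runtime and mplayer2.exe under "Windows Media Player" in Program Files stands for WMP 6.4.

```powershell
# Added example (not the ISC diary's code): MS06-078 posture per component on one host.
# Assumptions: wmvcore.dll marks the Windows Media Format runtime, mplayer2.exe marks
# Windows Media Player 6.4. Adjust the paths if your installation differs.

function Test-HotfixListed([string]$Id) {
    # Win32_QuickFixEngineering can miss updates, so a miss means "verify with MBSA/WSUS".
    return ($null -ne (Get-WmiObject -Class Win32_QuickFixEngineering -Filter "HotFixID='$Id'"))
}

$components = @(
    @{ Name = 'Windows Media Format Runtime'
       File = Join-Path $env:SystemRoot 'System32\wmvcore.dll'
       KB   = 'KB923689' },
    @{ Name = 'Windows Media Player 6.4'
       File = Join-Path $env:ProgramFiles 'Windows Media Player\mplayer2.exe'
       KB   = 'KB925398' }
)

foreach ($c in $components) {
    if (-not (Test-Path $c.File)) {
        # Component absent: its separate patch is not needed on this host.
        Write-Output ("{0}: not installed ({1} absent); {2} not required." -f $c.Name, $c.File, $c.KB)
        continue
    }
    $version = (Get-Item $c.File).VersionInfo.FileVersion
    $state = if (Test-HotfixListed $c.KB) {
        'listed as installed'
    } else {
        'NOT listed: treat as exposed to MS06-078 until verified with Microsoft tools'
    }
    Write-Output ("{0}: present (file version {1}); {2} {3}." -f $c.Name, $version, $c.KB, $state)
}
```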
MS06-075: csrss local privilege escalation (CVE-2006-5585)
We rate this one as important. If someone can get access to the system via other means (cracked password, etc.) this vulnerability allows that person to elevate their privileges to become administrator by running a specially crafted executable.
References:
KB926255
CVE-2006-5585
MS06-076: Windows Address Book Contact Record flaw (CVE-2006-2386)
References: KB923694
Severity: Highly Important to Workstations, lesser for servers
This update is a cumulative update for Outlook Express versions 5.5 and 6. It addresses a remote code execution problem involving Windows Address Book (or .wab files). The vulnerability exists in a component of Outlook Express which could allow an attacker who sends a specially crafted address book file to an unpatched system to take control of that system. The vulnerability does not contain any privilege escalation capabilities. If the attacker successfully exploits this vulnerability, he or she would gain the same access rights as the logged in user. So please remember to configure end user accounts with as few privileges as possible.
I would recommend applying this update, or the registry change workaround, to any client workstations as soon as possible.
This update replaces MS06-016 and MS06-043 as it is a cumulative update.
MS06-073: WMI Object Broker Vulnerability (CVE-2006-4704)
The WMI Object Broker is a special ActiveX control which is used by Visual Studio 2005. An attacker would use a malicious web page to exploit it. You have to have Visual Studio 2005 installed in order to be vulnerable. The vulnerable file is WmiScriptUtils.dll.
As with other ActiveX features, Internet Explorer 7 will mitigate them somewhat as you have to "opt in" to individual ActiveX controls in order to use them. The restricted mode in Windows 2003 will turn off ActiveX as well, limiting exposure.
What you should do:
- On a client with Visual Studio 2005 installed: Patch now.
- On a client without Visual Studio 2005: you should not have this control.
- On a server: Check if you are using the "Enhanced Security Configuration" for MSIE. The patch is unlikely to apply.
I do recommend upgrading to Internet Explorer 7 if you are regularly using Internet Explorer.
References:
KB927709
MS06-073
CVE-2006-4704
eEye Advisory
ICMP - call for packets ?
One of our readers is reporting a fairly recent increase in ICMP packets hitting his firewall. If you're seeing the same we'd like some data:
- on the importance and timeframe of the increase;
- the type of ICMP packets you're receiving;
- some idea of how it correlates (sweeping your address range, just hitting one IP, coming from all over, coming from specific hosts, ...);
- if possible a small sample of some out of the ordinary packet captures.
--
Swa Frantzen -- Section 66
PHP security: the scene might change
Will drew our attention to an interesting read in Stefan Esser's blog. It's about his resignation from the PHP Security Response Team. It's interesting to note that he both discovered and reported about PHP vulnerabilities in the past.
It seems the bottom line will be that we can expect some changes in how vulnerabilities in PHP are going to be handled in the future. It might include advisories about vulnerabilities without there being patches available. It might also mean an increase in the number of reported vulnerabilities.
Anyway it'll be worth it to add his PHP security blog to your routine if you need to know about PHP vulnerabilities.
Announcements about security vulnerabilities in widely deployed open source software without the matching patch is a very dangerous situation, so we hope this doesn't escalate too far.
--
Swa Frantzen -- Section 66