SANS ISC: InfoSec Handlers Diary Blog
Microsoft December Patches

Published: 2005-12-14
Last Updated: 2005-12-14 19:17:32 UTC
by Johannes Ullrich (Version: 6)
Greetings everyone. It is Microsoft Patch Tuesday. Without any further ado, here are the Microsoft Security Bulletins.

Update for SUS 1 Users:
We got this note from our Australian reader Scott A.:
After the latest MS patches were announced I synchronised my SUS server. Now ALL previously approved patches are marked as updated but not approved.
[...]
http://www.wsus.info/forums/index.php?showtopic=7035
claims that:
After speaking with a SUS engineer, it has been confirmed that if you have synchronized your SUS server anytime after 5:00 A.M. PST there is an issue with a corrupt catalog file that will make all of your APPROVED updates show as UPDATED and you will have to manually re-approve everything that was previously approved.

Microsoft is aware of this issue and has published Microsoft Knowledge Base Article 912307, which details the workaround to apply if you have performed a synchronization and previously approved software updates have appeared as not approved.

MS05-054: Cumulative Security Update for Internet Explorer (905915)

This appears to be the long-awaited IE patch which I had hoped would have come out a couple of weeks ago (see http://www.microsoft.com/technet/security/advisory/911302.mspx ). This update addresses the following vulnerabilities:

File Download Dialog Box Manipulation Vulnerability - CAN-2005-2829
HTTPS Proxy Vulnerability - CAN-2005-2830
COM Object Instantiation Memory Corruption Vulnerability  - CAN-2005-2831
Mismatched Document Object Model Objects Memory Corruption Vulnerability - CAN-2005-1790

As this update addresses a number of problems, which aggregate to a critical severity on all operating systems earlier than Windows 2003, the ISC is recommending that you patch this as soon as possible.

As we have been going through the documentation on this bulletin, we note that it sets a kill bit for the First4Internet XCP uninstallation ActiveX control. For those that do not remember, First4Internet is the maker of the "Sony rootkit" related to digital rights management. In the aftermath of this issue hitting the mainstream, an uninstaller was created using ActiveX controls which also had security vulnerabilities.
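A kill bit is simply the 0x400 flag (COMPAT_EVIL_DONT_LOAD, documented in Microsoft KB240797) in the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; once set, Internet Explorer refuses to instantiate that control even if the DLL is still on disk. As an added example (not from this diary, from Microsoft, or from the bulletin), the following PowerShell reports whether the kill bit is present for a list of CLSIDs, so an administrator can confirm the update took effect on a machine. The CLSID in the usage line is a placeholder, since the diary does not list the XCP control's CLSID (take it from the MS05-054 bulletin), and the Wow6432Node path is assumed for 32-bit Internet Explorer on 64-bit Windows.

```powershell
# Added example, not code from the ISC diary or from Microsoft.
# Reports whether the ActiveX kill bit is set for each CLSID given.
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD flag (KB240797)

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string[]]$Clsid)

    # Native view plus the 32-bit view used by 32-bit IE on 64-bit Windows (assumed path)
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )

    foreach ($id in $Clsid) {
        foreach ($root in $roots) {
            $key   = Join-Path $root $id
            $flags = $null
            if (Test-Path $key) {
                $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                              -ErrorAction SilentlyContinue).'Compatibility Flags'
            }
            [pscustomobject]@{
                Clsid      = $id
                Hive       = $root
                Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(absent)' }
                KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

# Usage: replace the PLACEHOLDER CLSID with the one(s) listed in the bulletin.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A row with KillBitSet equal to False (or Flags "(absent)") in the hive that the user's IE process reads means the control can still be instantiated on that host; a False result after the update is applied is the thing worth raising with whoever manages patch deployment.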

MS05-055: Vulnerability in Windows Kernel Could Allow Elevation of Privilege. (908523)

A vulnerability in the Asynchronous Procedure Call queue allows local users to escalate their privileges. A regular user (who has to be logged in first) could use this vulnerability to gain Administrator privileges.
Microsoft rates this vulnerability as "Important" as there is no direct remote vector to exploit this issue. However, coupled with an Internet Explorer vulnerability or similar issues, this could be used to gain Administrator privileges even if a user runs Internet Explorer as a less privileged user.

Note that remote exploit may be possible if user credentials are known.

MS05-011: Bulletin Update involving SMB

Microsoft updated this bulletin to make technical staff aware of KB896427. It would appear that in some cases after patching with MS05-011, you would not be able to view the contents of subfolders on a network share in Windows XP. This is not necessarily a security issue, but may be critical for your organization.

MS05-050: Bulletin Update involving DirectX

Microsoft also updated this bulletin to advise of a revised version of this security update for Windows 2000 SP4, Windows XP SP1 and Windows 2003. This may not be a super critical issue in general, but you should be aware of this release.

KB905648: Update for Outlook 2003 Junk Email Filter

As usual, Microsoft updated their Junk Email Filter for Outlook 2003 for December.

Malicious Software Removal Tool

Microsoft updated their Malicious Software Removal Tool again this month to include variants of IRCBot, Ryknos, and F4IRootkit. For more information on this, take a look at the Malicious Software Removal Tool website.

Thanks Johannes for putting up the initial diary, and the other handlers for helping point out details to go into this extended diary.

Scott Fendley
Handler On Duty
