
SANS ISC: SANS Internet Storm Center SANS ISC InfoSec Forums

More MS06-042 woes
The hotfix for MS06-042, which was supposed to be released today, has been delayed. Worse: It turns out that MS06-042 introduced a new security problem. The crashes everyone is having so much fun with are just the tip of the iceberg. The issue can also be used to execute arbitrary code. In particular, note that MSFT's advisory essentially tells you how to exploit the issue. Exploits will likely follow very soon (days?).

At this point, we recommend:
  • Keep MS06-042 applied if you can. It fixes more bugs than it creates.
  • If you are having problems with internal web sites that can no longer be used, restrict MSIE to internal use only.
  • Use Firefox/Opera or other browsers for now.
  • "SandboxIE" can be used to protect your system from damage caused via MSIE.
  • If you establish a "No MSIE" policy, you can use the Snort rule below to detect accidental policy violations.
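Snort Rule:
# msg, sid and rev are local additions; the sid is an arbitrary value from the local-rule range
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"POLICY outbound MSIE 6.0 User-Agent"; \
content: "|0D 0A|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0"; sid:1000001; rev:1;)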
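The check below is an added example, not part of the original diary or of any ISC tooling. It applies the rule's content match to constructed raw HTTP requests and separates genuine MSIE 6.0 hits from a browser that only identifies as MSIE, which matters because Opera can be configured to send such a User-Agent. The function names, the sample addresses and the Opera-token heuristic are assumptions.

```python
"""Offline triage using the same byte pattern as the Snort rule (added example)."""
import re
from collections import Counter

# Same bytes the rule's content option matches. The leading CRLF anchors the
# match to the start of a header line, and like a Snort content match without
# "nocase" the comparison is case-sensitive.
SIGNATURE = b"\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0"

def classify(request: bytes) -> str:
    """Return 'no-match', 'msie6' or 'opera-as-msie' for one raw HTTP request."""
    pos = request.find(SIGNATURE)
    if pos < 0:
        return "no-match"
    ua_line = request[pos + 2:].split(b"\r\n", 1)[0]
    # Assumption: a browser that only identifies as MSIE appends its own token.
    if re.search(rb"\bOpera[ /]\d", ua_line):
        return "opera-as-msie"
    return "msie6"

def violations(captures):
    """Count rule hits per (client, verdict); captures = (client_ip, raw_request)."""
    hits = Counter()
    for client, raw in captures:
        verdict = classify(raw)
        if verdict != "no-match":
            hits[(client, verdict)] += 1
    return hits

def build_request(user_agent: bytes) -> bytes:
    """Build a minimal GET request carrying the given User-Agent value."""
    return (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: " + user_agent + b"\r\n\r\n")

# Constructed sample traffic (not taken from the diary).
SAMPLE = [
    ("10.0.0.11", build_request(b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)")),
    ("10.0.0.11", build_request(b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)")),
    ("10.0.0.12", build_request(b"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6")),
    ("10.0.0.13", build_request(b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.54")),
    ("10.0.0.14", build_request(b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)")),
    ("10.0.0.15", build_request(b"mozilla/4.0 (compatible; msie 6.0)")),
]

if __name__ == "__main__":
    for (client, verdict), count in sorted(violations(SAMPLE).items()):
        print(f"{client}  {verdict:14s} {count} request(s)")
```

Hits labelled opera-as-msie still trigger the Snort rule as written, so they need to be excluded during alert review rather than treated as policy violations.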
Links: (updated patch matrix) (EEye Alert regarding the code execution) (MSRC blog article regarding MS06-042 issue, dated Aug. 16th). (latest MSRC blog)

ISC Handler
Aug 22nd 2006
