MS06-047: Office & Visual Basic for Application
CRITICAL
Visual Basic for Applications (VBA) is vulnerable to crafted documents that could yield remote code execution.
This is exploitable through email in Outlook and by visiting websites that host such documents. The user could also obtain and open the document in another way (thumb drives, CDs, etc.).
This replaces MS03-037.
CVE-2006-3649
--
Swa Frantzen -- section 66
Microsoft updates - overview
# | KB | Platform | MSFT rating | ISC client rating | ISC server rating |
---|---|---|---|---|---|
MS06-040 | 921883 | 2000, XP, 2003 | Critical | PATCH NOW | PATCH NOW |
MS06-041 | 920683 | 2000, XP, 2003 | Critical | Critical | Critical |
MS06-042 | 918899 | MSIE | Critical | PATCH NOW | Important |
MS06-043 | 920214 | XP, 2003 | Critical | Important | Less urgent |
MS06-044 | 917008 | 2000 | Critical | Critical | Critical |
MS06-045 | 921398 | 2000, XP, 2003 | Important | Critical | Less urgent |
MS06-046 | 922616 | 2000, XP, 2003 | Critical | Critical | Important |
MS06-047 | 921645 | Office 2000, XP, VBA | Critical | Critical | Less urgent |
MS06-048 | 922968 | Office 2000, XP, 2003 | Critical | Critical | Less urgent |
MS06-049 | 920958 | 2000 | Important | Important | Less urgent |
MS06-050 | 920670 | 2000, XP, 2003 | Important | Critical | Important |
MS06-051 | 917422 | 2000, XP, 2003 | Critical | Critical | Critical |
Tip of the Day: mount options
John wrote in a few days ago and suggested using mount options on different filesystems to tell the operating system not to allow certain kinds of operations or files on that filesystem.
The options to use include:
- noexec: do not allow executables
- nosuid: do not allow suid executables
- nodev: do not allow device nodes
- rdonly: do not allow writing to this filesystem
It can take a few tries before you get the sizes right, but once you have separate / , /usr, /tmp, /home, /var, ... filesystems you can set different options to prevent certain uses of certain filesystems. The trick to getting the sizes right is to oversize them deliberately and keep a few 2 Gbyte spare slices around. After a few years, or even months, you'll love the space and the flexibility to shuffle things around as needed without so much as a reboot.
The tricky part that remains is finding out which options you cannot use where, e.g.:
- the filesystem containing /dev (usually /) needs to allow devices.
- the filesystems containing /bin and /usr/bin need to allow executables and most likely suid programs as well.
- read-only mounting has great advantages, but make sure you can still patch the files and then downgrade the rights again before taking such a system into production.
A sample fstab file (but you can always change it to suit your needs) could look like:
/dev/sd0a / ffs rw 1 1
/dev/sd0b /tmp mfs rw,nodev,nosuid,noexec,-s=153600 0 0
/dev/sd0d /usr/src ffs rw,nodev,nosuid,softdep 1 2
/dev/sd0e /var ffs rw,nodev,nosuid,softdep 1 2
/dev/sd0f /home ffs rw,nodev,nosuid,softdep 1 2
/dev/cd0a /cdrom cd9660 ro,noauto 0 0
/dev/sd1a /data1 ffs rw,nodev,nosuid,noexec,softdep 1 2
/dev/sd1b none swap sw 0 0
/dev/sd1d /data2 ffs rw,nodev,nosuid,noexec,softdep 1 2
For those wondering, this comes from an OpenBSD fileserver. Attentive readers might note a mountpoint receiving far less protection. That's because I consider this server to be physically rather safe and don't use the cdrom drive at all. Manual pages to check on your system would include mount(8) and fstab(5).
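To make the tip checkable rather than a one-off, here is an added example (not from the diary) that audits an fstab against a per-mountpoint policy of required options. The sample fstab and the policy table are constructed here, modelled on the OpenBSD layout above; which options each mountpoint must carry is an assumption you would adapt to your own layout.

```shell
#!/bin/sh
# Added example, not from the diary: audit an fstab for the hardening
# options the tip describes (nodev, nosuid, noexec per mountpoint).

# Constructed sample fstab; /data1 deliberately lacks noexec so the
# audit has something to report.
SAMPLE_FSTAB='/dev/sd0a / ffs rw 1 1
/dev/sd0b /tmp mfs rw,nodev,nosuid,noexec,-s=153600 0 0
/dev/sd0e /var ffs rw,nodev,nosuid,softdep 1 2
/dev/sd0f /home ffs rw,nodev,nosuid,softdep 1 2
/dev/sd1a /data1 ffs rw,nodev,nosuid,softdep 1 2'

# Policy (assumption): mountpoint, then the options that must be present.
# /var and /home stay executable here because some software needs that;
# /tmp and pure data filesystems get the full nodev,nosuid,noexec set.
POLICY='/tmp nodev,nosuid,noexec
/var nodev,nosuid
/home nodev,nosuid
/data1 nodev,nosuid,noexec'

# mount_opts FSTAB MOUNTPOINT: print the option field (4th column) of the
# entry for MOUNTPOINT, or nothing if there is no such entry.
mount_opts() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4 }'
}

# has_opt OPTS OPT: succeed if OPT is one of the comma-separated OPTS.
# Wrapping both sides in commas avoids matching "dev" inside "nodev".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# audit_fstab FSTAB: print one "MOUNT missing OPT" line per required option
# that is absent, and "MOUNT not in fstab" for mountpoints with no entry.
audit_fstab() {
    fstab=$1
    while read -r mnt want; do
        opts=$(mount_opts "$fstab" "$mnt")
        if [ -z "$opts" ]; then
            echo "$mnt not in fstab"
            continue
        fi
        for o in $(printf '%s\n' "$want" | tr ',' ' '); do
            has_opt "$opts" "$o" || echo "$mnt missing $o"
        done
    done <<EOF
$POLICY
EOF
}

# Run against the constructed sample; on a live host use:
#   audit_fstab "$(cat /etc/fstab)"
audit_fstab "$SAMPLE_FSTAB"
```

The audit only reads fstab, so it reports what will be in force after the next mount; compare with the output of mount(8) to catch filesystems remounted by hand.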
Our next Tip of the Day will be about patching: how do/did you handle the patches coming out from Microsoft today (or how do you handle those from Mozilla, Sun, Oracle, Linux, ...)? Let us know your best practices and Mike Poor will summarize them into a tip tomorrow.
Remember, the Tip of the Day is about sharing positive experiences in order to outsmart the bad guys.
--
Swa Frantzen -- Section 66
Vista reviewed by Symantec
In the article, Tim Newsham and Jim Hoagland look at the new Vista from a network perspective.
It's interesting to note that Vista supports IPv6 and will try to build tunnels exposing its interfaces even if you have an IPv4 firewall and/or NAT, unless you make sure those IPv6 tunnels cannot get out. (It's IPv6 tunneled in an IPv4 UDP stream that can traverse NAT [Teredo].) So beware of outgoing UDP traffic!
--
Swa Frantzen -- Section 66
Microsoft Black Tuesday Patches
- MS06-040 - Server Service
- MS06-041 - DNS
- MS06-042 - Internet Explorer
- MS06-043 - Outlook Express
- MS06-044 - Microsoft Management Console
- MS06-045 - Windows Explorer
- MS06-046 - HTML Help
- MS06-047 - Office & VBA
- MS06-048 - PowerPoint
- MS06-049 - Windows 2000 kernel
- MS06-050 - Hyperlink object library
- MS06-051 - Windows kernel
- some other updates
It's interesting to note that US-CERT mentions that one of these vulnerabilities is actively being exploited (before the patches got released).
--
Swa Frantzen -- Section 66
Other Microsoft Updates Released
Update for InfoPath 2003 - KB920103
This high priority (non-security) update addresses some issues discussed in KB917510 and KB920914. As best we can tell, this is primarily a post Office 2003 SP2 reliability patch for the InfoPath product.
Malicious Software Removal Tool (MSRT) - KB890830
The MSRT underwent its monthly update to add detection for W32/Banker and W32/Jeefo.
Outlook 2003 Junk E-Mail Filter Update - KB920907
This update provides the Outlook 2003 client a more current definition of which e-mail messages are considered junk e-mail.
MS05-004 ASP.NET Path Validation Vulnerability Re-Release - KB887219
Those users of Microsoft Windows Server 2003 for Itanium-based systems or Windows Server 2003 x64 Edition should pay attention to this re-release bulletin. Microsoft .Net Framework 1.1 Service Pack 1 is at risk for the information disclosure and possibly escalation of privileges in these operating system environments as well. The ISC recommends that this important update be applied as well. (Thanks Stuart for bringing this re-release to our attention.)
--
Scott Fendley ( sfendley -at- isc. sans. org)
University of Arkansas
MS06-043: Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)
https://www.microsoft.com/technet/security/bulletin/ms06-043.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2766
Affected Software:
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition
Impact: Remote Code Execution
Severity: Critical
Description: There is an issue in the way the MHTML protocol is parsed. The MHTML protocol allows for the use of embedded objects such as images. This is another cross-domain scripting vulnerability in which code is allowed to run in the wrong security zone (i.e. the local machine or system zone), which it should not be allowed to do. There are MANY ways to exploit this and you should patch immediately!
MS06-050: Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)
https://www.microsoft.com/technet/security/bulletin/ms06-050.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3086
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3438
Affected Software:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition
Impact: Remote Code Execution
Severity: Important
Replaces: MS05-015
Description: This update actually addresses two separate issues. One is the Hyperlink COM Object Buffer Overflow Vulnerability and the other is the Hyperlink Object Function Vulnerability. Each of these is addressed separately below.
Hyperlink COM Object Buffer Overflow Vulnerability: There is a buffer overflow in the Hyperlink Object Library, which is used to handle hyperlinks. An attacker who created a malicious hyperlink could take complete control of the system. The attacker only gains the rights of the user logged on to the system. Good admins don't let users run as Administrator!
Hyperlink Object Function Vulnerability: From Microsoft: "This problem exists when the Hyperlink Object Library uses a file containing a malformed function while handling hyperlinks." This is the result of another buffer overflow in the Hyperlink Object Library. Again, the attacker only gains the rights of the user logged on to the system.
Even though the severity rating of these is listed as Important, I would venture to say they are under-rated and would recommend patching ASAP.
MS06-051: Vulnerability in Windows Kernel
MS06-051 - KB917422
This update focuses on two main vulnerabilities:
- CVE-2006-3443: The User Profile Elevation of Privilege - LOCAL
- CVE-2006-3648: The Unhandled Exception - REMOTE
If either of them is successfully exploited, the attacker can gain complete control of the affected system.
The advisory focuses on W2k systems. For the Elevation of Privilege vulnerability: "...If a specially crafted DLL is placed in the user directory, it is possible for WinLogon to execute the code of the DLL resulting in an elevation of the user's privileges."
For the Unhandled Exception vulnerability, it looks like a simple spam message with a link would lead the user to a specially crafted website which would exploit it.
Needless to say, it is REALLY important to patch your systems against these vulnerabilities! Test and patch!!
-------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org)
MS06-048: Microsoft Office Remote Code Execution Vulnerabilities
MS06-048 - KB922968 (CVE-2006-3590 CVE-2006-3449)
Severity: Critical for PowerPoint 2000, and Important to all others.
Replaces: MS06-038 for PowerPoint 2000, XP, 2003, 2004 for Mac and v.X for Mac
Affected Software:
Microsoft Office 2000 SP3
Microsoft Office XP SP3
Microsoft Office 2003 SP1 or SP2
Microsoft Office 2004 for Mac
Microsoft Office v.X for Mac
Description:
This update addresses 2 different remote code execution vulnerabilities that exist in Microsoft Office. These vulnerabilities specifically affect PowerPoint, though the binary is shared by several Office products. To exploit either vulnerability, an end user would have to receive a specially crafted PowerPoint file via email, from a website or a similar mechanism. The end user would then have to open the file with a vulnerable product.
An attacker who successfully exploited the vulnerabilities could take complete control of an affected system. Those users with limited access would be less impacted.
One of the 2 vulnerabilities has been publicly disclosed and is being actively exploited. So, it is recommended that this patch be applied immediately.
--
Scott Fendley ( sfendley -at- isc. sans. org)
University of Arkansas
MS06-045: Windows Explorer Remote Code Execution Vulnerability
MS06-045 - KB921398 (CVE-2006-3281)
Severity: Important
Replaces: MS05-016 for Windows 2000, XP SP1, XP SP2, and Server 2003
Affected Software:
Windows 2000 SP4
Windows XP SP1 and SP2
Windows Server 2003 and 2003 SP1
Windows XP Pro and Server 2003 x64
Windows Server 2003 Itanium Based Systems
Description:
A flaw in the handling of Drag and Drop events in Windows Explorer could allow attackers to take complete control of a computer. User interaction is required for this attack to be successful. The attacker will only have the privileges of the logged-in user, so users with reduced account privileges will be less at risk than those logged on as administrator or power user.
Disabling the Web Client service manually or through group policy can help block known attack vectors until the patch can be applied.
As this vulnerability has been publicly disclosed, it is recommended that this patch be applied immediately.
--
Scott Fendley ( sfendley -at- isc. sans. org)
University of Arkansas
MS06-046: HTML Help Remote Code Execution
MS06-046 - KB922616 (CVE-2006-3357)
Severity: Critical (except on Server 2003)
Replaces: MS05-001 for Windows 2000, XP SP1, XP SP2, Server 2003, and Server 2003 SP1
Affected Software:
Windows 2000 SP4
Windows XP SP1 and SP2
Windows Server 2003 and 2003 SP1
Windows XP Pro and Server 2003 x64
Windows Server 2003 Itanium Based Systems
Description:
A vulnerability exists in the HTML Help ActiveX control which could allow remote code execution. An attacker could construct a malicious Web page which could exploit this flaw if an end user visits the page. Those users with reduced privileges would be less impacted.
Microsoft has offered the following workarounds until this update can be applied. Each workaround has a set of known issues related to it.
* Disable the HTML Help ActiveX control from running within IE6 for XP SP2.
* Set Internet and Local intranet security zone settings to High to prompt before running ActiveX controls and scripting in these zones.
* Restrict Web sites to only your trusted Web sites.
* Temporarily disable the HTML Help ActiveX control from running in Internet Explorer
As this vulnerability has been publicly disclosed and has somewhat complicated workarounds, it is recommended that this patch be applied immediately.
--
Scott Fendley ( sfendley -at- isc. sans. org)
University of Arkansas
MS06-041: Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Apply the update immediately
Affected Software:
Windows 2000 SP4
Windows XP SP1 and SP2
Windows XP for x64
Windows Server 2003 (including SP1)
Windows Server 2003 for Itanium (including SP1)
Windows Server 2003 for x64
There are two vulnerabilities covered in this bulletin:
Winsock Hostname Vulnerability - CVE-2006-3440:
There is a remote code execution vulnerability in Winsock that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. For an attack to be successful the attacker would have to force the user to open a file or visit a website that is specially crafted to call the affected Winsock API.
DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:
There is a remote code execution vulnerability in the DNS Client service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
Marcus H. Sachs
SRI International
MS06-044: Microsoft Management Console Cross Site Scripting.
CRITICAL (remote code execution)
A cross-site scripting attack against the Microsoft Management Console (MMC) could be used to inject hostile code on a system used to access the MMC. Only Windows 2000 SP4 appears to be vulnerable, and the exploit is not trivial.
The advisory is a bit vague on how an exploit exactly works, but it appears that the remote site would offer a link. Clicking on the link would open MMC and include the malicious code. It is likely possible to redirect a user to the link via JavaScript without user interaction.
Urgency:
Clients: HIGH for Windows 2000 SP4. Patch now.
Servers: LOW. Carefully test patch first.
MS06-040: Server Service
CRITICAL
This fixes a buffer overrun in the Server service in Windows that allows remote code execution.
The suggested workaround is to block ports 139/tcp and 445/tcp with a firewall.
This sounds like it could be developed into a worm or used as a second stage once an attacker is behind a corporate firewall.
CVE-2006-3439
--
Swa Frantzen -- section 66
MS06-049: W2k Kernel Bug
This is another privilege elevation vulnerability.
By exploiting this vulnerability, in MS's own words: "...An attacker could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To attempt to exploit the vulnerability, an attacker must be able to log on locally to the system and run a program."
According to the advisory this occurs due to an unchecked buffer bug that affects the Windows 2000 kernel.
Although this vulnerability can only be exploited locally, we recommend you test the patch and apply it as soon as possible. This vulnerability has been known for a while and, reading the advisory, it really doesn't look so hard to exploit, so if you have systems running 2k, patch them!
---------------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org )
MS06-042: Internet Explorer Rollup Patch
The usual monthly set of fixes for recently discovered Internet Explorer vulnerabilities. Exposing Internet Explorer to malicious HTML code could allow an attacker to execute arbitrary code. Vulnerabilities like this are frequently used by "drive-by downloads" to install spyware, adware and bots.
Three of the vulnerabilities have been disclosed publicly:
- CVE-2006-3280 (Redirect Cross-Domain Information Disclosure)
- CVE-2006-3637 (HTML Rendering Memory Corruption Vulnerability)
- CVE-2004-1166 (FTP Server Command Injection Vulnerability)
In particular, note the date (2004!) of the FTP server command injection vulnerability. Exploiting this vulnerability is rather easy and exploits have been available since December 2004. The attacker would have to include an 'ftp://' URL which includes a URL-encoded newline character (newline = %0a). It is also important to note that the KDE web browser (Konqueror) had the same issue.
A well-crafted exploit for the FTP vulnerability would not require any user interaction beyond exposing the browser to malicious code. A compromised web server, banner ads or image tags on public web sites could be used to trigger this vulnerability.
Urgency:
Client: HIGH! Apply patch after expedited testing.
Server: Low. Apply patch after exhaustive testing.
AOL: the Good, the Bad and the Ugly
The Good
AOL is giving away free anti-virus software powered by Kaspersky (http://www.activevirusshield.com/). It's called Active Virus Shield. There are already some free offerings, but more cannot be a bad thing, and over the years I've personally grown to like the speed and quality of Kaspersky's signature releases, so I'm happy to see a free offering using this.
The Bad
Well, you have seen it move from blogs to more mainstream media by now, but AOL leaked some search logs. Interesting to note that many people seem to be outraged by such a leak and feel their privacy violated, yet those same people don't bother to ask for an encrypted connection to search engines. Somehow there seems to be a lack of balance to me.
Worse, once you have searched for something and click on a search result, the referer header will reveal the search terms you used to the website you are heading to.
The Ugly
AOL also announced another free service a few days ago. They intend to offer 5 Gbyte of free storage. The warez dudes will love this: more than a DVD full of illegal copies. I'm happy to say I'm not the one who'll have to play "whack-a-mole" on this project. I do hope they build in loads of measures to prevent this before they go public with it.
--
Swa Frantzen -- Section 66