
SANS ISC InfoSec Handlers Diary Blog



MS06-047: Office & Visual Basic for Applications

Published: 2006-08-08
Last Updated: 2006-08-10 07:49:45 UTC
by Swa Frantzen (Version: 1)
MS06-047 - KB 921645

CRITICAL

Visual Basic for Applications (VBA) is vulnerable to crafted documents that could yield remote code execution.

This is exploitable through email in Outlook and by visiting websites that host such documents. The user could also obtain and open the document in another way (thumb drives, CDs etc.).

This replaces MS03-037.

CVE-2006-3649

--
Swa Frantzen -- section 66



Microsoft updates - overview

Published: 2006-08-08
Last Updated: 2006-08-09 00:49:40 UTC
by Swa Frantzen (Version: 1)
#         KB      Platform                MSFT rating   ISC client rating   ISC server rating
MS06-040  921883  2000, XP, 2003          Critical      PATCH NOW           PATCH NOW
MS06-041  920683  2000, XP, 2003          Critical      Critical            Critical
MS06-042  918899  MSIE                    Critical      PATCH NOW           Important
MS06-043  920214  XP, 2003                Critical      Important           Less urgent
MS06-044  917008  2000                    Critical      Critical            Critical
MS06-045  921398  2000, XP, 2003          Important     Critical            Less urgent
MS06-046  922616  2000, XP, 2003          Critical      Critical            Important
MS06-047  921645  Office 2000, XP, VBA    Critical      Critical            Less urgent
MS06-048  922968  Office 2000, XP, 2003   Critical      Critical            Less urgent
MS06-049  920958  2000                    Important     Important           Less urgent
MS06-050  920670  2000, XP, 2003          Important     Critical            Important
MS06-051  917422  2000, XP, 2003          Critical      Critical            Critical

Tip of the Day: mount options

Published: 2006-08-08
Last Updated: 2006-08-08 22:45:48 UTC
by Swa Frantzen (Version: 1)
Well, today might be the day of the 12 Microsoft patches, but to balance that out a little bit, we'll do a Unix-minded tip of the day.

John wrote in a few days ago and suggested using mount options on different filesystems to tell the operating system not to allow certain kinds of operations or files to be used in that filesystem.

To use options that allow for
  • noexec: do not allow executables
  • nosuid: do not allow suid executable
  • nodev: do not allow devices
  • rdonly: do not allow writing to this filesystem
you need to create sufficient slices to start with.

This can take a few tries before you get their sizes right, but once you have separate /, /usr, /tmp, /home, /var, ... filesystems you can set different options to prevent certain uses of certain filesystems. The trick to getting the sizes right is to oversize them deliberately and keep a few 2 GByte spare slices around. After a few years, or even months, you'll love the space and the flexibility to shuffle things around as needed without so much as a reboot.

The tricky part that remains is to find which options you cannot use where, e.g.:
  • the filesystem containing /dev (usually /) needs to allow devices.
  • the filesystems containing /bin and /usr/bin need to allow executables and most likely suid programs as well.
  • read-only mounting has great advantages, but make sure you can still patch the files (remount read-write, patch, remount read-only) before taking such a system into production.
While on the subject, it's smart to create a partition for the target of a chroot jail. You might need to allow some devices inside the chroot environment's /dev. It's also harder to break out of the jail if the new root is also the root of a filesystem.

A sample fstab file (you can always change it to suit your needs) could look like:
/dev/sd0a / ffs rw 1 1
/dev/sd0b /tmp mfs rw,nodev,nosuid,noexec,-s=153600 0 0
/dev/sd0d /usr/src ffs rw,nodev,nosuid,softdep 1 2
/dev/sd0e /var ffs rw,nodev,nosuid,softdep 1 2
/dev/sd0f /home ffs rw,nodev,nosuid,softdep 1 2
/dev/cd0a /cdrom cd9660 ro,noauto 0 0
/dev/sd1a /data1 ffs rw,nodev,nosuid,noexec,softdep 1 2
/dev/sd1b none swap sw 0 0
/dev/sd1d /data2 ffs rw,nodev,nosuid,noexec,softdep 1 2

For those wondering, this comes from an OpenBSD fileserver. Attentive readers might note a mountpoint receiving far less protection. That's because I consider this server to be physically rather safe and don't use the cdrom drive at all. Manual pages to check on your system would include mount(8) and fstab(5).
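A small audit script, added here as an example and not part of the original diary, that reads an fstab and reports every filesystem lacking one of the nodev/nosuid/noexec options it could carry. The fstab it reads is constructed for the example (a trimmed variant of the one above); the list of mount points that must keep executables, setuid binaries or device nodes is an assumption you should extend for your own layout.

```sh
#!/bin/sh
# Added example, not from the original diary: audit an fstab for the
# nodev/nosuid/noexec protections discussed above. The fstab below is
# constructed for the example; in practice run "audit_fstab < /etc/fstab".

sample_fstab() {
    cat <<'EOF'
# device      mount   type    options                          dump pass
/dev/sd0a     /       ffs     rw                               1 1
/dev/sd0b     /tmp    mfs     rw,nodev,nosuid,noexec,-s=153600 0 0
/dev/sd0e     /var    ffs     rw,nodev,softdep                 1 2
/dev/sd0f     /home   ffs     rw,softdep                       1 2
/dev/sd1b     none    swap    sw                               0 0
/dev/cd0a     /cdrom  cd9660  ro,noauto                        0 0
EOF
}

# Reads fstab lines on stdin and prints "<mountpoint>: <missing options>" for
# every filesystem that lacks a protection it could carry. Which mount points
# must keep executables, setuid binaries or device nodes is an assumption
# (the need_exec/need_dev lists); extend them for your own layout.
audit_fstab() {
    awk '
    /^[[:space:]]*#/ || NF < 4 { next }     # comments, blank and short lines
    $3 == "swap"               { next }     # swap has no mount options to check
    {
        mp   = $2
        opts = "," $4 ","                   # pad so ",nodev," matches whole words
        # / and /usr hold binaries and setuid programs; / and /dev hold device nodes
        need_exec = (mp == "/" || mp == "/usr" || mp == "/usr/local")
        need_dev  = (mp == "/" || mp == "/dev")
        missing = ""
        if (opts !~ /,nodev,/  && !need_dev)  missing = missing " nodev"
        if (opts !~ /,nosuid,/ && !need_exec) missing = missing " nosuid"
        if (opts !~ /,noexec,/ && !need_exec) missing = missing " noexec"
        if (missing != "") print mp ":" missing
    }'
}

sample_fstab | audit_fstab
```

The report lists /var, /home and /cdrom for this sample; whether /var or /home should really carry noexec is a judgement call for your system, so treat the output as a review list rather than a verdict. Also compare it against the live mount table (mount(8)), since what is mounted can differ from what fstab says.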


Our next Tip of the Day will be about patching: how do/did you handle the patches coming out from Microsoft today (or how do you handle those from Mozilla, Sun, Oracle, Linux, ...)? Let us know your best practices and Mike Poor will summarize them into a tip tomorrow.
Remember, the Tip of the Day is about sharing positive experiences in order to outsmart the bad guys.

--
Swa Frantzen -- Section 66

Keywords: ToD

Vista reviewed by Symantec

Published: 2006-08-08
Last Updated: 2006-08-08 22:04:56 UTC
by Swa Frantzen (Version: 1)
Fellow handler Lorna tossed me an article written by Symantec analysing the security in Microsoft's upcoming windows release called "Vista".

In the article Tim Newsham and Jim Hoagland, look at the new Vista from a network perspective.

It's interesting to note that Vista supports IPv6 and will try to build tunnels exposing its interfaces even if you have an IPv4 firewall and/or NAT, unless you make sure those IPv6 tunnels cannot get out. (It's IPv6 tunneled in an IPv4 UDP stream that can traverse NAT [Teredo].) So beware of outgoing UDP traffic!

--
Swa Frantzen -- Section 66




Microsoft Black Tuesday Patches

Published: 2006-08-08
Last Updated: 2006-08-08 21:59:24 UTC
by Swa Frantzen (Version: 2)
Microsoft's patches for August have been released today. See our overview rating for clients and servers.

It's interesting to note that US-CERT mentions that one of these vulnerabilities is actively being exploited, (before the patches got released).

--
Swa Frantzen -- Section 66

Other Microsoft Updates Released

Published: 2006-08-09
Last Updated: 2006-08-09 11:56:44 UTC
by Scott Fendley (Version: 2)
Beyond the 12 Security Bulletins released today, Microsoft released a few other updates that should be noted.

Update for InfoPath 2003 - KB920103
This high priority (non-security) update addresses some issues discussed in KB917510 and KB920914. As best we can tell, this is primarily a post Office 2003 SP2 reliability patch for the InfoPath product.

Malicious Software Removal Tool (MSRT) - KB890830
The MSRT underwent its monthly update to add detection for W32/Banker and W32/Jeefo.

Outlook 2003 Junk E-Mail Filter Update - KB920907
This update provides the Outlook 2003 client a more current definition of which e-mail messages are considered junk e-mail.

MS05-004 ASP.NET Path Validation Vulnerability Re-Release - KB887219
Those users of Microsoft Windows Server 2003 for Itanium-based systems or Windows Server 2003 x64 Edition should pay attention to this re-released bulletin. Microsoft .NET Framework 1.1 Service Pack 1 is at risk for the information disclosure and possible escalation of privileges in these operating system environments as well. The ISC recommends that this important update be applied as well. (Thanks Stuart for bringing this re-release to our attention.)




--
Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas

MS06-043: Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)

Published: 2006-08-08
Last Updated: 2006-08-08 19:38:22 UTC
by Lorna Hutcheson (Version: 1)

https://www.microsoft.com/technet/security/bulletin/ms06-043.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2766

Affected Software:
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
 
Impact:  Remote Code Execution
Severity:  Critical


Description:  There is an issue in the way the MHTML protocol is parsed.  The MHTML protocol allows for the use of embedded objects such as images.  This is another cross-domain scripting vulnerability in which code is allowed to run in the wrong security zone (i.e. the local machine zone), which it should not be allowed to do.  There are MANY ways to exploit this and you should patch immediately!
 

MS06-050: Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)

Published: 2006-08-08
Last Updated: 2006-08-08 19:36:36 UTC
by Lorna Hutcheson (Version: 1)

https://www.microsoft.com/technet/security/bulletin/ms06-050.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3086
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3438

Affected Software:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1
   for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
 
Impact:  Remote Code Execution
Severity:  Important
Replaces:  MS05-015


Description:  This update actually addresses two separate issues.  One is the Hyperlink COM Object Buffer Overflow Vulnerability and the other is the Hyperlink Object Function Vulnerability.  Each of these is addressed separately below.

Hyperlink COM Object Buffer Overflow Vulnerability:  There is a buffer overflow in the Hyperlink Object Library, which is used to handle hyperlinks.  An attacker who created a malicious hyperlink could take complete control of the system.  The attacker only gains the rights of the user logged on to the system.  Good admins don't let users run as Administrator!

Hyperlink Object Function Vulnerability:  From Microsoft:  "This problem exists when the Hyperlink Object Library uses a file containing a malformed function while handling hyperlinks."  This is the result of another buffer overflow in the Hyperlink Object Library.  Again, the attacker only gains the rights of the user logged on the system. 

Even though the severity rating of these are listed as Important, I would venture to say they are under rated and would recommend patching ASAP. 

 

MS06-051: Vulnerability in Windows Kernel

Published: 2006-08-08
Last Updated: 2006-08-08 19:32:52 UTC
by Pedro Bueno (Version: 1)
Vulnerability in Windows Kernel Could Result in Remote Code Execution
MS06-051 - KB917422

This update fixes two main vulnerabilities.
    - CVE-2006-3443: The User Profile Elevation of Privilege - LOCAL
    - CVE-2006-3648: The Unhandled Exception - REMOTE

If any of them is successfully exploited, the attacker can gain complete control of the affected system.

The advisory focuses on W2k systems. For the Elevation of Privilege vulnerability: "...If a specially crafted DLL is placed in the user directory, it is possible for WinLogon to execute the code of the DLL resulting in an elevation of the user's privileges.".

For the Unhandled Exception vulnerability, it looks like simple spam with a link would lead the user to a specially crafted website which would exploit it.

Needless to say, it is REALLY important to patch your systems against these vulnerabilities! Test and patch!!

-------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org)


MS06-048: Microsoft Office Remote Code Execution Vulnerabilities

Published: 2006-08-08
Last Updated: 2006-08-08 19:27:35 UTC
by Scott Fendley (Version: 1)
Vulnerabilities in Microsoft Office Allow Remote Code Execution
MS06-048 - KB922968  (CVE-2006-3590 CVE-2006-3449)

Severity:   Critical for PowerPoint 2000, and Important to all others.
Replaces:    MS06-038   for PowerPoint 2000, XP, 2003, 2004 for Mac and v.X for Mac
Affected Software:
       Microsoft Office 2000 SP3
       Microsoft Office XP SP3
       Microsoft Office 2003 SP1 or SP2
       Microsoft Office 2004 for Mac
       Microsoft Office v.X for Mac

Description:

This update addresses 2 different remote code execution vulnerabilities that exist in Microsoft Office.  These vulnerabilities specifically affect PowerPoint, though the binary is shared by several Office products.  To exploit either vulnerability, an end user will have to receive a specially crafted PowerPoint file via email, from a website or a similar mechanism.  The end user would then have to open the file with a vulnerable product.

An attacker who successfully exploited the vulnerabilities could take complete control of an affected system. Those users with limited access would be less impacted.

One of the 2 vulnerabilities has been publicly disclosed and is being actively exploited.  So, it is recommended that this patch be applied immediately.


--
Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas

MS06-045: Windows Explorer Remote Code Execution Vulnerability

Published: 2006-08-08
Last Updated: 2006-08-08 19:27:21 UTC
by Scott Fendley (Version: 1)
Vulnerability in Windows Explorer Could Allow Remote Code Execution
MS06-045 - KB921398  (CVE-2006-3281)

Severity:    Important
Replaces:    MS05-016   for Windows 2000, XP SP1, XP SP2, and Server 2003

Affected Software:
       Windows 2000 SP4
       Windows XP SP1 and SP2
       Windows Server 2003 and 2003 SP1
       Windows XP Pro and  Server 2003 x64
       Windows Server 2003 Itanium Based Systems

Description:

A flaw in the handling of Drag and Drop events in Windows Explorer could allow attackers to take complete control of a computer.  User interaction is required for this attack to be successful.  The attacker will only have the privileges of the logged-in user, so users with reduced account privileges are less at risk than those logged on as administrator or power user.

Disabling the Web Client service manually or through group policy can help block known attack vectors until the patch can be applied. 

As this vulnerability has been publicly disclosed, it is recommended that this patch be applied immediately.

--
Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas

MS06-046: HTML Help Remote Code Execution

Published: 2006-08-08
Last Updated: 2006-08-08 19:27:08 UTC
by Scott Fendley (Version: 2)
Vulnerability in HTML Help Could Allow Remote Code Execution
MS06-046 - KB922616  (CVE-2006-3357)

Severity:  Critical (except on Server 2003)
Replaces:   MS05-001   for Windows 2000, XP SP1, XP SP2, Server 2003, and Server 2003 SP1

Affected Software:

       Windows 2000 SP4
       Windows XP SP1 and SP2
       Windows Server 2003 and 2003 SP1
       Windows XP Pro and  Server 2003 x64
       Windows Server 2003 Itanium Based Systems

Description:

A vulnerability exists in the HTML Help ActiveX control which could allow remote code execution. An attacker could construct a malicious web page which exploits this flaw when an end user visits the page.  Those users with reduced privileges would be less impacted.

Microsoft has offered the following workarounds until this update can be applied.  Each workaround has a set of known issues related to it.

    * Disable the HTML Help ActiveX control from running within IE6 for XP SP2.
    * Set Internet and Local intranet security zone settings to High to prompt before running ActiveX controls and scripting in these zones.
    * Restrict Web sites to only your trusted Web sites.
    * Temporarily disable the HTML Help ActiveX control from running in Internet Explorer

As this vulnerability has been publicly disclosed and has somewhat complicated workarounds, it is recommended that this patch be applied immediately.

--
Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas

MS06-041: Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)

Published: 2006-08-08
Last Updated: 2006-08-08 18:51:12 UTC
by Marcus Sachs (Version: 1)
MS06-041 - KB 920683 - CVE-2006-3440 - CVE-2006-3441

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Apply the update immediately

Affected Software:

Windows 2000 SP4
Windows XP SP1 and SP2
Windows XP for x64
Windows Server 2003 (including SP1)
Windows Server 2003 for Itanium (including SP1)
Windows Server 2003 for x64

There are two vulnerabilities covered in this bulletin:

Winsock Hostname Vulnerability - CVE-2006-3440:

There is a remote code execution vulnerability in Winsock that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. For an attack to be successful the attacker would have to force the user to open a file or visit a website that is specially crafted to call the affected Winsock API.

DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:

There is a remote code execution vulnerability in the DNS Client service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.


Marcus H. Sachs
SRI International


MS06-044: Microsoft Management Console Cross Site Scripting.

Published: 2006-08-08
Last Updated: 2006-08-08 18:20:47 UTC
by Johannes Ullrich (Version: 1)
MS06-044

CRITICAL (remote code execution)

A cross site scripting attack against the Microsoft Management Console (MMC) could be used to inject hostile code on a system used to access the MMC. Only Windows 2000 SP4 appears to be vulnerable, and the exploit is not trivial.

The advisory is a bit vague on how an exploit exactly works. But it appears that the remote site would offer a link. Clicking on the link would open MMC and include the malicious code. It is likely possible to redirect a user to the link via javascript without user interaction.

Urgency:
Clients: HIGH for Windows 2000 SP4. Patch now.
Servers: LOW. Carefully test patch first.




MS06-040: Server Service

Published: 2006-08-08
Last Updated: 2006-08-08 18:19:57 UTC
by Swa Frantzen (Version: 1)
MS06-040 - KB921883

CRITICAL

This fixes a buffer overrun in the server service in Windows that allows for remote code execution.

The suggested workaround is to block port 139/tcp and 445/tcp with a firewall.

This sounds like it could be developed into a worm, or used as a second stage once an attacker is behind a corporate firewall.

CVE-2006-3439

--
Swa Frantzen -- section 66



MS06-049: W2k Kernel Bug

Published: 2006-08-08
Last Updated: 2006-08-08 17:40:19 UTC
by Pedro Bueno (Version: 1)
MS06-049

This is another privilege elevation vulnerability.

By exploiting this vulnerability, on MS own words: "...An attacker could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To attempt to exploit the vulnerability, an attacker must be able to log on locally to the system and run a program."

According to the advisory this occurs due to an unchecked buffer bug that affects the Windows 2000 kernel.

Although this vulnerability can only be exploited locally, we recommend that you test and apply the patch as soon as possible. This vulnerability has already been known for a while, and reading the advisory it really doesn't look so hard to exploit, so if you have systems running 2k, patch them!

---------------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org )

MS06-042: Internet Explorer Rollup Patch

Published: 2006-08-08
Last Updated: 2006-08-08 17:36:12 UTC
by Johannes Ullrich (Version: 1)
MS06-042  (CRITICAL)

The usual monthly set of fixes for recently discovered Internet Explorer vulnerabilities. Exposing Internet Explorer to malicious HTML code could allow an attacker to execute arbitrary code. Vulnerabilities like this are frequently used by "drive-by downloads" to install spyware, adware and bots.

Three of the vulnerabilities have been disclosed publicly:
- CVE-2006-3280 (Redirect Cross-Domain Information Disclosure).
- CVE-2006-3637 (HTML Rendering Memory Corruption Vulnerability)
- CVE-2004-1166 (FTP Server Command Injection Vulnerability).

In particular note the date (2004!) of the FTP server command injection vulnerability. Exploiting this vulnerability is rather easy and exploits have been available since December 2004. The attacker would have to include an 'ftp://' URL which contains a URL-encoded newline character (newline = %0a); the client decodes it and the text after it is sent to the FTP server as a separate command. It is also important to note that the KDE web browser (Konqueror) had the same issue.

A well-crafted exploit for the FTP vulnerability would not require any user interaction beyond exposing the browser to malicious code. A compromised web server, banner ads or image tags on public web sites could be used to trigger this vulnerability.

Urgency:
Client: HIGH! Apply patch after expedited testing.
Server: Low. Apply patch after exhaustive testing.
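To make the FTP command injection concrete, here is an added example (not from the original diary) that models the client behaviour described above and flags such URLs in a list of requests. The URLs are constructed for the example, and the client model (a command such as RETR sent with the percent-decoded path) is an assumption that illustrates the mechanism, not Internet Explorer's actual code.

```sh
#!/bin/sh
# Added example, not from the original diary: show why an encoded newline in an
# ftp:// URL is a command injection, and flag such URLs in a list of requests.
# The URLs below are constructed; the client model is an assumption.

# Model of a careless FTP client: percent-decode %0d/%0a in the path and send
# "RETR <path>" on the control channel. Each decoded newline ends one command
# and starts another, so the attacker's text becomes its own FTP command.
ftp_control_lines() {
    printf 'RETR %s\n' "$1" | awk '{ gsub(/%0[dD]/, ""); gsub(/%0[aA]/, "\n"); print }'
}

# Constructed request list, one URL per line (think: the URL column of a proxy log).
sample_urls() {
    cat <<'EOF'
ftp://ftp.example.net/pub/file.txt
ftp://ftp.example.net/pub/x%0aQUIT
http://www.example.net/index.html?q=%0a
ftp://ftp.example.net/a%0D%0AHELP
EOF
}

# Detection: ftp:// URLs carrying an encoded CR or LF (hex digits in either case).
# Only ftp:// matters here; the same bytes in an http:// URL are not this bug.
find_ftp_newline_urls() {
    grep -i -E '^ftp://[^[:space:]]*%0[ad]'
}

ftp_control_lines 'pub/x%0aQUIT'
sample_urls | find_ftp_newline_urls
```

The first call prints two control-channel lines, "RETR pub/x" followed by "QUIT": the second line is attacker-chosen and the server will execute it as a command. The grep matches the two ftp:// URLs in the sample and not the http:// one, which is the check you would run over proxy logs to see whether anyone has been exposed to such URLs before the patch is deployed.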

AOL: the Good, the Bad and the Ugly

Published: 2006-08-08
Last Updated: 2006-08-08 12:23:56 UTC
by Swa Frantzen (Version: 1)

The Good

http://www.activevirusshield.com/

AOL is giving away free Anti Virus software powered by Kaspersky. It's called Active Virus Shield. There are already some free offerings, but more cannot be a bad thing and over the years I've personally grown to like the speed and quality of signature releases of Kaspersky, so I'm happy to see a free offering using this.

The Bad

Well, you have seen it move from blogs to more mainstream media by now, but AOL leaked some search logs.

Interesting to note that many people seem to be outraged by such a leak and feel their privacy violated, yet those same people don't bother/ask to encrypt the connection to search engines. Somehow there seems a lack of balance to me.
Worse, once you searched for something and click on the search results, the referer header will reveal the search terms you used to the website you are heading to.

The Ugly

AOL also announced a few days ago another free service. They intend to offer free storage of 5Gbyte. The warez dudes will love this: more than a DVD full of illegal copies. I'm happy to say I'm not the one who'll have to play "whack-a-mole" on this project. I do hope they build in loads of measures to prevent this before they go public with this.

--
Swa Frantzen -- Section 66
