SANS ISC InfoSec Handlers Diary Blog



The missing Microsoft patches

Published: 2007-01-05
Last Updated: 2007-04-14 16:19:27 UTC
by Swa Frantzen (Version: 41)

Vulnerabilities that are widely known and/or actively exploited are of great interest to our readers; here we try to keep an overview of them.

Columns: affected; known exploits; impact; known since; ISC rating(*) (clients / servers). Notes follow each entry where we have them.

Microsoft DNS
  CVE-2007-1748
  Known exploits: Exploit used in the wild. Exploit code public.
  Impact: Remote code execution with SYSTEM privileges
  Known since: April 4th, 2007
  ISC rating: clients Less Urgent / servers Critical
  Notes: Microsoft DNS offers RPC for remote management that is vulnerable to a stack overflow. See SA935964 for more mitigating information, as well as KB935964, VU#555920 and the MSRC blog.

MSIE
  CVE-2007-1692
  Known exploits: Exploit publicly discussed.
  Impact: Malicious proxy insertion by insiders
  Known since: Mar 25th, 2007
  ISC rating: clients Less Urgent / servers Less Urgent
  Notes: Some mitigating steps are in KB934864: set up wpad TXT records in all DNS domains and have the "wpad" and "wpad." names reserved on all WINS servers.

Windows Vista - Windows Mail
  CVE-2007-1658
  Known exploits: Exploit publicly available.
  Impact: Execute programs through crafted URL
  Known since: Mar 23rd, 2007
  ISC rating: clients Less Urgent / servers Less Urgent

IE 7
  CVE-2007-1499
  Known exploits: Exploit publicly available.
  Impact: XSS against local resource
  Known since: Mar 14th, 2007
  ISC rating: clients Less Urgent / servers Less Urgent

OLE object can crash Windows Explorer
  CVE-2007-1347, US-CERT VU#194944
  Known exploits: Exploit publicly available.
  Impact: DoS (memory corruption might lead to more)
  Known since: Mar 6th, 2007
  ISC rating: clients Less Urgent / servers Less Urgent

IE7 browser entrapment using onUnload()
  CVE-2007-1091
  Known exploits: PoC publicly discussed.
  Impact: onUnload() and transitions can be used to fake a user backing out of a bad website while still interacting with it
  Known since: Feb 23rd, 2007 (variation of onUnload() trouble from Aug 2005)
  ISC rating: clients Less Urgent / servers Less Urgent

IE7 browser involuntary file upload
  Known exploits: PoC publicly discussed.
  Impact: Focus can still be captured using JavaScript to capture keystrokes and use them to upload a file to a malicious website.
  Known since: Feb 12th, 2007 (variant of exploits dating back to Jun 2006)
  ISC rating: clients Important / servers Less Urgent

Word 2000/XP unspecified problems
  CVE-2007-0870
  Known exploits: Used in targeted attacks. See Advisory #933052 and the MSRC blog.
  Impact: Remote code execution (originally only DoS)
  Known since: Feb 9th, 2007
  ISC rating: clients Critical / servers Important

Internet Explorer msxml3 concurrency problems
  CVE-2007-0099
  Known exploits: Publicly posted exploit
  Impact: DoS / code execution considered too difficult to control
  Known since: Jan 4th, 2007
  ISC rating: clients Less Urgent / servers Less Urgent
  Notes: Patch unlikely; expect a fix in a SP or next version.

Workstation Service NetrWkstaUserEnum() memory allocation exhaustion in XP and 2000
  CVE-2006-6723
  Known exploits: Publicly posted exploit
  Impact: DoS
  Known since: Dec 25th, 2006
  ISC rating: clients Less Urgent / servers Less Urgent
  Notes: Patch unlikely; expect a fix in a SP. Likely related to CVE-2006-6296 and CVE-2006-3644, see below.

Microsoft Windows NAT Helper Components
  CVE-2006-5614
  Known exploits: Publicly available exploit.
  Impact: DoS
  Known since: Oct 28th, 2006
  ISC rating: clients Less Urgent / servers Important
  Notes: Patch unlikely; expect a fix in a SP.

PowerPoint 2003
  CVE-2006-5296 (MSRC blog #1, MSRC blog #2)
  Known exploits: Publicly available exploit.
  Impact: DoS
  Known since: Oct 20th, 2006
  ISC rating: clients Less Urgent / servers Less Urgent
  Notes: Patch unlikely; Microsoft doesn't consider it a security problem anymore.

RPC memory allocation exhaustion in Windows 2000 SP4 via UPnP, SPOOLSS
  CVE-2006-6296, CVE-2006-3644
  Known exploits: Multiple publicly available exploits.
  Impact: DoS
  Known since: Nov 16th, 2005
  ISC rating: clients Less Urgent / servers Important
  Notes: Patch unlikely; expect a fix in a SP (if any).

We will update issues on this page as they evolve.
We appreciate updates.

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.

--
Swa Frantzen -- Section 66

Keywords: Microsoft patches

Offline Microsoft Patching

Published: 2006-12-14
Last Updated: 2006-12-14 05:20:42 UTC
by Swa Frantzen (Version: 3)

Heise brings us "Offline Update 3.0" to do offline installations of Microsoft patches.

Read more about it at: http://www.heise-security.co.uk/articles/80682

Now this is a great concept. You can actually make a DVD to install the patches before you connect a PC that is out of date on patches to the Internet. If you think you can safely do that without this tool, take a second and think it through: some of your friends needing a house call might have a USB-connected DSL or cable modem and therefore not be behind NAT; next, take a look at the survival time and think how long it takes to get a Windows system from original media to a fully patched status.

So, if you're going to visit parents, family or friends over the holidays, start your preparation now and make that disk today to take along. It'll improve the response time to the obligatory "Could you take a look at our computer while you're here?" dramatically and give you a safe way to reinstall systems without a hardware-based firewall.

If you have networks that you do not want to connect to the Internet because the risks involved are just too big for the sensitivity of the data involved, this might also become a way to patch those off-line machines.

Update: Simon wrote in mentioning AutoPatcher as an alternative solution.

Update: "Mads" reminded us Microsoft makes available ISO images with some of the patches on a monthly basis.

--
Swa Frantzen -- Section 66


Microsoft Office 2004 (Mac OS X) update was an accident.

Published: 2006-12-13
Last Updated: 2006-12-13 18:00:21 UTC
by Swa Frantzen (Version: 5)

Microsoft accidentally released an update named 11.3.1 for Office 2004 (the Apple Mac version) today.

It did contain an unspecified security fix and stability improvements. After asking what it fixed we got the reply it was actually a pre-release that was made available through auto-update.

http://www.microsoft.com/mac/autoupdate/description/AUOffice20041131EN.htm

It wasn't intended to be released and hence has been pulled. See the MSRC blog for more details.

Microsoft is also recommending uninstalling the patches, although to be honest I've no idea how to actually do that.

A reader wrote in pointing out the standalone download .dmg image did contain in its instructions:

"This update does not include an uninstall feature. To restore your application to its original state, delete it from your hard disk, reinstall it from your original installation disk, and then install the updates you want."

So I guess we'll be dragging Office to the waste basket, searching for the DVD, registering the software all over again and then downloading a bunch of patches.

--
Swa Frantzen -- Section 66
Keywords: mac Microsoft

SAV botnet revival?

Published: 2006-12-12
Last Updated: 2006-12-12 21:20:49 UTC
by Swa Frantzen (Version: 1)

It seems like there is a revival going on of the botnet exploiting the Symantec Anti-Virus vulnerability. It was originally reported on by Joel on Nov 27th.

The traffic scanning for port 2967 is back, and it seems new Command and Control centers are active for it as well.

--
Swa Frantzen -- Section 66

MS06-077: Remote Installation Service (RIS) remote exploit

Published: 2006-12-12
Last Updated: 2006-12-12 20:58:36 UTC
by John Bambenek (Version: 1)

This vulnerability only affects Windows 2000 Server SP4 systems that have RIS installed and that allow anonymous access to the system serving the installation files. With anonymous access, a remote user could view, change or delete data or create accounts, including having malware installed on systems deployed by RIS. It is possible to exploit this vulnerability over the Internet if network permissions were set so poorly that anonymous access is allowed to everyone; a simple firewall would block this vector. The patch removes the vulnerability by not allowing anonymous TFTP users write access to the file structure.

This vulnerability has not been disclosed publicly and Microsoft reports no indication of active exploitation of this vulnerability.

Microsoft ranks this update as important; however, the very specific OS version needed and other mitigating technologies make this an unimportant patch for all but a few users.

Bulletin: MS06-077

--
John Bambenek
bambenek /at/ gmail /dot/ com



Microsoft Black Tuesday - December 2006 overview

Published: 2006-12-13
Last Updated: 2006-12-14 00:18:30 UTC
by Swa Frantzen (Version: 3)

Overview of the December 2006 Microsoft patches and their status.

Columns: bulletin and affected component; contra indications; known exploits; Microsoft rating; ISC rating(*) (clients / servers).

MS06-072: Internet Explorer - remote code execution
  CVE-2006-5579, CVE-2006-5581, CVE-2006-5578, CVE-2006-5577
  Contra indications: No known problems. KB 925454
  Known exploits: No known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical / servers Important

MS06-073: Visual Studio 2005 - remote code execution
  CVE-2006-4704
  Contra indications: No known problems. KB 925674
  Known exploits: Exploit publicly available
  Microsoft rating: Critical
  ISC rating: clients PATCH NOW / servers Important

MS06-074: SNMP - remote code execution - buffer overflow
  CVE-2006-5583
  Contra indications: No known problems. KB 926247. We are aware of a problem with a link in the advisory for Win2000 SP4 pointing to the MS06-078 fix.
  Known exploits: Exploit available in a for-pay program
  Microsoft rating: Important
  ISC rating: clients Critical / servers Critical

MS06-075: csrss - privilege escalation
  CVE-2006-5585
  Contra indications: No known problems. KB 926255
  Known exploits: No known exploits
  Microsoft rating: Important
  ISC rating: clients Important / servers Important

MS06-076: Outlook Express - remote code execution
  CVE-2006-2386
  Contra indications: No known problems. KB 923694
  Known exploits: No known exploits
  Microsoft rating: Important
  ISC rating: clients Important / servers Less Urgent

MS06-077: RIS - remote code execution
  CVE-2006-5584
  Contra indications: No known problems. KB 926121
  Known exploits: No known exploits
  Microsoft rating: Important
  ISC rating: clients Important / servers Important

MS06-078: Windows Media Player - remote code execution
  CVE-2006-4702, CVE-2006-6134
  Contra indications: No known problems. KB 923689, KB 925398
  Known exploits: Exploits available for the .asx vulnerability
  Microsoft rating: Critical
  ISC rating: clients PATCH NOW / servers Important

MS06-059 (re-release): Excel
  CVE-2006-2387, CVE-2006-3431, CVE-2006-3867, CVE-2006-3875
  Contra indications: No known problems. KB 924164. Fixes installation failures in Excel 2002.
  Known exploits: Exploits are publicly available
  Microsoft rating: Critical
  ISC rating: clients Critical / servers Less Urgent

We will update issues on this page as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

--
Swa Frantzen -- Section 66


MS06-074: SNMP Buffer Overflow (CVE-2006-5583)

Published: 2006-12-12
Last Updated: 2006-12-12 19:48:39 UTC
by Johannes Ullrich (Version: 1)

The Simple Network Management Protocol (SNMP) service is vulnerable to a buffer overflow. This service is typically used to manage network devices. Home users are not likely to have this service installed. However, many larger networks will use SNMP to control and monitor networked workstations and servers.

According to a note from Dave Aitel, Immunity released an exploit for this vulnerability to its customers.

To disable this service, or to check whether it is running, use the "Services" applet in your Control Panel and make sure the 'SNMP Service' is not running. You will not see an entry for the SNMP Service if it is not installed.

This patch is a "patch now" for all networks that use SNMP. The service runs as "system", and a successful exploit would give an attacker full access. The Microsoft bulletin only talks about port 161 UDP for this vulnerability, so one can assume that SNMP trap messages are not affected.

Common sense SNMP security (regardless of the vulnerability):
  • block port 161/udp and 162/udp at your perimeter (SNMPv3 may use TCP).
  • use a hard to guess community string (anything but "public").
  • disable snmp listeners if you do not need them.
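As an added illustration of why the community string matters (example code written for this page, not Microsoft's, Immunity's or the diary author's), the Python below builds an SNMPv1 GetRequest for sysDescr.0 and then parses the community back out of the raw datagram, which is exactly what anyone on the path sees: SNMPv1 and v2c carry the community in cleartext, so a guessable one is no protection on its own, and blocking 161/udp and 162/udp at the perimeter is what actually keeps outsiders away from the service. The OID, the community strings and the list of default communities are constructed for the example; nothing is sent on the network.

```python
"""Minimal SNMPv1 BER encoder plus a header parser that pulls the cleartext
community out of a captured datagram. Added example; all values constructed."""

# BER tags used by SNMPv1 messages (RFC 1157)
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0  # context-specific constructed tag [0]

# Constructed list of default community strings an audit or IDS rule should flag.
DEFAULT_COMMUNITIES = {"public", "private"}


def _ber_length(n):
    """BER length: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_length(len(body)) + body


def _integer(n):
    # Two's-complement encoding; minimal for the non-negative values used here.
    return _tlv(TAG_INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def _oid(dotted):
    """Encode a dotted OID: the first two arcs merge into one byte, the rest use base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_get_request(community, oid, request_id=1):
    """Build a complete SNMPv1 (version 0) GetRequest datagram for one OID."""
    varbind = _tlv(TAG_SEQUENCE, _oid(oid) + _tlv(TAG_NULL, b""))
    pdu = _tlv(TAG_GET_REQUEST, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(TAG_SEQUENCE, varbind))
    return _tlv(TAG_SEQUENCE, _integer(0) + _tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Return (version, community, pdu_tag) from an SNMPv1/v2c message.
    SNMPv3 puts msgGlobalData where the community would be and is rejected here."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, version, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing version")
    tag, community, pos = _read_tlv(body, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("no community string (SNMPv3 or malformed)")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return int.from_bytes(version, "big", signed=True), community.decode("latin-1"), pdu_tag


def weak_community_alert(datagram):
    """Detection helper: describe the datagram if it uses a default community, else None."""
    try:
        version, community, pdu_tag = parse_snmp_header(datagram)
    except (ValueError, IndexError):
        return None
    if version in (0, 1) and community in DEFAULT_COMMUNITIES:
        name = "1" if version == 0 else "2c"
        return f"SNMPv{name} PDU 0x{pdu_tag:02x} with default community '{community}'"
    return None


if __name__ == "__main__":
    # Constructed sample: sysDescr.0 queried with the default community.
    pkt = encode_get_request("public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(weak_community_alert(pkt))
```

Running it prints the 40-byte datagram and the alert; weak_community_alert() is the part you would feed captured 161/udp payloads into from a sniffer or IDS to find agents still answering to "public".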
References:
KB926247
CVE-2006-5583


MS06-072: Cumulative Security Update for Internet Explorer (925454)

Published: 2006-12-12
Last Updated: 2006-12-12 19:08:00 UTC
by Lorna Hutcheson (Version: 1)

This bulletin addresses four vulnerabilities in Internet Explorer. Two allow remote code execution and two allow information disclosure. According to Microsoft, this does not affect Internet Explorer version 7. Since many organizations are still running version 6, it is very critical that you patch this ASAP if you haven't upgraded yet. This bulletin replaces MS06-067. Microsoft also provides a link on possible issues that may arise as a result of this patch: http://support.microsoft.com/kb/925454

Script Error Handling Memory Corruption Vulnerability - CVE-2006-5579
Previously freed memory is accessed when certain script errors are encountered, which may corrupt the system's memory and allow code execution.

DHTML Script Function Memory Corruption Vulnerability - CVE-2006-5581
When Internet Explorer interprets certain DHTML script function calls to incorrectly created elements it may corrupt system memory in such a way that an attacker could execute arbitrary code.

TIF Folder Information Disclosure Vulnerability - CVE-2006-5578
The issue lies in how Internet Explorer handles drag-and-drop operations and would allow files in the Temporary Internet Files folder on the user's system to be accessed.

TIF Folder Information Disclosure Vulnerability - CVE-2006-5577
This one is similar to the previous vulnerability; however, it reveals the path to the Temporary Internet Files folder and allows the folder to be accessed and files to be retrieved. According to Microsoft, this requires action on the user's part.

Keywords: Microsoft

MS06-078: 2 Windows Media Format Vulnerabilities (CVE-2006-4702, CVE-2006-6134)

Published: 2006-12-12
Last Updated: 2006-12-12 18:51:42 UTC
by Robert Danford (Version: 1)

This advisory addresses 2 vulnerabilities in the Windows "Media Format Runtime", which is utilized by applications using Windows Media content.
The unchecked buffer and URL parsing vulnerabilities could result in full system compromise if exploited.
An attacker would create a malicious Advanced Streaming Format (.ASF) file or a malicious Advanced Stream Redirector (.ASX) file and present it to a vulnerable client through a malicious URL, an email attachment or perhaps through a malicious IFRAME or redirect.

These vulnerabilities pose the most risk to systems used for web surfing or checking email, especially if the user is logged in as Administrator or if Internet Explorer is running with an unrestricted or lower-than-High security zone. MS Outlook's default restrictions might shield a user, but clicking on a URL within an email launches a browser outside of those restrictions.

Note: Known exploits have been circulating for CVE-2006-6134 (ASX).

Note that it may take several patches to update a system. Windows Media Player 6.4 is patched differently than the Media Format Runtime. It may be a challenge to assess the posture of any given system in regards to these two vulnerabilities short of utilizing the Microsoft tools.

Affected:
  • Microsoft Windows Media Format 7.1 through 9.5 Series Runtime on the following operating system versions:
    • Microsoft Windows 2000 Service Pack 4 - Download the update (KB923689)
    • Microsoft Windows XP Service Pack 2 - Download the update (KB923689)
    • Microsoft Windows XP Professional x64 Edition - Download the update (KB923689)
    • Microsoft Windows Server 2003 or Microsoft Windows Server 2003 Service Pack 1 - Download the update (KB923689)
    • Microsoft Windows Server 2003 x64 Edition - Download the update (KB923689)
  • Microsoft Windows Media Format 9.5 Series Runtime x64 Edition on the following operating system versions:
    • Microsoft Windows XP Professional x64 Edition - Download the update (KB923689)
    • Microsoft Windows Server 2003 x64 Edition - Download the update (KB923689)
  • Microsoft Windows Media Player 6.4:
    • Windows 2000 Service Pack 4 - Download the update (KB925398)
    • Microsoft Windows XP Service Pack 2 - Download the update (KB925398)
    • Microsoft Windows XP Professional x64 Edition - Download the update (KB925398)
    • Microsoft Windows Server 2003 or Microsoft Windows Server 2003 Service Pack 1 - Download the update (KB925398)
    • Microsoft Windows Server 2003 x64 Edition - Download the update (KB925398)

Reference URLs:
http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx
http://support.microsoft.com/kb/923689
http://support.microsoft.com/kb/925398
Windows Media Format ASF Parsing Vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4702
Windows Media Format ASX Parsing Vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-6134
http://research.eeye.com/html/alerts/zeroday/20061122.html
http://blogs.technet.com/msrc/archive/2006/12/07/public-proof-of-concept-code-for-asx-file-format-isssue.aspx



MS06-075: csrss local privilege escalation (CVE-2006-5585)

Published: 2006-12-14
Last Updated: 2006-12-14 16:14:42 UTC
by Jim Clausing (Version: 2)

Microsoft has released bulletin MS06-075, which addresses a local privilege escalation vulnerability affecting Windows XP SP2 and Windows Server 2003 in the client/server run-time subsystem (csrss), a required component of Windows (in other words, it is always running on all Windows machines). Note that Vista, Windows Server 2003 SP1 and Windows 2000 SP4 are claimed not to be affected at this time.

We rate this one as important. If someone can get access to the system via other means (cracked password, etc.), this vulnerability allows that person to elevate their privileges to administrator by running a specially crafted executable.

References:
KB926255
CVE-2006-5585
Keywords: csrss Microsoft

MS06-076: Windows Address Book Contact Record flaw (CVE-2006-2386)

Published: 2006-12-12
Last Updated: 2006-12-12 18:48:20 UTC
by Scott Fendley (Version: 1)

References: KB923694
Severity:  Highly Important to Workstations, lesser for servers

This update is a cumulative update for Outlook Express versions 5.5 and 6. It addresses a remote code execution problem involving the Windows Address Book (.wab files). The vulnerability exists in a component of Outlook Express which could allow an attacker who sends a specially crafted address book file to an unpatched system to take control of that system. The vulnerability does not contain any privilege escalation capabilities: if the attacker successfully exploits it, he or she would gain the same access rights as the logged-in user. So please remember to configure end user accounts with as few privileges as possible.

I would recommend applying this update or the registry change workaround to any client workstations as soon as possible.

This update replaces MS06-016 and MS06-043 as it is a cumulative update.

MS06-073: WMI Object Broker Vulnerability (CVE-2006-4704)

Published: 2006-12-12
Last Updated: 2006-12-12 18:21:28 UTC
by Johannes Ullrich (Version: 1)

This one is "highly critical". A working exploit is already available for Metasploit.

The WMI Object Broker is a special ActiveX control which is used by Visual Studio 2005. An attacker would use a malicious web page to exploit it. You have to have Visual Studio 2005 installed in order to be vulnerable. The vulnerable file is WmiScriptUtils.dll.


As with other ActiveX features, Internet Explorer 7 mitigates this somewhat, as you have to "opt in" to individual ActiveX controls in order to use them. The restricted mode in Windows 2003 turns off ActiveX as well, limiting exposure.

What you should do:
- On a client with Visual Studio 2005 installed: Patch now.
- On a client without Visual Studio 2005: you should not have this control.
- On a server:  Check if you are using the "Enhanced Security Configuration" for MSIE. The patch is unlikely to apply.

I do recommend upgrading to Internet Explorer 7 if you are regularly using Internet Explorer.

References:
KB927709
MS06-073
CVE-2006-4704
eEye Advisory

ICMP - call for packets?

Published: 2006-12-12
Last Updated: 2006-12-12 15:49:25 UTC
by Swa Frantzen (Version: 1)

One of our readers is reporting a fairly recent increase in ICMP packets hitting his firewall. If you're seeing the same we'd like some data:

  • on the importance and timeframe of the increase;
  • the type of ICMP packets you're receiving;
  • some idea of how it correlates (sweeping your address range, just hitting one IP, coming from all over, coming from specific hosts, ...);
  • if possible a small sample of some out of the ordinary packet captures.
As always you can upload your results through our contact form.
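The data points asked for here (magnitude and timeframe, ICMP type, one target versus a sweep of your range, a few sources versus many) are the same ones worth pulling out of your own firewall logs before you send anything in, and the same parsing answers the port 2967 question from the SAV botnet diary above. The Python below is an added example, not ISC's code: it parses constructed iptables-style log lines using RFC 5737 documentation addresses (the format, field names and values are assumptions; adjust the regular expressions to your firewall's syntax) and summarises both the tcp/2967 sweep and the ICMP correlation.

```python
"""Triage firewall log lines: which sources sweep a TCP port across several
hosts, and how an ICMP increase correlates. Added example; sample log constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample in an iptables-like format (documentation addresses only).
SAMPLE_LOG = """\
Dec 12 10:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=2967
Dec 12 10:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP DPT=2967
Dec 12 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP DPT=2967
Dec 12 10:00:04 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=2967
Dec 12 10:00:05 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=80
Dec 12 10:01:00 fw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
Dec 12 10:01:01 fw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.11 PROTO=ICMP TYPE=8 CODE=0
Dec 12 10:01:02 fw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.12 PROTO=ICMP TYPE=8 CODE=0
Dec 12 10:01:03 fw kernel: IN=eth0 SRC=198.51.100.200 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
Dec 12 10:01:04 fw kernel: IN=eth0 SRC=198.51.100.201 DST=203.0.113.10 PROTO=ICMP TYPE=3 CODE=3
Dec 12 10:01:05 fw kernel: garbage line without the fields we need
"""

_FIELDS = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\w+)")
_TIMESTAMP = re.compile(r"^\w{3} +\d+ (\d\d:\d\d)")  # minute granularity for the timeframe


def parse_line(line):
    """Return a record dict for one log line, or None if it lacks SRC/DST/PROTO."""
    m = _FIELDS.search(line)
    if not m:
        return None
    rec = {"src": m.group(1), "dst": m.group(2), "proto": m.group(3).upper(),
           "dpt": None, "type": None, "minute": None}
    dpt = re.search(r"DPT=(\d+)", line)
    if dpt:
        rec["dpt"] = int(dpt.group(1))
    icmp_type = re.search(r"TYPE=(\d+)", line)
    if icmp_type:
        rec["type"] = int(icmp_type.group(1))
    ts = _TIMESTAMP.match(line)
    if ts:
        rec["minute"] = ts.group(1)
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def port_scan_sources(records, port, min_targets=2):
    """Sources hitting `port` on at least `min_targets` distinct destinations -> target count."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "TCP" and r["dpt"] == port:
            targets[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def icmp_correlation(records):
    """Summarise ICMP traffic along the axes the diary asks about."""
    icmp = [r for r in records if r["proto"] == "ICMP"]
    targets = defaultdict(set)
    for r in icmp:
        targets[r["src"]].add(r["dst"])
    return {
        "total": len(icmp),
        "per_minute": dict(Counter(r["minute"] for r in icmp)),   # timeframe
        "by_type": dict(Counter(r["type"] for r in icmp)),        # which ICMP types
        "distinct_sources": len(targets),                         # all over vs. a few hosts
        "sweeping_sources": sorted(s for s, d in targets.items() if len(d) > 1),
        "single_target_sources": sorted(s for s, d in targets.items() if len(d) == 1),
    }


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("tcp/2967 sweepers:", port_scan_sources(records, 2967))
    print("ICMP correlation:", icmp_correlation(records))
```

On the constructed sample, one source is sweeping tcp/2967 across three hosts while another touched a single host once, and the ICMP side splits into one sweeping echo-request source and two single-target sources; that split is the difference between "someone is scanning my range" and "a few hosts are probing one box", which is what makes a packet report useful.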

--
Swa Frantzen -- Section 66



PHP security: the scene might change

Published: 2006-12-12
Last Updated: 2006-12-12 01:56:58 UTC
by Swa Frantzen (Version: 1)

Will drew our attention to an interesting read in Stefan Esser's blog: his resignation from the PHP Security Response Team. It's interesting to note that he has both discovered and reported PHP vulnerabilities in the past.

It seems the bottom line will be that we can expect some changes in how vulnerabilities in PHP are going to be handled in the future. It might include advisories about vulnerabilities without there being patches available. It might also mean an increase in the number of reported vulnerabilities.

Anyway, it'll be worth adding his PHP security blog to your routine if you need to know about PHP vulnerabilities.

Announcements of security vulnerabilities in widely deployed open source software without a matching patch are a very dangerous situation, so we hope this doesn't escalate too far.

--
Swa Frantzen -- Section 66
