Microsoft patch day
Microsoft is releasing today 12 new security bulletins:
Handlers actively working on these include Arrigo, John, Kyle, Lorna, Johannes, Scott and Swa.
- MS06-021 Cumulative patch for Internet Explorer - Critical
- MS06-022 ART image library buffer overflow - Critical
- MS06-023 Microsoft JScript memory corruption - Critical
- MS06-024 Windows media player - Critical
- MS06-025 RRAS - Critical
- MS06-026 Graphics rendering engine remote code execution - Critical
- MS06-027 Word remote code execution - Critical
- MS06-028 Powerpoint remote code execution -Critical
- MS06-029 Exchange - Important
- MS06-030 SMB privilege escalation - Important
- MS06-031 RPC mutual authentication spoofing - Moderate
- MS06-032 IP source routing allows remote code execution - Important
Handlers actively working on these include Arrigo, John, Kyle, Lorna, Johannes, Scott and Swa.
Keywords:
0 comment(s)
MS06-029: Script injection through Exchange/OWA
MS06-029 - KB 912442
Affected Software:
Severity: Important
Description: Microsoft Exchange servers running Outlook Web Access (OWA) to allow clients to remotely check emails are placing their clients at risk to a script injection vulnerability. A specially crafted email sent to the user and opened with OWA would allow the script to run. According to Microsoft "A script injection vulnerability exists that could allow an attacker to run a malicious script. If this malicious script is run, it would run in the security context of the user on the client." If you are running Microsoft Exchange OWA service, it is very important that you patch ASAP.
If you have been tracking the issue with Yahoo web mail, this should sound very familiar.
The vulnerability is covered in CVE-2006-1193.
--
Lorna Hutcheson
Affected Software:
- Microsoft Exchange 2000 Server Pack 3 with the August 2004 Exchange 2000 Server Post-Service Pack 3 Update Rollup
- Microsoft Exchange Server 2003 Service Pack 1
- Microsoft Exchange Server 2003 Service Pack 2
Severity: Important
Description: Microsoft Exchange servers running Outlook Web Access (OWA) to allow clients to remotely check emails are placing their clients at risk to a script injection vulnerability. A specially crafted email sent to the user and opened with OWA would allow the script to run. According to Microsoft "A script injection vulnerability exists that could allow an attacker to run a malicious script. If this malicious script is run, it would run in the security context of the user on the client." If you are running Microsoft Exchange OWA service, it is very important that you patch ASAP.
If you have been tracking the issue with Yahoo web mail, this should sound very familiar.
The vulnerability is covered in CVE-2006-1193.
--
Lorna Hutcheson
Keywords:
0 comment(s)
MS06-025: RRAS arbitrary code execution
MS06-025 - KB 911280
A CRITICAL vulnerability in Microsoft's Routing and Remote Access Services (RRAS). A successful exploit could allow an attacker to execute arbitrary code. In order to exploit the vulnerability remotely, an
attacker has to be able to log in to a system first.
The RRAS is used to connect to Microsoft networks remotely via dial up modems. With RRAS, a user can dial up to a remote network (e.g. corporate network) and access all services on the remote network like
connected locally. In addition, RRAS is used for various multi-protocol LAN/WAN connections via VPNs.
It is not clear how exactly the exploit would occur over a network, or what the traffic will look like. We will update this diary later once we figured it out. According to this list, RRAS uses port 1701/UDP (L2TP), 1723/TCP (PPTP), as well as protocols 47 (GRE), 51 (AH) and 50 (ESP). In particular the protocols other then TCP/UDP may not be blocked by all firewalls.
For most users, the best option is to disable the service. See the bulletin on how to do this. Double check that you disabled all guest accounts or other accounts that allow connections with no or weak passwords.
--
Johannes Ullrich
A CRITICAL vulnerability in Microsoft's Routing and Remote Access Services (RRAS). A successful exploit could allow an attacker to execute arbitrary code. In order to exploit the vulnerability remotely, an
attacker has to be able to log in to a system first.
The RRAS is used to connect to Microsoft networks remotely via dial up modems. With RRAS, a user can dial up to a remote network (e.g. corporate network) and access all services on the remote network like
connected locally. In addition, RRAS is used for various multi-protocol LAN/WAN connections via VPNs.
It is not clear how exactly the exploit would occur over a network, or what the traffic will look like. We will update this diary later once we figured it out. According to this list, RRAS uses port 1701/UDP (L2TP), 1723/TCP (PPTP), as well as protocols 47 (GRE), 51 (AH) and 50 (ESP). In particular the protocols other then TCP/UDP may not be blocked by all firewalls.
For most users, the best option is to disable the service. See the bulletin on how to do this. Double check that you disabled all guest accounts or other accounts that allow connections with no or weak passwords.
--
Johannes Ullrich
Keywords:
0 comment(s)
MS06-021: Internet Explorer patch
MS06-021 - KB 916281
Fixes memory corruption that can lead to remote code execution, disclosure of sensitive information and creation of additional accounts on the host operating system.
Microsoft rates this patch as critical and considering an impact of remote code execution in the client system, for a browser we woould rate such a thing as very critical.
Microsoft claims the attack vector has to be web based, the use of it through outlook should not be possible.
Please note that this patch affects the issues in kb 917425 by terminating the compatibility period.
This includes a fix for publicly known bugs: CSS cross domain information disclosure (CVE-2005-4089) and address bar spoofing (CVE-2006-1626).
--
Swa Frantzen -- section 66
Fixes memory corruption that can lead to remote code execution, disclosure of sensitive information and creation of additional accounts on the host operating system.
Microsoft rates this patch as critical and considering an impact of remote code execution in the client system, for a browser we woould rate such a thing as very critical.
Microsoft claims the attack vector has to be web based, the use of it through outlook should not be possible.
Please note that this patch affects the issues in kb 917425 by terminating the compatibility period.
This includes a fix for publicly known bugs: CSS cross domain information disclosure (CVE-2005-4089) and address bar spoofing (CVE-2006-1626).
--
Swa Frantzen -- section 66
Keywords:
0 comment(s)
MS06-031: RPC Mutual Authentication Vulnerability
MS06-031 - KB 917736
This looks to be an obscure bug that only affects Windows 2000. In
reality, the conditions for exploitation seem rare and no code execution
is possible. The bug only affects custom RPC applications using SSL
with mutual authentication, which probably doesn't amount to many
applications out there. Finally, the impact of this bug only
allows the attacker to impersonate a trusted RPC server - it doesn't
allow code execution.
For all the overworked sysadmins, you can probably leave this at the
bottom of your patch list.
this vulnerability is also covered in CVE-2006-2380.
--
Kyle Haugsness
This looks to be an obscure bug that only affects Windows 2000. In
reality, the conditions for exploitation seem rare and no code execution
is possible. The bug only affects custom RPC applications using SSL
with mutual authentication, which probably doesn't amount to many
applications out there. Finally, the impact of this bug only
allows the attacker to impersonate a trusted RPC server - it doesn't
allow code execution.
For all the overworked sysadmins, you can probably leave this at the
bottom of your patch list.
this vulnerability is also covered in CVE-2006-2380.
--
Kyle Haugsness
Keywords:
0 comment(s)
MS06-030: Microsoft SMB Vulnerabilities
MS06-030 - KB 914389
MS06-030 covers two vulnerabilities. The more severe one ("SMB Driver Elevation of Privilege Vulnerability") will allow an attacker who has regular user access to a system to gain administrator access. The attack requires some form of regular access, for example valid login credentials or an exploit against a regular user on the system.
You could disable the Workstation service to mitigate this vulnerability. However, this is probably only going to work for stand alone workstations. Disabling the Workstation service will break file and printer sharing.
The second vulnerability ("SMB Invalid Handle Vulnerability") results in a Denial of Service condition, but as the first vulnerability it requires valid login credentials.
This vulnerability is covered in CVE-2006-2373.
--
Johannes Ullrich
MS06-030 covers two vulnerabilities. The more severe one ("SMB Driver Elevation of Privilege Vulnerability") will allow an attacker who has regular user access to a system to gain administrator access. The attack requires some form of regular access, for example valid login credentials or an exploit against a regular user on the system.
You could disable the Workstation service to mitigate this vulnerability. However, this is probably only going to work for stand alone workstations. Disabling the Workstation service will break file and printer sharing.
The second vulnerability ("SMB Invalid Handle Vulnerability") results in a Denial of Service condition, but as the first vulnerability it requires valid login credentials.
This vulnerability is covered in CVE-2006-2373.
--
Johannes Ullrich
Keywords:
0 comment(s)
Barracuda Networks outage statement
A number of readers have written in about problems with their Barracuda Networks mail appliances. Barracuda networks sent in their public statement:
"Outage on 6/13/2006 for Barracuda Spam Firewall Customers
Barracuda Networks remains committed to open communications with our customer base. This morning, we had an outage that affected a large number of Barracuda Spam Firewall customers. The affected customers were Barracuda Spam Firewall customers employing the virus scan feature of the Barracuda Spam Firewall using virus definition 1.5.144. The outage resolved itself with a subsequent Energize Update to virus definition 1.5.145.
Details:
Beginning at 4:53 AM PST today, a faulty virus definition was released that had an incomplete virus database (virus definition 1.5.144). To protect our customers in the event such a circumstance occurred, the Barracuda Spam Firewall has a built in precautionary feature which automatically prevents email from being sent through in order to keep potentially infected emails from being delivered. Any Barracuda Spam Firewall in the field that had received virus definition 1.5.144 immediately began to queue all incoming messages until the complete virus database became available.
At 7:02 AM PST, the majority of Barracuda Spam Firewalls automatically received virus definition 1.5.145 containing the complete virus database, and email began to process normally for those customers previously affected.
The cause of the incomplete virus definition has been identified and resolved, and additional measures have been put in place to prevent this issue from occuring in the future.
Due to the volume of calls to our Technical Support department during this period, we did experience a phone system malfunction which caused many customers to have to wait for longer periods of time than what they have come to expect. We apologize for any delay or inconvenience this may have caused and feel confident that our support department is back online and ready to assist customers right away.
Thank you for your patience. We look forward to continuing to provide all our customers with the same high quality service and support that they have come to rely on.
Sincerely,
Barracuda Networks Support and Operations Teams"
"Outage on 6/13/2006 for Barracuda Spam Firewall Customers
Barracuda Networks remains committed to open communications with our customer base. This morning, we had an outage that affected a large number of Barracuda Spam Firewall customers. The affected customers were Barracuda Spam Firewall customers employing the virus scan feature of the Barracuda Spam Firewall using virus definition 1.5.144. The outage resolved itself with a subsequent Energize Update to virus definition 1.5.145.
Details:
Beginning at 4:53 AM PST today, a faulty virus definition was released that had an incomplete virus database (virus definition 1.5.144). To protect our customers in the event such a circumstance occurred, the Barracuda Spam Firewall has a built in precautionary feature which automatically prevents email from being sent through in order to keep potentially infected emails from being delivered. Any Barracuda Spam Firewall in the field that had received virus definition 1.5.144 immediately began to queue all incoming messages until the complete virus database became available.
At 7:02 AM PST, the majority of Barracuda Spam Firewalls automatically received virus definition 1.5.145 containing the complete virus database, and email began to process normally for those customers previously affected.
The cause of the incomplete virus definition has been identified and resolved, and additional measures have been put in place to prevent this issue from occuring in the future.
Due to the volume of calls to our Technical Support department during this period, we did experience a phone system malfunction which caused many customers to have to wait for longer periods of time than what they have come to expect. We apologize for any delay or inconvenience this may have caused and feel confident that our support department is back online and ready to assist customers right away.
Thank you for your patience. We look forward to continuing to provide all our customers with the same high quality service and support that they have come to rely on.
Sincerely,
Barracuda Networks Support and Operations Teams"
Keywords:
0 comment(s)
MS06-032: Source routing buffer overflow
MS06-032 - KB 917953
While Microsoft rates this as important only, we at the Internet Storm Center feel that it is very critical. It is easy to exploit this. One (spoofed) packet could allow an attacker to "own" a vulnerable system. The TCP/IP stack is vulnerable to a buffer overflow in the handling of source routed packets.
While some firewalls might protect from this, consider systems that are used on the road such as in airport, hotels, ... so they must be protected now.
Workarounds:
--
Swa Frantzen -- section 66
While Microsoft rates this as important only, we at the Internet Storm Center feel that it is very critical. It is easy to exploit this. One (spoofed) packet could allow an attacker to "own" a vulnerable system. The TCP/IP stack is vulnerable to a buffer overflow in the handling of source routed packets.
While some firewalls might protect from this, consider systems that are used on the road such as in airport, hotels, ... so they must be protected now.
Workarounds:
- Block packets with source routing options in the firewall. According to Microsoft "IP source route options 131 and 137" are the dangerous ones, but why would you allow source routing through your firewall anyway?
- Personal firewall might help as well
- Disable source routing in windows by setting a registry key (see the Microsoft bulletin for details) [highly recommended action, even if you patched already]
--
Swa Frantzen -- section 66
Keywords:
0 comment(s)
MS06-027: MS Word object pointer / Remote Code Execution
MS06-027 - KB 919637
Vulnerable: Word 2000 (including Word Viewer 2003) and better and Works 2000 and better
Not Vulnerable: Word for Mac
This is a remote code execution vulnerability that uses a malformed object pointer to corrupt system memory and can be used to execute arbitrary code. If the user logged in has administrative privileges, the exploit will run with those same privileges and could take complete system control.
In order to successfully exploit this vulnerability, an attacker would have to persuade a user to open a malicious Word document, either through e-mail or a web page. This vulnerability is marked critical and Microsoft Office users should apply the patch immediately.
It is possible to not log in with an administrator-level account, but that would not prevent "spyware" classes of attacks.
--
John Bambenek -- University of Illinois
Vulnerable: Word 2000 (including Word Viewer 2003) and better and Works 2000 and better
Not Vulnerable: Word for Mac
This is a remote code execution vulnerability that uses a malformed object pointer to corrupt system memory and can be used to execute arbitrary code. If the user logged in has administrative privileges, the exploit will run with those same privileges and could take complete system control.
In order to successfully exploit this vulnerability, an attacker would have to persuade a user to open a malicious Word document, either through e-mail or a web page. This vulnerability is marked critical and Microsoft Office users should apply the patch immediately.
It is possible to not log in with an administrator-level account, but that would not prevent "spyware" classes of attacks.
--
John Bambenek -- University of Illinois
Keywords:
0 comment(s)
MS06-011 Updated
MS06 - 011 - KB 914798
This update was originally released in March. Our analysis at the time is located here.
The bulletin was re-released today with a number of tweaks. "This update has been revised to include updated registry key values for the NetBT, RemoteAccess, and TCPIP services. These values have been modified to be the same as Windows XP Service Pack 2 on Windows XP Service Pack 1 systems, and the same as Windows 2003 Service Pack 1 on Windows 2003 systems with no service pack applied. Customers are encouraged to apply this revised update for additional security from privilege elevation through the these services as described in the Vulnerability Details section of this security bulletin."
Scott Fendley - Univ of Arkansas
This update was originally released in March. Our analysis at the time is located here.
The bulletin was re-released today with a number of tweaks. "This update has been revised to include updated registry key values for the NetBT, RemoteAccess, and TCPIP services. These values have been modified to be the same as Windows XP Service Pack 2 on Windows XP Service Pack 1 systems, and the same as Windows 2003 Service Pack 1 on Windows 2003 systems with no service pack applied. Customers are encouraged to apply this revised update for additional security from privilege elevation through the these services as described in the Vulnerability Details section of this security bulletin."
Scott Fendley - Univ of Arkansas
Keywords:
0 comment(s)
MS06-028: PowerPoint malformed record / Remote Code Execution
MS06-028 - KB 916768
Vulnerable: Office 2000, XP, 2003 for Windows and Office v.X and Office 2004 for Mac (yes, this vulnerability is present on Mac systems)
This vulnerability affects PowerPoint documents and allows for remote code execution with the privileges of the logged in user. A malicious PowerPoint document with a malformed record can corrupt system memory and be used to execute code. This patch replaces MS06-010 for PowerPoint 2000.
An attacker would have to somehow convince a victim to open a malicious PowerPoint file to exploit this vulnerability (either by e-mail or web download, for instance). If the user is logged in as administrator, an attacker would gain full control of the system. Presumably, different malicious PowerPoint files would have to be created to exploit Windows and Mac (i.e. the same PowerPoint file would likely not be able to exploit both operating systems).
This patch is classified critical for PowerPoint 2000 only, and important for all other versions (including Mac). This patch fixes the vulnerability detailed in CVE-2006-0022. Users are advised to apply this patch if they use Microsoft PowerPoint.
John Bambenek -- University of Illinois
Vulnerable: Office 2000, XP, 2003 for Windows and Office v.X and Office 2004 for Mac (yes, this vulnerability is present on Mac systems)
This vulnerability affects PowerPoint documents and allows for remote code execution with the privileges of the logged in user. A malicious PowerPoint document with a malformed record can corrupt system memory and be used to execute code. This patch replaces MS06-010 for PowerPoint 2000.
An attacker would have to somehow convince a victim to open a malicious PowerPoint file to exploit this vulnerability (either by e-mail or web download, for instance). If the user is logged in as administrator, an attacker would gain full control of the system. Presumably, different malicious PowerPoint files would have to be created to exploit Windows and Mac (i.e. the same PowerPoint file would likely not be able to exploit both operating systems).
This patch is classified critical for PowerPoint 2000 only, and important for all other versions (including Mac). This patch fixes the vulnerability detailed in CVE-2006-0022. Users are advised to apply this patch if they use Microsoft PowerPoint.
John Bambenek -- University of Illinois
Keywords:
0 comment(s)
MS06-026: Graphics Rendering Engine / Remote Code Execution
MS06 - 026 - KB 918547
** This vulnerability ONLY applies to Windows 98, 98SE, and ME (We aren't still running these, are we?). Windows 2000, XP and beyond are not vulnerable **
This is a critical vulnerability in the Graphics Rednering Engine that allows remote code execution of the target system using specifically crafted WMF files. When successfully exploited, the target system can be completely compromised. This is a new vulnerability not associated with the WMF vulnerabilities from earlier this year. An attacker can exploit this vulnerability by using a specifically crafted webpage (and getting the victim to view that page) or by sending an exploit in email (where the email reader renders images).
If you are running Windows 98, 98SE, or ME, you should upgrade your operating system to Windows 2000, XP or later. If you cannot upgrade, this patch should be installed immediately.
John Bambenek -- University of Illinois
** This vulnerability ONLY applies to Windows 98, 98SE, and ME (We aren't still running these, are we?). Windows 2000, XP and beyond are not vulnerable **
This is a critical vulnerability in the Graphics Rednering Engine that allows remote code execution of the target system using specifically crafted WMF files. When successfully exploited, the target system can be completely compromised. This is a new vulnerability not associated with the WMF vulnerabilities from earlier this year. An attacker can exploit this vulnerability by using a specifically crafted webpage (and getting the victim to view that page) or by sending an exploit in email (where the email reader renders images).
If you are running Windows 98, 98SE, or ME, you should upgrade your operating system to Windows 2000, XP or later. If you cannot upgrade, this patch should be installed immediately.
John Bambenek -- University of Illinois
Keywords:
0 comment(s)
MS06-023: Microsoft's JScript remote code execution
MS06-023 - KB 917344
A problem in JScript where it releases memory too soon can cause memory corruption and lead to remoee code execution.
The attack vector is web based where visiting malicious contant is sufficint to exploit the browser. This is strongly linked with MS06-021 and Microsoft recommends to install both at the same time.
Obviously it's better not to log in with administrative rights as it makes the impact of these vulnerabilities a lot worse.
--
Swa Frantzen -- section 66
A problem in JScript where it releases memory too soon can cause memory corruption and lead to remoee code execution.
The attack vector is web based where visiting malicious contant is sufficint to exploit the browser. This is strongly linked with MS06-021 and Microsoft recommends to install both at the same time.
Obviously it's better not to log in with administrative rights as it makes the impact of these vulnerabilities a lot worse.
--
Swa Frantzen -- section 66
Keywords:
0 comment(s)
MS06-022: buffer overflow in ART image rendering library
MS06-022 - KB 918439
ART is an image file format (yep, image formats are still popular reasearch topics for hackers it seems). The format is used by AOL.
The impact of this is that users logged in with administrative rights can be exploited with remote code execution.
Microsoft rates this vulnerability as critical.
The patch removes support for ART image files from MSIE, as such they will not be rendered any longer.
It's interesting to note that the image library is an optional install on windows 2000.
Workarounds:
--
Swa Frantzen -- section 66
ART is an image file format (yep, image formats are still popular reasearch topics for hackers it seems). The format is used by AOL.
The impact of this is that users logged in with administrative rights can be exploited with remote code execution.
Microsoft rates this vulnerability as critical.
The patch removes support for ART image files from MSIE, as such they will not be rendered any longer.
It's interesting to note that the image library is an optional install on windows 2000.
Workarounds:
- Do not login as administrator or with an account with administative rights, it's dangerous.
- Consider switching to an alternative browser, they work really well and it makes the lives of the hackers harder is not all of us use the same browser with the same vulnerabilities.
--
Swa Frantzen -- section 66
Keywords:
0 comment(s)
MS06-024: buffer overflow in windows media player
MS06-024 - KB 917734
Windows Media player is vulnerable in it's handling of PNG images.
Microsoft rates his vulnerability as critical. It allows remote code execution.
Attack vectors of both email and web are possible through the use of .wmz files.
Workarounds will be based on content filetring in gateways, but might be below par on effectiveness if you count encrypted messages and the like as possible exploit vectors.
--
Swa Frantzen -- section 66
Windows Media player is vulnerable in it's handling of PNG images.
Microsoft rates his vulnerability as critical. It allows remote code execution.
Attack vectors of both email and web are possible through the use of .wmz files.
Workarounds will be based on content filetring in gateways, but might be below par on effectiveness if you count encrypted messages and the like as possible exploit vectors.
--
Swa Frantzen -- section 66
Keywords:
0 comment(s)
Javascript/AJAX/Worm Like Behavior
We have seen the Yamanner worm spread throughout Yahoo over the past few days. This worm manages to spread without the user doing anything other than viewing a malicious email. Yahoo to its credit had already
fixed the exploit in it's new beta client.
Software developers, and webmasters alike should take this as a warning, new exploits will be coming that will use javascript and Ajax-like behavior to spread. The current worm could be readily modified to spread across many systems that do not escape javascript when displaying data from a foreign source. Many web developers should reexamine their code, and make sure that display functions do not deliver potentially malicious code.
After testing several popular web applications, we have found that several are in fact vulnerable to the very same type of exploit. Good coding practices, verifying that users are coming from an authorized form and that they are not submitting malicious code can protect developers against this type of exploit.
We will be sending notice to affected software vendors that we have identified at this time, however we currently do not have plans to publish specific applications until new releases/patches are available.
fixed the exploit in it's new beta client.
Software developers, and webmasters alike should take this as a warning, new exploits will be coming that will use javascript and Ajax-like behavior to spread. The current worm could be readily modified to spread across many systems that do not escape javascript when displaying data from a foreign source. Many web developers should reexamine their code, and make sure that display functions do not deliver potentially malicious code.
After testing several popular web applications, we have found that several are in fact vulnerable to the very same type of exploit. Good coding practices, verifying that users are coming from an authorized form and that they are not submitting malicious code can protect developers against this type of exploit.
We will be sending notice to affected software vendors that we have identified at this time, however we currently do not have plans to publish specific applications until new releases/patches are available.
Keywords:
0 comment(s)
×
![modal content]()
Diary Archives
Comments