November 14, 2006
Microsoft Patch Disclosure - November 2006
This month Microsoft released six bulletins which repair a total of thirteen individual vulnerabilities, three of which have already been publicly exploited on the Internet as "zero-day" vulnerabilities. eEye's Blink Professional and Blink Personal software protected systems against these zero-day exploits prior to their release. Blink does not require updated signatures or updated rule sets to provide protection, unlike other host protection products.
Four of today's six patches deal with ActiveX vulnerabilities, and the other two represent remotely-accessible network services. eEye is credited for the discovery of MS06-070, which was patched 112 days after disclosure to Microsoft. Like every month, eEye suggests that users roll out these patches as fast as possible, but preferably after testing the impact on internal applications and network continuity.
This Month's Bulletins
Critical
- MS06-067 - Cumulative Security Update for Internet Explorer
- MS06-068 - Vulnerability in Microsoft Agent Could Allow Remote Code Execution
- MS06-069 - Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution
- MS06-070 - Vulnerability in Workstation Service Could Allow Remote Code Execution
- MS06-071 - Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
- MS06-066 - Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution
Bulletin Summary
MS06-066
Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution (923980)
http://www.microsoft.com/technet/security/bulletin/MS06-066.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: High
Description
This patch fixes two vulnerabilities within the Client Service for NetWare. This service is not enabled by default on Windows, but is commonly found running in heterogeneous networks that have NetWare hosts. These networks are most at risk from this vulnerability, but any host running the Client Service for NetWare (CSNW) is potentially exploitable.
- CVE-2006-4688 - Client Service for NetWare Memory Corruption Vulnerability
This vulnerability allows a remote, anonymous attacker to execute arbitrary code on a remote system.
- CVE-2006-4689 - NetWare Driver Denial of Service Vulnerability
This vulnerability, when exploited, causes a kernel-mode denial of service resulting in blue-screen (BSOD) on the affected host.
Recommendations
Because both of the vulnerabilities fixed in this patch are high impact, eEye recommends applying this patch as soon as possible. Also, for hosts where the Client Service for NetWare (CSNW) is enabled but is not actually being used, eEye suggests disabling this service to have less of a potential attack surface.
MS06-067
Cumulative Security Update for Internet Explorer (922760)
http://www.microsoft.com/technet/security/bulletin/MS06-067.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes three vulnerabilities within Internet Explorer. The first two vulnerabilities, both related to daxctle.ocx, were "zero-day" vulnerabilities that were publicly disclosed without notifying Microsoft first. Public exploits have existed for these vulnerabilities since August 28, 2006. It should be noted that Microsoft did not actually repair the underlying heap-overflow zero-day vulnerability reported in August, but instead disabled the use of DirectAnimation.PathControl entirely with a simple registry modification. The third vulnerability attacks Internet Explorer code directly via HTML layout mangling.
- CVE-2006-4446 - Heap-based buffer overflow in DirectAnimation.PathControl COM object
This vulnerability allows for the remote execution of code in the context of the logged-in user by exploiting the DirectAnimation.PathControl ActiveX object (daxctle.ocx). The vulnerable code is reached via a Spline function call whose first argument specifies a large number of points. The common vector for this exploitation is typically a specially-crafted web page that calls the vulnerable ActiveX object, which is why a kill-bit for this ActiveX object was included as part of the Internet Explorer cumulative update.
- CVE-2006-4777 - Heap-based buffer overflow in the DirectAnimation Path Control COM object
This vulnerability allows for the remote execution of code in the context of the logged-in user by exploiting the DirectAnimation.PathControl ActiveX object (daxctle.ocx). The vulnerable code (different from CVE-2006-4446) is reached by manipulating arguments to the KeyFrame method. Although exploitation details are still at a minimum, most signs point to an integer overflow vulnerability. The common vector for this exploitation is typically a specially-crafted web page that calls the vulnerable ActiveX object, which is why a kill-bit for this ActiveX object was included as part of the Internet Explorer cumulative update.
This vulnerability allows for the remote execution of code in the context of the logged-in user by exploiting an HTML layout handling vulnerability that is caused by the way that Internet Explorer handles certain HTML layout combinations.
Recommendations
Although kill-biting the CLSID entries for DirectAnimation.PathControl will stop the attack vector for two of the vulnerabilities, the patch is still necessary for the third vulnerability that does not attack an ActiveX control. Also, considering that exploit code has been available for two of these vulnerabilities for quite some time, eEye recommends that users protect their systems with this patch as soon as possible.
MS06-068
Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213)
http://www.microsoft.com/technet/security/bulletin/MS06-068.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes a vulnerability in the Microsoft Agent ActiveX Control. Microsoft Agent is not installed by default on Microsoft Windows machines, but can easily be installed by normal ActiveX installations.
- CVE-2006-3445 - Microsoft Agent Memory Corruption Vulnerability
This vulnerability allows for the remote execution of code in the context of the logged in user by exploiting the Microsoft Agent ActiveX object.
Recommendations
eEye recommends that users with Microsoft Agent apply this patch as soon as possible. To identify hosts with Microsoft Agent installed, users can perform an audit for the ActiveX registry key entry: "HKEY_CLASSES_ROOT\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}".
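A defender-side check for the two ActiveX recommendations above (the kill-bit mitigation discussed under MS06-067 and the registry audit for MS06-068), written as an added PowerShell example that is not part of the eEye advisory. It uses the Microsoft Agent CLSID given in the advisory; the DirectAnimation.PathControl CLSID is not stated on this page and is left as a placeholder to be filled in from the MS06-067 bulletin. The registry paths and the 0x400 "Compatibility Flags" value are Microsoft's documented Internet Explorer kill-bit mechanism; the function names and the control list are assumptions of this example.

```powershell
# Added example (not eEye's code): audit this host for the ActiveX controls named in
# MS06-067/MS06-068, reporting whether each is registered and whether IE's kill bit is set.
# The Microsoft Agent CLSID is taken from the advisory; the other entry is a placeholder.

$controls = @(
    @{ Name = 'Microsoft Agent (MS06-068)';             Clsid = '{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}' }
    @{ Name = 'DirectAnimation.PathControl (MS06-067)'; Clsid = '{CLSID-FROM-MS06-067-BULLETIN}' }   # placeholder
)

# Bit 0x400 in "Compatibility Flags" tells Internet Explorer never to instantiate the control.
$KillBit = 0x400

function Get-ActiveXKillBitStatus {
    param([string]$Name, [string]$Clsid)

    $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

    # A control is only a browser-side exposure if its CLSID is registered on this host.
    $registered = Test-Path $clsidKey
    $server = $null
    if ($registered) {
        $server = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    }

    # Read the current compatibility flags (missing key or value means no kill bit).
    $flags = 0
    if (Test-Path $compatKey) {
        $flags = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { $flags = 0 }
    }

    [pscustomobject]@{
        Control    = $Name
        CLSID      = $Clsid
        Registered = $registered
        Server     = $server
        KillBitSet = (($flags -band $KillBit) -ne 0)
    }
}

function Set-ActiveXKillBit {
    # Mitigation only: blocks the browser vector for the control, it does not replace the patch.
    # Requires an elevated shell; OR the bit in so other compatibility flags are preserved.
    param([string]$Clsid)
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

$results = foreach ($c in $controls) { Get-ActiveXKillBitStatus @c }
$results | Format-Table -AutoSize

# Registered controls without a kill bit are the hosts still reachable through the web-page vector.
$results | Where-Object { $_.Registered -and -not $_.KillBitSet } |
    ForEach-Object { Write-Warning "Exposed: $($_.Control) [$($_.CLSID)]" }

# To apply the mitigation to one of the reported controls (elevated shell):
# Set-ActiveXKillBit -Clsid '{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}'
```

Run the script unprivileged for the audit; only Set-ActiveXKillBit writes to HKLM. Because the kill bit only stops Internet Explorer from loading the control, a host that shows KillBitSet = True for Microsoft Agent is protected against the web-page vector described above but still needs the MS06-068 patch installed, and the MS06-067 patch remains necessary regardless for CVE-2006-4687, which does not involve an ActiveX control.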
MS06-069
Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789)
http://www.microsoft.com/technet/security/bulletin/MS06-069.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes five vulnerabilities within the Macromedia Flash Player from Adobe. Two of the vulnerabilities have minimal vulnerability details, and the remaining three remain "unspecified vulnerabilities". However, since there is a buffer overflow vulnerability present (CVE-2006-3311), the severity of this bulletin remains critical because of the high probability of exploitation of this vulnerability.
- CVE-2006-3311 - Buffer Overflow In Adobe Flash Player
This vulnerability allows for the remote execution of code in the context of the logged-in user by exploiting the Adobe Flash ActiveX object.
- CVE-2006-3014 - Excel Embedded Shockwave Flash ActiveX Arbitrary JavaScript Execution
This vulnerability, when exploited, allows an attacker to execute arbitrary JavaScript on a remote host by embedding a Shockwave Flash Player ActiveX object in a spreadsheet; the object is automatically executed when the user opens the spreadsheet.
- CVE-2006-3587, CVE-2006-3588, CVE-2006-4640 - Unspecified vulnerabilities within Adobe Flash Player prior to 9.0.16.0
Recommendations
eEye recommends that users with Adobe Flash apply this patch as soon as possible in order to upgrade Flash to version 9.0.16.0.
Resources
Adobe Advisory [APSB06-11]
MS06-070
Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
http://www.microsoft.com/technet/security/bulletin/MS06-070.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes a vulnerability within the Workstation Service on Windows 2000 and Windows XP. Exploit code is rumored to be available for this vulnerability, which could allow for rapid exploitation of vulnerable hosts.
- CVE-2006-4691 - Workstation Service Memory Corruption Vulnerability
This vulnerability allows a remote, anonymous attacker to execute arbitrary code on a remote system running Windows 2000 Service Pack 4, and allows remote code execution with authentication on Windows XP Service Pack 1. On Windows XP Service Pack 2, this vulnerability allows only local privilege escalation from Administrator to SYSTEM, which is not as critical a threat. This vulnerability requires no user interaction.
Recommendations
eEye recommends that all hosts apply the patch for this high-impact vulnerability as soon as possible.
Resources
eEye Advisory: Workstation Service NetpManageIPCConnect Buffer Overflow
MS06-071
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)
http://www.microsoft.com/technet/security/bulletin/MS06-071.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes a zero-day vulnerability within the XML Core Services which allows for the execution of arbitrary code under the context of the logged-in user. This vulnerability was released publicly as an exploit prior to notifying Microsoft, putting users at risk for exploitation without an available patch.
- CVE-2006-5745 - Microsoft XML Core Services Vulnerability
This vulnerability allows a remote, anonymous attacker to execute arbitrary code on a remote system by exploiting the XMLHTTP ActiveX control within Microsoft XML Core Services 4 or 6.
Recommendations
Considering that exploit code has been available for this vulnerability, eEye recommends that users protect their systems with this patch as soon as possible.
The eEye Advantage
Retina® Network Security Scanner
eEye Digital Security's Retina customers can update their scanner to detect systems vulnerable to these issues and verify if this month's Microsoft patches are installed. Retina audits are available to customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/html/mspatch/november2006.html
Blink® Endpoint Vulnerability Prevention
eEye's Blink protects against the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality. Additionally, Blink does not require the killing of services or applications as a means of protection. The result is 100% protection, with zero downtime or impact to operations.
Current Blink customers aren't required to do anything to realize the protection from these flaws. No updates or policy changes are required. If you are interested in protecting your systems with Blink, an evaluation version is available for download here:
http://www.eeye.com/html/products/blink/download/index.html
Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
