August 8, 2006
Microsoft Patch Disclosure - August 2006
We hope those of you who were on summer holidays or attending the Black Hat Briefings in Las Vegas last week are well rested, because today's patch Tuesday has brought us twelve patches, nine of which are critical. If we count the number of vulnerabilities fixed in these patches, we arrive at a total of 23. Of course, not all of the 23 are critical, but a number of the issues were publicly disclosed before the patch or have been reported as being actively exploited in the wild.
For additional insight on this month's vulnerabilities, please join the eEye Research Team for a Vulnerability Expert Forum online seminar on Wednesday and Thursday of this week.
This Month's Bulletins
Critical
- MS06-040 - Vulnerability in Server Service Could Allow Remote Code Execution
- MS06-041 - Vulnerability in DNS Resolution Could Allow Remote Code Execution
- MS06-042 - Cumulative Security Update for Internet Explorer
- MS06-043 - Vulnerability in Microsoft Windows Could Allow Remote Code Execution
- MS06-044 - Vulnerability in Microsoft Management Console Could Allow Remote Code Execution
- MS06-046 - Vulnerability in HTML Help Could Allow Remote Code Execution
- MS06-047 - Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution
- MS06-048 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
- MS06-051 - Vulnerability in Windows Kernel Could Result in Remote Code Execution
Moderate
- MS06-045 - Vulnerability in Windows Explorer Could Allow Remote Code Execution
- MS06-049 - Vulnerability in Windows Kernel Could Result in Elevation of Privilege
- MS06-050 - Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution
Bulletin Summary
MS06-040
Vulnerability in Server Service Could Allow Remote Code Execution (921883)
http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
Last month MS06-035 addressed issues in the Server Service, and this month MS06-040 is another patch addressing different issues in the same service. As you may remember from last month, exploitation of that issue was difficult and not completely anonymous on all operating systems. This time around, the vulnerability, an unchecked buffer in the Server Service, allows for anonymous remote exploitation. In addition, US-CERT and Microsoft have both stated that they have observed existing exploits for this vulnerability. At the time of writing, the full story about the known attacks using this vulnerability is not public, but watch the eEye Research BLOG for more information.
Recommendations
While eEye cannot confirm or deny claims of exploits in the wild, we have no choice but to trust them until proven otherwise. Because of this, we recommend that users who cannot install this patch immediately ensure that TCP ports 139 and 445 are blocked at corporate gateways. Obviously, blocking these ports internally is not an option, as it will break many essential services.
Resources
eEye Research BLOG
MS06-041
Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)
http://www.microsoft.com/technet/security/bulletin/MS06-041.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch addresses two separate issues in Microsoft's implementation of DNS. CVE-2006-3440 is a remote code execution vulnerability in Winsock that allows code to be executed when a user is tricked into opening a file or visiting a maliciously crafted website. The second issue, CVE-2006-3441, is a DNS Client buffer overrun vulnerability that also allows remote code execution.
Recommendations
Both of these issues are serious, but there are some mitigation steps that can be taken by those who are not able to install the patch immediately. For CVE-2006-3440, Microsoft suggests editing the registry to remove the attack vectors; for CVE-2006-3441, you can block specific DNS record types at your gateway. While these are useful short-term mitigations, they do not fix the actual vulnerability, so it is recommended that this patch be installed.
MS06-042
Cumulative Security Update for Internet Explorer (918899)
http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This month we have yet another Internet Explorer cumulative update. This one addresses eight different issues, some of which have already been publicly disclosed. As with past Internet Explorer vulnerabilities, all of these issues require vulnerable users to be tricked into visiting a malicious website or, in some cases, opening a malicious HTML file. Some of the issues fixed in this update allow for remote code execution, which takes place in the context of the logged-in user.
Recommendations
User education is the best defense, as we have all seen how easy it can be to trick users into visiting malicious websites. It is also recommended that administrators not use their administrative accounts when not performing administrative tasks. The best way to prevent users from becoming victims is to install this patch.
MS06-043
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)
http://www.microsoft.com/technet/security/bulletin/MS06-043.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This Microsoft bulletin addresses a flaw in the way Windows parses the MHTML protocol. Using a maliciously crafted website or HTML email, an attacker can execute code on a vulnerable system. As with the Internet Explorer vulnerabilities in the previous bulletin, the code is executed in the context of the logged-in user.
Recommendations
This vulnerability is another one that was publicly disclosed before the vendor patch. This means that the risk of exploitation is higher and will remain high until the patch is installed. Users who cannot install the patch immediately may also disable MHTML parsing via the registry, but should note that doing so will prevent all MHTML content, even non-malicious content, from being rendered.
MS06-044
Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)
http://www.microsoft.com/technet/security/bulletin/MS06-044.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This bulletin can be a bit inconsistent and confusing for those who take the time to read the entire thing. At one point the bulletin states:
"To attempt to exploit the vulnerability, an attacker must be able to log on locally to the system and run a program."
But the rest of the bulletin talks about exploiting this issue via a maliciously crafted website, which of course does not require the attacker to log on locally.
The bulletin is also unclear about the level of rights an attacker will have if he exploits a vulnerable system. At one point the bulletin states:
"An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
But then it points out:
"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
On the last Windows system we looked at, administrative rights were required to "create new accounts with full user rights" and, in some cases, even to install programs.
So, to try to clear up the confusion: yes, this is a web-based attack scenario that requires the victim to perform multiple actions, starting with clicking on a malicious link or visiting a malicious website. Note that it has also been pointed out that malicious banner ads can be used. At this point exploitation is not automatic and still requires user interaction. Once exploited, an attacker can run commands in the context of the logged-in user. Because we are talking about Microsoft Management Console, it is safe to assume that the logged-in user will be an Administrator.
Recommendations
We recommend that this patch be installed, since the workaround suggested by Microsoft - disabling active scripting - will typically cause more problems than it solves.
MS06-045
Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)
http://www.microsoft.com/technet/security/bulletin/MS06-045.mspx
Microsoft Severity Rating: Moderate
eEye Severity Rating: Moderate
Description
This vulnerability lies in the way Windows Explorer handles drag-and-drop events, and it allows code execution in the context of the logged-in user.
For this vulnerability to be exploited, users must first be tricked into visiting a malicious website, saving a malicious file, and then executing that file. Alternatively, this vulnerability can be exploited via email attachments, but that still requires the victim to open the attachment.
Recommendations
By now everyone should be aware of the dangers of downloading and opening unknown files. That said, attack vectors that require this much user interaction have still proven to be somewhat successful. This patch should be installed as part of your normal patch management process.
MS06-046
Vulnerability in HTML Help Could Allow Remote Code Execution (922616)
http://www.microsoft.com/technet/security/bulletin/MS06-046.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This is a vulnerability in a string buffer in the HTML Help ActiveX control. It is a different issue from the one discovered by the eEye Research Team back in March 2005 and patched in June.
This vulnerability, when exploited via a malicious website, executes commands in the context of the logged-in user.
Recommendations
There are a number of workarounds for this vulnerability, each of which has its own effect on various functionality. It is recommended that users install this patch.
MS06-047
Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)
http://www.microsoft.com/technet/security/bulletin/MS06-047.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch addresses a vulnerability in the way VBA checks certain document properties when opening a document. Exploitation allows remote code execution in the context of the logged-in user. At first glance many might dismiss this vulnerability, as it would appear that a vulnerable user has to open a document in order to be exploited. However, the malicious code may also be embedded in Microsoft Office documents and in HTML emails! In the email attack vector, a user would only be exploited if they reply to or forward the malicious message.
Think about that last sentence for a moment. In the battle to reduce spam, many IT organizations set up a folder and ask their users to FORWARD spam messages to it. That process makes for a great attack vector.
Recommendations
While many of the attack vectors for this vulnerability require some level of user interaction, the potential email attack vector makes this vulnerability a dangerous one for spam-based attacks, although users of Outlook 2002 and 2003 will be warned of potential problems. We recommend that this patch be installed.
MS06-048
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)
http://www.microsoft.com/technet/security/bulletin/MS06-048.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch addresses two separate issues in Microsoft PowerPoint that both allow remote code execution. One of the issues, CVE-2006-3590, is the infamous PowerPoint "zero day" vulnerability we saw being used in attacks shortly after July's patch Tuesday.
For both vulnerabilities, exploitation results in code execution in the context of the logged-in user.
Recommendations
Because one of the issues has already been actively used in attacks, we recommend that this patch be installed.
MS06-049
Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)
http://www.microsoft.com/technet/security/bulletin/MS06-049.mspx
Microsoft Severity Rating: Moderate
eEye Severity Rating: Moderate
Description
This patch addresses an unchecked buffer in the Windows kernel and affects only Windows 2000 systems. It is a local privilege escalation vulnerability that requires the attacker to be able to log into the system.
Recommendations
While this vulnerability cannot be exploited over the Internet, it is a prime vulnerability for use in a staged attack, possibly in conjunction with some of the other vulnerabilities patched today. We recommend that this patch be installed.
MS06-050
Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)
http://www.microsoft.com/technet/security/bulletin/MS06-050.mspx
Microsoft Severity Rating: Moderate
eEye Severity Rating: Moderate
Description
This patch fixes two separate issues in the way Windows handles Hyperlink Objects.
The first issue, CVE-2006-3086, is an unchecked buffer in the code used for handling hyperlinks. This vulnerability, when exploited via a malicious hyperlink, leads to remote code execution in the context of the logged-in user. The second issue, CVE-2006-3438, is also exploited via a malicious hyperlink and takes advantage of an unchecked buffer, again allowing remote code execution.
Recommendations
When exploited, both of these issues result in remote code execution in the context of the logged-in user, so we recommend that you install this patch. There are also multiple workarounds for these vulnerabilities, but each has its own potentially undesirable impact.
MS06-051
Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422)
http://www.microsoft.com/technet/security/bulletin/MS06-051.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch addresses two issues. The first, CVE-2006-3443, is a privilege escalation vulnerability that allows a logged-in user to gain additional access. The second, CVE-2006-3648, is a remote code execution vulnerability that results from the way exception handling is managed.
As with a previous bulletin, there are a few errors in the exploit scenarios, especially for the second vulnerability, where the bulletin incorrectly states that an attacker needs to be logged on to exploit the vulnerability.
The reality is that CVE-2006-3648 can be exploited via a malicious website or even banner advertisements.
Recommendations
While the Microsoft bulletin states that, for the first issue to be a risk, the attacker must already have login credentials, remember that these types of threats can be used in staged attacks. The second issue can be exploited via malicious websites or banner ads, so we recommend that this update be installed.
The eEye Advantage
Retina® Network Security Scanner
eEye Digital Security's Retina customers can update their scanner to detect systems vulnerable to these issues and verify whether this month's Microsoft patches are installed. Retina audits are available to customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/html/mspatch/august2006.html#audits
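For administrators without a scanner, the KB numbers listed in each bulletin heading above can be checked directly on a host. The following PowerShell script is an added example and is not eEye's code or part of Retina; it uses the standard Get-HotFix cmdlet, which reads the Win32_QuickFixEngineering records, and it assumes the hotfix IDs are recorded as "KB" followed by the article number from each bulletin title.

```powershell
# Added example, not eEye's or Microsoft's tooling: report which of the
# August 2006 Windows security updates are present on a host, keyed by the
# KB article numbers from the bulletin titles above.
#
# Caveat: Win32_QuickFixEngineering only records Windows component updates.
# The Office/VBA bulletins (MS06-047 KB921645 and MS06-048 KB922968) are
# serviced through Office and will not appear here; check them separately.

$AugustBulletins = @{
    'KB921883' = 'MS06-040 Server Service'
    'KB920683' = 'MS06-041 DNS Resolution'
    'KB918899' = 'MS06-042 Internet Explorer cumulative update'
    'KB920214' = 'MS06-043 MHTML parsing'
    'KB917008' = 'MS06-044 Microsoft Management Console'
    'KB921398' = 'MS06-045 Windows Explorer drag and drop'
    'KB922616' = 'MS06-046 HTML Help ActiveX control'
    'KB920958' = 'MS06-049 Windows Kernel EoP (Windows 2000 only)'
    'KB920670' = 'MS06-050 Hyperlink Object Library'
    'KB917422' = 'MS06-051 Windows Kernel'
}

function Test-AugustPatches {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Installed hotfix IDs as reported by the QFE provider, e.g. "KB921883".
    $installed = Get-HotFix -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID

    foreach ($kb in ($AugustBulletins.Keys | Sort-Object)) {
        [pscustomobject]@{
            Computer  = $ComputerName
            KB        = $kb
            Bulletin  = $AugustBulletins[$kb]
            Installed = ($installed -contains $kb)
        }
    }
}

# List the missing updates first so they stand out; KB920958 (MS06-049) is
# expected to be absent on anything other than Windows 2000.
Test-AugustPatches |
    Sort-Object Installed, KB |
    Format-Table -AutoSize
```

Run it against several hosts by passing -ComputerName in a loop, and treat a missing entry as a prompt to verify rather than as proof of exposure: a superseding cumulative update (particularly for Internet Explorer) can replace the KB number recorded here.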
Blink® Unified Client Security
eEye's Blink protects from the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality. Additionally, Blink does not require the killing of services or applications as a means of protection. The result is 100% protection, with zero downtime or impact to operations.
Current Blink customers aren't required to do anything to realize the protection from these flaws. No updates or policy changes are required. If you are interested in protecting your systems with Blink, an evaluation version is available for download here:
http://www.eeye.com/html/products/blink/download/index.html
Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forums on Wednesday and Thursday of this week. These forums enable participants to stay current on the potential risks and remediation requirements of the patches announced today by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
