December 12, 2006
Microsoft Patch Disclosure - December 2006
This month Microsoft released seven new bulletins, which repair a total of eleven separate vulnerabilities, and re-released MS06-059. Microsoft originally planned only six bulletins, but recently added a patch for the ASX vulnerability that eEye Research reported as exploitable. Two of the seven bulletins address publicly known zero-day vulnerabilities. eEye's Blink Professional and Blink Personal software protected systems against these zero-day exploits prior to their discovery. Unlike other host protection products, Blink does not require updated signatures or updated rule sets to provide protection.
The most critical client-side vulnerabilities this month are in MS06-072 (IE) and MS06-078 (Media Format). The most critical network vulnerability is MS06-074 (SNMP). Administrators of enterprise-sized networks should assess which vulnerabilities impact their networks most using this summary, and should begin building a patch plan following a patch precedence structure. eEye has suggestions for this process in an archived VERSA article and will be discussing patch strategies in tomorrow's Vulnerability Expert Forum.
As always, eEye suggests that users roll out these patches as fast as possible, preferably after testing the impact on internal applications and network continuity.
This Month's Bulletins
Critical
- MS06-072 - Cumulative Security Update for Internet Explorer
- MS06-073 - Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution
- MS06-078 - Vulnerability in Windows Media Format Could Allow Remote Code Execution
- MS06-059 - Re-Release: Vulnerabilities in Excel Could Allow Remote Code Execution
Important
- MS06-074 - Vulnerability in SNMP Could Allow Remote Code Execution
- MS06-075 - Vulnerability in Windows Could Allow Elevation of Privilege
- MS06-076 - Cumulative Security Update for Outlook Express
- MS06-077 - Vulnerability in Remote Installation Service Could Allow Remote Code Execution
Bulletin Summary
MS06-072
Cumulative Security Update for Internet Explorer (925454)
http://www.microsoft.com/technet/security/bulletin/MS06-072.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This Cumulative Update fixes four vulnerabilities of varying severity in IE 5.01 and IE 6:
- CVE-2006-5579 - Script Error Handling Memory Corruption Vulnerability
A remote code execution vulnerability exists in Internet Explorer due to attempts to access previously freed memory when handling script errors in certain situations.
- CVE-2006-5581 - DHTML Script Function Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way Internet Explorer interprets certain DHTML script function calls to incorrectly created elements.
- CVE-2006-5578 - TIF Folder Information Disclosure Vulnerability
An information disclosure vulnerability exists in Internet Explorer in the way that drag and drop operations are handled in certain situations.
- CVE-2006-5577 - TIF Folder Information Disclosure Vulnerability
An information disclosure vulnerability exists in Internet Explorer in certain scenarios where the path to the cached content in the TIF folder could be disclosed.
Recommendations
Since there are multiple attack vectors patched within this Cumulative Update, eEye Research suggests that users of Internet Explorer that are vulnerable patch their systems as soon as possible following the details of MS06-072.
MS06-073
Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)
http://www.microsoft.com/technet/security/bulletin/MS06-073.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes a zero-day vulnerability in the Visual Studio 2005 WMI Object Broker ActiveX control which allows execution of arbitrary code in the context of the logged-in user. Exploit code for this vulnerability was released publicly as a Metasploit plugin before Microsoft was notified, putting users at risk of exploitation with no patch available.
- CVE-2006-4704 - WMI Object Broker Vulnerability
A remote code execution vulnerability exists in the WMI Object Broker control that the WMI Wizard uses in Visual Studio 2005.
Recommendations
Considering that exploit code has been available for this vulnerability for over four months, eEye Research recommends that users with Visual Studio 2005 apply this patch as soon as possible. To identify hosts with this ActiveX control installed, administrators can audit for the following registry key: "HKEY_CLASSES_ROOT\CLSID\{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}".
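The audit above can be scripted. The following PowerShell is an added example, not eEye's or Microsoft's code: it checks for the CLSID quoted in the advisory and, going one step further, reports whether the Internet Explorer kill bit (Compatibility Flags 0x400 under the standard "ActiveX Compatibility" key) is set for that control, which is what stops IE from instantiating it.

```powershell
# Added example (not from the eEye advisory): audit this host for the Visual Studio 2005
# WMI Object Broker control named in MS06-073 and report whether its kill bit is set.
# The CLSID is the one quoted in the advisory; the kill-bit location is Internet Explorer's
# standard "ActiveX Compatibility" key, where flag 0x400 means "do not instantiate".
$Clsid = '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'

function Get-WmiObjectBrokerStatus {
    param([string]$ClassId = $Clsid)

    $classKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$ClassId"
    $killKey  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ClassId"

    $installed = Test-Path -LiteralPath $classKey
    $server    = $null
    if ($installed) {
        # The (default) value of InprocServer32 names the DLL that implements the control.
        $inproc = Get-ItemProperty -LiteralPath "$classKey\InprocServer32" -ErrorAction SilentlyContinue
        if ($inproc) { $server = $inproc.'(default)' }
    }

    $killBit = $false
    if (Test-Path -LiteralPath $killKey) {
        $flags = (Get-ItemProperty -LiteralPath $killKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        # 0x400 is the kill bit: IE refuses to load the control while it is set.
        if ($null -ne $flags -and ($flags -band 0x400) -ne 0) { $killBit = $true }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ClassId      = $ClassId
        Installed    = $installed
        ServerDll    = $server
        KillBitSet   = $killBit
        # Exposed means the control is registered and IE would still instantiate it.
        Exposed      = ($installed -and -not $killBit)
    }
}

Get-WmiObjectBrokerStatus | Format-List
```

Run it through your usual remote execution or inventory tooling to collect the Exposed flag across the estate.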
Resources
eEye ZDT - WMI Object Broker ActiveX
MS06-074
Vulnerability in SNMP Could Allow Remote Code Execution (926247)
http://www.microsoft.com/technet/security/bulletin/MS06-074.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Critical
Description
This patch fixes one vulnerability within the SNMP Service for Windows.
- CVE-2006-5583 - SNMP Memory Corruption Vulnerability
A remote code execution vulnerability exists in SNMP Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
Recommendations
Because exploit code has already been released for this vulnerability, eEye suggests that hosts running SNMP be patched as soon as possible. As a mitigation, change the community string names on each SNMP host so that they are less likely to be guessed.
The community names can be modified in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities. Each value under that key is a community name; you can rename a community there, or disable it completely by setting its value to 0. For instance, setting the DWORD value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities\public to 0 disables the 'public' community string. Restarting the SNMP service is not required for the change to take effect, but is suggested because the change does not happen immediately after the registry modification. As always, make sure that this modification does not conflict with other software on the system, and back up the registry keys before modifying them.
For hosts that do not need to have SNMP running, eEye Research suggests that administrators remove the SNMP service to minimize the attack surface for possible future SNMP vulnerabilities.
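The registry mitigation described above, as an added PowerShell example that is not part of the advisory: it lists the community strings configured under ValidCommunities, flags vendor-default names, backs up the key, disables the named communities by setting their DWORD to 0 as the advisory describes, and restarts the service. The backup path and the list of "well-known" names are assumptions of this example.

```powershell
# Added example (not from the eEye advisory): audit and disable SNMP community strings
# following the advisory's registry mitigation. Run elevated.
$CommunityKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'

function Get-SnmpCommunity {
    if (-not (Test-Path -LiteralPath $CommunityKey)) { return @() }
    $key = Get-Item -LiteralPath $CommunityKey
    # Each value name under the key is a community string; its DWORD data is the permission code.
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Community  = $name
            Permission = $key.GetValue($name)
            # Constructed heuristic: vendor-default names are the ones most likely to be guessed.
            WellKnown  = ($name -in @('public', 'private'))
            Disabled   = ($key.GetValue($name) -eq 0)
        }
    }
}

function Disable-SnmpCommunity {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        # Assumed backup location; the advisory only says to back up the key first.
        [string]$BackupPath = "$env:TEMP\ValidCommunities-backup.reg"
    )
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities' $BackupPath /y | Out-Null
    $key = Get-Item -LiteralPath $CommunityKey
    foreach ($n in $Name) {
        # Only touch communities that actually exist; 0 disables the name per the advisory.
        if ($key.GetValueNames() -contains $n) {
            Set-ItemProperty -LiteralPath $CommunityKey -Name $n -Value 0 -Type DWord
        }
    }
    # Not strictly required, but the change is not immediate without a restart.
    Restart-Service -Name SNMP -ErrorAction SilentlyContinue
}

# Usage: review the configured communities, then disable the vendor-default 'public' name.
Get-SnmpCommunity | Format-Table -AutoSize
Disable-SnmpCommunity -Name 'public'
```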
MS06-075
Vulnerability in Windows Could Allow Elevation of Privilege (926255)
http://www.microsoft.com/technet/security/bulletin/MS06-075.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Medium
Description
This patch fixes one vulnerability within Windows which allows for a local elevation of privileges.
- CVE-2006-5585 - File Manifest Corruption Vulnerability
A privilege elevation vulnerability exists in the way that Microsoft Windows starts applications with specially crafted file manifests. This vulnerability could allow a logged-on user to take complete control of the system.
Recommendations
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. However, regarding patch precedence, this vulnerability does not pose as large of a threat as any of the other vulnerabilities patched this month.
MS06-076
Cumulative Security Update for Outlook Express (923694)
http://www.microsoft.com/technet/security/bulletin/MS06-076.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: High
Description
This patch fixes a vulnerability within Outlook Express 5.5 and 6 which would allow a remote attacker to execute arbitrary code in the context of the logged-in user. Outlook Express is installed by default, which increases the criticality of this vulnerability.
- CVE-2006-2386 - Windows Address Book Contact Record Vulnerability
A remote code execution vulnerability in a component of Outlook Express could allow an attacker who sent a Windows Address Book file to a user of an affected system to take complete control of the system.
Recommendations
Since Outlook Express is so widely installed, eEye Research suggests that Windows users update their systems with this patch as soon as possible.
MS06-077
Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121)
http://www.microsoft.com/technet/security/bulletin/MS06-077.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: High
Description
This patch fixes a vulnerability within Remote Installation Service (RIS) which had the potential to allow a remote user to take complete control over the host.
- CVE-2006-5584 - RIS Writable Path Vulnerability
The Remote Installation Service enables a TFTP service on the server which by default could allow an anonymous user to potentially overwrite existing operating system files or upload a specially crafted file. This could allow an attacker to compromise operating system installs offered by the RIS server.
The exploitation of this vulnerability does not require any user interaction, but requires that the attacker has access to the Remote Installation Service of the targeted host.
Recommendations
eEye Research recommends that all Windows 2000 systems fix this vulnerability with the registry patch outlined in MS06-077. The attack vector is similar to the one outlined in eEye Research's BootRoot, but the vulnerability is unrelated.
MS06-078
Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)
http://www.microsoft.com/technet/security/bulletin/MS06-078.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes two vulnerabilities within Windows which may allow for a remote attacker to execute arbitrary code. One of the vulnerabilities was originally reported as a denial of service, but was later proved to be exploitable by eEye Research and was reported first on the eEye Zero-Day Tracker.
- CVE-2006-4702 - Windows Media Format ASF Parsing Vulnerability
A remote code execution vulnerability exists in Windows Media Format Runtime due to the way it handles Advanced Systems Format (ASF) files. An attacker could exploit the vulnerability by constructing specially crafted Windows Media Player content that could potentially allow remote code execution if a user visits a malicious Web site or opens an e-mail message with malicious content. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
- CVE-2006-6134 - Windows Media Format ASX Parsing Vulnerability
A remote code execution vulnerability exists in Windows Media Format Runtime due to the way it handles certain elements contained in Advanced Stream Redirector (ASX) files. An attacker could exploit the vulnerability by constructing a specially crafted ASX file that could allow remote code execution if a user visits a malicious Web site, where specially crafted ASX files are used to launch Windows Media Player, or if a user clicks on a URL pointing to a specially crafted ASX file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Recommendations
Considering that a proof of concept has been available for one of these vulnerabilities since November 22, eEye Research recommends that users protect their systems with this patch as soon as possible.
Resources
eEye ZDT - ASX Playlist
MS06-059
Re-Release: Vulnerabilities in Excel Could Allow Remote Code Execution (924164)
http://www.microsoft.com/technet/security/bulletin/MS06-059.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
MS06-059 was re-released for Excel 2002 (XP) because of an issue with Microsoft's update mechanism. For some installations of Excel 2002, the update would report as installed, but the Excel.exe binary was not updated and was still vulnerable to the four vulnerabilities reported in MS06-059.
Recommendations
All Excel 2002 (XP) customers should ensure that their Excel.exe binary is updated. If the version of Excel.exe is below 10.0.6816.0, the host is still vulnerable to all four vulnerabilities reported on October 10, 2006. eEye Research suggests updating the vulnerable hosts as soon as possible.
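The Excel.exe version check above, as an added PowerShell example that is not part of the advisory. It compares the file version as a [version] object rather than as a string, so "10.0.6816.0" is ordered numerically (a plain string compare would sort "10.0.7000.0" below "10.0.6816.0" on the fourth character). The search roots are assumptions; only Excel 2002 (major version 10) is judged against the re-release floor.

```powershell
# Added example (not from the eEye advisory): find Excel.exe and compare its file version
# with the 10.0.6816.0 floor given in the MS06-059 re-release.
$MinimumExcelVersion = [version]'10.0.6816.0'

function Test-ExcelPatched {
    # Assumed search roots; adjust for non-default Office install locations.
    param([string[]]$SearchRoot = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}"))

    foreach ($root in $SearchRoot) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter 'Excel.exe' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $raw = $_.VersionInfo.FileVersion
                # Office stamps FileVersion as a dotted number such as "10.0.6816.0";
                # parse only the leading dotted number so trailing text cannot break the cast.
                $parsed = $null
                if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $parsed = [version]$Matches[1] }
                $isExcel2002 = ($null -ne $parsed -and $parsed.Major -eq 10)
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $raw
                    IsExcel2002 = $isExcel2002
                    # Per the advisory: Excel 2002 below 10.0.6816.0 is still vulnerable.
                    Vulnerable  = ($isExcel2002 -and $parsed -lt $MinimumExcelVersion)
                }
            }
    }
}

Test-ExcelPatched | Format-Table -AutoSize
```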
The eEye Advantage
Retina® Network Security Scanner
eEye Digital Security's Retina customers can update their scanner to detect systems vulnerable to these issues and verify if this month's Microsoft patches are installed. Retina audits are available to customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/html/mspatch/december2006.html#audits
Blink® Unified Client Security
eEye's Blink protects against the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality. Additionally, Blink does not require the killing of services or applications as a means of protection. The result is 100% protection, with zero downtime or impact to operations.
Current Blink customers aren't required to do anything to realize the protection from these flaws. No updates or policy changes are required. If you are interested in protecting your systems with Blink, an evaluation version is available for download here:
http://www.eeye.com/html/products/blink/download/index.html
Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.