Microsoft Security Bulletin Summary for April, 2006

Published: 2006-04-11
Last Updated: 2006-04-11 23:50:25 UTC
by Deborah Hale (Version: 2)

As you can see, the gang at the Internet Storm Center have been very busy little beavers. They have helped me put together this great Diary update for you. Thanks to Johannes, Marcus, Scott and Pedro for all of their hard work. So below is the "low down" on Microsoft Patch Tuesday. Happy reading.

Cumulative Security Update for Internet Explorer (912812)

MS06-013, KB912812, CVE-2006-1359, 1388, 1185, 1186, 1188, 1189, 1190

This patch should be applied as fast as possible, but because of a change in ActiveX functionality it requires extra careful testing. Microsoft bundled all but one of this month's Internet Explorer updates in this "Cumulative update". This particular update patches no fewer than 8 remote code execution issues. In addition, one information disclosure problem and an address bar spoofing vulnerability are fixed. Note that there are public exploits for at least one (CVE-2006-1245) and possibly two (CVE-2006-1388) of the advisories. While the exploits known to us only trigger a DoS condition, it is very much possible that more sinister exploits are already in use. Microsoft states that they are not aware of any exploits in the wild, which likely refers to remote execution exploits, not DoS exploits.

As far as mitigation steps go: Disabling Active Scripting may help with some of the vulnerabilities, but others (e.g. CVE-2006-1185 and CVE-2006-1188) can be triggered without Active Scripting. Of course, running Internet Explorer with reduced rights will limit your exposure.

So this is a "must apply fast" patch. However, be careful. This patch includes the "Eolas Patent Patch", a change in functionality Microsoft had to issue in order to avoid paying for certain patent rights.
Read this http://support.microsoft.com/kb/912812 carefully (in particular if you are using Siebel 7)

(Thanks Johannes for the write-up)

Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)

MS06-014, KB911562, CVE-2006-2003

This update resolves a newly-discovered, privately-reported vulnerability.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software:

  • Microsoft Windows XP Service Pack 1 running Microsoft Data Access Components 2.7 Service Pack 1
  • Microsoft Windows XP Service Pack 2 running Microsoft Data Access Components 2.8 Service Pack 1
  • Microsoft Windows XP Professional x64 Edition running Microsoft Data Access Components 2.8 Service Pack 2
  • Microsoft Windows Server 2003 running Microsoft Data Access Components 2.8
  • Microsoft Windows Server 2003 Service Pack 1 running Microsoft Data Access Components 2.8 Service Pack 2
  • Microsoft Windows Server 2003 for Itanium-based Systems running Microsoft Data Access Components 2.8
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems running Microsoft Data Access Components 2.8 Service Pack 2
  • Microsoft Windows Server 2003 x64 Edition running Microsoft Data Access Components 2.8 Service Pack 2
  • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Affected Components:

  • Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.5 Service Pack 3 installed
  • Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.7 Service Pack 1 installed
  • Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.8 installed
  • Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.8 Service Pack 1 installed
  • Windows XP Service Pack 1 with Microsoft Data Access Components 2.8 installed

This vulnerability can result in remote code execution, and is deemed as CRITICAL for Win9x, Win2k SP4, and WinXP SP1 and 2. It is labeled as MODERATE for Windows Server 2003 including SP1.

This is not "wormable" in that the vulnerability depends on the failure of an ActiveX control rather than a process listening on an open port. However, an attacker could successfully inject malicious code on a victim's machine via HTML-enabled email or a web site.

Thanks Marcus for this write-up

Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)

MS06-015; KB908531; CVE-2006-0012

Yes, time for patching again...and regarding this one, the Windows Shell vulnerability, I would HIGHLY recommend you to test and then apply on your machines affected by this one.

This time, our fellow COM Objects can be used to execute arbitrary code...

The O.S. affected are:

  •  Microsoft Windows 2000 Service Pack 4
  •  Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

About the vulnerability:
The vulnerability itself is a critical one and will allow remote code to be executed on your machine. Did you get the word "REMOTE"?

According to the original advisory:
"A remote code execution vulnerability exists in Windows Explorer because of the way that it handles COM objects. An attacker would need to convince a user to visit a Web site that could force a connection to a remote file server. This remote file server could then cause Windows Explorer to fail in a way that could allow code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system."

So, speaking of workarounds, if you can't apply the patch right away, MS recommends:

  • Disable the Web Client service
  • Use the Group Policy settings to disable the WebClient service on all affected systems that do not require this feature.
  • Block TCP ports 139 and 445 at the firewall

Right... :) But before someone asks why one of MS's workarounds is to block ports 139 and 445, I will answer: YES, these ports can be used to exploit the vulnerability... But you already block these ports, right? :)

One special note for Windows 98/98SE/ME. They ARE affected by this vulnerability, but the patch is not available yet. According to MS it will be soon after this release.

(Thanks to Pedro for this write-up.)

1 Important

Cumulative Security Update for Outlook Express (911567)

MS06-016; KB911567; CVE-2006-0014

A remote code execution vulnerability exists within Outlook Express involving its handling of Windows Address Book (.wab) files. Attackers can craft a suitable version of the .wab file and then convince the end user to open the file through either direct email, or through opening a link on a web site. The attacker would gain the same administrative rights as the end user. As a workaround to this update, you can change or remove the file association for the .wab format.

This update replaces 2 prior security updates (MS04-018 and MS05-030) in most supported operating systems. The exceptions are Outlook Express 6 for Windows XP SP2 and for Windows Server 2003 SP1 (32 and 64 bit). Prior versions of Outlook Express on lesser Service Pack levels should be aware of this replacement.

Windows 98/98SE and ME are also impacted but not critically enough for Microsoft to release updates for these systems.

(Thanks Scott for the write-up.)
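
The host-side workarounds named above, disabling the WebClient service (MS06-015) and changing or removing the .wab file association (MS06-016), can be audited with a short script. This is an added example, not part of the original diary or of Microsoft's bulletins; it assumes Windows PowerShell run locally (Get-WmiObject is not available in PowerShell 7), and the function name is hypothetical. The perimeter block on TCP 139 and 445 has to be verified at the firewall and is not covered here.

```powershell
# Added example: report whether the MS06-015 and MS06-016 workarounds
# described in this diary are in place on the local host.
# Get-BulletinWorkaroundStatus is a hypothetical name, not a Microsoft tool.
function Get-BulletinWorkaroundStatus {
    # MS06-015 workaround: WebClient service stopped and disabled.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) {
        # Service not present on this host, so there is nothing to disable.
        $webClientState = 'NotInstalled'
        $webClientOk    = $true
    } else {
        $webClientState = "$($svc.StartMode)/$($svc.State)"
        $webClientOk    = ($svc.StartMode -eq 'Disabled') -and
                          ($svc.State -eq 'Stopped')
    }

    # MS06-016 workaround: .wab association changed or removed.
    # The default value of HKCR\.wab names the file type that opens .wab files.
    $key = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.wab' `
                            -ErrorAction SilentlyContinue
    $wabFileType = if ($key) { $key.'(default)' } else { $null }

    New-Object PSObject -Property @{
        ComputerName          = $env:COMPUTERNAME
        WebClientState        = $webClientState
        WebClientMitigated    = $webClientOk
        # Empty means the association was removed. A non-empty value needs a
        # manual check that it no longer points at the address book handler.
        WabFileType           = $wabFileType
        WabAssociationRemoved = [string]::IsNullOrEmpty($wabFileType)
    }
}

# To apply the WebClient workaround on a host that does not need the service:
#   Stop-Service -Name WebClient
#   Set-Service  -Name WebClient -StartupType Disabled

Get-BulletinWorkaroundStatus | Format-List
```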

1 Moderate

Vulnerability in Microsoft Front Page Server Extensions Could Allow Cross Site Scripting (917627)

MS06-017; KB917627; CVE-2006-0017

A remote code execution vulnerability exists in FrontPage Server Extensions (FPSE) or SharePoint Team Services (STS) which could allow an attacker to run client-side scripts on behalf of an FPSE user. If the user has administrative rights, the attacker would gain complete access to the server. Otherwise, it will be limited to the administrative rights granted to the end user. As there is a list of mitigating circumstances, and the default install of Windows Server, Microsoft is releasing this as a moderate issue. However, note that this is a remote code execution problem and could be more critical in your particular circumstances.

So for those that have IIS installed on your workstations or servers, or have FPSE or SharePoint on your network, please be aware of this bulletin and its corresponding knowledge base article (KB917627) as there are known issues with deploying the update.

Also, users of FrontPage 2002 may be offered the security patch through Office Update site and/or MBSA.  This update is recommended though it is not believed to be vulnerable to this exploit at this time.

MS03-051 is replaced for those using FrontPage Server Extensions 2002 which was downloaded and installed on Windows XP or  Server 2000 SP4 machines.  MS05-006 is replaced for those using Microsoft SharePoint Team Services 2002.

Thanks Scott for this write-up.

Update for Outlook 2003 Junk Email Filter (KB914454)

Microsoft released an update to the Junk E-mail Filter in Microsoft
Office Outlook 2003.  This update provides a more current definition
of which e-mail messages should be considered junk e-mail.

Windows Malicious Software Removal Tool - April 2006 (KB890830)

Microsoft released the monthly update to the Malicious Software Removal Tool (MSRT). The newest version supports 3 new specific and prevalent pieces of malicious software which may be on infected computers. For more information on the new additions, please see http://www.microsoft.com/security/malwareremove/default.mspx for details. As a reminder, this tool is not supposed to be a replacement for your corporate or individually owned antivirus and spyware protection.
