2005 MS Alerts

2005-12-14, 04:47

- http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx
"...December 13, 2005...
Critical (1)
Microsoft Security Bulletin MS05-054
Cumulative Security Update for Internet Explorer (905915)
- http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx ...

Important (1)
Microsoft Security Bulletin MS05-055
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)
- http://www.microsoft.com/technet/security/bulletin/ms05-055.mspx ..."
Affected Software:
• MS Windows 2000 Service Pack 4 ...

ISC Analysis:
- http://isc.sans.org/diary.php?storyid=929
(Additional info for network admin decision makers, or just your own PC.)


2005-12-29, 06:08

MS Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
- http://www.microsoft.com/technet/security/advisory/912840.mspx
"...Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update...
• December 28, 2005: Advisory published
• December 29, 2005: Advisory updated. FAQ section updated.
• December 30, 2005: Advisory updated. FAQ section updated."

- http://secunia.com/advisories/18255/
"Release Date: 2005-12-28
Last Update: 2005-12-29
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched..."

...More WMF Information...
- http://isc.sans.org/diary.php?storyid=982
Last Updated: 2005-12-30
"...One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:
1. Filename extension filtering will not work.
2. Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
3. You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
4. While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.
The reader goes on to note that whatever mitigation is offered in Microsoft's advisory is not much more than a quick temporary bandaid. What we need is a patch and we need it quick."

...more to come on this, a.k.a. "Windows WMF 0-day exploit in the wild"...
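
Added example (not part of the original post or of the quoted advisories): point 1 of the reader's summary says filename extension filtering will not work, so a gateway or mail filter has to decide from the file's leading bytes instead. The sketch below does that, assuming the standard WMF header layout (optional 22-byte placeable header, then type, header size and version fields); the function names and sample bytes are constructed for illustration.

```python
import struct

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7 as stored on disk (little-endian)
PLACEABLE_LEN = 22                    # optional placeable header precedes the real one


def looks_like_wmf(data: bytes) -> bool:
    """True if the leading bytes parse as a WMF header, whatever the file is named."""
    if data[:4] == PLACEABLE_KEY:
        data = data[PLACEABLE_LEN:]   # skip to the standard metafile header
    if len(data) < 6:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    # type 1/2 = memory/disk metafile, header is 9 words, version 1.0 or 3.0
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def classify(name: str, data: bytes) -> str:
    """Compare what the name claims with what the content is."""
    is_wmf = looks_like_wmf(data)
    if is_wmf and not name.lower().endswith(".wmf"):
        return "wmf-disguised"        # the case an extension filter lets through
    return "wmf" if is_wmf else "not-wmf"


# Constructed, harmless samples: a minimal metafile holding only the
# end-of-file record, with and without a placeable header, and a JPEG stub.
WMF_BODY = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
PLACEABLE_WMF = PLACEABLE_KEY + bytes(PLACEABLE_LEN - 4) + WMF_BODY  # checksum not validated
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("holiday.jpg", WMF_BODY),
                       ("chart.wmf", PLACEABLE_WMF),
                       ("photo.jpg", JPEG_STUB)]:
        print(f"{name:12} -> {classify(name, blob)}")
```

A header check like this only identifies the file type; it does not tell a benign metafile from a malicious one, so it is suited to blocking or quarantining WMF content wholesale until a patch is deployed.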


Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
- http://www.microsoft.com/technet/security/advisory/912840.mspx
Updated: January 3, 2006
"...> What’s Microsoft’s response to the availability of third party patches for the WMF vulnerability?
Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006.
As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft’s security updates are offered in 23 languages for all affected versions of the software simultaneously.
Microsoft cannot provide similar assurance for independent third party security updates.
> Why is it taking Microsoft so long to issue a security update?
Creating security updates that effectively fix vulnerabilities is an extensive process. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe..."


- http://isc.sans.org/diary.php?storyid=1011
Last Updated: 2006-01-03 18:17:57 UTC


Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft.com/technet/securi...12840.mspx
Updated: January 5, 2006
...Reason For Update: FAQ added with information on Windows 98, Windows 98 Second Edition and Windows Millennium. FAQ concerning embedded images in Office documents updated. Workaround updated with information about re-registering the Windows Fax and Image Viewer (Shimgvw.dll)...
Frequently Asked Questions...
"...Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) were previously listed as affected, but are no longer listed. Why is that?
Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates...
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. After a security update has been released and deployed, you can undo this change and re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks)..."

Updated: January 5, 2006 (Second update - same day)
Microsoft has completed the investigation into a public report of a vulnerability. We have issued a security bulletin to address this issue*...
* http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx