View Full Version : 2006 MS Alerts - Q1
AplusWebMaster
2006-01-04, 14:41
FYI...
Microsoft Security Advisory (912920)
Systems that are infected with Win32/Sober.Z@mm may download and run malicious files from certain Web domains beginning on January 6, 2006
- http://www.microsoft.com/technet/security/advisory/912920.mspx
Published: January 3, 2006
"Microsoft is aware of the Sober mass mailer worm variant named Win32/Sober.Z@mm. The worm tries to entice users through social engineering efforts into opening an attached file or executable in e-mail. If the recipient opens the file or executable, the worm sends itself to all the contacts that are contained in the systems address book. Customers who are using the most recent and updated antivirus software are at a reduced risk from infection by the Win32/Sober.Z@mm worm. On systems that are infected by Win32/Sober.Z@mm, the malware is programmed to download and run malicious files from certain Web domains beginning on January 6, 2006. Beginning approximately every two weeks thereafter, the worm is set to begin downloading and running malicious files from additional sites on the same Web domains. As with all currently known variants of the Sober worm, the worm does not appear to target a security vulnerability, but rather relies on the user opening an infected attachment...
Suggested Actions
Check for and remove the Sober infection.
Use the Microsoft Windows Malicious Software Removal Tool, Safety.live.com, or Windows OneCare to search for and remove the Sober worm and its variants from infected systems.
Monitor outbound network connections to targeted Web sites.
Because the Win32/Sober.Z@mm worm may download and run malicious files from certain Web domains beginning on January 6, 2006, attempted connections to the following Web sites should be monitored for signs of an infected host on local networks.
Targeted Web sites
people.freenet.de
scifi.pages.at
home.pages.at
free.pages.at
home.arcor.de ..."
.
AplusWebMaster
2006-01-11, 02:52
FYI...
- http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx
Revisions:
• V2.0 (January 10, 2006): Updated to include additional Microsoft Security Bulletins
Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
- http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Microsoft Security Bulletin MS06-002
Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)
- http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx
A vulnerability exists when viewing Embedded Web Fonts that could lead to remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Microsoft Security Bulletin MS06-003
Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)
- http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx
A vulnerability exists in TNEF messages that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
-------------------------------------------------
ISC Analysis
- http://isc.sans.org/diary.php?storyid=1032
Last Updated: 2006-01-10 20:46:39 UTC
.
AplusWebMaster
2006-01-16, 04:17
FYI...
- http://isc.sans.org/diary.php?storyid=1045
Last Updated: 2006-01-16 01:31:48 UTC
"Microsoft has released a security update for the in-testing Windows Vista. The update addresses the WMF vulnerability covered earlier this month for released windows versions..."
>>> http://tinyurl.com/dxfd2
:confused: :rolleyes:
AplusWebMaster
2006-01-31, 13:55
FYI...
MS Security Advisory (904420)
- http://www.microsoft.com/technet/security/advisory/904420.mspx
Win32/Mywife.E@mm
Published: January 30, 2006
"Microsoft wants to make customers aware of the Mywife mass mailing malware variant named Win32/Mywife.E@mm. The mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book. The malware may also spread over writeable network shares on systems that have blank administrator passwords.
Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection from the Win32/Mywife.E@mm malware. Customers should verify this with their antivirus vendor. Antivirus vendors have assigned different names to this malware but the Common Malware Enumeration (CME) group has assigned it ID CME-24.
On systems that are infected by Win32/Mywife@E.mm, the malware is intended to permanently corrupt a number of common document format files on the third day of every month. February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications..."
Also see:
- http://forums.spybot.info/showthread.php?p=9452#post9452
EDIT/ADD:
Security Advisories Updated or Released Today - 2.1.2006
==============================================
* Security Advisory (904420)
- Title: Win32/Mywife.E@mm
- Reason For Update: Additional information about the blank password restriction functionality in Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003, and Windows Server 2003 Service Pack 1. Added link to Virus Information Alliance member Sophos.
- Web site: http://go.microsoft.com/fwlink/?LinkId=50423
.
AplusWebMaster
2006-02-08, 14:43
FYI...
MS Security Advisory (914457)
Possible Vulnerability in Windows Service ACLs
- http://www.microsoft.com/technet/security/advisory/914457.mspx
Published: February 7, 2006
Microsoft is aware of published information and proof-of-concept code that attempts to exploit overly permissive access controls on third-party (i.e., non-Microsoft) application services. This code also attempts to exploit default services of Windows XP Service Pack 1 and Windows Server 2003. If these attempts were successful, a user who has low user privileges could gain privilege escalation.
Microsoft has investigated these reports and the findings are summarized in the chart below. Microsoft has confirmed that customers who run Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 are not vulnerable to these issues because security-related changes were made to these service packs as part of our ongoing security improvement process. Users who run Windows XP Service Pack 1 and Windows Server 2003 Gold may be at risk, but the risk to Windows Server 2003 users is reduced.
Users are encouraged to contact their third-party software vendors whose products require services installation to determine if any non-default Windows services are affected.
Microsoft is not aware of any attacks attempting to use the reported vulnerabilities or of customer impact at this time. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.
Mitigating Factors:
The latest Microsoft operating systems, including Windows XP Service Pack2 and Windows Server 2003 Service Pack 1 are not vulnerable to these issues.
A malicious user who launches an attack based on the finders report would require at least authenticated user access to the affected operating systems
Two of the four services identified in the paper (NetBT and SCardSvr) require an attacker to already be running in a privileged security context. Additionally, the two services that do allow an authenticated user to attack are vulnerable only on Windows XP Service Pack 1.
Firewall best practices and standard default firewall configurations can help protect from attacks that originate outside the enterprise perimeter. Best practices also recommend that personal firewalls be used within a network and that systems connected to the Internet have a minimal number of ports exposed..."
.
AplusWebMaster
2006-02-08, 14:44
FYI...
MS Security Advisory (913333)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/913333.mspx
Published: February 7, 2006
"Microsoft is investigating new public reports of a vulnerability in older versions of Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. The attacker could do this by one or more of the following actions:
By hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site;
By convincing a user to open a specially crafted e-mail attachment;
By convincing a user to click on a link in an e-mail message that takes the user to a malicious Web site; or
By sending a specially crafted e-mail message to Outlook Express users, which they view in the preview pane.
>>> Note This is not the same issue as the one addressed by Microsoft Security Bulletin MS06-001 (912919).
The vulnerability exists in:
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium.
The vulnerability does not exist in:
Internet Explorer for Microsoft Windows XP Service Pack 1 and Windows XP Service Pack 2
Internet Explorer for Microsoft Windows XP Professional x64 Edition
Internet Explorer for Microsoft Windows Server 2003 and Windows Server 2003 Service Pack 1
Internet Explorer for Windows Server 2003 for Itanium-based Systems
Internet Explorer for Windows Server 2003 with Service Pack 1 for Itanium-based Systems
Internet Explorer for Windows Server 2003 x64 Edition
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 Second Edition
Internet Explorer 6 Service Pack 1 on Windows Millennium Edition
Microsoft has determined that an attacker who exploits this vulnerability would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems. In an e-mail based attack, customers would have to click a link to the malicious Web site, preview a malicious e-mail message, or open an attachment that exploited the vulnerability. In both Web-based and e-mail based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft will continue to investigate these reports and provide additional guidance depending on customer needs..."
.
AplusWebMaster
2006-02-10, 02:32
FYI...
- http://www.microsoft.com/technet/security/bulletin/advance.mspx
Updated: February 9, 2006
"...On 14 February 2006 Microsoft is planning to release:
Security Updates
One Microsoft Security Bulletin affecting Microsoft Windows Media Player. The highest Maximum Severity rating for this is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scanning Tool.
Four Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. Some of these updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
One Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Office. The highest Maximum Severity rating for these is Important. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
One Microsoft Security Bulletin affecting Microsoft Office. The highest Maximum Severity rating for this is Important. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
Microsoft Windows Malicious Software Removal Tool
Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS
Microsoft will not release any NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
Microsoft will release one NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."
- http://isc.sans.org/diary.php?storyid=1109
Last Updated: 2006-02-09 23:46:02 UTC
"...There are 7 total updates, with 5 of them being labeled as critical (1 for Windows Media Player, 4 for Windows itself). Also, they'll be releasing an update of their Malicious Software Removal Tool. Looks like it will be an eventful Black Tuesday."
:buried:
AplusWebMaster
2006-02-15, 02:36
FYI...
- http://www.microsoft.com/technet/security/bulletin/ms06-feb.mspx
Published: February 14, 2006
Version: 1.0...
Critical (2):
Microsoft Security Bulletin MS06-004
Cumulative Security Update for Internet Explorer (910620)
- http://www.microsoft.com/technet/security/Bulletin/MS06-004.mspx
Microsoft Security Bulletin MS06-005
Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)
- http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx
Important (5):
Microsoft Security Bulletin MS06-006
Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (911564)
- http://www.microsoft.com/technet/security/Bulletin/MS06-006.mspx
Microsoft Security Bulletin MS06-007
Vulnerability in TCP/IP Could Allow Denial of Service (913446)
- http://www.microsoft.com/technet/security/bulletin/ms06-007.mspx
Microsoft Security Bulletin MS06-008
Vulnerability in Web Client Service Could Allow Remote Code Execution (911927)
- http://www.microsoft.com/technet/security/bulletin/ms06-008.mspx
Microsoft Security Bulletin MS06-009
Vulnerability in the Korean Input Method Editor Could Allow Elevation of Privilege (901190)
- http://www.microsoft.com/technet/security/Bulletin/ms06-009.mspx
Microsoft Security Bulletin MS06-010
Vulnerability in PowerPoint 2000 Could Allow Information Disclosure (889167)
- http://www.microsoft.com/technet/security/Bulletin/MS06-010.mspx
...Revisions:
V1.0 (February 14, 2006): Bulletin published.
--------------------------
ISC Analysis:
- http://isc.sans.org/diary.php?storyid=1120
Happy Valentines Day and Black Tuesday
Last Updated: 2006-02-14 23:51:14 UTC
Problems with MS patch KB913446 (for the IGMP issue, MS06-007)
- http://isc.sans.org/diary.php?storyid=1121
Last Updated: 2006-02-14 19:58:30 UTC
"A number of our readers have written in (and some of the handlers have duplicated the issue) to report that when using Microsoft Update or autoupdate the patch (KB913446) downloads, but fails to install with Error Code: 0x80242006. The version located here*, however, does not appear to have this issue. Until Microsoft fixes the former, you may want to install that one patch manually..."
* http://www.microsoft.com/downloads/details.aspx?familyid=7BB21D74-C37B-472B-BB10-71D4680680A7&displaylang=en
.
AplusWebMaster
2006-02-22, 13:26
FYI...
Microsoft Security Advisory (906267)
A COM Object (Msdds.dll) Could Cause Internet Explorer to Unexpectedly Exit
- http://www.microsoft.com/technet/security/advisory/906267.mspx
Updated: February 21, 2006
"Microsoft has completed the investigation into a public report of a vulnerability affecting Internet Explorer. We have issued a security bulletin to address this issue*..."
* http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx
.
AplusWebMaster
2006-02-23, 13:36
FYI...
Microsoft Security Advisory (914457)
Vulnerability in Windows Service ACLs
- http://www.microsoft.com/technet/security/advisory/914457.mspx
Updated: February 22, 2006
"...Revisions:
February 7, 2006: Advisory published
February 7, 2006: Added line breaks to Group Policy workaround security template for Windows XP Service Pack 1
February 8, 2006: Added additional FAQ information for affected platforms and service start-up type properties
February 14, 2006: Additional services identified, Windows XP Service Pack 2 and Windows 2000 clarification
February 22, 2006: Added Microsoft Knowledge Base Article 914392* "
Best practices and guidance for writers of service discretionary access control lists
* http://support.microsoft.com/kb/914392
.
AplusWebMaster
2006-03-01, 04:36
FYI...
Microsoft Security Advisory (912945)
Non-Security Update for Internet Explorer
- http://www.microsoft.com/technet/security/advisory/912945.mspx
Published: February 28, 2006
"Microsoft is releasing a non-security update for Internet Explorer on February 28, 2006.
For more information about this update, see Microsoft Knowledge Base Article 912945*. This update is separate from the security update released on February 14, 2006 as part of Microsoft Security Bulletin MS06-004.
Microsoft Knowledge Base Article 912945* and the accompanying non-security update targets the following software:
Internet Explorer for Microsoft Windows XP Service Pack 2
Internet Explorer for Microsoft Windows Server 2003 Service Pack 1
Microsoft Security Bulletin MS06-004 and the accompanying security update released on February 14, 2006 targeted the following software:
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 ..."
* http://support.microsoft.com/kb/912945
Last Review : February 28, 2006
Revision: 5.0
INTRODUCTION
Microsoft is releasing a software update to Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2 and for Microsoft Windows Server 2003 Service Pack 1. This update changes the way in which Internet Explorer handles some Web pages that use ActiveX controls. Examples of programs that use ActiveX controls include the following:
- Adobe Reader
- Apple QuickTime Player
- Macromedia Flash
- Microsoft Windows Media Player
- Real Networks RealPlayer
- Sun Java Virtual Machine
After you install this update, you cannot interact with ActiveX controls from certain Web pages until these controls are enabled. To enable an ActiveX control, manually click the control. There are also techniques that Web developers can use to update their Web pages. For more information about these techniques, visit the following MSDN Web site:
http://msdn.microsoft.com/ieupdate
As part of this Internet Explorer update, Microsoft will release updates to the current versions of Windows XP and of Windows Server 2003. All client operating systems will be updated. These client operating systems include the following:
Windows XP Starter Edition
Windows XP Home Edition
Windows XP Professional Edition
Windows XP Tablet PC Edition
Windows XP Media Center Edition
Windows XP Professional for Embedded Systems
Additionally, updates for earlier versions of Internet Explorer will be released as part of the monthly security update packages.
MORE INFORMATION
Known issues
Initial logon dialog boxes may reappear and reset to default configurations
This issue occurs if you deploy the hotfix version of this software update on 64-bit systems, such as a 64-bit version of Microsoft Windows Server 2003 with Service Pack 1 or a x64-bit version of Windows XP with Service Pack 2. In this case, the initial logon dialog boxes may appear for applications and for Windows components. Additionally, some settings reset to default. This behavior may cause the following issues:
Applications ask users to opt in to privacy features.
Default settings for Internet Explorer favorites are reset.
Internet Explorer security zones are reset to default settings.
Internet Explorer advanced settings are reset to default settings.
Initial Windows Media Player dialog boxes appear.
This is a known issue and is expected to be fixed in the next update for Windows.
Google Toolbar
You may experience an access violation in the Google Toolbar when you close a window that contains an inactive ActiveX control. Microsoft and Google technical teams have been working together to address this issue. Google is expected to fix this problem by using its automatic "servicing mechanism" for Google Toolbar users. This problem affects Google Toolbar versions before version 3.0.129.2. Visit the following Google Web site to download the latest version:
http://toolbar.google.com
External script technique does not work when the "Disable Script Debugging in Internet Explorer" check box is cleared
Microsoft is investigating this problem and plans to fix it in a future cumulative update.
ActiveX controls that use Java Platform, Standard Edition 1.3 or 1.4
After you click on an ActiveX applet control in a program that runs the applet control by using Java Platform, Standard Edition (J2SE) 1.3 or J2SE 1.4, the focus does not go to the applet control. You must click the control a second time to establish focus. The focus behavior works correctly in J2SE 1.5. To obtain the latest version of J2SE, visit the following Sun Microsystems, Inc. Web site:
http://java.sun.com/j2se
For recommended techniques to make sure that ActiveX controls function without user interaction, visit the following MSDN Web site:
http://msdn.microsoft.com/ieupdate
The following issues occur on Web sites that do not use the recommended techniques.
Note: All these issues are resolved by using the techniques that are described on the MSDN Web site.
Scrolling
When you use the mouse wheel to scroll through a page that contains an interactive control, the control may not be displayed correctly. Microsoft is investigating this issue and plans to fix it in a future cumulative update.
Abstract Window Toolkit
Access violations have been reported with Java programs that use Abstract Window Toolkit (AWT) classes in the user interface. Microsoft is investigating this issue and plans to fix it in a future cumulative update.
Transparent Flash
A full-page ad disappears, but the focus rectangle remains. In this situation, the control is still there, but it is transparent. Therefore, the associated overlay window remains on the page.
DHTML menus
When a DHTML menu is expanded, the menu may appear on top of an ActiveX control. If you click the menu in this situation, you enable the control instead of gaining access to the DHTML menu. The overlay window has the highest z-order. Therefore, this window receives the mouse-click message.
Controls that prompt before they are loaded
When certain controls are loaded on a Web page, the controls are not correctly masked by the functionality of this update. These controls include controls that are used in Macromedia Shockwave Director, in QuickTime Player, and in Virtools Web Player. When Windows determines that a control is inactive, the system prompts the user before the control is loaded.
CSS attributes on controls
Controls that are hidden or that have a display-mode setting of None, but that do have size dimensions, display the focus rectangle when you move the pointer over them.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products..."
---------------------------------------
(Verrryyy interesting - a "Non-Security Update for IE" issued under an MS "Security Advisory"... only in America.)
---------------------------------------------
EDIT/ADD:
Microsoft updates IE after patent spat
- http://news.com.com/2102-1032_3-6044418.html?tag=st.util.print
Story last modified Tue Feb 28 17:38:18 PST 2006
"... Microsoft is modifying IE to shield itself from liability in a long-running patent dispute with Eolas Technologies and the University of California. Microsoft expects a second trial in the case to start sometime this year after a federal appeals court last March partially reversed a lower-court decision that exposed it to more than $500 million in damages. In September, the U.S. Patent Office upheld the validity of the patent at issue in the case. Microsoft is delivering the IE update in phases. The company last December said it would make the tweaks and a month later made the update available on MSDN, its Web site for developers. The update is now available to the general public as an optional download via Windows Update and Microsoft's Download Center Web site. "Microsoft expects the vast majority of existing IE customers will download the update as part of ongoing security updates in the next four to six months," the Microsoft representative said. The update is available for IE 6 on Windows XP with Service Pack 2 and Windows Server 2003 with SP 1, the Microsoft representative said."
.
AplusWebMaster
2006-03-10, 06:04
FYI... http://www.microsoft.com/technet/security/bulletin/advance.mspx
Updated: March 9, 2006
"...On 14 March 2006 Microsoft is planning to release:
Security Updates
One Microsoft Security Bulletin affecting Microsoft Office. The highest Maximum Severity rating for this is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scanning Tool.
One Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for this is Important. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
Microsoft Windows Malicious Software Removal Tool
Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS
Microsoft will not release any NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
Microsoft will release one NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."
AplusWebMaster
2006-03-14, 21:35
FYI...
- http://www.microsoft.com/technet/security/bulletin/ms06-mar.mspx
Published: March 14, 2006
Version: 1.0 ...
Critical (1)
Microsoft Security Bulletin MS06-012
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413)
- http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
(Critically) Office Affected Software:
Word 2000, Excel 2000, Outlook 2000, PowerPoint 2000, Office 2000 MultiLanguage Packs, Works Suite 2000, Works Suite 2001, Works Suite 2002
Important (1)
Microsoft Security Bulletin MS06-011
Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798)
- http://www.microsoft.com/technet/security/bulletin/ms06-011.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software:
Microsoft Windows XP Service Pack 1
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Non-Affected Software:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition ...
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
V1.0 (March 14, 2006): Bulletin published...
--------------------------------------------
ISC Analysis
- http://isc.sans.org/diary.php?storyid=1190
Last Updated: 2006-03-14 19:09:39 UTC
"...
MS06-012: Critical Vulnerability in Microsoft Office, KB905413
This update fixes a number of different Excel vulnerabilities, and a "Malformed Routing Slip" vulnerability which affects muliple Office components. All the vulnerabilities come down to the same issue: If you open a malformed file, an attacker could get control of the system as the user opening the file. If you use Microsoft Office, you should apply this patch quickly.
MS06-011: Priviledge Escalation in Windows (Important)
It may be possible for a regular user to obtain the privileges assigned to a service. A lower privileged user could change the configuration for a service in order to have it execute code or modify the system in other ways, once the service is running at the higher privilege (e.g. 'system').
This vulnerability has been disclosed for a while now. It is important to note that a "service" is not just a "server". Services typically have to run at a higher privilege level as they require access to files across multiple users, and access to system resources..."
.
AplusWebMaster
2006-03-15, 10:34
FYI...
Microsoft Security Advisory (916208)
Adobe Security Bulletin: APSB06-03 Flash Player Update to Address Security Vulnerabilities
- http://www.microsoft.com/technet/security/advisory/916208.mspx
Published: March 14, 2006
"Microsoft is aware of recent security vulnerabilities in Macromedia Flash Player from Adobe, a third party software application that also was redistributed with Microsoft Windows XP Service Pack 1, Windows XP Service Pack 2, Windows 98, Windows 98 SE, and Windows Millennium Edition. The Microsoft Security Response Center is in communication with Adobe and is aware that Adobe has made updates that are available on their Web site...
Suggested Actions
• Review the Adobe Security Bulletin
Review the Adobe Security Bulletin and follow Adobe’s guidance as appropriate*..."
* http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html
----------------------------------------
Also see:
- http://secunia.com/advisories/19218/
Release Date: 2006-03-15
Critical: Highly critical
.
AplusWebMaster
2006-03-16, 09:53
FYI...
March Microsoft Security Bulletins...
- http://isc.sans.org/diary.php?compare=1&storyid=1190
Last Updated: 2006-03-15 21:44:20 UTC
"MS06-012: Critical Vulnerability in Microsoft Office, KB905413
...PoC exploits have been released. The patch window is closing rapidly..."
:eek:
AplusWebMaster
2006-03-18, 00:47
FYI...
- http://isc.sans.org/diary.php?storyid=1198
Last Updated: 2006-03-17 22:13:17 UTC
"There is a new and unpatched vulnerability with exploit code in the wild that affects the latest version of IE. The exploit works by including an abnormally large (a couple thousand) number of script actions inside a single HTML tag. This will cause a memory array to write out of bounds and cause an immediate or eventual browser crash. Both McAfee and Symantec have released signatures to detect this exploit. While this is only a DoS vulnerability at the moment, there are ongoing attempts to try to use this as a vector for remote code execution.
More as it develops..."
- http://www.techweb.com/wire/security/183700635
March 17, 2006
"...other browsers, such as Firefox and Opera, were not susceptible to the attack, implicitly advising users to consider an alternate browser..."
:eek:
AplusWebMaster
2006-03-23, 23:29
FYI...
- http://secunia.com/advisories/18680/
Last Update: 2006-03-23
Critical: Highly critical ...
Solution:
Disable Active Scripting support.
NOTE: The vendor is currently working on a patch...
Changelog:
2006-03-23: Added link to US-CERT vulnerability note. Added link to Microsoft Security Response Center Blog. Updated "Solution" section.
Original Advisory:
Microsoft Security Response Center Blog:
http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx
Other References:
US-CERT VU#876678:
http://www.kb.cert.org/vuls/id/876678 ..."
------------------------------------------
IE exploit on the loose... InfoCon to Yellow
- http://isc.sans.org/diary.php?storyid=1212
Last Updated: 2006-03-23 20:55:28 UTC
"...it didn't take long for the exploits to appear for that IE vulnerability. One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive... For that reason, we're raising Infocon to yellow for the next 24 hours..."
------------------------------------------
Microsoft Security Advisory (917077)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/917077.mspx
March 23, 2006
"Microsoft has confirmed new public reports of a vulnerability in Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. We have seen examples of proof of concept code but we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time...
Mitigating Factors:
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
This vulnerability could not be exploited automatically through e-mail or while viewing e-mail in the preview pane while using Outlook or Outlook Express Customers would have to click on a link that would take them to a malicious Web site, or open an attachment that could exploit the vulnerability.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights...
FAQs...
- Is this a security vulnerability that requires Microsoft to issue a security update? Yes. Microsoft will release an update for this issue in an upcoming security update release.
- What causes this threat? When Internet Explorer displays a Web page that contains certain unexpected method calls to HTML objects, system memory may be corrupted in such a way that an attacker could execute arbitrary code. Specifically, the public postings discuss a potential behavior in Internet Explorer in the way that HTML objects may handle an unexpected createTextRange() method call to an HTML object. A Web page that is specially crafted to exploit this vulnerability will cause Internet Explorer to fail. As a result of this, system memory may be corrupted in such a way that an attacker could execute arbitrary code..."
--------------------------------------------------------------------------
- http://secunia.com/advisories/18680/
Last Update: 2006-03-24
Critical: Extremely critical
...NOTE: Exploit code is publicly available...
--------------------------------------------------------------------------
- http://isc.sans.org/diary.php?storyid=1212
Last Updated: 2006-03-24 17:46:38 UTC
"Update: We just received a report that a particular site uses the "createTextRange" vulnerability to install a spybot variant. It is a minor site with insignificant visitor numbers according to Netcraft's 'Site rank'..."
--------------------------------------------------------------------------
:eek:
AplusWebMaster
2006-03-26, 06:20
FYI...
- http://isc.sans.org/diary.php?storyid=1221
Last Updated: 2006-03-26 02:35:18 UTC
"... There are several sites that have been compromised and now contain the exploit code. These sites all run the exploit code and get a file called ca.exe which in turn gets a file called calc.exe and installs it. It is calc.exe that we want to focus on briefly.
This malware installs a dll that is used as a Browser Helper Object (BHO) and also runscopies itself to directory you see below as nm32.exe and runs as a process. The malware creates the following on install:
C:\WINNT\fyt\mn32.dll
C:\WINNT\fyt\nm32.exe
C:\WINNT\fyt\~ipcfg636
C:\WINNT\fyt\~start636
C:\WINNT\fyt\~tmp636
C:\WINNT\fyt\~view636
It also creates one called sub.txt when you surf the internet and records everything that it can about where you surf and do and any information it can get... the individual seems to realize that folks are on to them. I'm pretty sure that the malware has just been changed since its easier to modify the malware and where it FTPs to than to go back to all the hacked sites..."
----------------------------------------------
Email attachment vector for IE createTextRange() Remote Command Execution
- http://isc.sans.org/diary.php?storyid=1222
Last Updated: 2006-03-26 14:24:42 UTC
"Do You Want To Open This File?
Just for the sake of clarity, there is an email attachment vector for this exploit that's not widely reported. I have not seen any reports of it being used at this time. MS's bulletin, in the FAQ's, in "Could this vulnerability be exploited through e-mail?", says it can be exploited if one "open(s) an attachment that could exploit the vulnerability." ISS obliquely says attacks may occur by "...simply embedding the required logic in specially crafted HTML emails.".
MS doesn't have a bulletin description specific to malicious email attachments, but one of their global workarounds includes prompting or disabling active scripting in the Local intranet security zone, which addresses a malicious attachment exploit in this situation. In addition, keeping gateway email AV sigs up to date is advisable..."
-----------------------------------------------
- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=451
March 26, 2006
"...To date we have discovered more than 200 unique URL's that are using the vulnerability to run exploit code. The most common is the use of shellcode to run a Trojan Horse downloader that downloads additional payload code over HTTP. The additional payload has been various forms of BOT's, Spyware, Backdoors, and other Trojan Downloader's. Our honeyclients are actively scanning for sites that are using this vulnerability to run code without user-interaction..."
----------------------------------
If you aren't using the Firefox browser, NOW would be a good time to start:
- http://www.mozilla.com/firefox/
----------------------------------
:eek: :eek: :eek:
AplusWebMaster
2006-03-29, 01:40
FYI...
MS Security Advisory 917077 (updated)
- http://www.microsoft.com/technet/security/advisory/917077.mspx
Updated: March 28, 2006
"...Microsoft has been carefully monitoring the attempted exploitation of the vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsofts intelligence sources indicate that the attacks are limited in scope at this time...
Microsoft is completing development of a cumulative security update for Internet Explorer that addresses the recent createTextRange vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the April security updates on April 11, 2006, or sooner as warranted.
Customers who follow the suggested actions and workarounds in this advisory are less likely to be compromised by exploitation of this vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code...
March 28, 2006: Advisory updated with information regarding additional security software protections, current limited scope of attacks, and the status of the Internet Explorer security update."
.
AplusWebMaster
2006-03-30, 19:52
FYI...
Microsoft Security Advisory (917077) updated (again)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/917077.mspx
Updated: March 29, 2006
"...Will the security update addressing this issue contain the changes detailed in Microsoft Security Advisory 912945 Non-Security Update for Internet Explorer?
Yes. However, to help enterprise customers who need more time to prepare for the update, Microsoft will be releasing a Compatibility Update, to be available the same day as the next IE Security Update. Once deployed, the Compatibility Update will temporarily return IE to the previous functionality for handling ActiveX controls. This Compatibility Update will function until an IE security update is released following the April security release, at which time the changes to the way Internet Explorer handles ActiveX controls will be permanent...
Revisions:
March 29, 2006: Advisory updated with an additional FAQ regarding Microsoft Security Advisory 912945*.
("ActiveX" changes * http://www.microsoft.com/technet/security/advisory/912945.mspx )
:scratch:
----------------------------------------------------
- http://www.techweb.com/article/printableArticle.jhtml?articleID=184417079&site_section=700028
March 30, 2006
"While users wait for Microsoft to patch the most recent zero-day vulnerability in Internet Explorer, security experts agree that the best way to protect PCs is to dump the browser's Active Scripting function. Even eEye Digital Security, one of two commercial security vendors that has released unsanctioned, temporary patches for the problem, said so. "Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation," eEye warned in the advisory accompanying the patch. Microsoft's preferred workaround for the createTextRange bug is to disable Active Scripting so as to bar any JavaScript code from running. In fact, this isn't the first time that Microsoft has urged users to switch off Active Scripting; in early December, it used the same advice when another unpatched vulnerability was wreaking havoc.
Here's how to turn off Active Scripting:
-- In Internet Explorer, click Internet Options on the Tools menu.
-- Click the Security tab.
-- Click Internet, and then click Custom Level.
-- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK.
-- Click Local intranet, and then click Custom Level.
-- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK.
-- Click OK two times to return to Internet Explorer.
Doing so, however, will break some sites and/or functions within sites, as Microsoft itself warned in the security advisory posted last week and updated Wednesday. "Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly," the advisory went. "If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly."
:eek:
---------------------------------------
- http://isc.sans.org/diary.php?storyid=1228
Last Updated: 2006-03-30 21:46:03 UTC
"...UPDATE 1: Some readers have written in to express their unhappiness that the non-security-related patch done for legal reasons is being released with the fix for the zero-day IE flaw. I agree. I don't like to see them together either. Consider your complaint on that registered with the ISC, not that we can do anything about it."
:(