View Full Version : 2006 MS Alerts - Q2
AplusWebMaster
2006-04-04, 01:53
FYI...
Microsoft Security Advisory (917077)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/917077.mspx
Updated: April 3, 2006
"...Microsoft will be releasing a Compatibility Patch (deployed like a Hotfix), to be available the same day as the Internet Explorer April Security Update. Once deployed, the patch will temporarily return Internet Explorer to the previous functionality for handling ActiveX controls. This patch will function until the June Internet Explorer cumulative Update is released at which time the changes to the way Internet Explorer handles ActiveX controls will be permanent..."
Revisions:
• April 3, 2006: Advisory updated to clarify that the Compatibility Patch will be replaced in the June update cycle..."
Microsoft Security Advisory (912945)
Non-Security Update for Internet Explorer
- http://www.microsoft.com/technet/security/advisory/912945.mspx
Updated: April 3, 2006
"...Microsoft will be releasing a Compatibility Patch. This Compatibility Patch will be available the same day as the next Internet Explorer Security Update. As soon as it is deployed, the Compatibility Patch will temporarily return Internet Explorer to the previous functionality for handling ActiveX controls. This Compatibility Patch will function until an Internet Explorer update is released as part of the June update cycle, at which time the changes to the way Internet Explorer handles ActiveX controls will be permanent..."
Revisions:
• April 3, 2006: Advisory updated to clarify that the Compatibility Patch will be replaced in the June update cycle..."
AplusWebMaster
2006-04-04, 23:26
FYI...
- http://secunia.com/advisories/19521/
Release Date: 2006-04-04
Critical: Less critical
Impact: Spoofing
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x
Description:
...The vulnerability is caused due to a race condition in the loading of web content and Macromedia Flash Format files (".swf") in browser windows. This can be exploited to spoof the address bar in a browser window showing a Flash file from a malicious web site.
NOTE: The impact of exploitation is reduced because the URL of the malicious Flash file is visible in the title of the browser window.
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. Other versions may also be affected.
Solution:
Disable Active Scripting support..."
-------------------------------------------------
- http://secunia.com/advisories/19521/
Last Update: 2006-04-06
Critical: Moderately critical ^
Impact: Spoofing
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x
Exploit code is out!...
Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (March edition). Other versions may also be affected...
Solution:
Disable Active Scripting support.
2006-04-06: Added CVE reference. Added information about Internet Explorer 7 Beta 2 Preview being affected."
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-1626
:( :eek:
AplusWebMaster
2006-04-07, 16:12
FYI...
- http://blogs.technet.com/msrc/archive/2006/04/06/424519.aspx
Published Thursday, April 06, 2006 7:14 PM
"...This coming Tuesday, the 11th, we’re planning to release five security bulletins, 4 for Windows and 1 that affects both Windows and Office. One of the Windows bulletins will be the cumulative Internet Explorer update that will address the "CreateTextRange" vulnerability..."
MS Security Bulletin Advance Notification - April 2006
- http://www.microsoft.com/technet/security/bulletin/advance.mspx
Updated: April 6, 2006
AplusWebMaster
2006-04-12, 00:42
FYI...
- http://www.techweb.com/article/printableArticle.jhtml?articleID=185300271&site_section=700028
April 11, 2006
"...What should users expect?
--- By default, IE will now consider embedded ActiveX content as inactive. Thus on unmodified sites, ActiveX content will not run. In other words, music won't play or a Flash component won't launch.
--- To activate an interactive ActiveX control, move the mouse over the content -- which now will be boxed -- and click on the pop-up tool tip dialog.
--- Alternately, users can press the Tab key until the focus is set on the content's box, then press either the spacebar or Enter key to activate.
--- Each control on each page must be manually activated in this way.
Adobe has posted a short Flash-based demo that shows the activation process. (Ironic note: If you're using IE -after- the Tuesday update has been applied, you must activate the Flash demo manually.)..."
* http://www.macromedia.com/devnet/activecontent/#captivate_before
"...User Experience in the Updated Internet Explorer
Microsoft has released updates to Internet Explorer that will change how it handles active content such as that viewed in Adobe’s Macromedia Flash Player, Authorware Player, Shockwave Player, and Adobe Reader, as well as Sun Java, Apple QuickTime, RealNetworks RealPlayer and other ActiveX controls.
Active content that is embedded in HTML pages in certain ways will not be able to receive user input (for example, keyboard or mouse events) until the user clicks to either activate or continue loading the control. To get more information on what types of interaction are blocked before the user clicks the content, see the MSDN article, Activating ActiveX Controls. To see what users are expected to experience when they view Flash content with the new browser, watch the following demo..." (...at the Macromedia URL above)
:confused:
AplusWebMaster
2006-04-12, 02:45
FYI...
- http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx
Published: April 11, 2006
...Critical (3)
Microsoft Security Bulletin MS06-013
Cumulative Security Update for Internet Explorer (912812)
- http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
Executive Summary: This update resolves several vulnerabilities in Internet Explorer that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution ...
>>> Caveats: Microsoft Knowledge Base Article 912812 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 912812:
- http://support.microsoft.com/kb/912812
>>> Compatibility Patch – To help enterprise customers who need more time to prepare for the ActiveX update changes discussed in Microsoft Knowledge Base Article 912945 and included in Microsoft Security Bulletin MS06-013, Microsoft is releasing a Compatibility Patch on April 11, 2006. As soon as it is deployed, the Compatibility Patch will temporarily return Internet Explorer to the previous functionality for handling ActiveX controls. This Compatibility Patch will function until an Internet Explorer update is released as part of the June update cycle, at which time the changes to the way Internet Explorer handles ActiveX controls will be permanent. This compatibility patch may require an additional restart for systems it is deployed on. For more information, see Microsoft Knowledge Base Article 917425:
- http://support.microsoft.com/kb/917425 ...
Microsoft Security Bulletin MS06-014
Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)
- http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
Executive Summary: This update resolves a vulnerability in MDAC that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Microsoft Security Bulletin MS06-015
Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)
- http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx
Executive Summary: This update resolves a vulnerability in Windows Explorer that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
...Important (1)
Microsoft Security Bulletin MS06-016
Cumulative Security Update for Outlook Express (911567)
- http://www.microsoft.com/technet/security/Bulletin/MS06-016.mspx
Executive Summary: This update resolves a vulnerability in Outlook Express that could allow an attacker to take complete control of the affected system. User interaction is required for an attacker to exploit this vulnerability.
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
...Moderate (1)
Microsoft Security Bulletin MS06-017
Vulnerability in Microsoft Front Page Server Extensions Could Allow Cross Site Scripting (917627)
- http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx
Executive Summary: This update resolves a cross-site scripting vulnerability in FrontPage Server Extensions that could allow an attacker to run script in the context of the locally logged on user. User interaction is required for an attacker to exploit this vulnerability.
Maximum Severity Rating: Moderate
Impact of Vulnerability: Remote Code Execution...
--------------------------
Notes...
[2] Critical security updates for these platforms (W98, W98SE, and WinME) will not be available concurrently with the other security updates provided as part of this security bulletin. They will be made available as soon as possible following the release. When these security updates are available, you will be able to download them only from the Windows Update Web site...
Revisions:
• V1.0 (April 11, 2006): Bulletin published...
====================================
FYI... (ISC Analysis)
- http://isc.sans.org/diary.php?compare=1&storyid=1257
Last Updated: 2006-04-11 23:27:12 UTC
"...Microsoft Security Bulletin Summary for April, 2006..."
(Way too much to post here - see the ISC URL.)
Article ID : 918165
Last Review : April 15, 2006
Revision : 1.0
SYMPTOMS
After you install security update MS06-015 (908531) (http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx), you may experience one or more of the following issues:
• Unable to access special folders like "My Documents" or "My Pictures".
• Microsoft Office applications may stop responding when you attempt to save or open Office files in the "My Documents" folder.
• Office files in the "My Documents" folder are not able to open in Microsoft Office.
• Opening a file through an application's File / Open menu causes the program to stop responding.
• Typing an address into Internet Explorer’s address bar has no effect.
• Right-clicking on a file and selecting Send To has no effect.
• Clicking on the plus (+) sign beside a folder in Windows Explorer has no effect.
• Some third-party applications stop responding when opening or saving data in the “My Documents” folder.
CAUSE
The MS06-015 security update package installs a new binary, VERCLSID.EXE, which validates shell extensions before they are instantiated by the Windows Shell or Windows Explorer. On some computers, VERCLSID.EXE stops responding. The following have been identified to cause VERCLSID.EXE to stop responding:
• Hewlett-Packard's Share-to-Web software. There have been reported issues where HP software causes the VERCLSID.EXE process to stop responding. In particular, HP's Share-to-Web Namespace Daemon (Hpgs2wnd.exe) which ships with:
  - HP PhotoSmart software
  - Any HP DeskJet printer that includes a card reader
  - HP Scanners
  - Some HP CD-DVD RWs
  - HP Cameras
  Share-to-Web Namespace Daemon can be found in the "C:\Program Files\hewlett-packard\hp share-to-web\hpgs2wnd.exe" folder. Share-to-Web is auto-started from both the Startup menu and the Run registry key.
• The VERCLSID.EXE process is flagged by Sunbelt Kerio Personal Firewall. Sunbelt Kerio Personal Firewall (http://www.sunbelt-software.com/Kerio.cfm) has a feature which flags any attempt by an application to launch another application for the user's approval. Kerio is flagging Explorer.exe's launch of VERCLSID.EXE. When this occurs, VERCLSID.EXE’s execution stops until the user clicks through Kerio's notification dialog. Users can configure Kerio to allow VERCLSID.EXE to execute without prompting.
RESOLUTION
• Hewlett-Packard's Share-to-Web software. The MS06-015 (908531) (http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx) security update includes a "white list"; VERCLSID.EXE will not scan any extension that appears on this list. Adding the HP shell extension corrects the problem. Manually edit the registry:
  1. Log on to the computer with an account with administrator privileges.
  2. Click the Start button and then click Run.
  3. Type Regedit and then click OK.
  4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
  5. Right-click "Cached", point to New, click "DWORD Value", and then enter: {A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401
  6. Set the Data of this value to 1
  7. Close the Registry Editor.
  8. Use Task Manager to end the Verclsid.exe process or restart the computer.
  Note: If other third-party COM controls or shell extensions are determined to cause this issue, the same method must be used to add the appropriate shell extension.
• VERCLSID.EXE process flagged by Sunbelt Kerio Personal Firewall. Kerio Personal Firewall users can configure Kerio to allow VERCLSID.EXE to execute without prompting.
It has not been determined if there are other third-party COM controls or shell extensions that may also cause this problem. If the steps above do not resolve your issue, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/directory/overview.asp (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fdirectory%2foverview.asp)
--------------------------------------------------------------------------------
APPLIES TO
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Small Business Server 2003 Premium Edition
Microsoft Windows Small Business Server 2003 Standard Edition
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1, when used with:
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Standard x64 Edition
Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003 R2 Datacenter x64 Edition
Microsoft Windows Server 2003 R2 Enterprise x64 Edition
Microsoft Windows Server 2003 R2 Standard x64 Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Microsoft Windows XP Home Edition
Microsoft Windows XP Media Center Edition 2002
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Media Center Edition 2005
Microsoft Windows XP Tablet PC Edition 2005
Microsoft Windows XP Professional x64 Edition
Microsoft BackOffice Small Business Server 2000 Service Pack 1
Microsoft Windows 2000 Service Pack 4, when used with:
Microsoft Small Business Server 2000 Standard Edition
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Service Pack 4
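The registry edit from the RESOLUTION steps of KB 918165 quoted above, scripted in PowerShell as an added example that is not part of the original post or of Microsoft's article. The key path, value name and data come from the quoted steps; the function names and the -ValueName parameter are hypothetical, chosen for this example.

```powershell
# Added example: scripted form of the manual registry edit quoted from KB 918165.
# Key path, value name and data (DWORD 1) are the ones given in the article;
# the function names and parameters are hypothetical, chosen for this example.
#Requires -Version 2.0

$CachedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached'
# HP Share-to-Web shell extension entry from the article's RESOLUTION section.
$HpShareToWebEntry = '{A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401'

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-VerclsidWhitelistValue {
    param([string]$ValueName)
    if (-not (Test-Path -LiteralPath $CachedKey)) { return $null }
    # RegistryKey.GetValue returns $null when the value does not exist.
    return (Get-Item -LiteralPath $CachedKey).GetValue($ValueName, $null)
}

function Add-VerclsidWhitelistEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ValueName = $HpShareToWebEntry)

    if (-not (Test-IsAdministrator)) {
        throw 'Run from an account with administrator privileges (first step of the article).'
    }
    # The article assumes the key exists; stop rather than create it if it does not.
    if (-not (Test-Path -LiteralPath $CachedKey)) {
        throw "Key not found: $CachedKey"
    }

    $current = Get-VerclsidWhitelistValue -ValueName $ValueName
    if ($current -eq 1) {
        Write-Output "Already whitelisted: $ValueName"
    }
    elseif ($PSCmdlet.ShouldProcess($CachedKey, "Set DWORD '$ValueName' = 1")) {
        # -Force overwrites a value of the same name that holds different data.
        New-ItemProperty -Path $CachedKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output "Added: $ValueName"
    }

    # Last step of the article: end a hung Verclsid.exe (restarting is the alternative).
    $hung = Get-Process -Name verclsid -ErrorAction SilentlyContinue
    if ($hung -and $PSCmdlet.ShouldProcess('verclsid.exe', 'Stop-Process')) {
        $hung | Stop-Process -Force
    }
}

# Dry run first; remove -WhatIf to apply the change.
Add-VerclsidWhitelistEntry -WhatIf
```

Because VERCLSID.EXE does not scan extensions on this list, pass -ValueName only for a shell extension that has been identified as causing the hang.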
AplusWebMaster
2006-04-18, 19:20
FYI...
- http://blogs.technet.com/msrc/default.aspx
posted Tuesday, April 18, 2006 1:43 AM by stepto
"Hi everyone, Mike Reavey here again. I wanted to follow up with the results of our investigation into some issues with security update MS06-015. Turns out that under certain circumstances, changes introduced in MS06-015 could cause an application to stop responding during specific interactions with older versions of Hewlett Packard’s “Share-to-web” software utility, or older NVIDIA video card drivers. In the case of the Hewlett Packard software, their new version known as “HP Image Zone Version 5” is not affected. Neither are the most recent NVIDIA graphics card drivers. So customers running these more recent versions are not affected by this issue. The current versions of the Hewlett Packard and NVIDIA software are available from the manufacturer websites.
To give you some idea of the scope of the problem, so far out of over 120 million successful installations of the MS06-015 update, the number of calls related to this issue is currently well under a thousand. Of course, even one customer having a problem is too many and that’s why we’ve been working on investigating this and determining solutions. We are also continuing to monitor the situation to measure scope and impact.
We’ve updated security bulletin MS06-015 to document this issue. In addition, we published knowledge base article 918165*, which details the older software this issue affects. We’ll be updating that soon to provide locations to the updated software that is unaffected by this issue. We’re working directly with the manufacturers of the affected software to assist customers.
So to be clear, customers who are running the latest NVIDIA drivers, or who are running the current version of the Hewlett Packard Image Zone software are not impacted. Customers who believe they are affected should upgrade to the latest versions of the affected software, or they can contact Microsoft Product Support Services for assistance. Contact Product Support Services in North America for help with security update issues at no charge using the PC Safety line (1-866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.
Meanwhile we're still looking at the best way to assist customers who may have been impacted by this and I encourage everyone to review KB article 918165* or contact us using the number above if they think they are having the problem..."
* http://support.microsoft.com/kb/918165/en-us
--------------------------------------------------------
Latest Microsoft Security Glitch Limited
- http://www.internetnews.com/security/article.php/3599756
April 18, 2006
"UPDATED: Microsoft said a limited range of consumer software is to blame for its latest security update unintentionally backfiring on Office and IE users. The update was among five the company released last week. Some analysts say the software giant's solution doesn't go far enough and is courting disaster. Digital photography software from HP and a personal firewall from Sunbelt Software rejected a new file Microsoft introduced as part of a security fix for a flaw in Windows Explorer. The glitch causes Office to stop saving and opening files and prevents IE from visiting Web pages. The problems reported appear limited to consumer-oriented software, Microsoft stresses on its security blog. MS06-015 included a new file, VERCLSID.EXE, which validates shell extensions before being used by Windows Explorer or Windows Shell. A vulnerability in Windows Explorer, which Microsoft deemed "important," allowed remote attackers to convince the shell to start HTML applications, thereby gaining total system control. However, the solution seems to be creating problems for some applications.
In explaining the glitch, Microsoft said HP's Share-to-Web software causes VERCLSID.EXE to stop responding. The software, used by HP's PhotoSmart software, HP DeskJet printers that include a card reader, HP cameras and scanners, as well as some HP CD-DVD burners, can also cause trouble for Windows Explorer and IE, according to Microsoft. Windows users may lose access to their "My Documents" and "My Pictures" folders. Office could stop opening or saving files in "My Documents". Attempting to open or save a document could cause Office to stop responding, according to Microsoft. Additionally, the problem causes typing an address into IE to have no effect. Also, users of Sunbelt's Kerio Personal Firewall will need to reconfigure that application to recognize the new Microsoft file. Without the change, the file is flagged and waits for user approval.
To resolve the issue, Microsoft is suggesting HP users manually edit the Windows registry "white list" included with the security update. The edit will instruct VERCLSID.EXE to not scan the HP shell extension. Microsoft had no comment beyond the blog posting, according to Pete Voss, a company spokesman. HP did not return a request for comment by press time. Although the software giant gives instructions, analysts warn the process isn't for the faint of heart.
Joe Wilcox, analyst with JupiterResearch, said a misstep could make Windows unusable. Although Microsoft says the scope of the glitch is limited to consumers, Wilcox said the type of applications -- digital imaging and security -- are more important. While a couple of applications are known today, many more could be found to be affected tomorrow, according to the analyst. "The possible interactions are immeasurable," Wilcox said. Still, Microsoft has made much of its new-found focus on security and editing the Windows registry is not enough in this case. "You have to release an updated patch," said Wilcox."
:(
AplusWebMaster
2006-04-21, 18:29
FYI...
MS to re-release MS06-015 patch
Microsoft Security Bulletin MS06-015
Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)
- http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx
Updated: April 20, 2006 ...
FAQ ...For customers who have already applied the update and are experiencing the problem related to the older Hewlett Packard Share-to-Web software, or older NVIDIA drivers prior to or including version 61.94, the revised update will be available through Windows Update and Microsoft Update. The targeted re-release will be automatically delivered to affected computers through Automatic Update if it has been enabled. The re-release will not be distributed to non-affected computers...
• V1.2 (April 20, 2006): Bulletin revised: FAQ Section updated to include information about an upcoming re-release of the security update."
--------------------
Re-release available:
Microsoft Security Bulletin MS06-015
Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)
- http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx
Updated: April 25, 2006
What updates does this release replace?
This security update replaces several prior security updates. The security bulletin IDs and affected operating systems are listed in the following table.
Bulletin ID    Windows 2000    Windows XP    Windows Server 2003
MS05-016       Not Replaced    Replaced      Replaced
MS05-008       Replaced        Replaced      Replaced
Does this update contain any security-related changes to functionality?
Yes. Besides the changes that are listed in the "Vulnerability Details" section of this bulletin, this update includes the following changes in security functionality:
• This security update introduces a new file, Verclsid.exe. Verclsid.exe is used to verify a COM object before it is instantiated by Windows Explorer.
• This security update includes a Defense in Depth change which ensures that prompting occurs consistently in Internet zone drag and drop scenarios...
Version: 2.0...
• V2.0 (April 25, 2006): Bulletin revised: This bulletin has been re-released to advise customers that revised versions of the security update are available for all products listed in the “Affected Software” section. Customers who have already applied the MS06-015 update who are not experiencing the problem need take no action. For additional information, see “Why did Microsoft reissue this bulletin on April 25, 2006.” in "Frequently asked questions (FAQ) related to this security update" section..."
-------------------------------
MS06-016 Patch 'Erases' Outlook Express Addresses...
- http://isc.sans.org/diary.php?storyid=1281
Last Updated: 2006-04-21 15:55:13 UTC
"There have been reports of problems with... MS06-016 where the Outlook Express address book disappears. In this case removal of the patch and the address book re-appears, however the other vulnerabilities the patch addresses come back..."
Also: http://www.techweb.com/wire/security/186500211
-------------------------------
Microsoft Security Bulletin MS06-016
Cumulative Security Update for Outlook Express (911567)
- http://www.microsoft.com/technet/security/bulletin/ms06-016.mspx
• V1.2 (April 26, 2006): Bulletin revised: “Caveats” section updated due to new issues discovered with the security update. Error message when you open the Windows Address Book or you open Outlook Express after you install cumulative security update..."
Problem resolution:
- http://support.microsoft.com/kb/911567 -and- http://support.microsoft.com/kb/917288/
:confused:
AplusWebMaster
2006-04-24, 22:17
FYI...
- http://www.techweb.com/article/printableArticle.jhtml?articleID=186700456&site_section=700028
April 24, 2006
"Microsoft's Internet Explorer, which was just patched with 10 fixes two weeks ago, suffers from yet another zero-day vulnerability that can be exploited remotely, security firm Symantec said Monday. In an alert to customers of its DeepSight threat system, Symantec cited a vulnerability first posted to the Bugtraq security mailing list* by researcher Michal Zalewski, who notes that IE is prone to memory corruption because of the way it handles malformed HTML. HTML content that contains nested tags without the corresponding closure tags, said Symantec's alert, can trigger the bug. "An attacker could exploit this issue via a malicious web page to potentially execute arbitrary code in the context of the currently logged-in user," said the advisory. "If the attack is successful, the executable content will be executed. Failed exploit attempts will likely crash the affected application"... A fully-patched version of IE 6 for Windows XP SP2 -- the most-secure production version of Microsoft's browser -- is open to the attack. ... While Zalewski has published HTML code that crashes the browser, no more-malicious exploit has yet been seen, said Symantec. Still, it warned IE users to run the browser in a non-administration user account, stay away from questionable Web sites, and disable HTML in e-mail clients, since an attack could also be launched by getting users to preview HTML-based messages. Symantec rated the new zero-day vulnerability with an overall threat score of 7.5 out of a possible 10..."
* http://www.securityfocus.com/archive/1/431796
------------------------------------------------------------
- http://secunia.com/advisories/19762/
Release Date: 2006-04-25
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x ...
Solution:
Do not visit untrusted web sites... "
------------------------------------------------------------
Correction to "Security Tracker" reference:
The "Security Tracker" post regarding this bug was one of 3 posted for IE on 4.27.2006:
- http://securitytracker.com/archives/target/49.html
------------------------------------------------------------
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1992
Last revised: 4/26/2006
Source: US-CERT/NIST
Overview
mshtml.dll 6.00.2900.2873, as used in Microsoft Internet Explorer, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via nested OBJECT tags, which trigger invalid pointer dereferences including NULL dereferences.
Impact
CVSS Severity: 8.0 (High)
Range: Remotely exploitable
Authentication: Not required to exploit
Impact Type: Provides user account access, Allows disruption of service..."
:eek:
AplusWebMaster
2006-04-28, 22:38
FYI...(MS updates per US-CERT)
"Summary of Security Items from April 20 through April 26, 2006
- http://www.us-cert.gov/cas/bulletins/SB06-117.html#win6
> Microsoft Outlook Express
- http://www.microsoft.com/technet/security/bulletin/ms06-016.mspx
V1.2: Revised due to issues discovered with the security update...
> Microsoft Windows Explorer
- http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx
V2.0: Revised to inform customers that revised versions of the security update are available.
> Microsoft Internet Explorer 6.0 SP2
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1992
Last revised: 4/26/2006
Source: US-CERT/NIST
Overview
mshtml.dll 6.00.2900.2873, as used in Microsoft Internet Explorer, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via nested OBJECT tags, which trigger invalid pointer dereferences including NULL dereferences.
Impact
CVSS Severity: 8.0 (High)
Range: Remotely exploitable
Authentication: Not required to exploit
Impact Type: Provides user account access, Allows disruption of service..."
:confused:
AplusWebMaster
2006-05-09, 21:20
FYI...
- http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx
Published: May 9, 2006
Version: 1.0
Critical (2)
Microsoft Security Bulletin MS06-019
Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)
- http://www.microsoft.com/technet/security/bulletin/ms06-019.mspx
...Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical...
Affected Software:
• Microsoft Exchange Server 2000 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004 (870540)
• Microsoft Exchange Server 2003 Service Pack 1
• Microsoft Exchange Server 2003 Service Pack 2...
Microsoft Security Bulletin MS06-020
Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (913433)
- http://www.microsoft.com/technet/security/bulletin/ms06-020.mspx
...Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical...
Affected Software:
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)...
Moderate (1)
Microsoft Security Bulletin MS06-018
Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
- http://www.microsoft.com/technet/security/bulletin/ms06-018.mspx
Impact of Vulnerability: Denial of Service
Maximum Severity Rating: Moderate...
Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
• Microsoft Windows Server 2003
• Microsoft Windows Server 2003 for Itanium-based Systems...
Revisions:
• V1.0 (May 9, 2006): Bulletin published..."
-----------------------------------------
ISC Analysis:
MS06-019 (Critical)
- http://isc.sans.org/diary.php?storyid=1322
Last Updated: 2006-05-09 18:32:46 UTC
"...Exchange admins you will have your hands full, especially if you are running your own RIM/Blackberry Enterprise Server. Please read the earlier entry*... for details on the "gotcha" there. This vulnerability allows for remote code execution and is critical that it be patched.
* http://www.isc.sans.org/diary.php?storyid=1320
MS06-020 (Critical)
- http://isc.sans.org/diary.php?storyid=1323
Last Updated: 2006-05-09 18:05:03 UTC
"...This bulletin addresses flaws in older versions of Adobe's flash player. Both have been fixed for a while by Adobe. In case you haven't yet, this is your last chance to update the Adobe Flash player. MS06-020 patched this vulnerability as well. However, it only patched Flash Player 7 (or 8). If a user had initially Flashplayer 6 installed, MS06-020 was not applied. As a result, a user may have installed 7 or 8 later, and ended up vulnerable as a result. See the KB article above for details ( http://support.microsoft.com/kb/913433 ). The "safe" version is 8.0.24.0 (this is currently the most recent version)... This patch should be applied fast on all desktops. You may be able to wait a bit on servers, or you could just uninstall the flash player on servers (if you never use them to browse)..."
MS06-018 (Moderate)
- http://isc.sans.org/diary.php?storyid=1321
Last Updated: 2006-05-09 18:32:27 UTC
"...This update patches two vulnerabilities in MSDTC (CVE-2006-0034, CVE-2006-1184). Both represent a denial of service in MSDTC which can be exploited locally or remotely with malformed messages. This vulnerability is listed as moderate for Windows 2000 versus Low for XP and 2003 because MSDTC is enabled by default on that platform. The severity is the same on the other platforms when the service is running..."
AplusWebMaster
2006-05-11, 15:10
FYI...
- http://www.techweb.com/article/printableArticle.jhtml?articleID=187202025&site_section=700028
May 10, 2006
"...Problems with the MS06-020 update -- the one tagged as "critical" that patched flawed Flash Players -- drove many to mark complaints on the Windows Update newsgroup. Threads with titles such as "Security Update for Flash Player," and "Flash Player" contain a slew of grievances, most of them remarking about repeated failures of the patch to install. Microsoft is aware of the problem, which it dubbed a "known issue" in a support document* posted Wednesday. The document offers a workaround that requires users to delete a pair of Flash-related files, then manually download and install the Player update. The problem, Microsoft said, involves a PC's specific history with Flash. If, for instance, a user had installed Flash Player 7 or 8 on a machine that previously had version 6, then later uninstalled version 7 or 8, Windows Update will repeatedly offer the update, and display the error "The version of Macromedia Flash you have installed does not match the update you are trying to install." ...Buried in the FAQ section of MS06-020 is a paragraph that spells it out for Windows 98 and Millennium users... Even some users who followed the rules, however, were nonplussed. "I had already gotten [updated Flash Player version] 8.0.r24 from [Adobe's] site a while ago, but Windows Update still tried to patch me up," wrote Kevin Hobbs in an e-mail to TechWeb. "Go figure..."
* http://support.microsoft.com/default.aspx/kb/913433?
AplusWebMaster
2006-05-23, 13:30
FYI...
Microsoft Security Advisory (919637)
Vulnerability in Word Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/919637.mspx
Published: May 22, 2006
"Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Word XP and Microsoft Word 2003. In order for this attack to be carried out, a user must first open a malicious Word document attached to an e-mail or otherwise provided to them by an attacker. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.
Microsoft is completing development of a security update for Microsoft Word that addresses this vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted.
Microsoft is concerned that this new report of a vulnerability in Word was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed..."
-----------------------------------------------
Update on Word 0-Day Issue
- http://isc.sans.org/diary.php?storyid=1351
Last Updated: 2006-05-23 03:25:51 UTC
"Microsoft and Eeye have each released advisories related to the issue this evening.
Microsoft's security advisory can be found here: http://www.microsoft.com/technet/security/advisory/919637.mspx
Eeye's advisory can be found here: http://www.eeye.com/html/resources/newsletters/alert/pub/AL20060523.html?sb=kwkbmvamunbmvambckmn
The information about vulnerable exploits differs a little between the two advisories. Microsoft says the vulnerability only affects Word 2002/XP and Word 2003 and that Word 2000 is not vulnerable. The Microsoft advisory contains information on workarounds including not using Word as the default mail editor in Outlook and running Word in 'Safe Mode' to disable the functionality that is affected by the vulnerability and exploit.
Eeye says that the vulnerability affects Word 2000 as well. The Eeye advisory mentions that they believe there are two variants of this exploit. Thus, it may be that the first variant only affects Word 2002/XP and 2003 and the second variant affects all three versions."
AplusWebMaster
2006-06-08, 21:34
FYI...
- http://www.microsoft.com/technet/security/bulletin/advance.mspx
Updated: June 8, 2006
"On 13 June 2006 Microsoft is planning to release:
Security Updates
• Nine Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
Note that, as discussed in Microsoft Security Bulletin MS06-013, with the release of one of these bulletins, support for the compatibility patch discussed in Microsoft Knowledge Base Article 917425 will cease.
This means that all users who apply this security update will receive the ActiveX update discussed in Microsoft Knowledge Base Article 912945 regardless of whether or not they have applied the compatibility patch discussed in Microsoft Knowledge Base Article 917425.
Administrators are encouraged to review the following articles prior to release and take appropriate steps for their environment:
• Microsoft Security Advisory 912945 – Non-Security Update for Internet Explorer
• Microsoft Knowledge Base Article 912945
• Microsoft Knowledge Base Article 917425
• Information for Developers about Internet Explorer
• One Microsoft Security Bulletin affecting Microsoft Exchange. The highest Maximum Severity rating for this is Important. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
Note that this update will include the functionality change discussed in Microsoft Knowledge Base Article 912918. Administrators are urged to review this Knowledge Base article prior to release and take steps appropriate for their environment.
• Two Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
Microsoft Windows Malicious Software Removal Tool
• Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS
• Microsoft will release 1 NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
• Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."
--------------------------------------------------------------
Additional info w/links:
- http://blogs.technet.com/msrc/archive/2006/06/08/434186.aspx
AplusWebMaster
2006-06-09, 18:30
FYI...
- http://www.eweek.com/article2/0,1759,1974100,00.asp?kc=EWRSS03129TX1K0000614
June 8, 2006
"Malicious hackers are actively exploiting a flaw patched by Microsoft in its April batch of bulletins to hijack computers for use in botnets, according to a warning from malware hunters. Researchers at Exploit Prevention Labs, an Atlanta-based Internet security outfit, said several bot-seeding scripts are targeting the MDAC (Microsoft Data Access Components) flaw covered in the software maker's MS06-014* bulletin. ... the MDAC exploits present a serious threat to corporate Windows users who have not yet deployed the patch. "Some businesses take a long time to completely install all patches. In some cases, they are six months behind"... Windows users using Automatic Updates to apply patches should be safe, but because it's a Web-based exploit, enterprise IT departments should avoid depending entirely on firewalls for protection..."
* http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
AplusWebMaster
2006-06-13, 21:20
FYI...
- http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx
"Published: June 13, 2006
Version: 1.0...
--------------------
Critical (8)
--------------------
Microsoft Security Bulletin MS06-021
Cumulative Security Update for Internet Explorer (916281)
- http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Caveats:
• Microsoft Knowledge Base Article 916281 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 916281.
• Microsoft is releasing an additional security update included with Microsoft Security Bulletin MS06-023: Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344). We recommend that you install both security updates at the same time as an update in Microsoft Security Bulletin MS06-021: Cumulative Security Update for Internet Explorer (916281) could expose the JScript vulnerability or cause application compatibility issues.
• This security update also replaces the cumulative update for Internet Explorer that was released on February 28, 2006. For more information about this update, see Microsoft Knowledge Base Article 912945.
• This security update also replaces the compatibility patch released on April 11, 2006. That compatibility patch temporarily returned Internet Explorer to the previous functionality for handling ActiveX controls, to help enterprise customers who needed more time to prepare for the ActiveX update changes discussed in Microsoft Knowledge Base Article 912945. This security update replaces that compatibility patch, and makes the changes in Microsoft Knowledge Base Article 912945 permanent. For more information about these changes, see Microsoft Knowledge Base Article 912945 and the product documentation...
Microsoft Security Bulletin MS06-022
Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439)
- http://www.microsoft.com/technet/security/Bulletin/MS06-022.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical...
Microsoft Security Bulletin MS06-023
Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344)
- http://www.microsoft.com/technet/security/Bulletin/MS06-023.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical...
Microsoft Security Bulletin MS06-024
Vulnerability in Windows Media Player Could Allow Remote Code Execution (917734)
- http://www.microsoft.com/technet/security/Bulletin/MS06-024.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical...
Microsoft Security Bulletin MS06-025
Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
- http://www.microsoft.com/technet/security/Bulletin/MS06-025.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical...
Microsoft Security Bulletin MS06-026
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (918547)
- http://www.microsoft.com/technet/security/Bulletin/MS06-026.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical...
Microsoft Security Bulletin MS06-027
Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336)
- http://www.microsoft.com/technet/security/Bulletin/MS06-027.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical...
Microsoft Security Bulletin MS06-028
Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (916768)
- http://www.microsoft.com/technet/security/Bulletin/MS06-028.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical...
--------------------
Important (3)
--------------------
Microsoft Security Bulletin MS06-029
Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (912442)
- http://www.microsoft.com/technet/security/Bulletin/MS06-029.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important...
Microsoft Security Bulletin MS06-030
Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389)
- http://www.microsoft.com/technet/security/Bulletin/MS06-030.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important...
Microsoft Security Bulletin MS06-032
Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)
- http://www.microsoft.com/technet/security/Bulletin/MS06-032.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important...
--------------------
Moderate (1)
--------------------
Microsoft Security Bulletin MS06-031
Vulnerability in RPC Mutual Authentication Could Allow Spoofing (917736)
- http://www.microsoft.com/technet/security/Bulletin/MS06-031.mspx
Impact of Vulnerability: Spoofing
Maximum Severity Rating: Moderate...
--------------------
...Revisions:
• V1.0 (June 13, 2006): Bulletin published..."
=====================================
ISC Analysis:
- http://isc.sans.org/diary.php?storyid=1404
Last Updated: 2006-06-13 20:48:25 UTC
"...
* MS06-021 Cumulative patch for Internet Explorer - Critical
- http://isc.sans.org/diary.php?storyid=1400
* MS06-022 ART image library buffer overflow - Critical
- http://isc.sans.org/diary.php?storyid=1401
* MS06-023 Microsoft JScript memory corruption - Critical
- http://isc.sans.org/diary.php?storyid=1402
* MS06-024 Windows media player - Critical
- http://isc.sans.org/diary.php?storyid=1406
* MS05-025 RRAS - Critical
- https://isc.sans.org/diary.php?storyid=1409
* MS06-026 Graphics rendering engine remote code execution - Critical
- http://isc.sans.org/diary.php?storyid=1403
(** This vulnerability ONLY applies to Windows 98, 98SE, and ME... Windows 2000, XP and beyond are not vulnerable **)
* MS06-027 Word remote code execution - Critical
- http://isc.sans.org/diary.php?storyid=1405
* MS06-028 Powerpoint remote code execution - Critical
- http://isc.sans.org/diary.php?storyid=1407
* MS06-029 Exchange - Important
- http://isc.sans.org/diary.php?storyid=1414
* MS06-030 SMB privilege escalation - Important
- http://isc.sans.org/diary.php?storyid=1412
* MS06-031 RPC mutual authentication spoofing - Moderate
- http://isc.sans.org/diary.php?storyid=1413
* MS06-032 IP source routing allows remote code execution - Important
- http://isc.sans.org/diary.php?storyid=1410
...also re-released one: * MS06-011
- http://isc.sans.org/diary.php?storyid=1408 ..."
.
AplusWebMaster
2006-06-14, 19:18
FYI...
- http://isc.sans.org/diary.php?storyid=1415
Last Updated: 2006-06-14 11:31:15 UTC
"After yesterday's patchday, we started to receive a number of reports about newly released exploits for vulnerabilities announced on Tuesday. Here is a quick list of what we have seen so far:
MS06-024: Windows Media Player.
Exploit released by penetration testing vendor to customers.
MS06-025: RRAS
Exploit released by penetration testing vendor to customers.
MS06-027: Word remote code execution
Exploit available -before- release of patch.
MS06-030: SMB Privilege Escalation.
Two exploits released to the public.
MS06-032: IP Source Routing Exploit.
DoS exploits released privately (trivial exploit) ..."
==========================================
- http://www.techweb.com/article/printableArticle.jhtml?articleID=189401307&site_section=700028
June 14, 2006 (5:41 PM EDT)
"Although security experts said Tuesday that the previous day's patching of 21 Microsoft vulnerabilities shouldn't present users with any major threats, closer examination of the updates a day later indicates different. Exploits or proof-of-concept code samples are already available for more than a third of the patched bugs... VeriSign iDefense also noted that almost 20 percent (4 out of 21) of the patches fixed bugs that had previously been disclosed in public forums. Two of the four went public in May and one in April, but the fourth harks back to December 2005..."
AplusWebMaster
2006-06-18, 06:09
FYI...
- http://isc.sans.org/diary.php?compare=1&storyid=1423
Last Updated: 2006-06-17 20:55:03 UTC
"...UPDATE: We received an email from one of our readers today indicating that the MS06-025 update is causing problems with the iPassConnect program. I would recommend if you are using the iPassConnect program then test with the update before rolling the update out."
- http://blogs.technet.com/msrc/archive/2006/06/17/436882.aspx
- http://support.microsoft.com/kb/911280
Last Review: June 17, 2006
Revision: 1.1 ...
"Known Issues
• An issue has been confirmed involving dial-up connections which use the terminal window or dial-up scripting. Dial-up terminal windows or scripting is an older technology rarely used by most modern dial-up connections. If dial-up scripting is used in a connection, the connection may stop responding. This does not affect any dial-up connections that do not use dial-up scripting. This issue may affect direct dial connections to a corporate or university network or to some ISPs (Internet Service Providers). Microsoft is working on developing and testing a revision to this update which will address this issue. If you need to use these dial-up scripting or terminal window features do not install security update MS06-025 (KB911280) until the revised version is available. More information on dial-up scripting can be found at http://www.microsoft.com/technet/archive/winntas/proddocs/network/xns10.mspx . Virtual private network (VPN) connections are not affected by this issue; dial-up scripting is not supported in VPN scenarios..."
========================================
EDIT/ADD:
- http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx
"V1.1 (June 19, 2006): FAQ and Vulnerability Details sections updated to provide clarification on affected RASMAN component. Caveats section updated to include known issues.
V1.2 (June 21, 2006): Bulletin updated to provide additional differentiation between RRAS, RAS, and RASMAN components."
- http://support.microsoft.com/kb/911280
Last Review: June 20, 2006
Revision: 3.0
"...If you must use dial-up scripting or terminal window features, do not install security update 911280 (MS06-025) until the revised version is available*..."
*(Currently still -un-available.)
AplusWebMaster
2006-06-20, 00:25
FYI...
Microsoft Security Advisory (921365)
Vulnerability in Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/921365.mspx
Published: June 19, 2006
"Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac. In order for this attack to be carried out, a user must first open a malicious Excel file attached to an e-mail or otherwise provided to them by an attacker. Opening the Excel document out of email will prompt the user to be careful about opening the attachment. As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Microsoft has added detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit this vulnerability. Microsoft is also actively sharing information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks...
Mitigating Factors for Microsoft Excel Remote Code Execution Vulnerability:
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
• On Excel 2002 and Excel 2003, the vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must accept a prompt confirming that they Open, Save or Cancel the attachment that is sent in an e-mail message before the exploit could occur.
• This vulnerability could not be exploited automatically through a Web-based attack scenario. An attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
Note: Excel 2000 does not prompt the user to Open, Save, or Cancel before opening a document..."
=====================================
EDIT/ADD:
MS Office Long Link Buffer Overflow Vuln
- http://secunia.com/advisories/20748/
Release Date: 2006-06-20
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software:
Microsoft Excel 2000, Microsoft Excel 2002, Microsoft Excel 2003, Microsoft Excel Viewer 2003, Microsoft Office 2000, Microsoft Office 2003 Professional Edition, Microsoft Office 2003 Small Business Edition, Microsoft Office 2003 Standard Edition, Microsoft Office 2003 Student and Teacher Edition, Microsoft Office XP ...
...The vulnerability is caused due to a boundary error in hlink.dll within the handling of Hyperlinks in e.g. Excel documents. This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted Hyperlink in a malicious Excel document. Successful exploitation allows execution of arbitrary code. The vulnerability has been confirmed in Microsoft Excel 2003 SP2 (fully updated). Other versions and Office products may also be affected.
NOTE: Secunia is currently not aware of this vulnerability being actively exploited and working exploit code is not currently publicly available. However, the vulnerability is quite simple to exploit and it is therefore likely that exploit code is published soon.
Solution:
Do not open untrusted Microsoft Office documents.
Do not follow links in Microsoft Office documents..."
- http://isc.sans.org/diary.php?storyid=1432
Last Updated: 2006-06-20 17:34:08 UTC
"...the organizations that really need to be concerned about 0day are the ones responsible for protecting military/government assets, financial institutions, and critical infrastructure agencies. Since you know 0day exists and if you are a target, what are you doing to protect yourself? How do you protect against, detect, and respond to unknown vulnerabilities?
For the rest of the folks out there (small/medium businesses, hobbyists)... Should you worry about 0day? Usually not, but if you have all the other critical security components in place then go ahead... There is also a good list of commercial products for Windows... here: http://isc.sans.org/diary.php?storyid=635
In summary, you should expect 0day to be alive and well for your favorite operating systems, daemons, and applications. And if it concerns you, then do something about it instead of waiting to get smacked with it later. You will sleep better at night and not be frustrated at your favorite software vendor when they take 6+ months to patch simple little vulnerabilities."
Suggested reads:
- http://isc.sans.org/diary.php?storyid=635
- Data Execution Protection (DEP): http://support.microsoft.com/kb/875352
========================================
EDIT/ADD:
Microsoft Hyperlink Object Library stack buffer overflow
- http://www.kb.cert.org/vuls/id/394444
Last Updated: 06/21/2006
"...The Problem
There is a stack-based buffer overflow in the Microsoft Hyperlink Object Library. The overflow may be triggered by clicking a specially crafted hyperlink. Note that any program that links to the HLINK.DLL library may be vulnerable, including Microsoft Office applications. Exploit code for this vulnerability is publicly available...
Solution: There is currently no patch or update to correct this problem. Until a solution is available, refer to the workaround below.
- Do not follow unsolicited hyperlinks
- Do not click on unsolicited links received in email or embedded in Office documents. Exploitation of this vulnerability requires a user to click a specially crafted link. By only accessing hyperlinks from known and trusted sources, the chances of exploitation are reduced..."
AplusWebMaster
2006-06-22, 23:17
FYI...
- http://www.techweb.com/article/printableArticle.jhtml?articleID=189600616&site_section=700028
June 22, 2006
...Excel 'Shockwave Flash Object' Lets Remote Users Execute Code...
- http://www.securitytracker.com/alerts/2006/Jun/1016344.html
CVE Reference: CVE-2006-3014 ...
Date: Jun 20 2006
Impact: Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Description: A vulnerability was reported in Microsoft Excel. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can create an Excel file that includes a malicious Flash file embedded using the Excel 'Shockwave Flash Object' function. When the target user opens the Excel file, the Flash code will execute automatically without user interaction. The code will run with the privileges of the target user. The vendor was notified on May 3, 2006...
Impact: A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: No solution was available at the time of this entry.
Microsoft indicates that customers can set ActiveX control kill bits to prevent the observed behavior. Information on setting kill bits is available at: http://support.microsoft.com/kb/240797/EN-US/ ..."