2006 MS Alerts - Q3



AplusWebMaster
2006-07-11, 20:09
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms06-jul.mspx?pf=true
Published: July 11, 2006
... Summary ...

--- Critical (5) ---

Microsoft Security Bulletin MS06-035
Vulnerability in Server Service Could Allow Remote Code Execution (917159)
- http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
This update resolves two vulnerabilities in the Server service, the most serious of which could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-036
Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)
- http://www.microsoft.com/technet/security/bulletin/ms06-036.mspx
This update resolves a vulnerability in the DHCP Client service that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-037
Vulnerability in Microsoft Excel Could Allow Remote Code Execution (917285)
- http://www.microsoft.com/technet/security/bulletin/ms06-037.mspx
This update resolves several vulnerabilities in Excel, the most serious of which could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-038
Vulnerability in Microsoft Office Could Allow Remote Code Execution (915384)
- http://www.microsoft.com/technet/security/bulletin/ms06-038.mspx
This update resolves two vulnerabilities in Office, the most serious of which could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-039
Vulnerability in Microsoft Office Could Allow Remote Code Execution (915384)
- http://www.microsoft.com/technet/security/bulletin/ms06-039.mspx
This update resolves two vulnerabilities in Office, the most serious of which could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

--- Important (2) ---

Microsoft Security Bulletin MS06-033
Vulnerability in ASP.NET Could Allow Information Disclosure (917283)
- http://www.microsoft.com/technet/security/bulletin/ms06-033.mspx
This vulnerability could allow an attacker to bypass ASP.Net security and gain unauthorized access to objects in the Application folder explicitly by name. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce useful information that could be used to try to further compromise the affected system.
Maximum Severity Rating: Important
Impact of Vulnerability: Information Disclosure

Microsoft Security Bulletin MS06-034
Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)
- http://www.microsoft.com/technet/security/bulletin/ms06-034.mspx
This vulnerability could allow an attacker to take complete control of an affected system. Note that the attacker must have valid logon credentials, but if a server has been purposely configured to allow users, either anonymous or authenticated, to upload web content such as .ASP pages to web sites, the server could be exploited by this vulnerability.
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution

...Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind..."
============================

FYI... ISC analysis:

- http://isc.sans.org/diary.php?storyid=1473
Last Updated: 2006-07-11 20:57:16 UTC
"MS06-034 - This patch fixes what seems to be a buffer overflow in IIS. This buffer overflow can be exploited when IIS is processing ASP files. In other words, in order to exploit this vulnerability, an attacker has to somehow be able to upload ASP files on the target server, which is running IIS (versions 5.0, 5.1 and 6.0 are affected). Normally, you would require a user to authenticate before they can upload files to the server, so the vulnerability is rated moderate/important. In case that you do allow people to upload ASP files on your IIS server, it would be wise to apply the patch as soon as possible, although we don't know about any public exploits yet.
Microsoft's advisory is at http://www.microsoft.com/technet/security/Bulletin/MS06-034.mspx
CVE at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0026 ..."

- http://isc.sans.org/diary.php?storyid=1471
Last Updated: 2006-07-11 20:40:21 UTC
"MS06-035 (CVE-2006-1314) looks to be the most dangerous of the vulnerabilities announced this month, specifically the Mailslot heap overflow. The vulnerability can be exploited remotely against the "Server" service. So this would definitely be something that could be used for widespread compromise with no user interaction, or a worm.
Looks like Windows 2000 SP4 is vulnerable by default. Windows XP SP2 and Server 2003 don't appear to be vulnerable with a default installation unless services are listening on Mailslots. At this point, it is unclear exactly what software would enable Mailslots to create a vulnerable condition.
So how long before exploit code is available? Well, clever readers will have noticed that Pedram Amini and H D Moore are credited with discovering this vulnerability (the Mailslot heap overflow). Those guys are some of the best in the business, so you do the math... I'm guessing that they have had reliable exploit code working for a while now... You should probably make this your top priority in patching."

- http://isc.sans.org/diary.php?storyid=1472
Last Updated: 2006-07-11 20:28:16 UTC by Patrick Nolan (Version: 1)
"MS06-036 has been issued, MS has said systems "Primarily" at risk are Microsoft Windows 2000, Windows XP and Windows Server 2003... An attacker could exploit the vulnerability by answering a client's DHCP request on the local subnet with malformed packets... An attacker could try to exploit this vulnerability over the Internet... Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical... CVE-2006-2372"

- http://isc.sans.org/diary.php?storyid=1474
Last Updated: 2006-07-11 21:10:31 UTC
"MS06-037 - ...This update resolves several public, privately reported, and newly discovered vulnerabilities. All of these state that a remote code execution vulnerability exists in Excel dealing with each of the identified items. The only workaround suggested and tested is to NOT open attachments from untrusted sources. I guess that means, PATCH. Microsoft states: "When using vulnerable versions of Office, if a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the client workstation. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.""

- http://isc.sans.org/diary.php?compare=1&storyid=1475
Last Updated: 2006-07-11 21:54:43 UTC
"MS06-038 - ...It appears that all of the Microsoft Office 2000, 2002, 2003 programs are affected. Not affected is Works applications. Summary: This is another remote code execution problem and appears to impact Office 2000 applications the worst, leading to a critical assessment. The other versions of Office identified as vulnerable are listed as important for all three of the CVEs... In all three cases the only tested workaround is NOT to open attachments from untrusted sources. I guess that means to apply the patch ASAP."

- http://isc.sans.org/diary.php?storyid=1476
Last Updated: 2006-07-11 21:59:39 UTC
"MS06-039 - ...This patch fixes two vulnerabilities in all Microsoft Office products (Office 2000, XP, 2003 are affected, as well as Project 2000, 2002 and Microsoft Works 2004, 2005, 2006). Microsoft Office for Mac is not affected. The vulnerabilities can be exploited by crafting special GIF or PNG graphic files. In both cases the user needs to open the file so, while this vulnerability cannot be exploited automatically through e-mail, it is still very easy to get a user into opening a file. It is worth mentioning that, when the file is hosted on a web site, Office 2000 does not prompt the user before opening the document (which means that it's enough for a user to click on a link leading to the file). As the only workarounds are not to open or save files "you receive from un-trusted sources or that you received unexpectedly from trusted sources" you should patch as soon as possible.
MS advisory is at http://www.microsoft.com/technet/security/Bulletin/MS06-039.mspx .
CVEs are at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0033 and http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0007 ."
===============================================

> http://www.us-cert.gov/cas/techalerts/TA06-192A.html


AplusWebMaster
2006-07-12, 21:08
FYI...

- http://secunia.com/advisories/20686/
Release Date: 2006-06-16
Last Update: 2006-07-12
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch...
NOTE: This vulnerability is a so-called 0-day and is already being actively exploited.
Successful exploitation of the vulnerabilities allows execution of arbitrary code...
Solution: Apply patches...
Advisory:
MS06-037 (KB917285): http://www.microsoft.com/technet/security/Bulletin/MS06-037.mspx ...

============================

Microsoft Security Advisory (921365)
Vulnerability in Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/921365.mspx
Updated: July 11, 2006
"...We have issued MS06-037* to address this issue..."

* http://www.microsoft.com/technet/security/bulletin/ms06-037.mspx


AplusWebMaster
2006-07-15, 12:58
FYI...

- http://www.techweb.com/wire/security/190400030
July 13, 2006
"An unpatched bug in Microsoft's PowerPoint presentation maker is being exploited by an in-the-wild attack, Symantec researchers said Thursday, marking the latest bad news for Office users. According to the Cupertino, Calif. security vendor's threat analysis team, attacks are currently under way using an unpatched vulnerability in PowerPoint. If the "zero-day" attack is successful, the hacker gains complete control of the compromised computer. The attack is carried out by a Trojan horse with the moniker "PPDDropper.b"* which hides inside a malicious PowerPoint file attached to an e-mail with a Google Gmail return address. PPDDropper.b, in turn, drops a backdoor component, dubbed "Bifrose.e" by Symantec. Bifrose.e then injects a malicious routine into Windows' EXPLORER.EXE process, and overwrites the malformed PowerPoint file with a new, clean presentation document... That part of the process is identical to one used last month by a now-patched Excel attack... Unlike the Excel bug, the PowerPoint flaw -- confirmed only in PowerPoint 2003 thus far -- remains open to attack..."
* http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-071212-4413-99
Trojan.PPDropper.B
Risk Level 1: Very Low
"...It spreads by exploiting an undocumented Microsoft Powerpoint Remote Code Execution Vulnerability using a malformed string..."
MSRC blog - Information on the recent Powerpoint vulnerability
- http://blogs.technet.com/msrc/archive/2006/07/14/441893.aspx
"...We’ll be documenting this through the weekend in the form of a security advisory and will post it as soon as we are confident in the protection steps (we’re targeting Monday morning)..."
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3590
Assigned (20060714)
"...Unspecified vulnerability in mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows remote user-complicit attackers to execute arbitrary commands via a crafted PPT file, which causes a "memory corruption error..."
- http://www.kb.cert.org/vuls/id/936945
- http://secunia.com/advisories/21040/
Release Date: 2006-07-14
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
===========================================
Microsoft Security Advisory (922970)
Vulnerability in PowerPoint Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/922970.mspx
Published: July 17, 2006
"Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft PowerPoint 2000, Microsoft PowerPoint 2002 and Microsoft PowerPoint 2003. In order for this attack to be carried out, a user must first open a malicious PowerPoint document attached to an e-mail or otherwise provided to them by an attacker. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.
Microsoft is completing development of a security update for Microsoft PowerPoint that addresses this vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the August security updates on August 8, 2006, or sooner as warranted...
Mitigating Factors...
• Note: PowerPoint 2000 does not prompt the user to Open, Save, or Cancel before opening a document.
• Use PowerPoint Viewer 2003 to open and view files. PowerPoint Viewer 2003 does not contain the vulnerable code and is not susceptible to this attack. You can download PowerPoint Viewer 2003 for free*...
Workarounds...
Do not open or save Microsoft Office files that you receive from un-trusted sources or that you received unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a file..."

* http://www.microsoft.com/downloads/details.aspx?FamilyId=428D5727-43AB-4F24-90B7-A94784AF71A4&displaylang=en


AplusWebMaster
2006-07-22, 19:22
FYI...

- http://isc.sans.org/diary.php?storyid=1502
Last Updated: 2006-07-22 13:21:20 UTC
"As a "present" for blackhat*, an exploit against the DHCP client of Windows 2000 was released publicly. See MS06-036** for more details.
The exploit claims to add the user "bl4ck" with a very insecure password and might cause the service to terminate. The author left some suggestions for "improvement" in the source code, so expect potentially nastier versions to be used in real life.
If you still have not patched your Windows client systems, it is a very good time to do so now. The nature of DHCP makes it so that any device on a LAN can answer any and all DHCP request. So be sure people understand there is no need to attack or compromise any server first. Detecting this is helped slightly by DHCP's use of broadcasts (the client doesn't have an IP address).
It is quite imaginable that this gets used not just over wired networks - where the defending staff could disable a port in a worst-case scenario - but also over wireless networks, hotspots, hotels etc. where no such option is available. Or it could be used in a multi-stage attack where this gets inside your network in other ways and then does its "magic" on the local LAN."

* http://www.blackhat.com/

** http://isc.sans.org/diary.php?storyid=1472


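One defensive check the diary above points at (any device on the LAN can answer a DHCP request, and the replies are visible on the broadcast segment) is to parse DHCP server replies and flag any whose server identifier is not an authorized server, treating malformed replies as suspect too. This is an added example, not code from the ISC diary or from Microsoft; the packet layout follows RFC 2131/2132, and the authorized-server list, the sample addresses and the build_offer helper that constructs the test packet are assumptions.

```python
"""Rogue DHCP server detection for DHCP OFFER/ACK/NAK replies seen on a LAN.
Added example; not part of the ISC diary or the MS06-036 bulletin."""
import struct
from typing import Optional, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 marker that starts the option field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_PAD, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 51, 53, 54, 255
BOOTREPLY = 2


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp(payload: bytes) -> dict:
    """Parse the 236-byte BOOTP fixed header plus the DHCP option field."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    if hlen > 16:
        raise ValueError("hardware address length exceeds chaddr field")
    msg = {
        "op": op,
        "xid": xid,
        "chaddr": payload[28:28 + hlen].hex(":"),
        "yiaddr": bytes_to_ip(payload[16:20]),   # address being offered to the client
        "siaddr": bytes_to_ip(payload[20:24]),   # next-server address
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        msg["options"][code] = value
        i += 2 + length
    else:
        raise ValueError("missing END option")
    mt = msg["options"].get(OPT_MSG_TYPE)
    msg["type"] = MSG_TYPES.get(mt[0], "UNKNOWN") if mt and len(mt) == 1 else "UNKNOWN"
    sid = msg["options"].get(OPT_SERVER_ID)
    msg["server_id"] = bytes_to_ip(sid) if sid and len(sid) == 4 else None
    return msg


def check_server_reply(payload: bytes, authorized: Set[str]) -> Optional[str]:
    """Return an alert for a malformed reply or a reply from a server not in
    `authorized`; return None for client messages and legitimate replies."""
    try:
        msg = parse_dhcp(payload)
    except ValueError as err:
        return f"malformed DHCP message: {err}"
    if msg["op"] != BOOTREPLY or msg["type"] not in ("OFFER", "ACK", "NAK"):
        return None  # DISCOVER/REQUEST etc. come from clients, not servers
    src = msg["server_id"] or msg["siaddr"]
    if src not in authorized:
        return (f"rogue DHCP {msg['type']} from {src} to {msg['chaddr']} "
                f"(xid=0x{msg['xid']:08x}, offered {msg['yiaddr']})")
    return None


def build_offer(xid: int, client_mac: bytes, yiaddr: str, server_ip: str) -> bytes:
    """Constructed sample DHCPOFFER used for the checks below (not a capture)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0x8000)  # Ethernet, broadcast flag
    hdr += bytes(4) + ip_to_bytes(yiaddr) + ip_to_bytes(server_ip) + bytes(4)
    hdr += client_mac.ljust(16, b"\0") + bytes(64) + bytes(128)  # chaddr, sname, file
    opts = (bytes([OPT_MSG_TYPE, 1, 2])
            + bytes([OPT_SERVER_ID, 4]) + ip_to_bytes(server_ip)
            + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", 3600)
            + bytes([OPT_END]))
    return hdr + MAGIC_COOKIE + opts


if __name__ == "__main__":
    # Assumed: 10.0.0.1 is the only legitimate DHCP server on this segment.
    sample = build_offer(0xDEADBEEF, bytes.fromhex("0011223344aa"), "10.0.0.50", "10.0.0.66")
    print(check_server_reply(sample, {"10.0.0.1"}))
```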
AplusWebMaster
2006-07-25, 02:40
FYI...

- http://isc.sans.org/diary.php?storyid=1471
Last Updated: 2006-07-24 20:28:35 UTC
"We have been made aware of publicly available exploit code for MS06-034, MS06-035, and MS06-036. If you haven't already patched for these vulnerabilities you should take immediate action.

For more information on those vulnerabilities here are links to the original diary entries for them.

http://isc.sans.org/diary.php?storyid=1473 (MS06-034)

http://isc.sans.org/diary.php?storyid=1471 (MS06-035)

http://isc.sans.org/diary.php?storyid=1472 (MS06-036)

I have not tested any of the exploits yet. I do not plan to provide the urls or even a hint as to where to get the exploits..."


AplusWebMaster
2006-08-07, 03:45
FYI...

- http://www.microsoft.com/technet/security/bulletin/advance.mspx
Updated: August 3, 2006
"On 8 August 2006 Microsoft is planning to release:

Security Updates
• -Ten- Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
• -Two- Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

Microsoft Windows Malicious Software Removal Tool
• Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS
• Microsoft will not release any NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
• Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."


AplusWebMaster
2006-08-08, 22:20
FYI...

* http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx?pf=true
Updated: August 8, 2006

"Summary
Included in this advisory are updates for newly discovered vulnerabilities. These vulnerabilities, broken down by severity are:

Critical (9)...

Microsoft Security Bulletin MS06-040
Vulnerability in Server Service Could Allow Remote Code Execution (921883)
- http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-041
Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)
- http://www.microsoft.com/technet/security/bulletin/ms06-041.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-042
Cumulative Security Update for Internet Explorer (918899)
- http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-043
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)
- http://www.microsoft.com/technet/security/bulletin/ms06-043.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-044
Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)
- http://www.microsoft.com/technet/security/bulletin/ms06-044.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-046
Vulnerability in HTML Help Could Allow Remote Code Execution (922616)
- http://www.microsoft.com/technet/security/bulletin/ms06-046.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-047
Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)
- http://www.microsoft.com/technet/security/bulletin/ms06-047.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-048
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)
- http://www.microsoft.com/technet/security/bulletin/ms06-048.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-051
Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422)
- http://www.microsoft.com/technet/security/bulletin/ms06-051.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution


Important (3)...

Microsoft Security Bulletin MS06-045
Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)
- http://www.microsoft.com/technet/security/bulletin/ms06-045.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-049
Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)
- http://www.microsoft.com/technet/security/bulletin/ms06-049.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege

Microsoft Security Bulletin MS06-050
Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)
- http://www.microsoft.com/technet/security/bulletin/ms06-050.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution


Affected Software: ...For more information, see the Affected Software and Download Locations section*..."

=============================

ISC Analysis:
- http://isc.sans.org/diary.php?storyid=1573

=============================

Microsoft Fixes 23 Security Flaws
- http://blog.washingtonpost.com/securityfix/2006/08/microsoft_updates_fix_23_secur.html
August 8, 2006; 3:08 PM
"...At least 17 of the 23 flaws could be exploited by attackers to hijack vulnerable systems or to install malicious code, the company warned. Dig through the details of the advisories and you will see that instructions showing would-be attackers how to exploit at least nine of the flaws have already been posted online. Microsoft also said it has seen at least three of the flaws being actively exploited in the wild...."


AplusWebMaster
2006-08-09, 16:54
FYI...

- http://isc.sans.org/diary.php?storyid=1574
Last Updated: 2006-08-09 11:55:47 UTC
"...It certainly didn't take long for some to start making available (those I've seen so far are not for free) exploits against the vulnerabilities described in MS06-040, MS06-042 and MS06-046, which were only released yesterday*.
Those of you who are still testing patches, you'd better hurry up and get some of these fixed before you get hit.
Just as a reminder:
- Filtering ports 135-139 and 445 helps against MS06-040; as do private VLANs (preventing client-client communication in the switch). None of those will help your fileserver, so patching is critical.
Since there are still unpatched vulnerabilities in this software, filtering still remains crucial.
- If you cannot apply MS06-042: stop using MSIE now, use an alternate browser.
- Switching away to a browser not doing ActiveX (almost any will do) should help protect you against MS06-046 attacks as well.
But the best solution is to patch and do the above, layered defences!"
* https://isc.sans.org/diary.php?storyid=1573
=============================================

- http://www.dhs.gov/dhspublic/display?content=5789
August 9, 2006
"The Department of Homeland Security (DHS) is recommending that Windows Operating Systems users apply Microsoft security patch MS06-040 as quickly as possible. This security patch is designed to protect against a vulnerability that, if exploited, could enable an attacker to remotely take control of an affected system and install programs, view, change, or delete data, and create new accounts with full user rights... US-CERT has issued an alert* through the National Cyber Alert System and conducted a series of briefings with federal Chief Information Officers and Chief Information Security Officers, and critical infrastructure sectors through Information Sharing and Analysis Centers. Additionally, all federal agencies are required to provide US-CERT with regular updates on their patching status..."
* http://www.us-cert.gov/cas/techalerts/TA06-220A.html
===================================================

- http://blogs.technet.com/msrc/archive/2006/08/09/445600.aspx
August 09, 2006 ...by MSRCTEAM
"...While we always recommend applying any updates rated "Critical" as soon as possible, we are recommending that customers give priority to MS06-040 for testing and deployment due to technical specifics around the vulnerability..."

Also: http://www.us-cert.gov/current/current_activity.html#msvuls
===========================================================

MS06-040 exploit in the wild
- http://isc.sans.org/diary.php?compare=1&storyid=1592
Last Updated: 2006-08-13 00:12:49 UTC
"We have caught a live exploit against a Windows 2000 Server. The pcap packets of the exploit fire the signatures in Sourcefire VRT for the vulnerability described in MS06-040*.
Update: The latest bleedingsnort signatures fire also on the pcap: "BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)"

It looks like it's building a botnet (as we expected).
* The exploit was carried out over port 445/TCP.
* In a second phase of the exploit, it connected back out to IRC servers running on non-standard ports on redundant hosts.
The md5 of the bot itself is: MD5: 9928a1e6601cf00d0b7826d13fb556f0

...We have a report of at least one second capture of what on first look is the same malware or at least something very related to it."
* https://isc1.sans.org/diary.php?storyid=1557


AplusWebMaster
2006-08-12, 14:08
FYI...

- http://isc.sans.org/diary.php?storyid=1588
Last Updated: 2006-08-12 00:47:12 UTC
"All those of you holding off on the MS06-042 patch or suffering from issues due to MSIE crashing on Windows 2000 SP4 and Windows XP SP1, there is a new hotfix out: http://support.microsoft.com/kb/923762/en-us
It's interesting to note the date on the file, as well as the claim that the crashes seem to be triggered by websites using the HTTP 1.1 protocol and compression..."


AplusWebMaster
2006-08-14, 13:06
FYI...

MS Security Advisory (922437)
Exploit Code Published Affecting the Server Service
- http://www.microsoft.com/technet/security/advisory/922437.mspx
Updated: August 13, 2006
"Microsoft is aware of public reports regarding an attack known as Win32/Graweg exploiting the vulnerability addressed by security update MS06-040. Microsoft’s initial investigation of Win32/Graweg verified that it only affects users running Windows 2000 that have not applied the update detailed in MS06-040. Microsoft has activated its emergency response process and is continuing to investigate this issue. The Microsoft Security Response Alliance partners as well as our own internal teams have determined that there is not widespread customer impact and have rated Win32/Graweb as a Low threat. At this time it does not appear to be a self-replicating internet-wide worm. Microsoft continues to recommend that customers apply the August updates as soon as possible with additional urgency and consideration given to the update detailed in MS06-040. Customers can ensure that the updates are being installed by enabling the Automatic Updates feature in Windows or by using their deployment infrastructure in their enterprise or small business. Customers who believe that they are infected or are not sure whether they are infected by Win32/Graweb should visit http://Safety.live.com and choose "Protection Scan"..."
==============================

Microsoft Security Advisory (922970)
Vulnerability in PowerPoint Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/922970.mspx
• V 2.0 (Aug 11, 2006): Advisory updated to reference released security bulletin (MS06-048).
==============================

Spammers Exploiting Newly Detailed Windows Flaw
- http://blog.washingtonpost.com/securityfix/2006/08/spammers_exploiting_latest_mic.html
August 13, 2006
"...Update, 8:06 p.m. ET: It may be that Microsoft in its advisory is talking about a different threat than the one SANS and LURHQ are highlighting. For one thing, Microsoft calls this threat "Win32/Graweg," but I could find no links in Google to any writeup on that either at Microsoft or another third-party anti-virus company... (you'll notice that as of 4:39 p.m. ET Microsoft's own anti-virus service had not detected as malicious the threat that Stewart and SANS were pointing out)..."


AplusWebMaster
2006-08-15, 21:26
FYI...

- http://www.techweb.com/wire/security/192100058
August 15, 2006
"...Last week, blog entries from the MSRC* identified the MS06-040 patch as the one users should put at the top of their to-do lists. Security analysts across the board seconded the motion, with some urging users to patch before a likely worm appeared. Also last week, users who manually updated their PCs using Windows Update or Microsoft Update were greeted with an additional color-coded "Addresses a critical security problem" notation below the listing for the MS06-040 update. Both moves were firsts for Microsoft, as was its admission that it prioritizes patches provided by its update mechanisms. Microsoft's online description of those tools, for example, says nothing of prioritizing. "The threat presented by the vulnerability addressed in MS06-040 prompted us to do everything possible to ensure that customers received the update with the highest possible priority," Stone continued. "If you have not seen the rest of this month's updates yet on your computer rest assured they are coming and this is perfectly normal."

* http://blogs.technet.com/msrc/archive/2006/08/15/446848.aspx


AplusWebMaster
2006-08-18, 05:24
FYI...

(The ISC obviously is aware that following all the mods, updates, re-releases of the MS Updates is, well, "challenging", to say the least, for August in particular. They have put a lot of effort into a fine chart, which makes it A LOT easier to follow.)

Microsoft August 2006 Patches: STATUS
- http://isc.sans.org/diary.php?compare=1&storyid=1611
Last Updated: 2006-08-18 02:40:20 UTC



AplusWebMaster
2006-08-22, 23:34
FYI...

More MS06-042 woes
- http://isc.sans.org/diary.php?storyid=1627
Last Updated: 2006-08-22 21:20:36 UTC
"The hotfix for MS06-042, which was supposed to be released today, has been delayed. Worse: It turns out that MS06-042 introduced a new security problem. The crashes everyone is having so much fun with are just the tip of the iceberg. The issue can also be used to execute arbitrary code....

http://isc.sans.org/diary.php?compare=1&storyid=1611 (updated patch matrix)

http://www.microsoft.com/technet/security/advisory/923762.mspx ..."

EDIT/ADD:
- http://blogs.technet.com/msrc/archive/2006/08/22/448689.aspx

- http://blogs.msdn.com/ie/archive/2006/08/22/711402.aspx

- http://research.eeye.com/html/alerts/AL20060822.html
"MS06-042 Related Internet Explorer 'Crash' is Exploitable
Date: August 22, 2006
Severity: Critical
Systems Affected:
Windows 2000 with IE6 SP1 and MS06-042 hotfix installed
Windows XP SP1 with IE6 SP1 and MS06-042 hotfix installed ..."


AplusWebMaster
2006-08-23, 14:29
FYI...

MS06-040 exploit list grows
(See CME-762 and CME-482)
- http://cme.mitre.org/data/list.html



AplusWebMaster
2006-08-24, 13:47
FYI...

- http://secunia.com/advisories/21557/
Release Date: 2006-08-23
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Software: Microsoft Internet Explorer 6.x
...The vulnerability affects Internet Explorer 6 SP1 on Windows 2000 and Windows XP SP1 and was introduced by the MS06-042 patches.
Solution: The vendor recommends disabling the HTTP 1.1 protocol in Internet Explorer (see the vendor's advisory for details)...
Original Advisory:
Microsoft: http://www.microsoft.com/technet/security/advisory/923762.mspx
http://support.microsoft.com/kb/923762/
Other References: US-CERT VU#821156:
- http://www.kb.cert.org/vuls/id/821156
Last Updated 08/23/2006
"...Microsoft Internet Explorer 6 Service Pack 1 on Windows 2000 and Windows XP SP1 contains a vulnerability when viewing a web site using the HTTP 1.1 protocol. If the web site uses HTTP 1.1 compression and contains an overly long URL, a buffer overflow can occur. Note that this vulnerability was introduced with the first release of the MS06-042 updates on August 8, 2006..."
=============================

FYI...

MS06-042 reissued
- http://isc.sans.org/diary.php?storyid=1634
Last Updated: 2006-08-24 17:23:04 UTC
"The anxiously awaited reissue of the patch from bulletin MS06-042 is now live. Time to re-apply the patch on Internet Explorer 6 Service Pack 1 for Windows XP Service Pack 1 (all versions) and Windows 2000 (all versions)".
* http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx
Updated: August 24, 2006


AplusWebMaster
2006-09-05, 15:56
FYI...

- http://www.symantec.com/enterprise/security_response/weblog/2006/09/new_tricks_with_old_software.html
September 3, 2006
"...In the past couple of days, we have seen samples of a trojan that exploits a previously unknown vulnerability in Microsoft's Office applications. This time it is in Microsoft Word 2000 running on Windows 2000. This trojan (detected.. as Trojan.MDropper.Q*) takes advantage of the vulnerability to drop another file onto the target computer. Detected as a trojan, this dropped file in turn drops another file, which turns out to be new variant of Backdoor.Femo**. As with other recent Office vulnerabilities, documents incorporating the exploit code must be opened with a vulnerable copy of Microsoft Word 2000 for it to work. As such, it makes the vulnerability unsuitable for the creation of self-replicating network worms... Until a vendor supplied patch is made available and then installed, users should follow safe computing practices and exercise extreme caution when opening unsolicited emails containing Microsoft Office documents."

* http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-090219-2855-99

** http://www.symantec.com/security_response/writeup.jsp?docid=2003-080521-2111-99

Also:
- http://isc.sans.org/diary.php?storyid=1669

- http://vil.mcafeesecurity.com/vil/content/v_119055.htm

- http://secunia.com/advisories/21735/
==================================================

Microsoft Security Advisory (925059)
Vulnerability in Word Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/925059.mspx
Published: September 6, 2006
"Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Word 2000. In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker...
Mitigating Factors for Microsoft Word Remote Code Execution Vulnerability...
• Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000* will be prompted with Open, Save, or Cancel before opening a document.
* http://www.microsoft.com/downloads/details.aspx?familyid=8B5762D2-077F-4031-9EE6-C9538E9F2A2F ...
Workarounds for Microsoft Word Remote Code Vulnerability...
• Use Word Viewer 2003 to open and view files. Word Viewer 2003 does not contain the vulnerable code and is not susceptible to this attack. To download the Word Viewer 2003 for free, visit the following website**:
** http://www.microsoft.com/downloads/details.aspx?familyid=95E24C87-8732-48D5-8689-AB826E7B8FDF ...


AplusWebMaster
2006-09-07, 22:16
FYI...

- http://www.microsoft.com/technet/security/bulletin/advance.mspx
Updated: September 7, 2006
"On 12 September 2006 Microsoft is planning to release:

Security Updates
• Two Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Important. These updates will be detectable using the Microsoft Baseline Security Analyzer. Some of these updates will require a restart.
• One Microsoft Security Bulletin affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

Microsoft Windows Malicious Software Removal Tool
• Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS
• Microsoft will release Two NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
• Microsoft will release three NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."


AplusWebMaster
2006-09-12, 22:21
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms06-sep.mspx
Published: September 12, 2006

"Critical (1)

Microsoft Security Bulletin MS06-054
Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)
- http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Office...

Important (1)

Microsoft Security Bulletin MS06-052
Vulnerability in Reliable Multicast Program (PGM) Could Result in Denial of Service (919007)
- http://www.microsoft.com/technet/security/Bulletin/MS06-052.mspx
This update resolves a vulnerability in Reliable Multicast Program (PGM) that could cause a denial of service condition.
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service
Affected Software: Windows...

Moderate (1)

Microsoft Security Bulletin MS06-053
Vulnerability in Indexing Service Could Allow Cross-Site Scripting (920685)
- http://www.microsoft.com/technet/security/Bulletin/MS06-053.mspx
This update resolves a vulnerability in the Indexing Service that could allow information disclosure.
Maximum Severity Rating: Moderate
Impact of Vulnerability: Information Disclosure
Affected Software: Windows...


Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind..."

=============================

Re-released:

Microsoft Security Bulletin MS06-040
Vulnerability in Server Service Could Allow Remote Code Execution (921883)
- http://www.microsoft.com/technet/security/Bulletin/ms06-040.mspx
• V2.0 (September 12, 2006): The update has been revised and re-released for Microsoft Windows 2003 and Microsoft Windows XP Professional x64 Edition to address the issues identified in Microsoft Knowledge Base Article 921883.
- http://support.microsoft.com/kb/921883
Last Review: September 12, 2006
Revision: 5.0

Microsoft Security Bulletin MS06-042
Cumulative Security Update for Internet Explorer (918899)
- http://www.microsoft.com/technet/security/Bulletin/ms06-042.mspx
Updated: September 12, 2006
Caveats: On September 12, 2006, this Security Bulletin and Internet Explorer 6 Service Pack 1, Internet Explorer 5.01 Service Pack 4, and Internet Explorer 6 for Microsoft Windows Server 2003 security updates were updated to address a vulnerability documented in the Vulnerability Details section as Long URL Buffer Overflow – CVE-2006-3873. Customers using these versions of Internet Explorer should apply the new update immediately..."
- http://blogs.msdn.com/ie/archive/2006/09/12/750815.aspx
"...Users running Windows XP SP2, Server 2003 SP1 or any of the IE7 betas, IE7 Release Candidate 1, or Windows Vista are not affected and do -not- need to take action..."

=============================

ISC Analysis:

- http://isc.sans.org/diary.php?storyid=1690 MS06-054

- http://isc.sans.org/diary.php?storyid=1692 MS06-052

- http://isc.sans.org/diary.php?storyid=1693 MS06-053

=============================

ISC Overview of the September 2006 Microsoft patches
- http://isc.sans.org/diary.php?storyid=1691
Last Updated: 2006-09-13 01:35:38 UTC



AplusWebMaster
2006-09-12, 22:44
FYI...

Microsoft Security Advisory (925143)
Adobe Security Bulletin: APSB06-11 Flash Player Update to Address Security Vulnerabilities
- http://www.microsoft.com/technet/security/advisory/925143.mspx
Purpose of Advisory: To make customers aware of a security bulletin and updates that are available from Adobe for Flash Player.
See:
- http://www.adobe.com/support/security/bulletins/apsb06-11.html


Microsoft Security Advisory (922582)
Update for Windows
- http://www.microsoft.com/technet/security/advisory/922582.mspx
Published: September 12, 2006
"Today we are announcing the availability of an update that does not address a security vulnerability, but is a high priority for customers in keeping their systems updated. The update addresses the following issue:
You may receive error code 0x80070002 when you try to update a computer running on Microsoft Windows that has a minifilter-based application installed..."


AplusWebMaster
2006-09-15, 13:19
FYI...

- http://www.eweek.com/article2/0,1895,2016065,00.asp
September 14, 2006
"Security researchers in China have published detailed exploit code for a new zero-day vulnerability in Microsoft's dominant Internet Explorer browser. The exploit, which was posted to XSec.org and Milw0rm.com Web sites, could be easily modified to launch code execution attacks without any user action on fully patched Windows machines. A spokesman for the MSRC (Microsoft Security Response Center) said the company is investigating the latest warning, which adds to a list of known high-risk vulnerabilities that remain unpatched... "It's worth knowing about and monitoring, in case someone improves it. But it's not a huge threat as it stands," Thompson said..."

- http://secunia.com/advisories/21910/
Last Update: 2006-09-15
Critical: Extremely critical

> http://www.microsoft.com/technet/security/advisory/925444.mspx
=========================================================

MSIE DirectAnimation ActiveX 0-day update
- http://isc.sans.org/diary.php?storyid=1705
Last Updated: 2006-09-15 14:01:55 UTC (...Version: 3...)
"Microsoft released a security advisory regarding the 0-day we reported on earlier.
Timeline:
* Aug 28th: 1st exploit released publicly
* Aug 29th: CVE-2006-4446 assigned - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4446
* Sept 13th: 2nd exploit released publicly
* Sept 13th: CVE-2006-4777 assigned - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4777
* Sept 14th: Microsoft Security Advisory (925444) released
Workarounds:
* Use an alternate browser (see also diversity*)
* Disable ActiveX scripting in MSIE
* Modify the ACL on daxctle.ocx to remove rights to use it
* Set the KillBit for "{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}"
* Make MSIE prompt before executing ActiveX
Please note that windowsupdate needs an ActiveX enabled browser, but you can do that with settings to the security zones and trusting Microsoft.
Please note that the Outlook family is affected as well but that the default settings will typically mitigate much of the risk. That is as long as nobody or nothing has modified the settings ..."
* http://isc.sans.org/diary.php?storyid=1550

> http://www.kb.cert.org/vuls/id/377369

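
Added example (my own script, not from the ISC diary or the Microsoft advisory): the "Set the KillBit" workaround from the list above, done from PowerShell so it can be verified and later undone. The registry location and the 0x400 flag value are the ones Microsoft documents for ActiveX kill bits (KB 240797); the CLSID is the DirectAnimation one quoted above. Assumes an elevated session on a 32-bit install; on x64 the 32-bit IE reads the same key under Wow6432Node, which this script does not touch.

```powershell
# Added example: set, verify and clear the IE "kill bit" for an ActiveX control by CLSID.
# Registry path and COMPAT_FLAG_KILL_BIT (0x400) per Microsoft KB 240797; the CLSID is
# the DirectAnimation control (daxctle.ocx) named in the advisory workaround above.
# Assumes an elevated PowerShell session.

$DirectAnimationClsid = '{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}'
$KillBit              = 0x400   # COMPAT_FLAG_KILL_BIT

function Get-KillBitKey([string]$Clsid) {
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Test-KillBit([string]$Clsid) {
    # True only when the Compatibility Flags value exists and has the kill bit set.
    $key = Get-KillBitKey $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

function Set-KillBit([string]$Clsid) {
    # OR the kill bit into whatever flags are already there instead of overwriting them.
    $key = Get-KillBitKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($existing -bor $KillBit)
}

function Clear-KillBit([string]$Clsid) {
    # Undo: strip only the kill bit, leaving any other compatibility flags alone.
    $key = Get-KillBitKey $Clsid
    if (-not (Test-Path $key)) { return }
    $existing = (Get-ItemProperty -Path $key).'Compatibility Flags'
    if ($null -ne $existing) {
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($existing -band (-bnot $KillBit))
    }
}

# Usage: apply the workaround and confirm it actually took.
Set-KillBit $DirectAnimationClsid
if (Test-KillBit $DirectAnimationClsid) {
    "Kill bit set for $DirectAnimationClsid; IE will no longer instantiate this control."
} else {
    throw "Kill bit was not written for $DirectAnimationClsid"
}
```

A kill bit only stops IE (and other hosts of the WebBrowser control) from instantiating the control; daxctle.ocx stays on disk and registered, so the ACL workaround in the same list is the complementary step if other COM hosts are a concern. Run Clear-KillBit once the patch is in if the control is needed again.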

AplusWebMaster
2006-09-19, 06:21
FYI...

- http://www.eweek.com/article2/0,1759,2017407,00.asp?kc=EWRSS03129TX1K0000614
September 18, 2006
"Security researchers at Sunbelt Software have discovered an active malware attack against fully patched versions of Microsoft's Internet Explorer browser. The exploit has been seeded at several porn sites hosted in Russia and is being used to launch drive-by malware downloads that appear to be hijacking Windows machines for use in botnets. eWEEK has confirmed the flaw—and zero-day attacks—and on a fully patched version of Windows XP SP2 running IE 6.0. There are at least three different sites hosting the malicious executables, which are being served up on a rotational basis. According to Eric Sites, vice president of research and development at Florida-based Sunbelt Software, the vulnerability is a buffer overflow in the way the world's most widely used browser handles VML (Vector Markup Language) code. The attack is linked to the WebAttacker, a do-it-yourself malware installation toolkit that is sold at multiple underground Web sites. "Once you click on the site, the exploit opens a denial-of-service box and starts installing spyware," Sites said. He said the exploit can be mitigated by turning off JavaScript in the browser..."
- http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
=============================================

- http://secunia.com/advisories/21989/
Release Date: 2006-09-19
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x
...Successful exploitation allows execution of arbitrary code.
NOTE: Reportedly, this is currently being exploited in the wild.
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
Solution:
Do not visit untrusted web sites.
Deactivating Active Scripting will prevent exploitation using the currently known exploit..."
===========================================

- http://blog.washingtonpost.com/securityfix/2006/09/newly_detected_ie_exploit_spel.html
September 18, 2006; 10:25 PM ET
"...If past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage... Among the nasty pieces of software an IE user can expect to be whacked with upon visiting one of the sites is the BigBlue keystroke logger, which monitors and captures data from computers including screenshots, keystrokes, web cam and microphone data; it also records instant messaging chat sessions, e-mail information and the Web sites visited by the user. The exploit is also being used to install the incredibly invasive Spybot worm and VXGame Trojan, as well as adware titles that scam artists profit from on a per installation basis, such as Virtumondo, SafeSurfing, Avenue Media, WebHancer, Internet Optimizer, SurfSidekick, DollarRevenue, and the bogus anti-spyware program SpySheriff..."
===============================

- http://www.symantec.com/enterprise/security_response/weblog/2006/09/trojanvimalov_a_zeroday_exploi.html
September 19, 2006
"...We have confirmed that this exploit takes advantage of a bug in VML (Vector Markup Language, which is an XML language used to produce vector graphics) to overflow a buffer and inject shell code. The exploit then downloads and installs multiple Security Risks, such as spyware, on the compromised machine... Although Microsoft has already been informed, at the time of writing there is no patch available for this particular exploit. Mitigating strategies include disabling JavaScript in Internet Explorer and using non-vulnerable browsers..."
> http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-091914-1801-99
===============================

Microsoft Internet Explorer VML stack buffer overflow
- http://www.kb.cert.org/vuls/id/416092
Last Updated - 09/19/2006

============================================

- http://blogs.technet.com/msrc/archive/2006/09/19/457560.aspx

Microsoft Security Advisory (925568)
Vulnerability in Vector Markup Language Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/925568.mspx
Published: September 19, 2006
"Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML). Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited. A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs...
Workarounds -
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified..."

(More detail at the MS Advisory URL.)
============================================

- http://www.websense.com/securitylabs/blog/blog.php?BlogID=81
Sep 20 2006
"The recently reported VML Internet Explorer "zero-day" exploit now has attack code publicly posted on the web. Although the first version results in a denial of service and not escalated privileges, we expect to see public posts of exploit code that allows a user to run code without user-interaction. This may result in increased attacks based on the fact that there are no patches available, and "copy-cat" attacks that simply cut and paste P.O.C. code often occur after public release."


AplusWebMaster
2006-09-21, 19:01
FYI...

- http://isc.sans.org/diary.php?storyid=1720
Last Updated: 2006-09-21 16:26:38 UTC
"...Once again the folks at NISCC have posted info on a beauty. Their NISCC Vulnerability Advisory 693564/NISCC/FOLDERSHARE - Security Implications of the FolderShare Program* details huge vulnerabilities (https tunnel, EFS bypassing, and more) in FolderShare, an "add-in tool for Microsoft Desktop Search" which enables "remote access to files stored on Windows and Mac OS X based computers.".
MS's KB "Best practices and security issues to consider when you use FolderShare**" is weak; its only useful recommendation is:
"you can effectively block outgoing traffic to FolderShare. To permanently block the FolderShare satellite from running in a particular environment, block access to the following host name on port TCP/443: redir1.foldershare.com "..."

* http://www.uniras.gov.uk/niscc/docs/br-20060920-00635.html?lang=en

** http://support.microsoft.com/kb/925077
Last Review: September 19, 2006
Revision: 1.1
"...FolderShare is a Windows Live service and an add-in for Microsoft Desktop Search. If you use FolderShare incorrectly, you might unintentionally disclose information on a network..."


AplusWebMaster
2006-09-22, 16:18
FYI...

More VML exploits released
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=632
September 21, 2006
"...We are seeing the addition of payload code that includes Trojan Horse Backdoors and code which is designed to steal information from the end-user or their machines (i.e. Crimeware)... In addition, reports out of Australia CERT (see: http://www.auscert.org.au/render.html?it=6771 ) are that attacks are surfacing through emails with URL lures. We have confirmed this to be true and that this is using a modified version of the Web Attacker Toolkit... we have some examples of sites that are distributing the code or are pointing to sites that are distributing the code..."
===========================

Updated:
Microsoft Security Advisory (925568)
Vulnerability in Vector Markup Language Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/925568.mspx
"• September 21, 2006: Advisory updated with new CVE reference, un-register vgx.dll workaround updated, and Outlook Express mitigation added."
(Use the URL above to review updated detail.)

Also see: http://www.us-cert.gov/cas/techalerts/TA06-262A.html
Revised - September 21, 2006
===========================

(InfoCon level to yellow) - MSIE VML exploit spreading
- http://isc.sans.org/diary.php?storyid=1727
Last Updated: 2006-09-22 15:09:18 UTC
"The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes. If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used in more and more mainstream websites. The risk of getting hit is increasing significantly. Outlook (including outlook 2003) is - as expected - also vulnerable and the email vector is being reported as exploited in the wild as well. Weekends are moreover popular moments in time for the bad guys to build their botnets..."

(Recommended action and other references available at the ISC URL above.)
===========================

- http://www.techweb.com/article/printableArticle.jhtml?articleID=193004876&site_section=700028
September 22, 2006
"...Pressure on Microsoft to fix the flaw may be mounting, said other security professionals, who have noticed increased attack activity. "VML attacks have ramped up significantly in the past 24 hours," said Ken Dunham, director of iDefense's rapid response team, in an e-mail to TechWeb. "At least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains to redirect users to a hostile VML exploiting site," Dunham continued. Eric Sites, vice president of research and development at Sunbelt Software, which first reported the vulnerability and exploit earlier this week, also said that attacks were "definitely escalating." In a conversation with a tier 1 support representative at Cox Cable on Friday, Sites said, he was told that the cable operator had several thousand support calls and e-mails backed up, with users reporting a wide variety of complaints, including IE crashes. "That may be a targeted attack," said Sites. Both Dunham and Sites warned of even larger attacks over the weekend. "Implement a workaround ASAP due to imminent global attacks," said Dunham. "There are a lot more sites using [a VML exploit]," added Sites. Part of their concern is that the exploit may quickly move to e-mail, with spam-style attacks compromising PCs as soon as the recipient views an infected message in an HTML preview pane. Symantec, for example, confirmed Friday that a working exploit against Microsoft Outlook has been written and posted by Immunity Inc. for its CANVAS exploit framework.
An e-mailed attack is dangerous because it requires no out-of-the-ordinary user action, said Sites. "If you see a message in the Preview Pane or double click it, a well-crafted exploit will crash Outlook. You won't see any error message." As soon as that happens, the attacker can begin loading a user's PC with adware, spyware, and other malicious code, he added..."
===========================

VML exploits with OS version detection
- http://isc.sans.org/diary.php?storyid=1733
Last Updated: 2006-09-24 20:46:46 UTC
"We are seeing samples of the VML exploit that are coded to include browser / OS detection, and are able to trigger working exploits for Win 2000, 2003 and XP. Some reports indicate that client-side anti-virus is not sufficient to protect; some AV apparently only catches the VML exploit code once Internet Explorer writes the temp file to disk, which can be too late. The exploit versions seen so far usually pull and run an EXE file, but adding patterns for new EXE payloads is an arms race the AV vendors can't win. If you have the option, we suggest you use the work around of unregistering the DLL as indicated in our earlier diary entry*."
* http://isc.sans.org/diary.php?storyid=1727


AplusWebMaster
2006-09-26, 21:15
FYI...

- http://www.f-secure.com/weblog/archives/archive-092006.html#00000980
"Microsoft has released a patch against the VML vulnerability outside of their normal update cycle. Which is great. The patch is available right now via http://update.microsoft.com . Get it."

~or~

- http://isc.sans.org/diary.php?storyid=1738
Last Updated: 2006-09-26 19:22:11 UTC ...(Version: 3)...
"Microsoft has just released an update to address the VML (VGX) issue. The update can currently be found on Microsoft Update and is titled:

Microsoft Security Bulletin MS06-055
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)
> http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx
Published: September 26, 2006
Version: 1.0
"A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer..."

It is recommended that the patch be applied immediately (after testing) unless a suitable mitigation strategy is in place.
Update: Also, note that if you applied the ACL mitigation (removing Everyone Read access from the DLL), you will need to undo that before this update will apply successfully..."

> http://blogs.technet.com/msrc/archive/2006/09/26/459194.aspx
=========================================================

- http://blogs.technet.com/msrc/archive/2006/09/26/459237.aspx
September 26, 2006
"...One thing to note, we recommend that you undo any of the previously recommended workarounds involving VGX.DLL before applying this update. Information on how to undo those workarounds is detailed in the bulletin. This is very important because if you do not revoke the VGX.DLL changes, the update could fail to install or deploy..."

- http://www.f-secure.com/weblog/archives/archive-092006.html#00000980
...Updated to add: For those of you that applied the work-around that we suggested, the vgx.dll file will need to be re-registered before applying the Microsoft Update. Otherwise, the update might not find anything to fix.

Use the command below from Start, Run:

regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

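
Added example (my own, not from F-Secure or the MS06-055 bulletin): check whether the unregister-vgx.dll workaround is still in place before pushing the update, and re-register the DLL if it is, so the update does not "fail to install or deploy" as the MSRC post warns. The DLL path is the one from the regsvr32 line above; locating the registration by scanning InprocServer32 entries under HKLM\SOFTWARE\Classes\CLSID is this script's own approach, so no CLSID has to be hard-coded. Assumes an elevated PowerShell session on a 32-bit install (on x64 the 32-bit copy lives under CommonProgramFiles(x86) and registers under Wow6432Node, which this script does not handle).

```powershell
# Added example: detect whether vgx.dll is currently registered as a COM in-process
# server, and re-register it (regsvr32) if the workaround left it unregistered.
# Assumes an elevated PowerShell session and the 32-bit path used in the post above.

$VgxDll = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'

function Test-InprocServerRegistered([string]$DllName) {
    # True if any CLSID under HKLM\SOFTWARE\Classes points its InprocServer32 at $DllName.
    # This is a full scan of the CLSID hive, so it takes a few seconds; it avoids
    # hard-coding the CLSID of the control.
    $root = 'HKLM:\SOFTWARE\Classes\CLSID'
    foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $inproc = Join-Path $clsidKey.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }
        $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) { continue }
        # Default values may be quoted or contain %SystemRoot%; compare the file name only.
        $leaf = Split-Path -Leaf ($server.Trim('"'))
        if ($leaf -ieq $DllName) { return $true }
    }
    return $false
}

function Invoke-Regsvr32([string]$Path, [switch]$Unregister) {
    # Silent (/s) regsvr32; /u unregisters. Returns the exit code (0 on success).
    $argList = @('/s')
    if ($Unregister) { $argList += '/u' }
    $argList += "`"$Path`""
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru
    return $p.ExitCode
}

# Usage: make sure vgx.dll is registered again before installing MS06-055.
if (-not (Test-Path $VgxDll)) {
    throw "vgx.dll not found at $VgxDll; nothing to re-register"
}
if (Test-InprocServerRegistered 'vgx.dll') {
    "vgx.dll is registered; the MS06-055 update can be applied as-is."
} else {
    "vgx.dll is unregistered (workaround still in place); re-registering before the update."
    $rc = Invoke-Regsvr32 -Path $VgxDll
    if ($rc -ne 0 -or -not (Test-InprocServerRegistered 'vgx.dll')) {
        throw "regsvr32 failed (exit code $rc); check whether the ACL workaround on $VgxDll is still applied"
    }
}
```

If regsvr32 returns non-zero, the ACL workaround (Everyone Read removed from the DLL) is the likely cause; restore the ACL first, as the ISC and MSRC posts above say, then rerun. Invoke-Regsvr32 with -Unregister is the same command used to put the workaround in place, should it be needed again for a future VML issue.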

AplusWebMaster
2006-09-28, 06:09
FYI...

- http://isc.sans.org/diary.php?storyid=1740
Last Updated: 2006-09-28 02:09:35 UTC
"Microsoft confirms yet another powerpoint vulnerability that leads to code execution... McAfee has a writeup* of the exploit they detected against this vulnerability to connect back to... mylostlove1 .6600 .org/[CENSORED] but variants of this will most likely connect to other places... It seems all supported versions of Office are affected. It's interesting to note that Microsoft also lists the Apple versions of Office as vulnerable. Delivery vectors are basically all means to get the file to you, including web, email, thumb drives, CDs..."
> http://www.microsoft.com/technet/security/advisory/925984.mspx

* http://www.avertlabs.com/research/blog/?p=95
=============================================

- http://secunia.com/advisories/22127/
Release Date: 2006-09-28
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Office..., Microsoft Powerpoint...
Original Advisory: Microsoft:
http://www.microsoft.com/technet/security/advisory/925984.mspx
Other References: US-CERT VU#231204:
http://www.kb.cert.org/vuls/id/231204 ..."


AplusWebMaster
2006-09-28, 06:10
FYI...

- http://isc.sans.org/diary.php?storyid=1741
Last Updated: 2006-09-28 02:08:55 UTC
"If you remember the month of browser bugs series of exploits back in July, there was a denial of service there that appears to have code execution after all. Coincidence or not, it got publicly released after the out of cycle Microsoft patch for MSIE. So: No, surfing with MSIE is still not safe...
Defenses:
> Use an alternate browser (yeah, we sound like a broken record). But diversity really helps make the bad guys' job harder.
> Disable ActiveX (take care: windowsupdate needs it, so you need to trust those sites)...
> Keep antivirus signatures up to date.
> Keep an eye out for a patch from Microsoft..."

Microsoft Windows WebViewFolderIcon ActiveX integer overflow
* > http://www.kb.cert.org/vuls/id/753044
Last Updated - 09/27/2006
=======================================================

- http://secunia.com/advisories/22159/
Release Date: 2006-09-28
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x ...
...The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
Solution: Only allow trusted websites to run ActiveX controls..."
================================================

Microsoft Security Advisory (926043)
Vulnerability in Windows Shell Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/926043.mspx
Published: September 28, 2006
"Microsoft is investigating new public reports of a vulnerability in supported versions of Microsoft Windows. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. We will continue to investigate these public reports. The ActiveX control called out in the public reports and in the Proof of Concept code is the Microsoft WebViewFolderIcon ActiveX control (Web View). The vulnerability exists in Windows Shell and is exposed by Web View. We are working on a security update currently scheduled for an October 10 release..."

(See/use the advisory's URL above for "Mitigating Factors" and "Workarounds".)
=================================

WebViewFolderIcon setslice exploit spreading - InfoCon level to yellow
- http://isc.sans.org/diary.php?storyid=1749
Last Updated: 2006-09-30 19:35:30 UTC
"...The WebViewFolderIcon setslice exploit is becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes. If you have not taken measures yet, please consider some emergency fixes to cover the weekend. The exploit is widely known, easy to recreate, and used on more and more websites. The risk of getting hit is increasing significantly and the type of users of the exploit are also not the least dangerous ones. Some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove..."
("Suggested actions" itemized at the ISC url above.)

Malicious Code: WebView FolderIcon setSlice Vulnerability
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=644
September 30, 2006
"Websense Security Labs (TM) has received several reports of the recently released " WebView FolderIcon setSlice" Internet Explorer zero-day code being utilized on the Internet. Like the recently reported VML zero-day, there are professionals at work using the exploit code.
To date all the sites we have discovered appear to be from the IFRAME Cash folks. This is the same group that we discovered using the WMF exploit back in late December 2005. The fact that they are using the exploit code poses a significant risk because of their ability to attract users to sites via search engines and email spam campaigns. Also they have iframes embedded on. As of the time of this alert we have more than 600 active sites that have IFRAME cash placed code on them. This does not mean that all sites have the recent zero-day code but it does mean that they have the potential to because they mostly point back to main "hub servers".
Although in some cases the IFRAME Cash sites are used to download and install Potentially Unwanted Software (PUS), they also have installed Trojan Horses which open backdoors, code which is designed to steal end-user information, and sophisticated rootkits..."
