2006 MS Alerts - Q2


Share-to-Web Namespace Daemon can be found in the "C:\Program Files\hewlett-packard\hp share-to-web\hpgs2wnd.exe" folder. Share-to-Web is auto-started from both the Startup menu and the Run registry key.


RESOLUTION
• Hewlett-Packard's Share-to-Web software. The MS06-015 (908531) (http://www.microsoft.com/technet/sec.../ms06-015.mspx) security update includes a "white list"; VERCLSID.EXE will not scan any extension that appears on this list. Adding the HP shell extension corrects the problem. Manually edit the registry:
  1. Log on to the computer with an account with administrator privileges.
  2. Click the Start button and then click Run.
  3. Type Regedit and then click OK.
  4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
  5. Right-click "Cached", point to New, click "DWORD Value", and then enter: {A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401
  6. Set the Data of this value to 1
  7. Close the Registry Editor.
  8. Use Task Manager to end the Verclsid.exe process or restart the computer.

Note: If other third-party COM controls or shell extensions are determined to cause this issue, the same method must be used to add the appropriate shell extension.


It has not been determined if there are other third-party COM controls or shell extensions that may also cause this problem. If the steps above do not resolve your issue, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/directory/overview.asp (http://support.microsoft.com/?scid=h...2foverview.asp)

--------------------------------------------------------------------------------

APPLIES TO
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
  • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
  • Microsoft Windows Server 2003 R2 Standard x64 Edition
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Media Center Edition 2002
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Media Center Edition 2005
  • Microsoft Windows XP Tablet PC Edition 2005
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft BackOffice Small Business Server 2000 Service Pack 1
  • Microsoft Windows 2000 Service Pack 4, when used with:
  • Microsoft Small Business Server 2000 Standard Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Service Pack 4
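
The RESOLUTION steps above as a PowerShell script, given as an added example that is not part of the KB article or the forum post. The key path and value name are the ones on the page; the function names are hypothetical, and it assumes Windows PowerShell 2.0 or later is installed on the affected machine.

```powershell
# Added example, not from the KB article: scripts the RESOLUTION steps.
# Key path and value name are the ones given on the page.
$CachedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached'
$HpEntry   = '{A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401'

function Test-IsAdministrator {
    # Step 1: the edit is under HKLM, so it needs an administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Add-CachedShellExtension {
    # Hypothetical helper name. $ValueName is the full value name from step 5;
    # pass a different one for another extension, as the Note describes.
    param([string]$ValueName = $HpEntry)
    if (-not (Test-IsAdministrator)) { throw 'Run this from an administrator account.' }
    if (-not (Test-Path -Path $CachedKey)) { throw "Key not found: $CachedKey" }

    $key = Get-Item -Path $CachedKey
    $before = $key.GetValue($ValueName, $null)
    if ($before -is [int] -and $before -eq 1) { return "Unchanged: $ValueName is already 1" }

    # Steps 5-6: create the DWORD value and set its data to 1 (-Force overwrites).
    New-ItemProperty -Path $CachedKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    return "Set: $ValueName = 1"
}

function Get-CachedShellExtension {
    # Lists every value under Cached so the entries can be reviewed after the change.
    $key = Get-Item -Path $CachedKey
    foreach ($name in $key.GetValueNames()) {
        New-Object PSObject -Property @{ Name = $name; Kind = $key.GetValueKind($name); Data = $key.GetValue($name) }
    }
}

function Stop-Verclsid {
    # Step 8: end any Verclsid.exe instance that is still hung.
    Get-Process -Name verclsid -ErrorAction SilentlyContinue | Stop-Process -Force
}

Add-CachedShellExtension
Stop-Verclsid
Get-CachedShellExtension | Where-Object { $_.Name -eq $HpEntry }   # confirm the value is present
```

Every value added this way is an extension that Verclsid.exe will no longer scan, so pass other value names only for extensions confirmed to cause the hang.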
  • 2006-04-18, 18:20
    AplusWebMaster
    Update to the MS06-015 issue
    FYI...

    - http://blogs.technet.com/msrc/default.aspx
    posted Tuesday, April 18, 2006 1:43 AM by stepto
    "Hi everyone, Mike Reavey here again. I wanted to follow up with the results of our investigation into some issues with security update MS06-015. Turns out that under certain circumstances, changes introduced in MS06-015 could cause an application to stop responding during specific interactions with older versions of Hewlett Packard’s “Share-to-web” software utility, or older NVIDIA video card drivers. In the case of the Hewlett Packard software, their new version known as “HP Image Zone Version 5” is not affected. Neither are the most recent NVIDIA graphics card drivers. So customers running these more recent versions are not affected by this issue. The current versions of the Hewlett Packard and NVIDIA software are available from the manufacturer websites.
    To give you some idea of the scope of the problem, so far out of over 120 million successful installations of the MS06-015 update, the number of calls related to this issue is currently well under a thousand. Of course, even one customer having a problem is too many and that’s why we’ve been working on investigating this and determining solutions. We are also continuing to monitor the situation to measure scope and impact.
    We’ve updated security bulletin MS06-015 to document this issue. In addition, we published knowledge base article 918165*, which details the older software this issue affects. We’ll be updating that soon to provide locations to the updated software that is unaffected by this issue. We’re working directly with the manufacturers of the affected software to assist customers.
    So to be clear, customers who are running the latest NVIDIA drivers, or who are running the current version of the Hewlett Packard Image Zone software are not impacted. Customers who believe they are affected should upgrade to the latest versions of the affected software, or they can contact Microsoft Product Support Services for assistance. Contact Product Support Services in North America for help with security update issues at no charge using the PC Safety line (1-866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.
    Meanwhile we're still looking at the best way to assist customers who may have been impacted by this and I encourage everyone to review KB article 918165* or contact us using the number above if they think they are having the problem..."

    * http://support.microsoft.com/kb/918165/en-us

    --------------------------------------------------------

    Latest Microsoft Security Glitch Limited
    - http://www.internetnews.com/security...le.php/3599756
    April 18, 2006
    "UPDATED: Microsoft said a limited range of consumer software is to blame for its latest security update unintentionally backfiring on Office and IE users. The update was among five the company released last week. Some analysts say the software giant's solution doesn't go far enough and is courting disaster. Digital photography software from HP and a personal firewall from Sunbelt Software rejected a new file Microsoft introduced as part of a security fix for a flaw in Windows Explorer. The glitch causes Office to stop saving and opening files and prevents IE from visiting Web pages. The problems reported appear limited to consumer-oriented software, Microsoft stresses on its security blog. MS06-015 included a new file, VERCLSID.EXE, which validates shell extensions before being used by Windows Explorer or Windows Shell. A vulnerability in Windows Explorer, which Microsoft deemed "important," allowed remote attackers to convince the shell to start HTML applications, thereby gaining total system control. However, the solution seems to be creating problems for some applications.
    In explaining the glitch, Microsoft said HP's Share-to-Web software causes VERCLSID.EXE to stop responding. The software, used by HP's PhotoSmart software, HP DeskJet printers that include a card reader, HP cameras and scanners, as well as some HP CD-DVD burners, can also cause trouble for Windows Explorer and IE, according to Microsoft. Windows users may lose access to their "My Documents" and "My Pictures" folders. Office could stop opening or saving files in "My Documents". Attempting to open or save a document could cause Office to stop responding, according to Microsoft. Additionally, the problem causes typing an address into IE to have no effect. Also, users of Sunbelt's Kerio Personal Firewall will need to reconfigure that application to recognize the new Microsoft file. Without the change, the file is flagged and waits for user approval.
    To resolve the issue, Microsoft is suggesting HP users manually edit the Windows registry "white list" included with the security update. The edit will instruct VERCLSID.EXE to not scan the HP shell extension. Microsoft had no comment beyond the blog posting, according to Pete Voss, a company spokesman. HP did not return a request for comment by press time. Although the software giant gives instructions, analysts warn the process isn't for the faint of heart.
    Joe Wilcox, analyst with JupiterResearch, said a misstep could make Windows unusable. Although Microsoft says the scope of the glitch is limited to consumers, Wilcox said the type of applications -- digital imaging and security -- are more important. While a couple of applications are known today, many more could be found to be affected tomorrow, according to the analyst. "The possible interactions are immeasurable," Wilcox said. Still, Microsoft has made much of its new-found focus on security and editing the Windows registry is not enough in this case. "You have to release an updated patch," said Wilcox."

    :(
  • 2006-04-21, 17:29
    AplusWebMaster
    MS to re-release MS06-015 patch / MS06-016 buggy...
    FYI...

    MS to re-release MS06-015 patch
    Microsoft Security Bulletin MS06-015
    Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)
    - http://www.microsoft.com/technet/sec.../ms06-015.mspx
    Updated: April 20, 2006 ...
    FAQ ...For customers who have already applied the update and are experiencing the problem related to the older Hewlett Packard Share-to-Web software, or older NVIDIA drivers prior to or including version 61.94, the revised update will be available through Windows Update and Microsoft Update. The targeted re-release will be automatically delivered to affected computers through Automatic Update if it has been enabled. The re-release will not be distributed to non-affected computers...
    • V1.2 (April 20, 2006): Bulletin revised: FAQ Section updated to include information about an upcoming re-release of the security update."

    --------------------

    Re-release available:

    Microsoft Security Bulletin MS06-015
    Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)
    - http://www.microsoft.com/technet/sec.../ms06-015.mspx
    Updated: April 25, 2006
    What updates does this release replace?
    This security update replaces several prior security updates. The security bulletin IDs and affected operating systems are listed in the following table.
    Bulletin ID | Windows 2000 | Windows XP | Windows Server 2003
    MS05-016 | Not Replaced | Replaced | Replaced
    MS05-008 | Replaced | Replaced | Replaced
    Does this update contain any security-related changes to functionality?
    Yes. Besides the changes that are listed in the "Vulnerability Details" section of this bulletin, this update includes the following changes in security functionality:
    • This security update introduces a new file, Verclsid.exe. Verclsid.exe is used to verify a COM object before it is instantiated by Windows Explorer.
    • This security update includes a Defense in Depth change which ensures that prompting occurs consistently in Internet zone drag and drop scenarios...
    Version: 2.0...
    • V2.0 (April 25, 2006): Bulletin revised: This bulletin has been re-released to advise customers that revised versions of the security update are available for all products listed in the “Affected Software” section. Customers who have already applied the MS06-015 update who are not experiencing the problem need take no action. For additional information, see “Why did Microsoft reissue this bulletin on April 25, 2006.” in "Frequently asked questions (FAQ) related to this security update" section..."

    -------------------------------

    MS06-016 Patch 'Erases' Outlook Express Addresses...
    - http://isc.sans.org/diary.php?storyid=1281
    Last Updated: 2006-04-21 15:55:13 UTC
    "There have been reports of problems with... MS06-016 where the Outlook Express address book disappears. In this case removal of the patch and the address book re-appears, however the other vulnerabilities the patch addresses come back..."

    Also: http://www.techweb.com/wire/security/186500211
    -------------------------------

    Microsoft Security Bulletin MS06-016
    Cumulative Security Update for Outlook Express (911567)
    - http://www.microsoft.com/technet/sec.../ms06-016.mspx
    • V1.2 (April 26, 2006): Bulletin revised: “Caveats” section updated due to new issues discovered with the security update. Error message when you open the Windows Address Book or you open Outlook Express after you install cumulative security update..."
    Problem resolution:
    - http://support.microsoft.com/kb/911567 -and- http://support.microsoft.com/kb/917288/

    :confused:
  • 2006-04-24, 21:17
    AplusWebMaster
    Another new IE 0-day exploit loose - Highly Critical
    FYI...

    - http://www.techweb.com/article/print...section=700028
    April 24, 2006
    "Microsoft's Internet Explorer, which was just patched with 10 fixes two weeks ago, suffers from yet another zero-day vulnerability that can be exploited remotely, security firm Symantec said Monday. In an alert to customers of its DeepSight threat system, Symantec cited a vulnerability first posted to the Bugtraq security mailing list* by researcher Michal Zalewski, who notes that IE is prone to memory corruption because of the way it handles malformed HTML. HTML content that contains nested tags without the corresponding closure tags, said Symantec's alert, can trigger the bug. "An attacker could exploit this issue via a malicious web page to potentially execute arbitrary code in the context of the currently logged-in user," said the advisory. "If the attack is successful, the executable content will be executed. Failed exploit attempts will likely crash the affected application"... A fully-patched version of IE 6 for Windows XP SP2 -- the most-secure production version of Microsoft's browser -- is open to the attack. ... While Zalewski has published HTML code that crashes the browser, no more-malicious exploit has yet been seen, said Symantec. Still, it warned IE users to run the browser in a non-administration user account, stay away from questionable Web sites, and disable HTML in e-mail clients, since an attack could also be launched by getting users to preview HTML-based messages. Symantec rated the new zero-day vulnerability with an overall threat score of 7.5 out of a possible 10..."
    * http://www.securityfocus.com/archive/1/431796

    ------------------------------------------------------------
    - http://secunia.com/advisories/19762/
    Release Date: 2006-04-25
    Critical: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched
    Software: Microsoft Internet Explorer 6.x ...
    Solution:
    Do not visit untrusted web sites... "
    ------------------------------------------------------------

    Correction to "Security Tracker" reference:

    The "Security Tracker" post regarding this bug was one of 3 posted for IE on 4.27.2006:
    - http://securitytracker.com/archives/target/49.html

    ------------------------------------------------------------

    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1992
    Last revised: 4/26/2006
    Source: US-CERT/NIST
    Overview
    mshtml.dll 6.00.2900.2873, as used in Microsoft Internet Explorer, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via nested OBJECT tags, which trigger invalid pointer dereferences including NULL dereferences.
    Impact
    CVSS Severity: 8.0 (High)
    Range: Remotely exploitable
    Authentication: Not required to exploit
    Impact Type: Provides user account access, Allows disruption of service..."

    :eek:
  • 2006-04-28, 21:38
    AplusWebMaster
    US-CERT Cyber Security Bulletin SB06-117
    FYI...(MS updates per US-CERT)

    "Summary of Security Items from April 20 through April 26, 2006
    - http://www.us-cert.gov/cas/bulletins/SB06-117.html#win6

    > Microsoft Outlook Express
    - http://www.microsoft.com/technet/sec.../ms06-016.mspx
    V1.2: Revised due to issues discovered with the security update...

    > Microsoft Windows Explorer
    - http://www.microsoft.com/technet/sec.../ms06-015.mspx
    V2.0: Revised to inform customers that revised versions of the security update are available.

    > Microsoft Internet Explorer 6.0 SP2
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1992
    Last revised: 4/26/2006
    Source: US-CERT/NIST
    Overview
    mshtml.dll 6.00.2900.2873, as used in Microsoft Internet Explorer, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via nested OBJECT tags, which trigger invalid pointer dereferences including NULL dereferences.
    Impact
    CVSS Severity: 8.0 (High)
    Range: Remotely exploitable
    Authentication: Not required to exploit
    Impact Type: Provides user account access, Allows disruption of service..."

    :confused: