
Thread: 2006 MS Alerts - Q3

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    MS Security Bulletin Summary - July, 2006

    FYI...

    - http://www.microsoft.com/technet/sec...l.mspx?pf=true
    Published: July 11, 2006
    ... Summary ...

    --- Critical (5) ---

    Microsoft Security Bulletin MS06-035
    Vulnerability in Server Service Could Allow Remote Code Execution (917159)
    - http://www.microsoft.com/technet/sec.../ms06-035.mspx
    This update resolves two vulnerabilities in the Server service, the most serious of which could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-036
    Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)
    - http://www.microsoft.com/technet/sec.../ms06-036.mspx
    This update resolves a vulnerability in the DHCP Client service that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-037
    Vulnerability in Microsoft Excel Could Allow Remote Code Execution (917285)
    - http://www.microsoft.com/technet/sec.../ms06-037.mspx
    This update resolves several vulnerabilities in Excel, the most serious of which could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-038
    Vulnerability in Microsoft Office Could Allow Remote Code Execution (915384)
    - http://www.microsoft.com/technet/sec.../ms06-038.mspx
    This update resolves two vulnerabilities in Office, the most serious of which could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-039
    Vulnerability in Microsoft Office Could Allow Remote Code Execution (915384)
    - http://www.microsoft.com/technet/sec.../ms06-039.mspx
    This update resolves two vulnerabilities in Office, the most serious of which could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    --- Important (2) ---

    Microsoft Security Bulletin MS06-033
    Vulnerability in ASP.NET Could Allow Information Disclosure (917283)
    - http://www.microsoft.com/technet/sec.../ms06-033.mspx
    This vulnerability could allow an attacker to bypass ASP.Net security and gain unauthorized access to objects in the Application folder explicitly by name. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce useful information that could be used to try to further compromise the affected system.
    Maximum Severity Rating: Important
    Impact of Vulnerability: Information Disclosure

    Microsoft Security Bulletin MS06-034
    Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)
    - http://www.microsoft.com/technet/sec.../ms06-034.mspx
    This vulnerability could allow an attacker to take complete control of an affected system. Note that the attacker must have valid logon credentials, but if a server has been purposely configured to allow users, either anonymous or authenticated, to upload web content such as .ASP pages to web sites, the server could be exploited by this vulnerability.
    Maximum Severity Rating: Important
    Impact of Vulnerability: Remote Code Execution

    ...Disclaimer:
    The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind..."
    ============================

    FYI... ISC analysis:

    - http://isc.sans.org/diary.php?storyid=1473
    Last Updated: 2006-07-11 20:57:16 UTC
    "MS06-034 - This patch fixes what seems to be a buffer overflow in IIS. This buffer overflow can be exploited when IIS is processing ASP files. In other words, in order to exploit this vulnerability, an attacker has to somehow be able to upload ASP files on the target server, which is running IIS (versions 5.0, 5.1 and 6.0 are affected). Normally, you would require a user to authenticate before they can upload files to the server, so the vulnerability is rated moderate/important. In case that you do allow people to upload ASP files on your IIS server, it would be wise to apply the patch as soon as possible, although we don't know about any public exploits yet.
    Microsoft's advisory is at http://www.microsoft.com/technet/sec.../MS06-034.mspx
    CVE at http://www.cve.mitre.org/cgi-bin/cve...=CVE-2006-0026 ..."

    - http://isc.sans.org/diary.php?storyid=1471
    Last Updated: 2006-07-11 20:40:21 UTC
    "MS06-035 (CVE-2006-1314) looks to be the most dangerous of the vulnerabilities announced this month, specifically the Mailslot heap overflow. The vulnerability can be exploited remotely against the "Server" service. So this would definitely be something that could be used for widespread compromise with no user interaction, or a worm.
    Looks like Windows 2000 SP4 is vulnerable by default. Windows XP SP2 and Server 2003 don't appear to be vulnerable with a default installation unless services are listening on Mailslots. At this point, it is unclear exactly what software would enable Mailslots to create a vulnerable condition.
    So how long before exploit code is available? Well, clever readers will have noticed that Pedram Amini and H D Moore are credited with discovering this vulnerability (the Mailslot heap overflow). Those guys are some of the best in the business, so you do the math... I'm guessing that they have had reliable exploit code working for a while now... You should probably make this your top priority in patching."

    - http://isc.sans.org/diary.php?storyid=1472
    Last Updated: 2006-07-11 20:28:16 UTC by Patrick Nolan (Version: 1)
    "MS06-036 has been issued, MS has said systems "Primarily" at risk are Microsoft Windows 2000, Windows XP and Windows Server 2003... An attacker could exploit the vulnerability by answering a client's DHCP request on the local subnet with malformed packets... An attacker could try to exploit this vulnerability over the Internet... Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical... CVE-2006-2372"

    - http://isc.sans.org/diary.php?storyid=1474
    Last Updated: 2006-07-11 21:10:31 UTC
    "MS06-037 - ...This update resolves several public, privately reported, and newly discovered vulnerabilities. All of these state that a remote code execution vulnerability exists in Excel dealing with each of the identified items. The only workaround suggested and tested is to NOT open attachments from untrusted sources. I guess that means, PATCH. Microsoft states: "When using vulnerable versions of Office, if a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the client workstation. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.""

    - http://isc.sans.org/diary.php?compare=1&storyid=1475
    Last Updated: 2006-07-11 21:54:43 UTC
    "MS06-038 - ...It appears that all of the Microsoft Office 2000, 2002, 2003 programs are affected. Not affected is Works applications. Summary: This is another remote code execution problem and appears to impact Office 2000 applications the worst, lending to a critical assessment. The other versions of Office identified as vulnerable are listed as important for all three of the CVEs... In all three cases the only tested workaround is NOT to open attachments from untrusted sources. I guess that means to apply the patch ASAP."

    - http://isc.sans.org/diary.php?storyid=1476
    Last Updated: 2006-07-11 21:59:39 UTC
    "MS06-039 - ...This patch fixes two vulnerabilities in all Microsoft Office products (Office 2000, XP, 2003 are affected, as well as Project 2000, 2002 and Microsoft Works 2004, 2005, 2006). Microsoft Office for Mac is not affected. The vulnerabilities can be exploited by crafting special GIF or PNG graphic files. In both cases the user needs to open the file so, while this vulnerability cannot be exploited automatically through e-mail, it is still very easy to get a user to open a file. It is worth mentioning that, when the file is hosted on a web site, Office 2000 does not prompt the user before opening the document (which means that it's enough for a user to click on a link leading to the file). As the only workarounds are not to open or save files "you receive from un-trusted sources or that you received unexpectedly from trusted sources" you should patch as soon as possible.
    MS advisory is at http://www.microsoft.com/technet/sec.../MS06-039.mspx .
    CVEs are at http://www.cve.mitre.org/cgi-bin/cve...=CVE-2006-0033 and http://www.cve.mitre.org/cgi-bin/cve...=CVE-2006-0007 ."
    ===============================================

    > http://www.us-cert.gov/cas/techalerts/TA06-192A.html

    Last edited by AplusWebMaster; 2006-07-12 at 05:33. Reason: ISC analysis added...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2

    MS Excel - critical update now available / MS06-037

    FYI...

    - http://secunia.com/advisories/20686/
    Release Date: 2006-06-16
    Last Update: 2006-07-12
    Critical: Extremely critical
    Impact: System access
    Where: From remote
    Solution Status: Vendor Patch...
    NOTE: This vulnerability is a so-called 0-day and is already being actively exploited.
    Successful exploitation of the vulnerabilities allows execution of arbitrary code...
    Solution: Apply patches...
    Advisory:
    MS06-037 (KB917285): http://www.microsoft.com/technet/sec.../MS06-037.mspx ..."

    ============================

    Microsoft Security Advisory (921365)
    Vulnerability in Excel Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/921365.mspx
    Updated: July 11, 2006
    "...We have issued MS06-037* to address this issue..."

    * http://www.microsoft.com/technet/sec.../ms06-037.mspx


  3. #3

    Zero-day PowerPoint Attack (via Trojan) Under Way

    FYI...

    - http://www.techweb.com/wire/security/190400030
    July 13, 2006
    "An unpatched bug in Microsoft's PowerPoint presentation maker is being exploited by an in-the-wild attack, Symantec researchers said Thursday, marking the latest bad news for Office users. According to the Cupertino, Calif. security vendor's threat analysis team, attacks are currently under way using an unpatched vulnerability in PowerPoint. If the "zero-day" attack is successful, the hacker gains complete control of the compromised computer. The attack is carried out by a Trojan horse with the moniker "PPDDropper.b"* which hides inside a malicious PowerPoint file attached to an e-mail with a Google Gmail return address. PPDDropper.b, in turn, drops a backdoor component, dubbed "Bifrose.e" by Symantec. Bifrose.e then injects a malicious routine into Windows' EXPLORER.EXE process, and overwrites the malformed PowerPoint file with a new, clean presentation document... That part of the process is identical to one used last month by a now-patched Excel attack... Unlike the Excel bug, the PowerPoint flaw -- confirmed only in PowerPoint 2003 thus far -- remains open to attack..."
    * http://www.symantec.com/enterprise/s...071212-4413-99
    Trojan.PPDropper.B
    Risk Level 1: Very Low
    "...It spreads by exploiting an undocumented Microsoft Powerpoint Remote Code Execution Vulnerability using a malformed string..."
    MSRC blog - Information on the recent Powerpoint vulnerability
    - http://blogs.technet.com/msrc/archiv...14/441893.aspx
    "...We’ll be documenting this through the weekend in the form of a security advisory and will post it as soon as we are confident in the protection steps (we’re targeting Monday morning)..."
    - http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-3590
    Assigned (20060714)
    "...Unspecified vulnerability in mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows remote user-complicit attackers to execute arbitrary commands via a crafted PPT file, which causes a "memory corruption error"..."
    - http://www.kb.cert.org/vuls/id/936945
    - http://secunia.com/advisories/21040/
    Release Date: 2006-07-14
    Critical: Extremely critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched ..."
    ===========================================
    Microsoft Security Advisory (922970)
    Vulnerability in PowerPoint Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/922970.mspx
    Published: July 17, 2006
    "Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft PowerPoint 2000, Microsoft PowerPoint 2002 and Microsoft PowerPoint 2003. In order for this attack to be carried out, a user must first open a malicious PowerPoint document attached to an e-mail or otherwise provided to them by an attacker. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.
    Microsoft is completing development of a security update for Microsoft PowerPoint that addresses this vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the August security updates on August 8, 2006, or sooner as warranted...
    Mitigating Factors...
    • Note: PowerPoint 2000 does not prompt the user to Open, Save, or Cancel before opening a document.
    • Use PowerPoint Viewer 2003 to open and view files. PowerPoint Viewer 2003 does not contain the vulnerable code and is not susceptible to this attack. You can download PowerPoint Viewer 2003 for free*... "
    Workarounds...
    Do not open or save Microsoft Office files that you receive from un-trusted sources or that you received unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a file..."

    * http://www.microsoft.com/downloads/d...displaylang=en

    Last edited by AplusWebMaster; 2006-07-18 at 16:38. Reason: Added MS Advisory info...

  4. #4

    MS06-036 DHCP exploit released

    FYI...

    - http://isc.sans.org/diary.php?storyid=1502
    Last Updated: 2006-07-22 13:21:20 UTC
    "As a "present" for blackhat*, an exploit against the DHCP client of Windows 2000 was released publicly. See MS06-036** for more details.
    The exploit claims to add the user "bl4ck" with a very insecure password and might cause the service to terminate. The author left some suggestions for "improvement" in the source code, so expect potentially nastier versions to be used in real life.
    If you still have not patched your Windows client systems, it is a very good time to do so now. The nature of DHCP makes it so that any device on a LAN can answer any and all DHCP requests. So be sure people understand there is no need to attack or compromise any server first. Detecting this is helped slightly by DHCP's use of broadcasts (the client doesn't have an IP address).
    It is quite imaginable that this gets used not just over wired networks - where the defending staff could disable a port in a worst-case scenario - but also over wireless networks, hotspots, hotels etc. where no such option is available. Or it could be used in a multi-stage attack where this gets inside your network in other ways and then does its "magic" on the local LAN."

    * http://www.blackhat.com/

    ** http://isc.sans.org/diary.php?storyid=1472

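The ISC diary above makes two defender-relevant points: any host on the LAN can answer a DHCP request, and the broadcast nature of DHCP makes such answers visible. The following is an added example, not code from the ISC diary or this thread, of a monitor built on that observation: it parses captured DHCP messages with strict bounds checks (so a malformed packet of the kind MS06-036 concerns is rejected instead of being read past its end) and flags OFFER/ACK replies whose server identifier is not on an authorized list. The packet bytes, the offered address and the authorized server 10.0.0.1 are all constructed for this example.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# DHCP/BOOTP constants (RFC 2131 / RFC 2132)
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the options field
BOOTP_HEADER_LEN = 236             # fixed header before the cookie
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_REPLIES = (2, 5)            # OFFER and ACK are what a rogue server sends


class MalformedDHCP(ValueError):
    """Raised when a packet violates the BOOTP/DHCP layout."""


@dataclass
class DHCPMessage:
    op: int
    xid: int
    yiaddr: str                       # address being offered to the client
    options: dict = field(default_factory=dict)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_dhcp(data: bytes) -> DHCPMessage:
    """Parse one DHCP message, refusing anything that overruns the buffer."""
    if len(data) < BOOTP_HEADER_LEN + 4:
        raise MalformedDHCP("packet shorter than BOOTP header plus magic cookie")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", data[:8])
    yiaddr = ip_str(data[16:20])
    if data[236:240] != DHCP_MAGIC:
        raise MalformedDHCP("missing DHCP magic cookie")
    options = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise MalformedDHCP(f"option {code} has no length byte")
        length = data[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(data):   # the truncation a naive parser would read past
            raise MalformedDHCP(f"option {code} length {length} overruns packet")
        options[code] = data[start:end]
        i = end
    return DHCPMessage(op, xid, yiaddr, options)


def check_server_reply(msg: DHCPMessage, authorized_servers: set) -> Optional[str]:
    """Return an alert string if this OFFER/ACK did not come from an authorized server."""
    mtype = msg.options.get(OPT_MSG_TYPE, b"")
    if len(mtype) != 1 or mtype[0] not in SERVER_REPLIES:
        return None                    # client-side message; nothing to check
    sid = msg.options.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return f"{MSG_NAMES[mtype[0]]} without a valid server identifier (xid {msg.xid:#x})"
    server = ip_str(sid)
    if server not in authorized_servers:
        return f"rogue DHCP {MSG_NAMES[mtype[0]]} from {server} offering {msg.yiaddr}"
    return None


def scan(packets, authorized_servers: set) -> list:
    """Run every captured packet through the parser and the policy check."""
    alerts = []
    for raw in packets:
        try:
            msg = parse_dhcp(raw)
        except MalformedDHCP as exc:
            alerts.append(f"malformed DHCP packet dropped: {exc}")
            continue
        finding = check_server_reply(msg, authorized_servers)
        if finding:
            alerts.append(finding)
    return alerts


# --- constructed sample traffic (not a real capture) -------------------------
def build_dhcp(op: int, xid: int, yiaddr: str, options) -> bytes:
    """Assemble a minimal DHCP packet for the example; htype=1 (Ethernet), hlen=6."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    header += b"\x00" * 4                                    # ciaddr
    header += bytes(int(x) for x in yiaddr.split("."))       # yiaddr
    header += b"\x00" * 8 + b"\x00" * 16                     # siaddr, giaddr, chaddr
    header += b"\x00" * 64 + b"\x00" * 128                   # sname, file
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + DHCP_MAGIC + body + bytes([OPT_END])


AUTHORIZED = {"10.0.0.1"}            # assumed legitimate DHCP server for this LAN
LEGIT_OFFER = build_dhcp(2, 0x1234, "10.0.0.50",
                         [(OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, bytes([10, 0, 0, 1]))])
ROGUE_OFFER = build_dhcp(2, 0x1234, "10.0.0.50",
                         [(OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, bytes([10, 0, 0, 99]))])
# Option 54 claims 4 bytes but only 2 follow: a naive parser would read past the end.
MALFORMED = LEGIT_OFFER[:240] + bytes([OPT_SERVER_ID, 4, 10, 0])
SAMPLE_PACKETS = [LEGIT_OFFER, ROGUE_OFFER, MALFORMED]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS, AUTHORIZED):
        print(alert)
```

On a real network the raw bytes would come from a UDP/67-68 capture; the same checks then apply unchanged.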

  5. #5

    MS06-034, MS06-035, and MS06-036 exploits available

    FYI...

    - http://isc.sans.org/diary.php?storyid=1471
    Last Updated: 2006-07-24 20:28:35 UTC
    "We have been made aware of publicly available exploit code for MS06-034, MS06-035, and MS06-036. If you haven't already patched for these vulnerabilities you should take immediate action.

    For more information on those vulnerabilities here are links to the original diary entries for them.

    http://isc.sans.org/diary.php?storyid=1473 (MS06-034)

    http://isc.sans.org/diary.php?storyid=1471 (MS06-035)

    http://isc.sans.org/diary.php?storyid=1472 (MS06-036)

    I have not tested any of the exploits yet. I do not plan to provide the urls or even a hint as to where to get the exploits..."


  6. #6

    MS Security Bulletin Advance Notification - August 2006

    FYI...

    - http://www.microsoft.com/technet/sec...n/advance.mspx
    Updated: August 3, 2006
    "On 8 August 2006 Microsoft is planning to release:

    Security Updates
    -Ten- Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
    -Two- Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

    Microsoft Windows Malicious Software Removal Tool
    Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).

    Non-security High Priority updates on MU, WU, WSUS and SUS
    Microsoft will not release any NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
    Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

    Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."


  7. #7
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    MS Security Bulletin Summary - August, 2006

    FYI...

    * http://www.microsoft.com/technet/sec...g.mspx?pf=true
    Updated: August 8, 2006

    "Summary
    Included in this advisory are updates for newly discovered vulnerabilities. These vulnerabilities, broken down by severity are:

    Critical (9)...

    Microsoft Security Bulletin MS06-040
    Vulnerability in Server Service Could Allow Remote Code Execution (921883)
    - http://www.microsoft.com/technet/sec.../ms06-040.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-041
    Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)
    - http://www.microsoft.com/technet/sec.../ms06-041.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-042
    Cumulative Security Update for Internet Explorer (918899)
    - http://www.microsoft.com/technet/sec.../ms06-042.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-043
    Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)
    - http://www.microsoft.com/technet/sec.../ms06-043.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-044
    Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)
    - http://www.microsoft.com/technet/sec.../ms06-044.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-046
    Vulnerability in HTML Help Could Allow Remote Code Execution (922616)
    - http://www.microsoft.com/technet/sec.../ms06-046.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-047
    Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)
    - http://www.microsoft.com/technet/sec.../ms06-047.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-048
    Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)
    - http://www.microsoft.com/technet/sec.../ms06-048.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-051
    Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422)
    - http://www.microsoft.com/technet/sec.../ms06-051.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution


    Important (3)...

    Microsoft Security Bulletin MS06-045
    Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)
    - http://www.microsoft.com/technet/sec.../ms06-045.mspx
    Maximum Severity Rating: Important
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-049
    Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)
    - http://www.microsoft.com/technet/sec.../ms06-049.mspx
    Maximum Severity Rating: Important
    Impact of Vulnerability: Elevation of Privilege

    Microsoft Security Bulletin MS06-050
    Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)
    - http://www.microsoft.com/technet/sec.../ms06-050.mspx
    Maximum Severity Rating: Important
    Impact of Vulnerability: Remote Code Execution


    Affected Software: ...For more information, see the Affected Software and Download Locations section*..."

    =============================

    ISC Analysis:
    - http://isc.sans.org/diary.php?storyid=1573

    =============================

    Microsoft Fixes 23 Security Flaws
    - http://blog.washingtonpost.com/secur..._23_secur.html
    August 8, 2006; 3:08 PM
    "...At least 17 of the 23 flaws could be exploited by attackers to hijack vulnerable systems or to install malicious code, the company warned. Dig through the details of the advisories and you will see that instructions showing would-be attackers how to exploit at least nine of the flaws have already been posted online. Microsoft also said it has seen at least three of the flaws being actively exploited in the wild...."

    Last edited by AplusWebMaster; 2006-08-09 at 03:51. Reason: Added info from last URL posted...

  8. #8

    MS06-040, MS06-042 and MS06-046 Exploits on the Web

    FYI...

    - http://isc.sans.org/diary.php?storyid=1574
    Last Updated: 2006-08-09 11:55:47 UTC
    "...It certainly didn't take long for some to start making available (those I've seen so far are not for free) exploits against the vulnerabilities described in MS06-040, MS06-042 and MS06-046, which were only released yesterday*.
    Those of you who are still testing patches had better hurry up and get some of these fixed before you get hit.
    Just as a reminder:
    - Filtering ports 135-139 and 445 helps against MS06-040; as do private VLANs (preventing client-client communication in the switch). None of those will help your fileserver, so patching is critical.
    Since there are still unpatched vulnerabilities in this software, filtering still remains crucial.
    - If you cannot apply MS06-042: stop using MSIE now, use an alternate browser.
    - Switching away to a browser not doing ActiveX (almost any will do) should help protect you against MS06-046 attacks as well.
    But the best solution is to patch and do the above, layered defences!"
    * https://isc.sans.org/diary.php?storyid=1573
    =============================================

    - http://www.dhs.gov/dhspublic/display?content=5789
    August 9, 2006
    "The Department of Homeland Security (DHS) is recommending that Windows Operating Systems users apply Microsoft security patch MS06-040 as quickly as possible. This security patch is designed to protect against a vulnerability that, if exploited, could enable an attacker to remotely take control of an affected system and install programs, view, change, or delete data, and create new accounts with full user rights... US-CERT has issued an alert* through the National Cyber Alert System and conducted a series of briefings with federal Chief Information Officers and Chief Information Security Officers, and critical infrastructure sectors through Information Sharing and Analysis Centers. Additionally, all federal agencies are required to provide US-CERT with regular updates on their patching status..."
    * http://www.us-cert.gov/cas/techalerts/TA06-220A.html
    ===================================================

    - http://blogs.technet.com/msrc/archiv...09/445600.aspx
    August 09, 2006 ...by MSRCTEAM
    "...While we always recommend applying any updates rated "Critical" as soon as possible, we are recommending that customers give priority to MS06-040 for testing and deployment due to technical specifics around the vulnerability..."

    Also: http://www.us-cert.gov/current/curre...ty.html#msvuls
    ===========================================================

    MS06-040 exploit in the wild
    - http://isc.sans.org/diary.php?compare=1&storyid=1592
    Last Updated: 2006-08-13 00:12:49 UTC
    "We have caught a live exploit against a Windows 2000 Server. The pcap packets of the exploit fire the signatures in Sourcefire VRT for the vulnerability described in MS06-040*.
    Update: The latest bleedingsnort signatures fire also on the pcap: "BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)"

    It looks like it's building a botnet (as we expected).
    * The exploit was carried out over port 445/TCP.
    * In a second phase of the exploit, it connected back out to IRC servers running on non-standard ports on redundant hosts.
    The md5 of the bot itself is: MD5: 9928a1e6601cf00d0b7826d13fb556f0

    ...We have a report of at least one second capture of what on first look is the same malware or at least something very related to it."
    * https://isc1.sans.org/diary.php?storyid=1557

    Last edited by AplusWebMaster; 2006-08-13 at 03:32. Reason: Added MS06-040 exploit info...

  9. #9

    Hotfix for MSIE problem related to MS06-042

    FYI...

    - http://isc.sans.org/diary.php?storyid=1588
    Last Updated: 2006-08-12 00:47:12 UTC
    "All those of you holding off on the MS06-042 patch or suffering from issues due to MSIE crashing on Windows 2000 SP4 and Windows XP SP1, there is a new hotfix out: http://support.microsoft.com/kb/923762/en-us
    It's interesting to note the date on the file, as well as the claim that the crashes seem to be triggered by websites using the HTTP 1.1 protocol and compression..."


  10. #10

    MS Security Advisory (922437) - Exploit Code Published...

    FYI...

    MS Security Advisory (922437)
    Exploit Code Published Affecting the Server Service
    - http://www.microsoft.com/technet/sec...ry/922437.mspx
    Updated: August 13, 2006
    "Microsoft is aware of public reports regarding an attack known as Win32/Graweg exploiting the vulnerability addressed by security update MS06-040. Microsoft’s initial investigation of Win32/Graweg verified that it only affects users running Windows 2000 that have not applied the update detailed in MS06-040. Microsoft has activated its emergency response process and is continuing to investigate this issue. The Microsoft Security Response Alliance partners as well as our own internal teams have determined that there is not widespread customer impact and have rated Win32/Graweb as a Low threat. At this time it does not appear to be a self-replicating internet-wide worm. Microsoft continues to recommend that customers apply the August updates as soon as possible with additional urgency and consideration given to the update detailed in MS06-040. Customers can ensure that the updates are being installed by enabling the Automatic Updates feature in Windows or by using their deployment infrastructure in their enterprise or small business. Customers who believe that they are infected or are not sure whether they are infected by Win32/Graweb should visit http://Safety.live.com and choose "Protection Scan"..."
    ==============================

    Microsoft Security Advisory (922970)
    Vulnerability in PowerPoint Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/922970.mspx
    • V 2.0 (Aug 11, 2006): Advisory updated to reference released security bulletin (MS06-048).
    ==============================

    Spammers Exploiting Newly Detailed Windows Flaw
    - http://blog.washingtonpost.com/secur...atest_mic.html
    August 13, 2006
    "...Update, 8:06 p.m. ET: It may be that Microsoft in its advisory is talking about a different threat than the one SANS and LURHQ are highlighting. For one thing, Microsoft calls this threat "Win32/Graweg," but I could find no links in Google to any writeup on that either at Microsoft or another third-party anti-virus company... (you'll notice that as of 4:39 p.m. ET Microsoft's own anti-virus service had not detected as malicious the threat that Stewart and SANS were pointing out)..."

    Last edited by AplusWebMaster; 2006-08-14 at 14:35. Reason: Added info from Brian Krebs...
