
Thread: 2006 MS Alerts - Q3

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Microsoft August 2006 Patches: STATUS

    FYI...

    (The ISC obviously is aware that following all the mods, updates, re-releases of the MS Updates is, well, "challenging", to say the least, for August in particular. They have put a lot of effort into a fine chart, which makes it A LOT easier to follow.)

    Microsoft August 2006 Patches: STATUS
    - http://isc.sans.org/diary.php?compare=1&storyid=1611
    Last Updated: 2006-08-18 02:40:20 UTC


    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adviser Team AplusWebMaster's Avatar

    IEv6 Vuln - MS06-042 reissued

    FYI...

    - http://secunia.com/advisories/21557/
    Release Date: 2006-08-23
    Critical: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Vendor Workaround
    Software: Microsoft Internet Explorer 6.x
    ...The vulnerability affects Internet Explorer 6 SP1 on Windows 2000 and Windows XP SP1 and was introduced by the MS06-042 patches.
    Solution: The vendor recommends disabling the HTTP 1.1 protocol in Internet Explorer (see the vendor's advisory for details)...
    Original Advisory:
    Microsoft: http://www.microsoft.com/technet/sec...ry/923762.mspx
    http://support.microsoft.com/kb/923762/
    Other References: US-CERT VU#821156:
    - http://www.kb.cert.org/vuls/id/821156
    Last Updated 08/23/2006
    "...Microsoft Internet Explorer 6 Service Pack 1 on Windows 2000 and Windows XP SP1 contains a vulnerability when viewing a web site using the HTTP 1.1 protocol. If the web site uses HTTP 1.1 compression and contains an overly long URL, a buffer overflow can occur. Note that this vulnerability was introduced with the first release of the MS06-042 updates on August 8, 2006..."
    =============================

    FYI...

    MS06-042 reissued
    - http://isc.sans.org/diary.php?storyid=1634
    Last Updated: 2006-08-24 17:23:04 UTC
    "The anxiously awaited reissue of the patch from bulletin MS06-042 is now live. Time to re-apply the patch on Internet Explorer 6 Service Pack 1 for Windows XP Service Pack 1 (all versions) and Windows 2000 (all versions)".
    * http://www.microsoft.com/technet/sec.../MS06-042.mspx
    Updated: August 24, 2006

    Last edited by AplusWebMaster; 2006-08-24 at 20:07. Reason: MS06-042 reissued...

  3. #3
    Adviser Team AplusWebMaster's Avatar

    New Zero-Day vuln in MS Word 2000

    FYI...

    - http://www.symantec.com/enterprise/s..._software.html
    September 3, 2006
    "...In the past couple of days, we have seen samples of a trojan that exploits a previously unknown vulnerability in Microsoft's Office applications. This time it is in Microsoft Word 2000 running on Windows 2000. This trojan (detected.. as Trojan.MDropper.Q*) takes advantage of the vulnerability to drop another file onto the target computer. Detected as a trojan, this dropped file in turn drops another file, which turns out to be a new variant of Backdoor.Femo**. As with other recent Office vulnerabilities, documents incorporating the exploit code must be opened with a vulnerable copy of Microsoft Word 2000 for it to work. As such, it makes the vulnerability unsuitable for the creation of self-replicating network worms... Until a vendor supplied patch is made available and then installed, users should follow safe computing practices and exercise extreme caution when opening unsolicited emails containing Microsoft Office documents."

    * http://www.symantec.com/enterprise/s...090219-2855-99

    ** http://www.symantec.com/security_res...080521-2111-99

    Also:
    - http://isc.sans.org/diary.php?storyid=1669

    - http://vil.mcafeesecurity.com/vil/content/v_119055.htm

    - http://secunia.com/advisories/21735/
    ==================================================

    Microsoft Security Advisory (925059)
    Vulnerability in Word Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/925059.mspx
    Published: September 6, 2006
    "Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Word 2000. In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker...
    Mitigating Factors for Microsoft Word Remote Code Execution Vulnerability...
    • Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000* will be prompted with Open, Save, or Cancel before opening a document.
    * http://www.microsoft.com/downloads/d...6-C9538E9F2A2F ...
    Workarounds for Microsoft Word Remote Code Vulnerability...
    • Use Word Viewer 2003 to open and view files. Word Viewer 2003 does not contain the vulnerable code and is not susceptible to this attack. To download the Word Viewer 2003 for free, visit the following website**:
    ** http://www.microsoft.com/downloads/d...9-AB826E7B8FDF ...

    Last edited by AplusWebMaster; 2006-09-06 at 23:27. Reason: Added MS Advisory info...

  4. #4
    Adviser Team AplusWebMaster's Avatar

    MS Security Bulletin Advance Notification - September 2006

    FYI...

    - http://www.microsoft.com/technet/sec...n/advance.mspx
    Updated: September 7, 2006
    "On 12 September 2006 Microsoft is planning to release:

    Security Updates
    • Two Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Important. These updates will be detectable using the Microsoft Baseline Security Analyzer. Some of these updates will require a restart.
    • One Microsoft Security Bulletin affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

    Microsoft Windows Malicious Software Removal Tool
    • Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
    Note that this tool will NOT be distributed using Software Update Services (SUS).

    Non-security High Priority updates on MU, WU, WSUS and SUS
    • Microsoft will release Two NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
    • Microsoft will release three NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

    Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."

    .

  5. #5
    Adviser Team AplusWebMaster's Avatar

    MS Security Bulletin Summary - September, 2006

    FYI...

    - http://www.microsoft.com/technet/sec.../ms06-sep.mspx
    Published: September 12, 2006

    "Critical (1)

    Microsoft Security Bulletin MS06-054
    Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)
    - http://www.microsoft.com/technet/sec.../MS06-054.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution
    Affected Software: Office...

    Important (1)

    Microsoft Security Bulletin MS06-052
    Vulnerability in Reliable Multicast Program (PGM) Could Result in Denial of Service (919007)
    - http://www.microsoft.com/technet/sec.../MS06-052.mspx
    This update resolves a vulnerability in Reliable Multicast Program (PGM) that could cause a denial of service condition.
    Maximum Severity Rating: Important
    Impact of Vulnerability: Denial of Service
    Affected Software: Windows...

    Moderate (1)

    Microsoft Security Bulletin MS06-053
    Vulnerability in Indexing Service Could Allow Cross-Site Scripting (920685)
    - http://www.microsoft.com/technet/sec.../MS06-053.mspx
    This update resolves a vulnerability in the Indexing Service that could allow information disclosure.
    Maximum Severity Rating: Moderate
    Impact of Vulnerability: Information Disclosure
    Affected Software: Windows...


    Disclaimer:
    The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind..."

    =============================

    Re-released:

    Microsoft Security Bulletin MS06-040
    Vulnerability in Server Service Could Allow Remote Code Execution (921883)
    - http://www.microsoft.com/technet/sec.../ms06-040.mspx
    • V2.0 (September 12, 2006): The update has been revised and re-released for Microsoft Windows 2003 and Microsoft Windows XP Professional x64 Edition to address the issues identified in Microsoft Knowledge Base Article 921883.
    - http://support.microsoft.com/kb/921883
    Last Review: September 12, 2006
    Revision: 5.0

    Microsoft Security Bulletin MS06-042
    Cumulative Security Update for Internet Explorer (918899)
    - http://www.microsoft.com/technet/sec.../ms06-042.mspx
    Updated: September 12, 2006
    Caveats: On September 12, 2006, this Security Bulletin and Internet Explorer 6 Service Pack 1, Internet Explorer 5.01 Service Pack 4, and Internet Explorer 6 for Microsoft Windows Server 2003 security updates were updated to address a vulnerability documented in the Vulnerability Details section as Long URL Buffer Overflow – CVE-2006-3873. Customers using these versions of Internet Explorer should apply the new update immediately..."
    - http://blogs.msdn.com/ie/archive/2006/09/12/750815.aspx
    "...Users running Windows XP SP2, Server 2003 SP1 or any of the IE7 betas, IE7 Release Candidate 1, or Windows Vista are not affected and do -not- need to take action..."

    =============================

    ISC Analysis:

    - http://isc.sans.org/diary.php?storyid=1690 MS06-054

    - http://isc.sans.org/diary.php?storyid=1692 MS06-052

    - http://isc.sans.org/diary.php?storyid=1693 MS06-053

    =============================

    ISC Overview of the September 2006 Microsoft patches
    - http://isc.sans.org/diary.php?storyid=1691
    Last Updated: 2006-09-13 01:35:38 UTC


    .
    Last edited by AplusWebMaster; 2006-09-13 at 05:10. Reason: Added additional ISC info...

  6. #6
    Adviser Team AplusWebMaster's Avatar

    MS Desktop Search add-on vulns

    FYI...

    - http://isc.sans.org/diary.php?storyid=1720
    Last Updated: 2006-09-21 16:26:38 UTC
    "...Once again the folks at NISCC have posted info on a beauty. Their NISCC Vulnerability Advisory 693564/NISCC/FOLDERSHARE - Security Implications of the FolderShare Program* details huge vulnerabilities (https tunnel, EFS bypassing, and more) in FolderShare, an "add-in tool for Microsoft Desktop Search" which enables "remote access to files stored on Windows and Mac OS X based computers.".
    MS's KB "Best practices and security issues to consider when you use FolderShare**" is weak, its only useful recommendation is:
    "you can effectively block outgoing traffic to FolderShare. To permanently block the FolderShare satellite from running in a particular environment, block access to the following host name on port TCP/443: redir1.foldershare.com "..."

    * http://www.uniras.gov.uk/niscc/docs/...5.html?lang=en

    ** http://support.microsoft.com/kb/925077
    Last Review: September 19, 2006
    Revision: 1.1
    "...FolderShare is a Windows Live service and an add-in for Microsoft Desktop Search. If you use FolderShare incorrectly, you might unintentionally disclose information on a network..."


  7. #7
    Adviser Team AplusWebMaster's Avatar

    More MSIE VML exploits released!

    FYI...

    More VML exploits released
    - http://www.websense.com/securitylabs...hp?AlertID=632
    September 21, 2006
    "...We are seeing the addition of payload code that includes Trojan Horse Backdoors and code which is designed to steal information from the end-user or their machines (i.e. Crimeware)... In addition, reports out of Australia CERT (see: http://www.auscert.org.au/render.html?it=6771 ) are that attacks are surfacing through emails with URL lures. We have confirmed this to be true and that this is using a modified version of the Web Attacker Toolkit... we have some examples of sites that are distributing the code or are pointing to sites that are distributing the code..."
    ===========================

    Updated:
    Microsoft Security Advisory (925568)
    Vulnerability in Vector Markup Language Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/925568.mspx
    "• September 21, 2006: Advisory updated with new CVE reference, un-register vgx.dll workaround updated, and Outlook Express mitigation added."
    (Use the URL above to review updated detail.)

    Also see: http://www.us-cert.gov/cas/techalerts/TA06-262A.html
    Revised - September 21, 2006
    ===========================

    (InfoCon level to yellow) - MSIE VML exploit spreading
    - http://isc.sans.org/diary.php?storyid=1727
    Last Updated: 2006-09-22 15:09:18 UTC
    "The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes. If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used in more and more mainstream websites. The risk of getting hit is increasing significantly. Outlook (including outlook 2003) is - as expected - also vulnerable and the email vector is being reported as exploited in the wild as well. Weekends are moreover popular moments in time for the bad guys to build their botnets..."

    (Recommended action and other references available at the ISC URL above.)
    ===========================

    - http://www.techweb.com/article/print...section=700028
    September 22, 2006
    "...Pressure on Microsoft to fix the flaw may be mounting, said other security professionals, who have noticed increased attack activity. "VML attacks have ramped up significantly in the past 24 hours," said Ken Dunham, director of iDefense's rapid response team, in an e-mail to TechWeb. "At least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains to redirect users to a hostile VML exploiting site," Dunham continued. Eric Sites, vice president of research and development at Sunbelt Software, which first reported the vulnerability and exploit earlier this week, also said that attacks were "definitely escalating." In a conversation with a tier 1 support representative at Cox Cable on Friday, Sites said, he was told that the cable operator had several thousand support calls and e-mails backed up, with users reporting a wide variety of complaints, including IE crashes. "That may be a targeted attack," said Sites. Both Dunham and Sites warned of even larger attacks over the weekend. "[Users should] implement a workaround ASAP due to imminent global attacks," said Dunham. "There are a lot more sites using [a VML exploit]," added Sites. Part of their concern is that the exploit may quickly move to e-mail, with spam-style attacks compromising PCs as soon as the recipient views an infected message in an HTML preview pane. Symantec, for example, confirmed Friday that a working exploit against Microsoft Outlook has been written and posted by Immunity Inc. for its CANVAS exploit framework.
    An e-mailed attack is dangerous because it requires no out-of-the-ordinary user action, said Sites. "If you see a message in the Preview Pane or double click it, a well-crafted exploit will crash Outlook. You won't see any error message." As soon as that happens, the attacker can begin loading a user's PC with adware, spyware, and other malicious code, he added..."
    ===========================

    VML exploits with OS version detection
    - http://isc.sans.org/diary.php?storyid=1733
    Last Updated: 2006-09-24 20:46:46 UTC
    "We are seeing samples of the VML exploit that are coded to include browser / OS detection, and are able to trigger working exploits for Win 2000, 2003 and XP. Some reports indicate that client-side anti-virus is not sufficient to protect, some AV apparently only catches the VML exploit code once Internet Explorer writes the temp file to disk, which can be too late. The exploit versions seen so far usually pull and run an EXE file, but adding patterns for new EXE payloads is an arms race the AV vendors can't win. If you have the option, we suggest you use the work around of unregistering the DLL as indicated in our earlier diary entry*."
    * http://isc.sans.org/diary.php?storyid=1727

    Last edited by AplusWebMaster; 2006-09-25 at 02:53. Reason: Added new ISC diary entry 9.24.2006...

  8. #8
    Adviser Team AplusWebMaster's Avatar

    MS VML patch is out

    FYI...

    - http://www.f-secure.com/weblog/archi....html#00000980
    "Microsoft has released a patch against the VML vulnerability outside of their normal update cycle. Which is great. The patch is available right now via http://update.microsoft.com . Get it."

    ~or~

    - http://isc.sans.org/diary.php?storyid=1738
    Last Updated: 2006-09-26 19:22:11 UTC ...(Version: 3)...
    "Microsoft has just released an update to address the VML (VGX) issue. The update can currently be found on Microsoft Update and is titled:

    Microsoft Security Bulletin MS06-055
    Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)
    > http://www.microsoft.com/technet/sec.../MS06-055.mspx
    Published: September 26, 2006
    Version: 1.0
    "A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer..."

    It is recommended that the patch be applied immediately (after testing) unless a suitable mitigation strategy is in place.
    Update: Also, note that if you applied the ACL mitigation (removing Everyone Read access from the DLL), you will need to undo that before this update will apply successfully..."

    > http://blogs.technet.com/msrc/archiv...26/459194.aspx
    =========================================================

    - http://blogs.technet.com/msrc/archiv...26/459237.aspx
    September 26, 2006
    "...One thing to note, we recommend that you undo any of the previously recommended workarounds involving VGX.DLL before applying this update. Information on how to undo those workarounds is detailed in the bulletin. This is very important because if you do not revoke the VGX.DLL changes, the update could fail to install or deploy..."

    - http://www.f-secure.com/weblog/archi....html#00000980
    ...Updated to add: For those of you that applied the work-around that we suggested, the vgx.dll file will need to be re-registered before applying the Microsoft Update. Otherwise, the update might not find anything to fix.

    Use the command below from Start, Run:

    regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    .
    Last edited by AplusWebMaster; 2006-09-27 at 12:56. Reason: Added additional MSRC blog note and F-secure blog update...

  9. #9
    Adviser Team AplusWebMaster's Avatar

    Another Day, Another 0-day - PPT vuln

    FYI...

    - http://isc.sans.org/diary.php?storyid=1740
    Last Updated: 2006-09-28 02:09:35 UTC
    "Microsoft confirms yet another powerpoint vulnerability that leads to code execution... McAfee has a writeup* of the exploit they detected against this vulnerability to connect back to... mylostlove1 .6600 .org/[CENSORED] but variants of this will most likely connect to other places... It seems all supported versions of Office are affected. It's interesting to note that Microsoft also lists the Apple versions of Office as vulnerable. Delivery vectors are basically all means to get the file to you, including web, email, thumb drives, CDs..."
    > http://www.microsoft.com/technet/sec...ry/925984.mspx

    * http://www.avertlabs.com/research/blog/?p=95
    =============================================

    - http://secunia.com/advisories/22127/
    Release Date: 2006-09-28
    Critical: Extremely critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched
    Software: Microsoft Office..., Microsoft Powerpoint...
    Original Advisory: Microsoft:
    http://www.microsoft.com/technet/sec...ry/925984.mspx
    Other References: US-CERT VU#231204:
    http://www.kb.cert.org/vuls/id/231204 ..."

    Last edited by AplusWebMaster; 2006-09-28 at 15:52. Reason: Added Secunia Advisory...
