
Thread: 2006 MS Alerts - Q4

  1. #1 AplusWebMaster (Adviser Team)

    MSIE IE7 Popup Address Bar Spoofing Vulnerability

    FYI...

    - http://isc.sans.org/diary.php?storyid=1804
    Last Updated: 2006-10-26 04:49:56 UTC
    "Secunia ( http://secunia.com/advisories/22542/ ) is reporting a new Microsoft Internet Explorer (MSIE) 7.0 vulnerability. This vulnerability allows a malicious site to spoof the content of the address bar. Instead of the actual URL, the user will see a "fake" URL. We tested the vulnerability and found it to work quite well.
    As a quick workaround you may want to configure MSIE 7.0 to open new windows in a new tab. In order to do this, Tools -> Internet Options -> Tabs Settings -> When a pop-up is encountered: Always open pop-ups in a new tab.
    The PoC exploit by Secunia is pushing the real URL off the screen to the left by adding multiple '%A0' characters between the real URL and the string 'www.microsoft.com'. It appears that the new window will only show right-most part of the URL. For tabs, the left most part is shown. This vulnerability has a lot of potential for phishers or others that attempt to trick the user into trusting the popup window as they trust the site displayed in the main window."
    =========================

    - http://blogs.technet.com/msrc/archiv...bar-issue.aspx
    October 26, 2006
    "...This is an issue with how URLs are displayed in the address bar. Specifically, we’ve seen that this occurs in a pop-up window after a user clicks a specially formed link on an untrusted website or in an untrusted e-mail. Now, while the full URL is actually present in the address bar, the left part of the URL is not initially displayed. But, you can see the full URL if you either click in the browser window or in the address bar and then scroll within the address bar. We’re not aware of any attacks that are attempting to use this, but as always we will continue to monitor the situation throughout our investigation... We do have this issue under investigation and as always, once we complete our investigation we’ll take appropriate steps to protect our customers..."
    ============================================

    > http://secunia.com/product/12366/?task=advisories
    10.30.2006
    "...Currently, 100% (3 out of 3) are marked as Unpatched with the most severe being rated Moderately critical..."

    Last edited by AplusWebMaster; 2006-10-30 at 21:02. Reason: Added Secunia product link...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2 AplusWebMaster (Adviser Team)

    ADODB.Connection POC published ..."ActiveX" again

    FYI...

    - http://isc.sans.org/diary.php?storyid=1807
    Last Updated: 2006-10-27 18:50:51 UTC
    "A recently discovered vulnerability in ADODB.connection has a proof of concept exploit. Microsoft has mentioned it in their blog*. (This may) be the 'drive by' threat vector of the next little while. This particular threat impact is remote code execution of choice. The code creates new ActiveXObject('ADODB.Connection.2.7') and then executes a number of times. The PoC is a Denial of Service, but it is just a question of time until a working version with shellcode is out (if not already).
    > Mitigation: Disable ActiveX completely, or only allow it in trusted zones.
    US-CERT has published a note here**. "The ADODB.Connection ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: {00000514-0000-0010-8000-00AA006D2EA4} "

    * http://blogs.technet.com/msrc/archiv...published.aspx
    October 27, 2006
    "...We are fully aware of the recent Proof of Concept (POC) code posting regarding ADODB.Connection. We have initiated our Software Security Incident Response Process to investigate this issue. Once we have completed the investigation and understand if there is a threat to customers we will take the appropriate action to protect and provide guidance – as required. As always we are working with our MSRA partners to monitor and secure the ecosystem. I'll do my best to keep everyone up to date as the investigation progresses."
    ** http://www.kb.cert.org/vuls/id/589272
    Date Last Updated: 10/27/2006


  3. #3 AplusWebMaster (Adviser Team)

    MS DRM DoS vulnerability

    FYI...

    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5448
    Last revised: 10/24/2006
    Source: US-CERT/NIST
    Overview:
    The drmstor.dll ActiveX object in Microsoft Windows Digital Rights Management System (DRM) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long parameter to the StoreLicense function, which triggers "memory corruption" and possibly a buffer overflow.
    Impact:
    CVSS Severity: 8.0 (High)
    Range: Remotely exploitable
    Authentication: Not required to exploit
    Impact Type: Provides user account access, Allows disruption of service..."

    > http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-5448


  4. #4 AplusWebMaster (Adviser Team)

    XP ICS DoS 0-Day POC published

    FYI...

    - http://www.pcworld.com/printable/art...printable.html
    October 30, 2006

    - http://isc.sans.org/diary.php?storyid=1809
    Last Updated: 2006-10-29 20:29:35 UTC
    "We have received a report that a DoS exploit has been released that targets ipnathlp.dll, which is used by the Windows Firewall/Internet Connection Sharing (ICS) service. We also received a report that the exploit works against a fully patched XP SP2 system... The Windows Firewall/Internet Connection Sharing (ICS) service may be running even though Windows Firewall is disabled.
    To determine if your system has the service running, type the following at a command prompt:
    sc query sharedaccess
    The short name of this service is SharedAccess, the full name is Windows Firewall/Internet Connection Sharing (ICS).
    ...Microsoft Error Message:
    'Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.'
    View What's in this report:
    Error signature:
    szAppName: svchost.exe szAppVer: 5.1.2600.2180
    szModName: ipnathlp.dll szModVer 5.1.2600.2180 offset: 0001d45e ...
    Other information:
    UPDATE - 5:40 PM EDST - According to the MS Windows Compute Cluster Server 2003 Deployment website*, "Windows Compute Cluster Server 2003 relies on Internet Connection Sharing (ICS) to provide network address translation between the public and private networks. ICS also provides DHCP service for the private network. ICS is enabled during Compute Cluster Pack setup".
    SharedAccess — Windows Firewall/Internet Connection Sharing (ICS).
    Provides network address translation, addressing, name resolution, and/or intrusion prevention services for a home or small office network.
    Start mode: Auto
    Login account: LocalSystem
    DLL file: ipnathlp.dll
    Dependencies: Netman, winmgmt
    > msdn Diagram of Internet Connection Sharing and Internet Connection Firewall
    > http://msdn.microsoft.com/library/en...n_firewall.asp

    * http://technet2.microsoft.com/Window...3.mspx?pf=true

    MS ICS DoS 0Day in the Wild - ICS DoS FAQ
    ** http://blog.ncircle.com/archives/200...soft_ics_d.htm

    - http://secunia.com/advisories/22592/
    Release Date: 2006-10-30
    Critical: Less critical
    Impact: DoS
    Where: From local network
    Solution Status: Unpatched
    OS: Microsoft Windows XP Home, XP Professional
    ...The vulnerability is confirmed in a fully patched Windows XP SP2 system. Other versions may also be affected.
    Solution: Use another way of sharing the Internet connection...
    ================================================
    BTW...

    - http://www.sans.org/newsletters/news...7&rss=Y#sID204

    "...the attack would have no effect on a third-party firewall..."

    Last edited by AplusWebMaster; 2006-11-03 at 20:40. Reason: Added info re: third-party firewall info...

  5. #5 AplusWebMaster (Adviser Team)

    Vuln in Visual Studio 2005 Could Allow Remote Code Execution

    FYI...

    Microsoft Security Advisory (927709)
    Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/927709.mspx
    Published or Last Updated: 10/31/2006
    "Microsoft is investigating public reports of a vulnerability in an ActiveX control in Visual Studio 2005 on Windows. We are aware of proof of concept code published publicly and of the possibility of limited attacks that are attempting to use the reported vulnerability. Customers who are running Visual Studio 2005 on Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. Visual Studio 2005 customers who are running Internet Explorer 7 with default settings, are not at risk until this control has been activated through the ActiveX Opt-in Feature in the Internet Zone. Customers would need to visit an attacker’s Web site to be at risk. We will continue to investigate these public reports. The ActiveX control is the WMI Object Broker control, which is included in WmiScriptUtils.dll.
    Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs..."
    (Also see "Mitigating Factors" at the URL above.)

    - http://secunia.com/advisories/22603/
    Release Date: 2006-11-01
    Critical: Extremely critical
    "...Solution: Microsoft has recommended various workarounds including setting the kill-bit for the affected ActiveX control (see the vendor's advisory for details)..."

    EDIT/ADD:
    - http://blogs.technet.com/msrc/archiv...09-posted.aspx
    November 01, 2006
    "...We are aware of the possibility of limited attacks that are attempting to use the reported vulnerability..."
    - http://isc.sans.org/diary.php?storyid=1813
    Last Updated: 2006-11-01 20:45:19 UTC
    "...This vulnerability is being **actively exploited**. The advisory states that Microsoft is planning an update for this problem and it should go out in the next monthly patch cycle..."
    - http://www.kb.cert.org/vuls/id/854856
    Date Last Updated: 11/01/2006
    "...Solution: ...Disable the WMI Object Broker ActiveX control in Internet Explorer. The WMI Object Broker ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:
    {7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
    More information about how to set the kill bit is available in Microsoft Support Document 240797*."
    * http://support.microsoft.com/kb/240797

    Last edited by AplusWebMaster; 2006-11-01 at 22:06. Reason: Added ISC and U.S. CERT entries...
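    The kill-bit workaround quoted in posts #2 (ADODB.Connection) and #5 (WMI Object Broker) can be audited and applied from PowerShell rather than by hand-editing the registry. The script below is an added example; it is not code from the thread, from Secunia, from US-CERT or from Microsoft. It assumes an elevated session, uses the "ActiveX Compatibility" registry location and the 0x400 "Compatibility Flags" bit documented in KB 240797, and the -Apply switch is a parameter of this script, not an existing tool option.

```powershell
# Added example (not from the thread or from Microsoft): audit, and optionally set,
# the Internet Explorer kill bit for the two CLSIDs quoted in this thread.
# Assumptions: elevated session; registry path and the 0x400 flag are the ones
# documented in KB 240797; -Apply is a switch defined here, not an existing tool flag.
param(
    [switch]$Apply   # without -Apply the script only reports
)

# CLSIDs quoted in the thread: ADODB.Connection (post #2), WMI Object Broker (post #5)
$KillBitTargets = @{
    '{00000514-0000-0010-8000-00AA006D2EA4}' = 'ADODB.Connection'
    '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}' = 'WMI Object Broker (WmiScriptUtils.dll)'
}

$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit    = 0x400   # "Compatibility Flags" bit that blocks the control in IE (KB 240797)

# Returns $true when the kill bit is already present for the given CLSID
function Test-KillBit {
    param([string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

# Sets the kill bit, preserving any other compatibility flags already present
function Set-KillBit {
    param([string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($existing -bor $KillBit) -Force | Out-Null
}

foreach ($clsid in $KillBitTargets.Keys) {
    $name = $KillBitTargets[$clsid]
    if (Test-KillBit $clsid) {
        Write-Output "OK       $clsid  $name  (kill bit already set)"
        continue
    }
    if ($Apply) {
        Set-KillBit $clsid
        Write-Output "SET      $clsid  $name"
    } else {
        Write-Output "MISSING  $clsid  $name  (re-run with -Apply to set)"
    }
}
```

    Run it once without -Apply to see which of the two controls is still enabled, then with -Apply to set the bits; IE picks the change up on its next start. On 64-bit Windows the 32-bit IE reads the same key under SOFTWARE\Wow6432Node, which this script does not touch, so check that path separately there. Setting the kill bit blocks the control only when instantiated by IE and does not remove or patch the DLL itself.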

  6. #6 AplusWebMaster (Adviser Team)

    Windows Update shows IEv7 high priority update NOW

    FYI...

    - http://isc.sans.org/diary.php?storyid=1816
    Last Updated: 2006-11-02 14:04:01 UTC
    "...Internet Explorer 7.0 is now a high priority update on Windows Update. Unless you set up the respective blocking script, expect IE 7 to be installed on your systems if they are configured to retrieve and install high priority updates from Windows Update..."

    - http://update.microsoft.com/microsof....aspx?ln=en-us
    "High-priority updates
    Windows Internet Explorer 7.0 for Windows XP
    Date last published: 11/1/2006
    Download size: 14.8 MB
    Get help and support
    http://go.microsoft.com/fwlink/?LinkId=71719
    More information
    http://go.microsoft.com/fwlink/?LinkId=71727"
    --------------------------------------------------------

    - http://isc.sans.org/diary.php?compare=1&storyid=1816
    Last Updated: 2006-11-02 16:30:24 UTC (Version: 2)
    "...You will still have to accept the update, and MSIE 7 will not be installed fully automatically. For details see: http://www.microsoft.com/technet/upd...ouncement.mspx ..."
    ("Automatic Updates Delivery Experience Screenshots" shown there.)

    Last edited by AplusWebMaster; 2006-11-02 at 17:55. Reason: Added additional update info...
