2006 MS Alerts - Q4

[AplusWebMaster]

FYI...

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5448
Last revised: 10/24/2006
Source: US-CERT/NIST
Overview:
The drmstor.dll ActiveX object in Microsoft Windows Digital Rights Management System (DRM) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long parameter to the StoreLicense function, which triggers "memory corruption" and possibly a buffer overflow.
Impact:
CVSS Severity: 8.0 (High)
Range: Remotely exploitable
Authentication: Not required to exploit
Impact Type: Provides user account access , Allows disruption of service..."

> http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-5448

[AplusWebMaster]

FYI...

- http://www.pcworld.com/printable/art...printable.html
October 30, 2006

- http://isc.sans.org/diary.php?storyid=1809
Last Updated: 2006-10-29 20:29:35 UTC
"We have received a report that a DoS exploit has been released that targets ipnathlp.dll, which is used by the Windows Firewall/Internet Connection Sharing (ICS) service. We also received a report that the exploit works against a fully patched XP SP2 system... The Windows Firewall/Internet Connection Sharing (ICS) service may be running even though Windows Firewall is disabled.
To determine if your system has the service running, type the following at a command prompt:
sc query sharedaccess
The short name of this service is SharedAccess, the full name is Windows Firewall/Internet Connection Sharing (ICS).
...Microsoft Error Message:
'Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.'
View What's in this report:
Error signature:
szAppName: svchost.exe szAppVer: 5.1.2600.2180
szModName: ipnathlp.dll szModVer 5.1.2600.2180 offset: 0001d45e ...
Other information;
UPDATE - 5:40 PM EDST - According to the MS Windows Compute Cluster Server 2003 Deployment website*, "Windows Compute Cluster Server 2003 relies on Internet Connection Sharing (ICS) to provide network address translation between the public and private networks. ICS also provides DHCP service for the private network. ICS is enabled during Compute Cluster Pack setup".
SharedAccess — Windows Firewall/Internet Connection Sharing (ICS).
Provides network address translation, addressing, name resolution, and/or intrusion prevention services for a home or small office network.
Start mode: Auto
Login account: LocalSystem
DLL file: ipnathlp.dll
Dependencies: Netman, winmgmt
SharedAccess — Windows Firewall/Internet Connection Sharing (ICS).
Provides network address translation, addressing, name resolution, and/or intrusion prevention services for a home or small office network.
Start mode: Auto
Login account: LocalSystem
DLL file: ipnathlp.dll
Dependencies: Netman, winmgmt
> msdn Diagram of Internet Connection Sharing and Internet Connection Firewall
> http://msdn.microsoft.com/library/en...n_firewall.asp

* http://technet2.microsoft.com/Window...3.mspx?pf=true

MS ICS DoS 0Day in the Wild - ICS DoS FAQ
** http://blog.ncircle.com/archives/200...soft_ics_d.htm

- http://secunia.com/advisories/22592/
Release Date: 2006-10-30
Critical: Less critical
Impact: DoS
Where: From local network
Solution Status: Unpatched
OS: Microsoft Windows XP Home, XP Professional
...The vulnerability is confirmed in a fully patched Windows XP SP2 system. Other versions may also be affected.
Solution: Use another way of sharing the Internet connection...
================================================
BTW...

- http://www.sans.org/newsletters/news...7&rss=Y#sID204

"...the attack would have no effect on a third-party firewall..."

[AplusWebMaster]

FYI...

Microsoft Security Advisory (927709)
Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...ry/927709.mspx
Published or Last Updated: 10/31/2006
"Microsoft is investigating public reports of a vulnerability in an ActiveX control in Visual Studio 2005 on Windows. We are aware of proof of concept code published publicly and of the possibility of limited attacks that are attempting to use the reported vulnerability. Customers who are running Visual Studio 2005 on Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. Visual Studio 2005 customers who are running Internet Explorer 7 with default settings, are not at risk until this control has been activated through the ActiveX Opt-in Feature in the Internet Zone. Customers would need to visit an attacker’s Web site to be at risk. We will continue to investigate these public reports. The ActiveX control is the WMI Object Broker control, which is included in WmiScriptUtils.dll.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs..."
(Also see "Mitigating Factors" at the URL above.)

- http://secunia.com/advisories/22603/
Release Date: 2006-11-01
Critical: Extremely critical
"...Solution: Microsoft has recommended various workarounds including setting the kill-bit for the affected ActiveX control (see the vendor's advisory for details)..."

EDIT/ADD:
- http://blogs.technet.com/msrc/archiv...09-posted.aspx
November 01, 2006
"...We are aware of the possibility of limited attacks that are attempting to use the reported vulnerability..."
- http://isc.sans.org/diary.php?storyid=1813
Last Updated: 2006-11-01 20:45:19 UTC
"...This vulnerability is being **actively exploited**. The advisory states that Microsoft is planning an update for this problem and it should go out in the next monthly patch cycle..."
- http://www.kb.cert.org/vuls/id/854856
Date Last Updated: 11/01/2006
"...Solution: ...Disable the WMI Object Broker ActiveX control in Internet Explorer. The WMI Object Broker ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
More information about how to set the kill bit is available in Microsoft Support Document 240797*."
* http://support.microsoft.com/kb/240797

.

[AplusWebMaster]

FYI...

- http://isc.sans.org/diary.php?storyid=1816
Last Updated: 2006-11-02 14:04:01 UTC
"...Internet Explorer 7.0 is now a high priority update on Windows Update. Unless you setup the respective blocking script, expect IE 7 to be installed on your systems if they are configured to retrieve and install high priority updates from Windows Update..."

- http://update.microsoft.com/microsof....aspx?ln=en-us
"High-priority updates
Windows Internet Explorer 7.0 for Windows XP
Date last published: 11/1/2006
Download size: 14.8 MB
"Get help and support
http://go.microsoft.com/fwlink/?LinkId=71719
More information
http://go.microsoft.com/fwlink/?LinkId=71727 "
--------------------------------------------------------

- http://isc.sans.org/diary.php?compare=1&storyid=1816
Last Updated: 2006-11-02 16:30:24 UTC (Version: 2)
"...You will still have to accept the update, and MSIE 7 will not be installed fully automatically. For details see: http://www.microsoft.com/technet/upd...ouncement.mspx ..."
("Automatic Updates Delivery Experience Screenshots" shown there.)

[AplusWebMaster]

FYI...

Microsoft Security Advisory (927892)
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...ry/927892.mspx
Published: November 3, 2006
"Microsoft is investigating public reports of a vulnerability in the XMLHTTP 4.0 ActiveX Control, part of Microsoft XML Core Services 4.0 on Windows. We are aware of limited attacks that are attempting to use the reported vulnerability. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. Customers would need to visit an attacker’s Web site to be at risk. We will continue to investigate these public reports. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs..."

(Also see "Mitigating Factors" at the URL above.)

EDIT/ADD:
- http://secunia.com/advisories/22687/
Last update: 2006-11-06
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
Other References: US-CERT VU#585137: http://www.kb.cert.org/vuls/id/585137

- http://www.frsirt.com/english/advisories/2006/4334
Release Date: 2006-11-04
"...Solution:
Set a kill bit for the CLSID {88d969c5-f192-11d4-a65f-0040963251e5} :
http://support.microsoft.com/kb/240797
Or disable Active Scripting in the Internet and Local intranet security zones..."

EDIT/ADD:
- http://www.symantec.com/security_res...110611-5730-99
Updated: November 6, 2006
"...Type: Trojan Horse, Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
> Bloodhound.Exploit.96 is a heuristic detection for web pages attempting to exploit the Microsoft XML Core Services setRequestHeader Vulnerability (as described in Microsoft Security Advisory 927892)."

[AplusWebMaster]

FYI...

- http://isc.sans.org/diary.php?storyid=1833
Last Updated: 2006-11-08 00:22:06 UTC
"We've received a report of the MSXML 0-day exploit being used in the wild... (also see http://isc.sans.org/diary.php?storyid=1825 ). The exploit does not seem to be in wide use just yet, but that can, of course (and we expect it to), change very quickly. For the exploit to work it *needs* Microsoft XML Core Services to be installed. Microsoft XML Core Services are not installed by default on Windows XP, but there seems to be a lot of packages using it, Visual Studio appears to be one common one. You can check in the Add or Remove Programs applet if you have it installed.
> The exploit works in both IE6 and IE7, which makes sense since it's exploiting a vulnerability in an ActiveX object, not in the browser itself. When executed the exploit creates an MSXML 4.0 ActiveX object (88d969c5-f192-11d4-a65f-0040963251e5). It then uses multiple setRequestHeader() method calls to execute shellcode which is included with the exploit. Once executed the shellcode (of course) first downloads the first stage downloader. At the moment it's a file called tester.dat:
16ac9982d177a47a20c4717183493e95 tester.dat
This downloader then downloads subsequent files (yet to be analysed). It looks like some AV vendors are beggining to detect the exploit. At this moment it is being detected by McAfee as Exploit-XMLCoreSrvcs and Symantec as Bloodhound.Exploit.96*. Microsoft also detects it as Exploit:HTML/Xmlreq.A. The best protection, is to prevent the XMLHTTP 4.0 ActiveX Control from running in Internet Explorer, as stated in Microsoft's advisory: http://www.microsoft.com/technet/sec...ry/927892.mspx ."
* http://www.symantec.com/security_res...110611-5730-99

[AplusWebMaster]

FYI...

- http://isc.sans.org/diary.php?storyid=1837
Last Updated: 2006-11-08 18:53:37 UTC
"Rohit from Tippingpoint advised us that he is seeing a large number of attacks from Russia using an un-patched vulnerability in the WMIObjectBroker ActiveX control (CVE-2006-4704*). He is seeing it used as part of a drive-by download. Typically, the Trojan "Galopoper.A"** is loaded. There is no patch available at this point... The WMIObjectBroker ActiveX component is part of Visual Studio 2005 and associated with the WmiScriptUtils.dll . So you are only vulnerable if you find WmiScriptUtil.dll on your system. Also, by default this ActiveX component is not activated by default. For more details about this vulnerability see http://www.microsoft.com/technet/sec...ry/927709.mspx ."

* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4704

** http://www.symantec.com/security_res...042013-1813-99
"...Trojan.Galapoper.A is a Trojan horse contacts a remote Web site and downloads other risks onto the compromised computer..."

- http://isc.sans.org/diary.php?storyid=1813

- http://secunia.com/advisories/22603

- http://www.kb.cert.org/vuls/id/854856

[AplusWebMaster]

FYI...

- http://www.microsoft.com/technet/sec...n/advance.mspx
November 9, 2006
"...On 14 November 2006 Microsoft is planning to release:
Security Updates
• -One- Microsoft Security Bulletin affecting Microsoft XML Core Services. The highest Maximum Severity rating for this is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates will require a restart.
• -Five- Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
Microsoft Windows Malicious Software Removal Tool
• Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS
• Microsoft will release No NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
• Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."

[AplusWebMaster]

FYI...

- http://www.microsoft.com/technet/sec.../ms06-nov.mspx
Published: November 14, 2006
Version: 1.0 ...

Summary...

Critical (5)

Microsoft Security Bulletin MS06-067
Cumulative Security Update for Internet Explorer (922760)
- http://www.microsoft.com/technet/sec.../MS06-067.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-068
Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213)
- http://www.microsoft.com/technet/sec.../MS06-068.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-069
Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789)
- http://www.microsoft.com/technet/sec.../MS06-069.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-070
Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
- http://www.microsoft.com/technet/sec.../MS06-070.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-071
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)
- http://www.microsoft.com/technet/sec.../MS06-071.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution


Important (1)

Microsoft Security Bulletin MS06-066
Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution (923980)
- http://www.microsoft.com/technet/sec.../MS06-066.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution ...


...The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
• V1.0 (November 14, 2006): Bulletin published."
-------------------------------------------------

ISC Analysis:
- http://isc.sans.org/diary.php?storyid=1855
-------------------------------------------------

Microsoft Security Advisory (927892)
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...ry/927892.mspx
Last Updated: 11/14/2006
"...We have issued MS06-071* to address this issue...."
* http://www.microsoft.com/technet/sec.../MS06-071.mspx

Microsoft Security Advisory (925444)
Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...ry/925444.mspx
Last Updated: 11/14/2006
"...We have issued MS06-067** to address this issue..."
** http://www.microsoft.com/technet/sec.../ms06-067.mspx

Microsoft Security Advisory (925143)
Adobe Security Bulletin: APSB06-11 Flash Player Update to Address Security Vulnerabilities
- http://www.microsoft.com/technet/sec...ry/925143.mspx
Last Updated: November 14, 2006
"...We have issued MS06-069*** to address these issues..."
*** http://www.microsoft.com/technet/sec.../ms06-069.mspx

.

[AplusWebMaster]

FYI...

- http://www.techweb.com/article/print...section=700027
November 16, 2006
"...Both proof-of-concept exploit code and a public exploit have popped up for the bug fixed in MS06-070, a security update that patched Windows 2000's and Windows XP's Workstation Service, a routing service used by the operating system to determine if file or print requests originate locally or remotely. Microsoft pegged MS06-070 with its "critical" ranking, the highest threat warning it assigns updates. "We've confirmed exploit code from two different sources," said Amol Sarwate, the manager of Qualys' vulnerability lab. "The window [of time] to exploit is definitely shrinking." It's become common for exploits to crop up within days of Microsoft's monthly patch release. The trend has become routine enough to get its own moniker: "Exploit Wednesday"... Blocking ports 139 and 445, one of the workarounds Microsoft offered Tuesday in the MS06-070 bulletin, isn't really feasible, said Sarwarte. "There are maybe 15 different services that won't work if you close those ports," he said. Symantec pegged another of the half-dozen updates -- the one spelled out in the MS06-066 bulletin -- as now sporting an exploit against the disclosed bug..."