
Thread: 2006 MS Alerts - Q4

  1. #11
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation MS DRM DoS vulnerability

    FYI...

    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5448
    Last revised: 10/24/2006
    Source: US-CERT/NIST
    Overview:
    The drmstor.dll ActiveX object in Microsoft Windows Digital Rights Management System (DRM) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long parameter to the StoreLicense function, which triggers "memory corruption" and possibly a buffer overflow.
    Impact:
    CVSS Severity: 8.0 (High)
    Range: Remotely exploitable
    Authentication: Not required to exploit
    Impact Type: Provides user account access, Allows disruption of service..."

    > http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-5448

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #12
    AplusWebMaster

    Exclamation XP ICS DoS 0-Day POC published

    FYI...

    - http://www.pcworld.com/printable/art...printable.html
    October 30, 2006

    - http://isc.sans.org/diary.php?storyid=1809
    Last Updated: 2006-10-29 20:29:35 UTC
    "We have received a report that a DoS exploit has been released that targets ipnathlp.dll, which is used by the Windows Firewall/Internet Connection Sharing (ICS) service. We also received a report that the exploit works against a fully patched XP SP2 system... The Windows Firewall/Internet Connection Sharing (ICS) service may be running even though Windows Firewall is disabled.
    To determine if your system has the service running, type the following at a command prompt:
    sc query sharedaccess
    The short name of this service is SharedAccess, the full name is Windows Firewall/Internet Connection Sharing (ICS).
    ...Microsoft Error Message:
    'Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.'
    View What's in this report:
    Error signature:
    szAppName: svchost.exe szAppVer: 5.1.2600.2180
    szModName: ipnathlp.dll szModVer 5.1.2600.2180 offset: 0001d45e ...
    Other information;
    UPDATE - 5:40 PM EDST - According to the MS Windows Compute Cluster Server 2003 Deployment website*, "Windows Compute Cluster Server 2003 relies on Internet Connection Sharing (ICS) to provide network address translation between the public and private networks. ICS also provides DHCP service for the private network. ICS is enabled during Compute Cluster Pack setup".
    SharedAccess — Windows Firewall/Internet Connection Sharing (ICS).
    Provides network address translation, addressing, name resolution, and/or intrusion prevention services for a home or small office network.
    Start mode: Auto
    Login account: LocalSystem
    DLL file: ipnathlp.dll
    Dependencies: Netman, winmgmt
    > msdn Diagram of Internet Connection Sharing and Internet Connection Firewall
    > http://msdn.microsoft.com/library/en...n_firewall.asp

    * http://technet2.microsoft.com/Window...3.mspx?pf=true

    MS ICS DoS 0Day in the Wild - ICS DoS FAQ
    ** http://blog.ncircle.com/archives/200...soft_ics_d.htm

    - http://secunia.com/advisories/22592/
    Release Date: 2006-10-30
    Critical: Less critical
    Impact: DoS
    Where: From local network
    Solution Status: Unpatched
    OS: Microsoft Windows XP Home, XP Professional
    ...The vulnerability is confirmed in a fully patched Windows XP SP2 system. Other versions may also be affected.
    Solution: Use another way of sharing the Internet connection...
    ================================================
    BTW...

    - http://www.sans.org/newsletters/news...7&rss=Y#sID204

    "...the attack would have no effect on a third-party firewall..."

    Last edited by AplusWebMaster; 2006-11-03 at 21:40. Reason: Added info re: third-party firewall info...
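As an added example (not part of the ISC diary or this post), a read-only PowerShell check that reports what the diary's "sc query sharedaccess" shows, together with the start mode, logon account, dependencies and ipnathlp.dll version listed above, so an admin can see whether the affected service is live even when Windows Firewall itself is switched off. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance); the function name is mine.

```powershell
# Added example, not code from the ISC diary or the forum post.
# Reports the Windows Firewall/ICS service (short name SharedAccess) the way
# "sc query sharedaccess" does, plus the details the post lists: start mode,
# logon account, dependencies and the version of ipnathlp.dll (the module
# named in the crash signature). Read-only; it changes nothing on the host.
function Get-SharedAccessStatus {
    [CmdletBinding()]
    param()

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SharedAccess'"
    if (-not $svc) {
        # Service not installed on this host (e.g. a server SKU without ICS).
        return [pscustomobject]@{ Present = $false }
    }

    # Services SharedAccess depends on (the post lists Netman and winmgmt).
    # Role=Dependent means "SharedAccess is the dependent; return its antecedents".
    $deps = Get-CimInstance -Query "ASSOCIATORS OF {Win32_Service.Name='SharedAccess'} WHERE AssocClass=Win32_DependentService Role=Dependent" |
        Select-Object -ExpandProperty Name

    # File version of the module that faulted in the reported crash; compare it
    # with the szModVer value in the error signature (5.1.2600.2180 in the report).
    $dll = Join-Path $env:SystemRoot 'system32\ipnathlp.dll'
    $dllVersion = if (Test-Path $dll) { (Get-Item $dll).VersionInfo.FileVersion } else { 'not found' }

    [pscustomobject]@{
        Present         = $true
        DisplayName     = $svc.DisplayName
        State           = $svc.State      # 'Running' is what the diary's check looks for
        StartMode       = $svc.StartMode  # 'Auto' in the post's description
        LogonAccount    = $svc.StartName  # 'LocalSystem'
        DependsOn       = ($deps -join ', ')
        IpnathlpVersion = $dllVersion
    }
}

Get-SharedAccessStatus | Format-List
```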

  3. #13
    AplusWebMaster

    Exclamation Vuln in Visual Studio 2005 Could Allow Remote Code Execution

    FYI...

    Microsoft Security Advisory (927709)
    Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/927709.mspx
    Published or Last Updated: 10/31/2006
    "Microsoft is investigating public reports of a vulnerability in an ActiveX control in Visual Studio 2005 on Windows. We are aware of proof of concept code published publicly and of the possibility of limited attacks that are attempting to use the reported vulnerability. Customers who are running Visual Studio 2005 on Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. Visual Studio 2005 customers who are running Internet Explorer 7 with default settings, are not at risk until this control has been activated through the ActiveX Opt-in Feature in the Internet Zone. Customers would need to visit an attacker’s Web site to be at risk. We will continue to investigate these public reports. The ActiveX control is the WMI Object Broker control, which is included in WmiScriptUtils.dll.
    Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs..."
    (Also see "Mitigating Factors" at the URL above.)

    - http://secunia.com/advisories/22603/
    Release Date: 2006-11-01
    Critical: Extremely critical
    "...Solution: Microsoft has recommended various workarounds including setting the kill-bit for the affected ActiveX control (see the vendor's advisory for details)..."

    EDIT/ADD:
    - http://blogs.technet.com/msrc/archiv...09-posted.aspx
    November 01, 2006
    "...We are aware of the possibility of limited attacks that are attempting to use the reported vulnerability..."
    - http://isc.sans.org/diary.php?storyid=1813
    Last Updated: 2006-11-01 20:45:19 UTC
    "...This vulnerability is being **actively exploited**. The advisory states that Microsoft is planning an update for this problem and it should go out in the next monthly patch cycle..."
    - http://www.kb.cert.org/vuls/id/854856
    Date Last Updated: 11/01/2006
    "...Solution: ...Disable the WMI Object Broker ActiveX control in Internet Explorer. The WMI Object Broker ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:
    {7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
    More information about how to set the kill bit is available in Microsoft Support Document 240797*."
    * http://support.microsoft.com/kb/240797

    Last edited by AplusWebMaster; 2006-11-01 at 23:06. Reason: Added ISC and U.S. CERT entries...

  4. #14
    AplusWebMaster

    Post Windows Update shows IEv7 high priority update NOW

    FYI...

    - http://isc.sans.org/diary.php?storyid=1816
    Last Updated: 2006-11-02 14:04:01 UTC
    "...Internet Explorer 7.0 is now a high priority update on Windows Update. Unless you set up the respective blocking script, expect IE 7 to be installed on your systems if they are configured to retrieve and install high priority updates from Windows Update..."

    - http://update.microsoft.com/microsof....aspx?ln=en-us
    "High-priority updates
    Windows Internet Explorer 7.0 for Windows XP
    Date last published: 11/1/2006
    Download size: 14.8 MB
    "Get help and support
    http://go.microsoft.com/fwlink/?LinkId=71719
    More information
    http://go.microsoft.com/fwlink/?LinkId=71727 "
    --------------------------------------------------------

    - http://isc.sans.org/diary.php?compare=1&storyid=1816
    Last Updated: 2006-11-02 16:30:24 UTC (Version: 2)
    "...You will still have to accept the update, and MSIE 7 will not be installed fully automatically. For details see: http://www.microsoft.com/technet/upd...ouncement.mspx ..."
    ("Automatic Updates Delivery Experience Screenshots" shown there.)

    Last edited by AplusWebMaster; 2006-11-02 at 18:55. Reason: Added additional update info...

  5. #15
    AplusWebMaster

    Exclamation Microsoft Security Advisory (927892)

    FYI...

    Microsoft Security Advisory (927892)
    Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/927892.mspx
    Published: November 3, 2006
    "Microsoft is investigating public reports of a vulnerability in the XMLHTTP 4.0 ActiveX Control, part of Microsoft XML Core Services 4.0 on Windows. We are aware of limited attacks that are attempting to use the reported vulnerability. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. Customers would need to visit an attacker’s Web site to be at risk. We will continue to investigate these public reports. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs..."

    (Also see "Mitigating Factors" at the URL above.)

    EDIT/ADD:
    - http://secunia.com/advisories/22687/
    Last update: 2006-11-06
    Critical: Extremely critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched...
    Other References: US-CERT VU#585137: http://www.kb.cert.org/vuls/id/585137

    - http://www.frsirt.com/english/advisories/2006/4334
    Release Date: 2006-11-04
    "...Solution:
    Set a kill bit for the CLSID {88d969c5-f192-11d4-a65f-0040963251e5} :
    http://support.microsoft.com/kb/240797
    Or disable Active Scripting in the Internet and Local intranet security zones..."

    EDIT/ADD:
    - http://www.symantec.com/security_res...110611-5730-99
    Updated: November 6, 2006
    "...Type: Trojan Horse, Worm
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
    > Bloodhound.Exploit.96 is a heuristic detection for web pages attempting to exploit the Microsoft XML Core Services setRequestHeader Vulnerability (as described in Microsoft Security Advisory 927892)."

    Last edited by AplusWebMaster; 2006-11-07 at 19:06. Reason: Added Trojan/worm info...

  6. #16
    AplusWebMaster

    Exclamation MSXML 4.0 ActiveX exploit in the wild

    FYI...

    - http://isc.sans.org/diary.php?storyid=1833
    Last Updated: 2006-11-08 00:22:06 UTC
    "We've received a report of the MSXML 0-day exploit being used in the wild... (also see http://isc.sans.org/diary.php?storyid=1825 ). The exploit does not seem to be in wide use just yet, but that can, of course (and we expect it to), change very quickly. For the exploit to work it *needs* Microsoft XML Core Services to be installed. Microsoft XML Core Services are not installed by default on Windows XP, but there seems to be a lot of packages using it, Visual Studio appears to be one common one. You can check in the Add or Remove Programs applet if you have it installed.
    > The exploit works in both IE6 and IE7, which makes sense since it's exploiting a vulnerability in an ActiveX object, not in the browser itself. When executed the exploit creates an MSXML 4.0 ActiveX object (88d969c5-f192-11d4-a65f-0040963251e5). It then uses multiple setRequestHeader() method calls to execute shellcode which is included with the exploit. Once executed the shellcode (of course) first downloads the first stage downloader. At the moment it's a file called tester.dat:
    16ac9982d177a47a20c4717183493e95 tester.dat
    This downloader then downloads subsequent files (yet to be analysed). It looks like some AV vendors are beginning to detect the exploit. At this moment it is being detected by McAfee as Exploit-XMLCoreSrvcs and Symantec as Bloodhound.Exploit.96*. Microsoft also detects it as Exploit:HTML/Xmlreq.A. The best protection is to prevent the XMLHTTP 4.0 ActiveX Control from running in Internet Explorer, as stated in Microsoft's advisory: http://www.microsoft.com/technet/sec...ry/927892.mspx ."
    * http://www.symantec.com/security_res...110611-5730-99

    Last edited by AplusWebMaster; 2006-11-08 at 23:24. Reason: Noted exploited component as "ActiveX" in title...

  7. #17
    AplusWebMaster

    Exclamation WMIObjectBroker ActiveX 0-Day exploit in the wild

    FYI...

    - http://isc.sans.org/diary.php?storyid=1837
    Last Updated: 2006-11-08 18:53:37 UTC
    "Rohit from Tippingpoint advised us that he is seeing a large number of attacks from Russia using an un-patched vulnerability in the WMIObjectBroker ActiveX control (CVE-2006-4704*). He is seeing it used as part of a drive-by download. Typically, the Trojan "Galapoper.A"** is loaded. There is no patch available at this point... The WMIObjectBroker ActiveX component is part of Visual Studio 2005 and associated with the WmiScriptUtils.dll. So you are only vulnerable if you find WmiScriptUtils.dll on your system. Also, this ActiveX component is not activated by default. For more details about this vulnerability see http://www.microsoft.com/technet/sec...ry/927709.mspx ."

    * http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4704

    ** http://www.symantec.com/security_res...042013-1813-99
    "...Trojan.Galapoper.A is a Trojan horse that contacts a remote Web site and downloads other risks onto the compromised computer..."

    - http://isc.sans.org/diary.php?storyid=1813

    - http://secunia.com/advisories/22603

    - http://www.kb.cert.org/vuls/id/854856

    Last edited by AplusWebMaster; 2006-11-08 at 23:35.
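The kill-bit workaround that posts #13 (CLSID {7F5B7F63-F06F-4331-8A26-339E03C0AE3D}, WMI Object Broker) and #15 (CLSID {88d969c5-f192-11d4-a65f-0040963251e5}, XMLHTTP 4.0) point to via KB 240797, and that the two ISC diaries above call the best protection, worked through as an added PowerShell example; this is not Microsoft's or the forum's code. It assumes an elevated Windows PowerShell session (HKLM is written); the CLSIDs are the ones quoted above, the labels and function names are mine.

```powershell
# Added example, not Microsoft's or the forum's code. Applies and verifies the
# kill-bit workaround from KB 240797: a DWORD named "Compatibility Flags" with
# bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX
# Compatibility\{CLSID} makes Internet Explorer refuse to load that control.
# Run in an elevated session; Set-KillBit honours -WhatIf.
$KillBitFlag = 0x400
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# The two controls named on this page; CLSIDs from the advisories, labels mine.
$Controls = @(
    @{ Clsid = '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'; Name = 'WMI Object Broker (WmiScriptUtils.dll, advisory 927709)' }
    @{ Clsid = '{88d969c5-f192-11d4-a65f-0040963251e5}'; Name = 'XMLHTTP 4.0 (MSXML 4.0, advisory 927892)' }
)

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if ($PSCmdlet.ShouldProcess($Clsid, 'Set ActiveX kill bit')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Keep any compatibility flags already present; only add the kill bit.
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$existing -bor $KillBitFlag
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -PropertyType DWord -Force | Out-Null
    }
}

# The ISC diary notes you are only exposed to the WMIObjectBroker bug if the DLL
# is on the system; resolve the control's DLL from its InprocServer32 registration
# so the report shows whether the control is even registered on this host.
function Get-ControlDll {
    param([Parameter(Mandatory)][string]$Clsid)
    $reg = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $reg)) { return $null }
    (Get-ItemProperty -Path $reg).'(default)'
}

foreach ($c in $Controls) {
    $dll = Get-ControlDll -Clsid $c.Clsid
    # Setting the kill bit is harmless when the control is absent, and it protects
    # the host if the control is installed later, so apply it in either case.
    if (-not (Test-KillBit -Clsid $c.Clsid)) { Set-KillBit -Clsid $c.Clsid }
    [pscustomobject]@{
        Control    = $c.Name
        Registered = [bool]$dll
        Dll        = $dll
        KillBitSet = Test-KillBit -Clsid $c.Clsid
    }
}
```

Users browsing with Internet Explorer must restart the browser for the kill bit to take effect in already-open sessions.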

  8. #18
    AplusWebMaster

    Post MS Security Bulletin Advance Notification - November 2006

    FYI...

    - http://www.microsoft.com/technet/sec...n/advance.mspx
    November 9, 2006
    "...On 14 November 2006 Microsoft is planning to release:
    Security Updates
    -One- Microsoft Security Bulletin affecting Microsoft XML Core Services. The highest Maximum Severity rating for this is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates will require a restart.
    -Five- Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
    Microsoft Windows Malicious Software Removal Tool
    Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).
    Non-security High Priority updates on MU, WU, WSUS and SUS
    Microsoft will release No NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
    Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

    Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."

  9. #19
    AplusWebMaster

    Exclamation MS Security Bulletin Summary - November, 2006

    FYI...

    - http://www.microsoft.com/technet/sec.../ms06-nov.mspx
    Published: November 14, 2006
    Version: 1.0 ...

    Summary...

    Critical (5)

    Microsoft Security Bulletin MS06-067
    Cumulative Security Update for Internet Explorer (922760)
    - http://www.microsoft.com/technet/sec.../MS06-067.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-068
    Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213)
    - http://www.microsoft.com/technet/sec.../MS06-068.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-069
    Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789)
    - http://www.microsoft.com/technet/sec.../MS06-069.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-070
    Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
    - http://www.microsoft.com/technet/sec.../MS06-070.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS06-071
    Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)
    - http://www.microsoft.com/technet/sec.../MS06-071.mspx
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution


    Important (1)

    Microsoft Security Bulletin MS06-066
    Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution (923980)
    - http://www.microsoft.com/technet/sec.../MS06-066.mspx
    Maximum Severity Rating: Important
    Impact of Vulnerability: Remote Code Execution ...


    ...The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

    Revisions:
    V1.0 (November 14, 2006): Bulletin published."
    -------------------------------------------------

    ISC Analysis:
    - http://isc.sans.org/diary.php?storyid=1855
    -------------------------------------------------

    Microsoft Security Advisory (927892)
    Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/927892.mspx
    Last Updated: 11/14/2006
    "...We have issued MS06-071* to address this issue...."
    * http://www.microsoft.com/technet/sec.../MS06-071.mspx

    Microsoft Security Advisory (925444)
    Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/925444.mspx
    Last Updated: 11/14/2006
    "...We have issued MS06-067** to address this issue..."
    ** http://www.microsoft.com/technet/sec.../ms06-067.mspx

    Microsoft Security Advisory (925143)
    Adobe Security Bulletin: APSB06-11 Flash Player Update to Address Security Vulnerabilities
    - http://www.microsoft.com/technet/sec...ry/925143.mspx
    Last Updated: November 14, 2006
    "...We have issued MS06-069*** to address these issues..."
    *** http://www.microsoft.com/technet/sec.../ms06-069.mspx

    Last edited by AplusWebMaster; 2006-11-15 at 03:26. Reason: Added MS advisories updates...

  10. #20
    AplusWebMaster

    Exclamation MS06-066, MS06-070 exploits out

    FYI...

    - http://www.techweb.com/article/print...section=700027
    November 16, 2006
    "...Both proof-of-concept exploit code and a public exploit have popped up for the bug fixed in MS06-070, a security update that patched Windows 2000's and Windows XP's Workstation Service, a routing service used by the operating system to determine if file or print requests originate locally or remotely. Microsoft pegged MS06-070 with its "critical" ranking, the highest threat warning it assigns updates. "We've confirmed exploit code from two different sources," said Amol Sarwate, the manager of Qualys' vulnerability lab. "The window [of time] to exploit is definitely shrinking." It's become common for exploits to crop up within days of Microsoft's monthly patch release. The trend has become routine enough to get its own moniker: "Exploit Wednesday"... Blocking ports 139 and 445, one of the workarounds Microsoft offered Tuesday in the MS06-070 bulletin, isn't really feasible, said Sarwate. "There are maybe 15 different services that won't work if you close those ports," he said. Symantec pegged another of the half-dozen updates -- the one spelled out in the MS06-066 bulletin -- as now sporting an exploit against the disclosed bug..."

