2006 MS Alerts - Q4

Microsoft Security Advisory (928604)

FYI...

Microsoft Security Advisory (928604)
Exploit Code Published Affecting the Workstation Service on Windows 2000
- http://www.microsoft.com/technet/security/advisory/928604.mspx
Published: November 16, 2006
"Microsoft is aware of public proof of concept code targeting the vulnerability addressed by security update MS06-070. At this time Microsoft has not seen any indications of active exploitation of the vulnerability Microsoft has activated its emergency response process and is continuing to investigate this public report. Microsoft continues to recommend that customers apply the November updates as soon as possible with additional urgency and consideration given to the update detailed in MS06-070*..."
* http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx

:fear:

MS06-067 exploit out

(Addition to previous entry...MS06-066, MS06-070 exploits out)

Malicious Website / Malicious Code: MS06-067
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=698
November 14, 2006
"Websense® Security Labs™ received proof of concept code for a vulnerability in the "DirectAnimation ActiveX Control" in September 2006. Since that time our miners have been searching for sites that are exploiting this vulnerability. Multiple sites were discovered to be actively exploiting this in the wild. The majority of these sites have been installing a variant of the HaxDoor backdoor/keylogger..."

(Screenshots available at the URL above.)

> http://www.microsoft.com/technet/security/bulletin/ms06-067.mspx

:fear: :spider:

Microsoft Security Advisory (929433)

FYI...

Microsoft Security Advisory (929433)
Vulnerability in Microsoft Word Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/929433.mspx
December 5, 2006
"Microsoft is investigating a new report of limited “zero-day” attacks using a vulnerability in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006. In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker. As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs..."

> http://secunia.com/advisories/23232/
Last Update: 2006-12-17
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
===========================================
- http://blogs.technet.com/msrc/archive/2006/12/15/update-on-current-word-vulnerability-reports.aspx
December 15, 2006
"...Microsoft Security Advisory 929433 applies to all three issues..."

:fear:

MS Security Bulletin Advance Notification - December 2006

FYI...

- http://www.microsoft.com/technet/security/bulletin/advance.mspx
Updated: December 7, 2006
"...On 12 December 2006 Microsoft is planning to release:

Security Updates
• -Five- Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
• -One- Microsoft Security Bulletins affecting Microsoft Visual Studio. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. These updates may require a restart.
Microsoft Windows Malicious Software Removal Tool
• Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS
• Microsoft will release -four- NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
• Microsoft will release -10- NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."
---------------------------------------------------------------

- http://isc.sans.org/diary.php?storyid=1922
Last Updated: 2006-12-08 01:53:19 UTC
"...Note that there are no patches for Office, so the 2 new Word vulnerabilities reported earlier this week will remain unpatched. See the MSRC blog entry here*."

* http://blogs.technet.com/msrc/archive/2006/12/07/december-2006-advanced-notification.aspx

:sad:

Windows Media Player v9, v10 Vuln

FYI... http://secunia.com/advisories/22971/
Release Date: 2006-12-08
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Windows Media Player 10.x...
...Successful exploitation crashes the program and may potentially allow execution of arbitrary code, though this has not currently been proven. The vulnerability is reported in version 10.00.00.4036. Other versions may also be affected.
Solution: Do not open untrusted playlists..."

- http://www.computerworld.com/action...cleBasic&articleId=9005810&source=rss_topic85
December 08, 2006
"...Affects Windows Media Player Versions 9 and 10, could allow a malicious hacker to run unauthorized software on a victim's PC or cause a denial-of-service attack... The flaw is due to a buffer overflow error that can occur when Windows Media Player is used to run .asx media files, according to a warning from eEye Digital Security*. Such files open automatically in a Web browser, meaning a hacker would need only to post an infected .asx file in a Web page and then try to lure users to visit the page, eEye Digital said. An infected file could also be sent via e-mail, in which case users would need to be persuaded to open it..."
* http://research.eeye.com/html/alerts/zeroday/20061122.html
Common Name: ASX Playlist
Date Disclosed: 11/22/2006
Expected Patch Release: Unknown
Vendor: Microsoft
Application: Windows Media Player
Description: "...function at 7D7A8F27 in WMVCORE.DLL version 9.0.0.3250, and at 086E586E in WMVCORE.DLL version 10.0.0.3802..."
Severity: High ...

- http://blogs.technet.com/msrc/archi...-concept-code-for-asx-file-format-isssue.aspx
December 07, 2006

:fear:

Another new Word 0-day...

FYI...

Another new Word 0-day...
- http://isc.sans.org/diary.php?storyid=1925
Last Updated: 2006-12-10 22:03:23 UTC
"...McAfee* has released a dat today for protection against a buffer overflow attack in MS Word. The announcement says "Note: This vulnerability was first found through one of the samples that McAfee analyzed, and this vulnerability differs from the "Microsoft Word 0-Day Vulnerability I" that was published on December 5, 2006". Other vendors are expected to follow suit..."

* http://vil.nai.com/vil/content/v_vul27249.htm

- http://vil.nai.com/vil/content/v_127787.htm

- http://vil.nai.com/vil/content/v_141056.htm

- http://vil.nai.com/vil/content/v_141057.htm

> http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx
December 10, 2006

- http://secunia.com/advisories/23205/
Release Date: 2006-12-12
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
...NOTE: The vulnerability is already being actively exploited.
Solution: Do not open untrusted Office documents...
- http://secunia.com/advisories/23232/
Last Update: 2006-12-17

:fear:

MS Security Bulletin Summary - December 2006

FYI...

- http://www.microsoft.com/technet/security/bulletin/ms06-dec.mspx
December 12, 2006
"Summary

> Critical (3)

Microsoft Security Bulletin MS06-072
Cumulative Security Update for Internet Explorer (925454)
- http://www.microsoft.com/technet/security/bulletin/ms06-072.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Non-Affected Components: • Windows Internet Explorer 7...

Microsoft Security Bulletin MS06-073
Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)
- http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-078
Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)
- http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

> Important (4)

Microsoft Security Bulletin MS06-074
Vulnerability in SNMP Could Allow Remote Code Execution (926247)
- http://www.microsoft.com/technet/security/bulletin/ms06-074.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-075
Vulnerability in Windows Could Allow Elevation of Privilege (926255)
- http://www.microsoft.com/technet/security/bulletin/ms06-075.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege

Microsoft Security Bulletin MS06-076
Cumulative Security Update for Outlook Express (923694)
- http://www.microsoft.com/technet/security/bulletin/ms06-076.mspx
Maximum Severity Rating: Important
Impact of Vulnerability:Remote Code Execution

Microsoft Security Bulletin MS06-077
Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121)
- http://www.microsoft.com/technet/security/bulletin/ms06-077.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...

Revisions:
• V1.0 (December 12, 2006): Bulletin published.
----------------------------------------------

Microsoft Black Tuesday - December 2006 overview
(ISC Analysis)
- http://isc.sans.org/diary.php?storyid=1928
----------------------------------------------

Microsoft Security Bulletin MS06-059
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164)
- http://www.microsoft.com/technet/security/bulletin/ms06-059.mspx
Revisions:
• V1.0 (October 10, 2006): Bulletin published.
• V1.1 (November 29, 2006): Bulletin updated the Knowledge Base Article for “Microsoft Office Excel Viewer 2003“ in the “Affected Products” section.
• V2.0 (December 12, 2006): Bulletin updated has been revised and re-released for Microsoft Excel 2002 to address the issues identified in Microsoft Knowledge Base Article 924164.
------------------------------------------------

MS Office 2004 (Mac OS X) update was an accident...
- http://isc.sans.org/diary.php?storyid=1937
Last Updated: 2006-12-13 03:16:33 UTC
"Microsoft accidentally released an updated named 11.3.1 for Office 2004 (the Apple Mac version) today. It did contain an unspecified security fix and stability improvements. After asking what it fixed we got the reply it was actually a pre-release that was made available through auto-update.
http://www.microsoft.com/mac/autoupdate/description/AUOffice20041131EN.htm
This wasn't intended to be released and hence has been pulled. See the MSRC blog* for more details. Microsoft is also recommending to uninstall the patches..."

Information on accidental posting of pre-release security updates for Office for Mac
* http://tinyurl.com/ylao2u
December 13, 2006
"...The updates posted in error were pre-release binaries that had been staged internally as part of our testing for an upcoming release. Due to human error, they were accidentally published to the public websites before our full testing release process was complete... We recommend that anyone who may have installed these pre-release updates to uninstall them."

:spider:

MS06-078: -2- Windows Media Format Vulnerabilities

FYI...

- http://isc.sans.org/diary.php?storyid=1936
Last Updated: 2006-12-12 18:51:42 UTC
"This advisory addresses 2 vulnerabilities in the Windows "Media Format Runtime" which is utilized by applications using Windows Media Content. The unchecked buffer and URL parsing vulnerabilities could result in full system compromise if exploited. An attacker would create a malicious Advanced Streaming Format (.ASF) file or a malicious Advanced Stream Redirector (.ASX) file and present it to a vulnerable client through a malicious URL, an email attachment or perhaps through a malicious IFRAME or redirect. These vulnerabilities poses the most risk to systems which are used for web surfing or for checking email. Especially if the user is logged in as Administrator or if an unrestricted or lower than High zone Internet Explorer browser is being used. MS Outlook default restrictions might shield a user, but clicking on a URL within an email launches a browser outside of those restrictions....
Note that it may take several patches to update a system. Windows Media Player 6.4 is patched differently than the Media Format Runtime. It may be a challenge to assess the posture of any given system in regards to these two vulnerabilities...
Reference URLs:
http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx
http://support.microsoft.com/kb/923689
http://support.microsoft.com/kb/925398 ..."

:spider:

MS Tweaks XP laptop Wireless Security

FYI...

- http://blog.washingtonpost.com/securityfix/2006/12/microsoft_fix_tweaks_xp_wirele.html
December 13, 2006
"Microsoft last month quietly issued a long-overdue update to fix a simple yet potentially dangerous security weakness in the way embedded wireless cards work on Windows XP laptops... This patch did -not- show up when I ran a Microsoft Update scan on my HP laptop (even under optional updates), but you can manually download and install it from here*."
* http://support.microsoft.com/kb/917021
Last Review: November 21, 2006
Revision: 3.2
...APPLIES TO:
• Microsoft Windows XP Service Pack 2, when used with:
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional...

:fear: