2006 MS Alerts - Q4

AplusWebMaster

AplusWebMaster

New member
Advisor Team
MSRT analysis report - 3.5M Trojans...

FYI...

- http://www.techweb.com/article/printableArticle.jhtml?articleID=189400396&site_section=700028
June 12, 2006
"Backdoor Trojans are a clear and present danger to Windows machines, Microsoft said Monday as it released the first-ever analysis of data collected by the 15-month run of its Malicious Software Removal Tool, a utility that seeks out and destroys over five-dozen malware families. According to Microsoft's anti-malware engineering team, Trojans that, once installed, give an attacker access and control of a PC, are a "significant and tangible threat to Windows users." Of the 5.7 million unique PCs from which the Malicious Software Removal Tool (MSRT) has deleted malware, 3.5 million of them -- 62 percent -- had at least one backdoor Trojan... Since it debuted in January 2005, the MSRT has been run some 2.7 billion times on an increasing number of PCs. In March 2006, the last month for which data was compiled, 270 million unique systems ran the tool, which is automatically downloaded and run on systems with Windows/Microsoft Update turned on. Over those 15 months, the MSRT found malware on one in every 311 computers..."
------------------------------------------------------------------
Full report URL: http://tinyurl.com/fy8x9
File Name: MSRT - Progress Made Lessons Learned.pdf
Version: 1.0
Date Published: 6/12/2006
Download Size: 843 KB

:fear: :( :spider:
 
Last edited:
W98, WinME, W2k -VML- patch from ZERT available

FYI...

Security pros patch older Windows versions
- http://news.com.com/2102-1002_3-6121559.html?tag=st.util.print
Sep 30, 2006
"...Microsoft no longer provides updates for its older operating systems. ZERT sought to fill that void. "A ZERT patch has just been made available for unsupported system versions," the group said on its Web site. The patch has been tested on Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Windows 2000 and Windows 2000 with Service Pack 3, the group said. ZERT is made up of security professionals from around the world who volunteer their time. Last week the group crafted a patch to plug the VML flaw ahead of Microsoft's fix, so IE users can protect themselves while Microsoft worked on an official patch..."

> http://isotf.org/zert/download.htm
"...A ZERT patch has just been made available for unsupported system versions (Windows 9x to 2000 SP3 and XP SP0). For our original patch, it is IMPORTANT to rollback the ZERT patch, before OR after the Microsoft patch for it to work. Enter our test page again through our download page to make sure you are secure..."

:cool:
 
MS Security Bulletin Advance Notification - October 2006

FYI...

Microsoft Security Bulletin Advance Notification
- http://www.microsoft.com/technet/security/bulletin/advance.mspx
Updated: October 5, 2006
"...On 10 October 2006 Microsoft is planning to release:

Security Updates
• -Six- Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. Some of these updates will require a restart.
• -Four- Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
• -One- Microsoft Security Bulletin affecting Microsoft .NET Framework. The highest Maximum Severity rating for this is Moderate. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. These updates may require a restart.

Microsoft Windows Malicious Software Removal Tool
• Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS
• Microsoft will release No NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
• Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."

.
 
MS Security Bulletin Summary - October, 2006

FYI...

Microsoft Security Bulletin Summary for October, 2006
- http://www.microsoft.com/technet/security/bulletin/ms06-oct.mspx
Published: October 10, 2006
"...Summary
Included in this advisory are updates for newly discovered vulnerabilities. These vulnerabilities, broken down by severity are:

- Critical (6)

Microsoft Security Bulletin MS06-057
Vulnerability in Windows Shell Could Allow Remote Code Execution (923191)
- http://www.microsoft.com/technet/security/Bulletin/MS06-057.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately

Microsoft Security Bulletin MS06-058
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163)
- http://www.microsoft.com/technet/security/Bulletin/MS06-058.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-059
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164)
- http://www.microsoft.com/technet/security/Bulletin/MS06-059.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-060
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554)
- http://www.microsoft.com/technet/security/Bulletin/MS06-060.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-061
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191)
- http://www.microsoft.com/technet/security/Bulletin/MS06-061.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-062
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922581)
- http://www.microsoft.com/technet/security/Bulletin/MS06-062.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution


- Important (1)

Microsoft Security Bulletin MS06-063
Vulnerability in Server Service Could Allow Denial of Service (923414)
- http://www.microsoft.com/technet/security/Bulletin/MS06-063.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service


- Moderate (2)

Microsoft Security Bulletin MS06-056
Vulnerability in ASP.NET Could Allow Information Disclosure (922770)
- http://www.microsoft.com/technet/security/Bulletin/MS06-056.mspx
Maximum Severity Rating: Moderate
Impact of Vulnerability: Information Disclosure

Microsoft Security Bulletin MS06-065
Vulnerability In Windows Object Packager Could Allow Remote Code Execution (924496)
- http://www.microsoft.com/technet/security/Bulletin/MS06-065.mspx
Maximum Severity Rating: Moderate
Impact of Vulnerability: Remote Code Execution


- Low (1)

Microsoft Security Bulletin MS06-064
Vulnerabilities in TCP/IP Could Allow Denial of Service (922819)
- http://www.microsoft.com/technet/security/Bulletin/MS06-064.mspx
Maximum Severity Rating: Low
Impact of Vulnerability: Denial of Service

...Revisions:
• V1.0 (October 10, 2006): Bulletin published..."

------------------------------------------------

ISC Analysis
- http://isc.sans.org/diary.php?storyid=1770
Last Updated: 2006-10-10 18:40:00 UTC

:fear: :spider:

================================

- http://blogs.technet.com/msrc/archive/2006/10/10/October-2006-Bulletin-Release.aspx
October 10, 2006
"...Due to some network issues experienced on the Microsoft Update platform, the October security updates released today are not yet currently available via:
* Microsoft Update
* Automatic Updates
* Windows Server Update Services (WSUS)
* Windows Update v6
To be clear, it’s a delay due to the networking for these systems: there are no issues with the security updates themselves. Also, this issue doesn’t affect customers using Software Update Services (SUS), Windows Update v4 or Office Update. Those of you affected by this delay who want to deploy the updates immediately can go ahead and download and deploy these updates manually by visiting http://www.microsoft.com/technet/security for the list of bulletins released today and then downloading the updates directly from the links in the bulletin..."

- http://blogs.technet.com/msrc/archive/2006/10/10/October-2006-Bulletin-Release.aspx
October 10, 2006 7:16 PM
"...our teams have resolved the network issues with Microsoft Update. You should start seeing content replicated out to Microsoft Update, Automatic Updates, Windows Server Update Services (WSUS), Windows Update v6."
======================================

- http://www.microsoft.com/technet/security/bulletin/ms06-oct.mspx
• V1.1 (October 11, 2006): Bulletin revised to clarify impact associated with MS06-063 as Denial of Service and Remote Code Execution.

Microsoft Security Bulletin MS06-063
Vulnerability in Server Service Could Allow Denial of Service (923414)
- http://www.microsoft.com/technet/security/Bulletin/MS06-063.mspx
Updated: October 11, 2006
• V1.1 (October 11, 2006): Bulletin content updated to clarify security impact associated with the SMB Rename Vulnerability - CVE-2006-4696 as an authenticated remote code execution vulnerability. The guidance to block port 593 has also been removed from the “Mitigations and Workarounds” section of the bulletin for both vulnerabilities.
===============================================

- http://www.techweb.com/article/printableArticle.jhtml?articleID=193303003&site_section=700028
October 16, 2006
"...Security update MS06-061 -- one of five labeled "critical" by Microsoft -- may install multiple versions of the XML Parser or XML Core Services when it's downloaded manually or via an automatic update mechanism. But "if you install a version of MSXML after you install this security update, you may have to install an additional package for this security update," read a Microsoft support document*. That "additional package" can only be acquired by running Automatic Update a second time..."
* http://support.microsoft.com/default.aspx/kb/924191/en-us
Last Review: October 16, 2006
Revision: 2.1

:rolleyes:
 
Last edited:
MS PPT Unspecified Code Execution Vuln

FYI...

- http://secunia.com/advisories/22394/
Release Date: 2006-10-13
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
...According to Microsoft, the vulnerability may allow execution of arbitrary code. The vulnerability is reported in Microsoft PowerPoint 2003. Other versions may also be affected.
Solution: Do not open untrusted Office documents.
Original Advisory: Microsoft:
http://blogs.technet.com/msrc/archive/2006/10/12/poc-published-for-ms-office-2003-powerpoint.aspx ..."

:fear: :spider:
 
IEv7 released for download

FYI...

Internet Explorer 7
Select your operating system from the list:
- http://www.microsoft.com/windows/ie/downloads/default.mspx

Release Notes for Internet Explorer 7
- http://msdn.microsoft.com/ie/releasenotes/default.aspx

- http://blogs.msdn.com/ie/archive/2006/10/18/ie7-for-the-world.aspx
Published Wednesday, October 18, 2006

- http://www.techweb.com/article/printableArticle.jhtml?articleID=193400425&site_section=700027
October 18, 2006
"Microsoft on Wednesday launched the first major update to Internet Explorer in five years... IE 7 for Windows XP and Windows Server 2003 can be downloaded from here*... The most controversial aspect of IE 7 has been Microsoft's decision to push the update to all users who have Automatic Updates enabled. Although users can reject IE 7 -- and continue using their current edition of Internet Explorer -- Microsoft will begin rolling out the browser as a "High priority" update next month... Microsoft has made one change late in the game. After IE 7 has installed, it will tell the user which search engine is the current default -- grabbed from IE 5 or IE 6 -- and then ask if they want to make a new choice. The process is similar to, but not identical, to the choice that Windows Vista users will face when they upgrade from Windows XP..."
* http://www.microsoft.com/windows/ie/default.mspx
===================================================

- http://secunia.com/advisories/22477
Release Date: 2006-10-19
Critical: Less critical
Impact: Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 7.x ...
...The vulnerability is caused due to an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site.
Secunia has constructed a test, which is available at:
http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/
Secunia has confirmed the vulnerability on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2. Other versions may also be affected.
Solution: Disable active scripting support..."
=========================================

New Quick Reference Sheet Posted to the IE7 Site
- http://blogs.msdn.com/ie/archive/2006/10/19/new-quick-reference-sheet-posted-to-the-ie7-site.aspx
October 19, 2006

> http://www.microsoft.com/windows/ie/ie7/about/quickreference.mspx

> http://download.microsoft.com/downl...4912-AC6C-A5273F6B6677/IE7_QuickReference.pdf
=================================================

Information on Reports of IE 7 Vulnerability
- http://blogs.technet.com/msrc/archive/2006/10/19/information-on-reports-of-ie-7-vulnerability.aspx
October 19, 2006
"...The issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express. While we are aware that the issue has been publicly disclosed, we’re not aware of it being used in any attacks against customers. We do have this under investigation and are monitoring the situation closely and we’ll take appropriate action to protect our customers once we’ve completed the investigation..."
=======================================

- http://isc.sans.org/diary.php?storyid=1797
Last Updated: 2006-10-20 02:05:22 UTC
"...After analyzing this security vulnerability, we have to disappoint you – it's nothing new. Actually, this vulnerability was announced way back in April this year for Internet Explorer 6 ( http://secunia.com/advisories/19738 ). It is still not patched, so besides IE7, this vulnerability can be exploited in a fully patched IE6 installation as well.
So what's going on here, did Microsoft just use old code? Not really. The vulnerability exists in the MSXML ActiveX component which is actually part of Outlook Express (so it -is- installed on every machine as well). The exploit uses a "double" redirection trick – it will first create an Msxml2.XMLHTTP ActiveX object which is then used to retrieve a web page from the same server that the original web page is hosted on (one containing the exploit). This web page is actually just a redirection (302) which uses a mhtml: URI. This causes the ActiveX object to retrieve any other web page referenced by the mhtml: URI, which can be referenced from the original web page.
In other words, this exploit can be used by an attacker to possibly retrieve other data that your browser has access to. While stealing information like banking data is possible, our testing showed that only content of the web page can be retrieved by the attacker – they can not steal your credentials and they can not retrieve that data unless you are logged in to your bank account at the same time when you visit the web page hosting the exploit.
It looks like Microsoft once again got caught into "ancient" bugs which were already present on the machine (we do wonder why this hasn't been fixed before though). One thing worth noting is that Internet Explorer 7 has a native XMLHTTPRequest object implementation so theoretically it should be possible to disable the ActiveX object, but pages using it would have to be rewritten (hence support for the ActiveX object). Further testing will show if the native support implementation is also vulnerable – we'll post new information as we get it."

.
 
Last edited:
MS Security Report - Jan-Jun06

FYI...

- http://news.com.com/2102-7349_3-6129235.html?tag=st.util.print
Oct 24, 2006
"Malicious remote control software continues to be one of the biggest threats to Windows PCs, according to a new Microsoft security report*. More than 43,000 new variants of such insidious software were found in the first half of 2006, making them the most active category of malicious software, Microsoft said in a Security Intelligence Report published Monday. In June Microsoft also flagged zombies as the most prevalent threat to Windows PCs. "Attackers, with financial gain in mind, are clearly concentrating a significant amount of development focus on this category of malware," Microsoft said in the report. Of 4 million Windows PCs found to be infected with some kind of malicious software in the first half of this year, about 2 million were running malicious remote control software, Microsoft said. The data is collected by Microsoft's free Windows Malicious Software Removal Tool, which runs when security updates are installed on Windows PCs..."
* http://tinyurl.com/w6g9y
=====================================

- http://www.eweek.com/article2/0,1895,2036439,00.asp
October 24, 2006
"...Some highlights from the report:
# Backdoor Trojans: The first half of 2006 showed a significant number of new backdoor Trojans. A large number of those belong to bot families, such as Win32/Rbot and Win32/Sdbot. This trend is consistent with anecdotal industry knowledge; owners of bot networks are continually creating and delivering new variants of their bots to maintain their bot networks, and to evade detection by anti-malware products.
# Password stealers and key loggers: These make up the second-largest malware category, in terms of number of variants. Although this type of malware exists worldwide, the Microsoft anti-malware team has seen a high number of variants coming from Brazil. Several thousand new variants from the Win32/Banker and Win32/Bancos families were discovered during the first half of 2006. These mainly use Portuguese for their user interface and primarily serve as a tool to steal bank account information such as passwords.
# Downloaders and droppers: These make up the third-largest category and are used by the attackers to copy files to the victim's system that are necessary to complete the attack and control that system. Downloaders and droppers are also often used to distribute spyware and adware. Because of this, the presence of downloaders and droppers as part of malicious attacks is no surprise.
# Worms: The different types of worm families have a relatively low number of variants, although they remain prevalent. In fact, mass-mailing worms continue to be an effective way to infect a significant number of computers around the world..."

:fear: :spider:
 
Last edited:
MSIE IE7 Popup Address Bar Spoofing Vulnerability

FYI...

- http://isc.sans.org/diary.php?storyid=1804
Last Updated: 2006-10-26 04:49:56 UTC
"Secunia ( http://secunia.com/advisories/22542/ is reporting a new Microsoft Internet Explorer (MSIE) 7.0 vulnerability. This vulnerability allows a malicious site to spoof the content of the address bar. Instead of the actual URL, the user will see a "fake" URL. We tested the vulnerability and found it to work quite well.
As a quick workaround you may want to configure MSIE 7.0 to open new windows in a new tab. In order to do this, Tools -> Internet Options -> Tabs Settings -> When a pop-up is encountered: Always open pop-ups in a new tab.
The PoC exploit by Secunia is pushing the real URL off the screen to the left by adding multiple '%A0' characters between the real URL and the string 'www.microsoft.com'. It appears that the new window will only show right-most part of the URL. For tabs, the left most part is shown. This vulnerability has a lot of potential for phishers or others that attempt to trick the user into trusting the popup window as they trust the site displayed in the main window."
=========================

- http://blogs.technet.com/msrc/archive/2006/10/26/ie-address-bar-issue.aspx
October 26, 2006
"...This is an issue with how URLs are displayed in the address bar. Specifically, we’ve seen that this occurs in a pop-up window after a user clicks a specially formed link on an untrusted website or in an untrusted e-mail. Now, while the full URL is actually present in the address bar, the left part of the URL is not initially displayed. But, you can see the full URL if you either click in the browser window or in the address bar and then scroll within the address bar. We’re not aware of any attacks that are attempting to use this, but as always we will continue to monitor the situation throughout our investigation... We do have this issue under investigation and as always, once we complete our investigation we’ll take appropriate steps to protect our customers..."
============================================

> http://secunia.com/product/12366/?task=advisories
10.30.2006
"...Currently, 100% (3 out of 3) are marked as Unpatched with the most severe being rated Moderately critical.."

:spider:
 
Last edited:
ADODB.Connection POC published ..."ActiveX" again

FYI...

- http://isc.sans.org/diary.php?storyid=1807
Last Updated: 2006-10-27 18:50:51 UTC
"A recently discovered vulnerability in ADODB.connection has a proof of concept exploit. Microsoft has mentioned it in their blog*. (This may) be the 'drive by' threat vector of the next little while. This particular threat impact is remote code execution of choice. The code creates new ActiveXObject('ADODB.Connection.2.7') and then executes a number of times. The PoC is a Denial of Service, but it is just a question of time until a working version with shellcode is out (if not already).
> Mitigation: Disable ActiveX completely, or only allow it in trusted zones.
US-CERT has published a note here**. "The ADODB.Connection ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: {00000514-0000-0010-8000-00AA006D2EA4} "

* http://blogs.technet.com/msrc/archive/2006/10/27/adodb-connection-poc-published.aspx
October 27, 2006
"...We are fully aware of the recent Proof of Concept (POC) code posting regarding ADODB.Connection. We have initiated our Software Security Incident Response Process to investigate this issue. Once we have completed the investigation and understand if there is a threat to customers we will take the appropriate action to protect and provide guidance – as required. As always we are working with our MSRA partners to monitor and secure the ecosystem. I'll do my best to keep everyone up to date as the investigation progresses."
** http://www.kb.cert.org/vuls/id/589272
Date Last Updated: 10/27/2006

:eek: ~ :sad: ~ :banghead:
 
MS DRM DoS vulnerability

FYI...

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5448
Last revised: 10/24/2006
Source: US-CERT/NIST
Overview:
The drmstor.dll ActiveX object in Microsoft Windows Digital Rights Management System (DRM) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long parameter to the StoreLicense function, which triggers "memory corruption" and possibly a buffer overflow.
Impact:
CVSS Severity: 8.0 (High)
Range: Remotely exploitable
Authentication: Not required to exploit
Impact Type: Provides user account access , Allows disruption of service..."

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5448

:sad: :fear:
 
XP ICS DoS 0-Day POC published

FYI...

- http://www.pcworld.com/printable/article/id,127710/printable.html
October 30, 2006

- http://isc.sans.org/diary.php?storyid=1809
Last Updated: 2006-10-29 20:29:35 UTC
"We have received a report that a DoS exploit has been released that targets ipnathlp.dll, which is used by the Windows Firewall/Internet Connection Sharing (ICS) service. We also received a report that the exploit works against a fully patched XP SP2 system... The Windows Firewall/Internet Connection Sharing (ICS) service may be running even though Windows Firewall is disabled.
To determine if your system has the service running, type the following at a command prompt:
sc query sharedaccess
The short name of this service is SharedAccess, the full name is Windows Firewall/Internet Connection Sharing (ICS).
...Microsoft Error Message:
'Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.'
View What's in this report:
Error signature:
szAppName: svchost.exe szAppVer: 5.1.2600.2180
szModName: ipnathlp.dll szModVer 5.1.2600.2180 offset: 0001d45e ...
Other information;
UPDATE - 5:40 PM EDST - According to the MS Windows Compute Cluster Server 2003 Deployment website*, "Windows Compute Cluster Server 2003 relies on Internet Connection Sharing (ICS) to provide network address translation between the public and private networks. ICS also provides DHCP service for the private network. ICS is enabled during Compute Cluster Pack setup".
SharedAccess — Windows Firewall/Internet Connection Sharing (ICS).
Provides network address translation, addressing, name resolution, and/or intrusion prevention services for a home or small office network.
Start mode: Auto
Login account: LocalSystem
DLL file: ipnathlp.dll
Dependencies: Netman, winmgmt
SharedAccess — Windows Firewall/Internet Connection Sharing (ICS).
Provides network address translation, addressing, name resolution, and/or intrusion prevention services for a home or small office network.
Start mode: Auto
Login account: LocalSystem
DLL file: ipnathlp.dll
Dependencies: Netman, winmgmt
> msdn Diagram of Internet Connection Sharing and Internet Connection Firewall
> http://msdn.microsoft.com/library/e..._sharing_and_internet_connection_firewall.asp

* http://technet2.microsoft.com/Windo...-fd52-4a5d-aee0-2369505453db1033.mspx?pf=true

MS ICS DoS 0Day in the Wild - ICS DoS FAQ
** http://blog.ncircle.com/archives/2006/10/microsoft_ics_d.htm

- http://secunia.com/advisories/22592/
Release Date: 2006-10-30
Critical: Less critical
Impact: DoS
Where: From local network
Solution Status: Unpatched
OS: Microsoft Windows XP Home, XP Professional
...The vulnerability is confirmed in a fully patched Windows XP SP2 system. Other versions may also be affected.
Solution: Use another way of sharing the Internet connection...
================================================
BTW...

- http://www.sans.org/newsletters/newsbites/newsbites.php?vol=8&issue=87&rss=Y#sID204

"...the attack would have no effect on a third-party firewall..."

:spider:
 
Last edited:
Vuln in Visual Studio 2005 Could Allow Remote Code Execution

FYI...

Microsoft Security Advisory (927709)
Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/927709.mspx
Published or Last Updated: 10/31/2006
"Microsoft is investigating public reports of a vulnerability in an ActiveX control in Visual Studio 2005 on Windows. We are aware of proof of concept code published publicly and of the possibility of limited attacks that are attempting to use the reported vulnerability. Customers who are running Visual Studio 2005 on Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. Visual Studio 2005 customers who are running Internet Explorer 7 with default settings, are not at risk until this control has been activated through the ActiveX Opt-in Feature in the Internet Zone. Customers would need to visit an attacker’s Web site to be at risk. We will continue to investigate these public reports. The ActiveX control is the WMI Object Broker control, which is included in WmiScriptUtils.dll.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs..."
(Also see "Mitigating Factors" at the URL above.)

- http://secunia.com/advisories/22603/
Release Date: 2006-11-01
Critical: Extremely critical
"...Solution: Microsoft has recommended various workarounds including setting the kill-bit for the affected ActiveX control (see the vendor's advisory for details)..."

EDIT/ADD:
- http://blogs.technet.com/msrc/archive/2006/11/01/microsoft-security-advisory-927709-posted.aspx
November 01, 2006
"...We are aware of the possibility of limited attacks that are attempting to use the reported vulnerability..."
- http://isc.sans.org/diary.php?storyid=1813
Last Updated: 2006-11-01 20:45:19 UTC
"...This vulnerability is being **actively exploited**. The advisory states that Microsoft is planning an update for this problem and it should go out in the next monthly patch cycle..."
- http://www.kb.cert.org/vuls/id/854856
Date Last Updated: 11/01/2006
"...Solution: ...Disable the WMI Object Broker ActiveX control in Internet Explorer. The WMI Object Broker ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
More information about how to set the kill bit is available in Microsoft Support Document 240797*."
* http://support.microsoft.com/kb/240797

.
 
Last edited:
Windows Update shows IEv7 high priority update NOW

FYI...

- http://isc.sans.org/diary.php?storyid=1816
Last Updated: 2006-11-02 14:04:01 UTC
"...Internet Explorer 7.0 is now a high priority update on Windows Update. Unless you setup the respective blocking script, expect IE 7 to be installed on your systems if they are configured to retrieve and install high priority updates from Windows Update..."

- http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
"High-priority updates
Windows Internet Explorer 7.0 for Windows XP
Date last published: 11/1/2006
Download size: 14.8 MB
"Get help and support
http://go.microsoft.com/fwlink/?LinkId=71719
More information
http://go.microsoft.com/fwlink/?LinkId=71727 "
--------------------------------------------------------

- http://isc.sans.org/diary.php?compare=1&storyid=1816
Last Updated: 2006-11-02 16:30:24 UTC (Version: 2)
"...You will still have to accept the update, and MSIE 7 will not be installed fully automatically. For details see: http://www.microsoft.com/technet/updatemanagement/windowsupdate/ie7announcement.mspx ..."
("Automatic Updates Delivery Experience Screenshots" shown there.)

:spider:
 
Last edited:
Microsoft Security Advisory (927892)

FYI...

Microsoft Security Advisory (927892)
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/927892.mspx
Published: November 3, 2006
"Microsoft is investigating public reports of a vulnerability in the XMLHTTP 4.0 ActiveX Control, part of Microsoft XML Core Services 4.0 on Windows. We are aware of limited attacks that are attempting to use the reported vulnerability. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. Customers would need to visit an attacker’s Web site to be at risk. We will continue to investigate these public reports. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs..."

(Also see "Mitigating Factors" at the URL above.)

EDIT/ADD:
- http://secunia.com/advisories/22687/
Last update: 2006-11-06
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
Other References: US-CERT VU#585137: http://www.kb.cert.org/vuls/id/585137

- http://www.frsirt.com/english/advisories/2006/4334
Release Date: 2006-11-04
"...Solution:
Set a kill bit for the CLSID {88d969c5-f192-11d4-a65f-0040963251e5} :
http://support.microsoft.com/kb/240797
Or disable Active Scripting in the Internet and Local intranet security zones..."

EDIT/ADD:
- http://www.symantec.com/security_response/writeup.jsp?docid=2006-110611-5730-99
Updated: November 6, 2006
"...Type: Trojan Horse, Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
> Bloodhound.Exploit.96 is a heuristic detection for web pages attempting to exploit the Microsoft XML Core Services setRequestHeader Vulnerability (as described in Microsoft Security Advisory 927892)."

:fear:
 
Last edited:
MSXML 4.0 ActiveX exploit in the wild

FYI...

- http://isc.sans.org/diary.php?storyid=1833
Last Updated: 2006-11-08 00:22:06 UTC
"We've received a report of the MSXML 0-day exploit being used in the wild... (also see http://isc.sans.org/diary.php?storyid=1825 ). The exploit does not seem to be in wide use just yet, but that can, of course (and we expect it to), change very quickly. For the exploit to work it *needs* Microsoft XML Core Services to be installed. Microsoft XML Core Services are not installed by default on Windows XP, but there seems to be a lot of packages using it, Visual Studio appears to be one common one. You can check in the Add or Remove Programs applet if you have it installed.
> The exploit works in both IE6 and IE7, which makes sense since it's exploiting a vulnerability in an ActiveX object, not in the browser itself. When executed the exploit creates an MSXML 4.0 ActiveX object (88d969c5-f192-11d4-a65f-0040963251e5). It then uses multiple setRequestHeader() method calls to execute shellcode which is included with the exploit. Once executed the shellcode (of course) first downloads the first stage downloader. At the moment it's a file called tester.dat:
16ac9982d177a47a20c4717183493e95 tester.dat
This downloader then downloads subsequent files (yet to be analysed). It looks like some AV vendors are beggining to detect the exploit. At this moment it is being detected by McAfee as Exploit-XMLCoreSrvcs and Symantec as Bloodhound.Exploit.96*. Microsoft also detects it as Exploit:HTML/Xmlreq.A. The best protection, is to prevent the XMLHTTP 4.0 ActiveX Control from running in Internet Explorer, as stated in Microsoft's advisory: http://www.microsoft.com/technet/security/advisory/927892.mspx ."
* http://www.symantec.com/security_response/writeup.jsp?docid=2006-110611-5730-99

:fear: :fear:
 
Last edited:
WMIObjectBroker ActiveX 0-Day exploit in the wild

FYI...

- http://isc.sans.org/diary.php?storyid=1837
Last Updated: 2006-11-08 18:53:37 UTC
"Rohit from Tippingpoint advised us that he is seeing a large number of attacks from Russia using an un-patched vulnerability in the WMIObjectBroker ActiveX control (CVE-2006-4704*). He is seeing it used as part of a drive-by download. Typically, the Trojan "Galopoper.A"** is loaded. There is no patch available at this point... The WMIObjectBroker ActiveX component is part of Visual Studio 2005 and associated with the WmiScriptUtils.dll . So you are only vulnerable if you find WmiScriptUtil.dll on your system. Also, by default this ActiveX component is not activated by default. For more details about this vulnerability see http://www.microsoft.com/technet/security/advisory/927709.mspx ."

* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4704

** http://www.symantec.com/security_response/writeup.jsp?docid=2006-042013-1813-99
"...Trojan.Galapoper.A is a Trojan horse contacts a remote Web site and downloads other risks onto the compromised computer..."

- http://isc.sans.org/diary.php?storyid=1813

- http://secunia.com/advisories/22603

- http://www.kb.cert.org/vuls/id/854856

:fear:
 
Last edited:
MS Security Bulletin Advance Notification - November 2006

FYI...

- http://www.microsoft.com/technet/security/bulletin/advance.mspx
November 9, 2006
"...On 14 November 2006 Microsoft is planning to release:
Security Updates
• -One- Microsoft Security Bulletin affecting Microsoft XML Core Services. The highest Maximum Severity rating for this is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates will require a restart.
• -Five- Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
Microsoft Windows Malicious Software Removal Tool
• Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS
• Microsoft will release No NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
• Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."
 
MS Security Bulletin Summary - November, 2006

FYI...

- http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx
Published: November 14, 2006
Version: 1.0 ...

Summary...

Critical (5)

Microsoft Security Bulletin MS06-067
Cumulative Security Update for Internet Explorer (922760)
- http://www.microsoft.com/technet/security/Bulletin/MS06-067.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-068
Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213)
- http://www.microsoft.com/technet/security/Bulletin/MS06-068.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-069
Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789)
- http://www.microsoft.com/technet/security/Bulletin/MS06-069.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-070
Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
- http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS06-071
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)
- http://www.microsoft.com/technet/security/Bulletin/MS06-071.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution


Important (1)

Microsoft Security Bulletin MS06-066
Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution (923980)
- http://www.microsoft.com/technet/security/Bulletin/MS06-066.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution ...


...The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
• V1.0 (November 14, 2006): Bulletin published."
-------------------------------------------------

ISC Analysis:
- http://isc.sans.org/diary.php?storyid=1855
-------------------------------------------------

Microsoft Security Advisory (927892)
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/927892.mspx
Last Updated: 11/14/2006
"...We have issued MS06-071* to address this issue...."
* http://www.microsoft.com/technet/security/Bulletin/MS06-071.mspx

Microsoft Security Advisory (925444)
Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/925444.mspx
Last Updated: 11/14/2006
"...We have issued MS06-067** to address this issue..."
** http://www.microsoft.com/technet/security/bulletin/ms06-067.mspx

Microsoft Security Advisory (925143)
Adobe Security Bulletin: APSB06-11 Flash Player Update to Address Security Vulnerabilities
- http://www.microsoft.com/technet/security/advisory/925143.mspx
Last Updated: November 14, 2006
"...We have issued MS06-069*** to address these issues..."
*** http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx

.
 
Last edited:
MS06-066, MS06-070 exploits out

FYI...

- http://www.techweb.com/article/printableArticle.jhtml?articleID=194400671&site_section=700027
November 16, 2006
"...Both proof-of-concept exploit code and a public exploit have popped up for the bug fixed in MS06-070, a security update that patched Windows 2000's and Windows XP's Workstation Service, a routing service used by the operating system to determine if file or print requests originate locally or remotely. Microsoft pegged MS06-070 with its "critical" ranking, the highest threat warning it assigns updates. "We've confirmed exploit code from two different sources," said Amol Sarwate, the manager of Qualys' vulnerability lab. "The window [of time] to exploit is definitely shrinking." It's become common for exploits to crop up within days of Microsoft's monthly patch release. The trend has become routine enough to get its own moniker: "Exploit Wednesday"... Blocking ports 139 and 445, one of the workarounds Microsoft offered Tuesday in the MS06-070 bulletin, isn't really feasible, said Sarwarte. "There are maybe 15 different services that won't work if you close those ports," he said. Symantec pegged another of the half-dozen updates -- the one spelled out in the MS06-066 bulletin -- as now sporting an exploit against the disclosed bug..."

:fear: :spider:
 
You must log in or register to reply here.
Back
Top