Microsoft patch tuesday - October 2006 STATUS
Overview of the October 2006 Microsoft patches and their status.
IMPORTANT NOTE: There will be no more support for Windows XP Service Pack 1, after this month no patches will be released in support of that version.
Additional note: The reason for distinguishing between private and public disclosure is that potentially the "bad guys" have had more time to work on the vulnerabilities when the disclosure was public. In theory, and I realize that this is potential, private disclosure means the clock starts now for the "bad guys" to develop exploits. It has some impact on the severity of the problem in my opinion.
| # | Affected | Known Problems | Known Exploits | Microsoft rating | ISC rating(*) | |
|---|---|---|---|---|---|---|
| clients | servers | |||||
| MS06-056 | ASP.NET cross-site scripting CVE-2006-3436 |
Information Disclosure KB 922770 |
No known exploits, privately reported to MS |
Moderate | Less Urgent |
Important |
| MS06-057 | WebFolderView ActiveX (setSlice) CVE-2006-3730 |
Remote code execution KB 923191 |
Exploits available, publicly reported |
Critical | PATCH NOW |
Important |
| MS06-058 | 4 remote code execution problems in PowerPoint CVE-2006-3435 CVE-2006-3876 CVE-2006-3877 CVE-2006-4694 |
Replaces MS06-028 KB 924163 |
Actively being exploited, privately reported to MS |
Critical | Critical | Less Urgent |
| MS06-059 | 4 remote code execution problems in Excel CVE-2006-2387 CVE-2006-3431 CVE-2006-3867 CVE-2006-3875 |
Replaces MS06-037 KB 924164 |
Proof of concept available, no exploits yet, publicly disclosed |
Important | Important | Less Urgent |
| MS06-060 | 4 remote code execution problems in Word CVE-2006-3651 CVE-2006-3647 CVE-2006-4534 CVE-2006-4693 |
Replaces MS06-027 KB 924554 |
Proof of concept available, no exploits yet, publicly disclosed | Important | Important | Less Urgent |
| MS06-061 | Remote code execution in XSLT (MSXML) CVE-2006-4685 CVE-2006-4686 |
Replaces MS02-008 KB 924191 |
No known exploits, privately reported to MS |
Critical | Critical | Less Urgent |
| MS06-062 | 3 remote code execution problems in Office & Publisher CVE-2006-3434 CVE-2006-3650 CVE-2006-3864 CVE-2006-3868 |
Replaces MS06-048 KB 922581 |
No known exploits, privately reported to MS |
Important (new versions) / Critical (old versions) |
Important | Less Urgent |
| MS06-063 | Buffer overflow / Denial of service in Server Service CVE-2006-4696 CVE-2006-3942 |
Replaces MS06-035 KB 923414 |
Proof of concept available, no exploits yet, publicly disclosed |
Important | Important |
Important |
| MS06-064 | Denial of service attacks in IPv6 CVE-2004-0230 CVE-2004-0790 CVE-2005-0688 |
Denial of Service in IPv6 KB 922819 |
Proof of concept available, no exploits yet, publicly disclosed |
Low | Less Urgent ** |
Less Urgent ** |
| MS06-065 | Remote code execution in Object Packager CVE-2006-4692 |
Remote code execution KB 924496 |
No known exploits, privately reported to MS |
Moderate | Important | Less Urgent |
We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leaisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-caserole.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
--
John Bambenek , bambenek/at/gmail/dot/com
with the help of: Johannes Ullrich, Joel Esler, Pedro Bueno, Kyle Haugsness
MS06-057: Vulnerability in Windows Shell Could Allow Remote Code Execution (926043)
https://www.microsoft.com/technet/security/bulletin/ms06-057.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4690
http://isc.sans.org/diary.php?storyid=1749
Affected Software:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 and 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 and WS 2003 Service Pack 1 (Mitigated)
- Microsoft Windows Server 2003 and WS 2003 w/ SP1 for Itanium-based Systems (Mitigated)
- Microsoft Windows Server 2003 x64 Edition (Mitigated)
Impact: Remote Code Execution
Severity: Critical
(This replaces 06-045 for XP SP 1)
Description: This is a remote code execution for Internet Explorer, that is caused by improper validation of the WebViewFolderIcon ActiveX object.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4690
http://isc.sans.org/diary.php?storyid=1749
Affected Software:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 and 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 and WS 2003 Service Pack 1 (Mitigated)
- Microsoft Windows Server 2003 and WS 2003 w/ SP1 for Itanium-based Systems (Mitigated)
- Microsoft Windows Server 2003 x64 Edition (Mitigated)
Impact: Remote Code Execution
Severity: Critical
(This replaces 06-045 for XP SP 1)
Description: This is a remote code execution for Internet Explorer, that is caused by improper validation of the WebViewFolderIcon ActiveX object.
Why do you have "Mitigated" in Yellow up above?
By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.
To set the kill bits for CLSIDs with values of {e5df9d10-3b52-11d1-83e8-00a0c90dc849} and {844F4806-E8A8-11d2-9652-00C04FC30871}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400
Keywords:
0 comment(s)
IE7 to hit the streets -- Reloaded
I have pulled the article in it's original form because of feedback.
Thanks to one of our readers that wrote in to tell us that IE7, will be released this month via Automatic Update according to Microsoft's "IEBlog". Take a risk assessment of your organization to decide if you should globally deploy the browser, taking into account the pros and the cons of the software.
If you can take this moment to try and move your organization to a different browsing platform for normal daily browsing, that may be something you want to look into. We've said it before, and we'll say it again, diversity is good.
Reader Dan writes in to tell us:
"You may also want to note that Firefox even has a plug-in available to open certain links in IE. This makes it even easier to follow your advice of only using IE when you absolutely must." -- https://addons.mozilla.org/firefox/35/
Reader "Vision Jinx" writes in to tell us:
"I notice that IE View just opens the page in IE as a POP up type feature. IE Tabs (https://addons.mozilla.org/firefox/1419/) actually will load a FF Tab that uses IE therefore no need for all them extra Windows, as it just uses a tab in Firefox."
Joel Esler
Thanks to one of our readers that wrote in to tell us that IE7, will be released this month via Automatic Update according to Microsoft's "IEBlog". Take a risk assessment of your organization to decide if you should globally deploy the browser, taking into account the pros and the cons of the software.
If you can take this moment to try and move your organization to a different browsing platform for normal daily browsing, that may be something you want to look into. We've said it before, and we'll say it again, diversity is good.
Reader Dan writes in to tell us:
"You may also want to note that Firefox even has a plug-in available to open certain links in IE. This makes it even easier to follow your advice of only using IE when you absolutely must." -- https://addons.mozilla.org/firefox/35/
Reader "Vision Jinx" writes in to tell us:
"I notice that IE View just opens the page in IE as a POP up type feature. IE Tabs (https://addons.mozilla.org/firefox/1419/) actually will load a FF Tab that uses IE therefore no need for all them extra Windows, as it just uses a tab in Firefox."
Joel Esler
Keywords:
0 comment(s)
Delays on Windows Update & the Death of SUS
Windows Update is currently experiencing delays and not serving up all those happy patches. The MSRC is reporting some delays with getting the patches up. If you need them immediately you can download directly from the bulletins. ISC Reader Jim McCormick found that by clearing out C:\WINDOWS\SoftwareDistribution\DataStore and C:\WINDOWS\SoftwareDistribution\Download he was able to take care of business. Choice is yours. You could also always wait. :)
Alan Mercer sent in a reminder that Microsoft is discontinuing support for SUS on Dec. 6th, 2006. Because this is before the December patch cycle, it seems that November will be the last patch cycle that SUS will be supported. With the holidays coming up, it's time to think about upgrading to WSUS.
Alan Mercer sent in a reminder that Microsoft is discontinuing support for SUS on Dec. 6th, 2006. Because this is before the December patch cycle, it seems that November will be the last patch cycle that SUS will be supported. With the holidays coming up, it's time to think about upgrading to WSUS.
Keywords:
0 comment(s)
MS Office vulnerabilities (-058, -059, -060, -062)
There are four advisories for Microsoft Office this month. All of them appear to be standard client-side vulnerabilities. So the exploitation model is someone evil sends a document (of the affected type) with an exploit buried inside and if the exploit works, the attacker gets the privileges of the user opening the document. These types of bugs have been very popular lately.
MS06-058: Four vulnerabilities in PowerPoint. One of these vulnerabilities have been exploited in the wild (PowerPoint Malformed Record).
MS06-059: Four vulnerabilities in Excel. Two of these have had proof of concept exploit code posted publicly already; the other two vulnerabilities were privately reported to Microsoft.
MS06-060: Four vulnerabilities in Word. Two of these have been publicly disclosed already; the other two vulnerabilities were privately reported to Microsoft.
MS06-062: Three vulnerabilities in Office and Publisher that were reported privately. Exploit code and details have not been released yet.
MS06-058: Four vulnerabilities in PowerPoint. One of these vulnerabilities have been exploited in the wild (PowerPoint Malformed Record).
MS06-059: Four vulnerabilities in Excel. Two of these have had proof of concept exploit code posted publicly already; the other two vulnerabilities were privately reported to Microsoft.
MS06-060: Four vulnerabilities in Word. Two of these have been publicly disclosed already; the other two vulnerabilities were privately reported to Microsoft.
MS06-062: Three vulnerabilities in Office and Publisher that were reported privately. Exploit code and details have not been released yet.
Keywords:
0 comment(s)
MS06-064: Vulnerabilities in IPv6
According the advisory this one will fix a couple of
vulnerabilities. The vulnerabilities have the CVE numbers of CAN-2004-0790,
CAN-2004-0791 , CAN-2004-0230 and CAN-2005-0688.
The best way to understand the fixes is to think of them as an IPv6 version of
the same patch that fixed these same vulnerabilities last year with
MS05-019 (http://www.microsoft.com
Another thing is that it is a DoS condition remote attack, which could
make your system reboot or stop to repond, so I would recommed you to
follow the same procedures (test, test, test, deploy).
vulnerabilities. The vulnerabilities have the CVE numbers of CAN-2004-0790,
CAN-2004-0791 , CAN-2004-0230 and CAN-2005-0688.
The best way to understand the fixes is to think of them as an IPv6 version of
the same patch that fixed these same vulnerabilities last year with
MS05-019 (http://www.microsoft.com
Another thing is that it is a DoS condition remote attack, which could
make your system reboot or stop to repond, so I would recommed you to
follow the same procedures (test, test, test, deploy).
Keywords:
0 comment(s)
MS06-063: Server service (Mailslot DoS and SMB Rename)
There are two vulnerabilities in this advisory. The first is a simple Denial of Service against all Windows platforms. The attack vector is TCP ports 139 or 445. Apparently, there is an unitialized buffer that could be modified remotely to crash the box. Exploit code has been available for this bug since July 19, 2006. Famed handler Swa covered it in a diary entry last month: http://isc.sans.org/diary.php?storyid=1599
It looks like the Core Security folks found this after the MS06-035 in July (http://www1.corest.com/common/showdoc.php?idx=562. Microsoft also has a blog entry on it: http://blogs.technet.com/msrc/archive/2006/07/28/443837.aspx .
There probably isn't any need to freak out on this particular vulnerability. The exploit has been out in the wild for several months. If you are seeing some mysterious reboots on Windows machines and untrusted people can hit TCP 139 or 445 on those hosts, then this could potentially solve your problems (although Microsoft is claiming that it hasn't been used in the wild yet). Otherwise, there are no code execution possibilities with this vulnerability, so you don't need to be in "emergency mode" to patch it.
The second vulnerability (SMB Rename) is a remote code execution bug against the Server service, but it requires authentication. So this isn't readily wormable (except maybe in a corporate environment if a user with admin privileges was owned). This one is a little higher priority than the DoS above.
It looks like the Core Security folks found this after the MS06-035 in July (http://www1.corest.com/common/showdoc.php?idx=562. Microsoft also has a blog entry on it: http://blogs.technet.com/msrc/archive/2006/07/28/443837.aspx .
There probably isn't any need to freak out on this particular vulnerability. The exploit has been out in the wild for several months. If you are seeing some mysterious reboots on Windows machines and untrusted people can hit TCP 139 or 445 on those hosts, then this could potentially solve your problems (although Microsoft is claiming that it hasn't been used in the wild yet). Otherwise, there are no code execution possibilities with this vulnerability, so you don't need to be in "emergency mode" to patch it.
The second vulnerability (SMB Rename) is a remote code execution bug against the Server service, but it requires authentication. So this isn't readily wormable (except maybe in a corporate environment if a user with admin privileges was owned). This one is a little higher priority than the DoS above.
Keywords: MSFT1006
0 comment(s)
MS06-065: Remote Code Excution in Windows Object Packager
There exists a remote code execution vulnerability in Windows Object Packager (MS06-065) due to the way the application handles file extensions. A specially crafted file could be created that would execute code if a user was sent to a malicious website. However, there is quite a bit of user interaction required for this exploit to actually work. Enhanced Security Configuration for Windows 2003 will effectively mitigate this problem.
The CVE for this exploit is CVE-2006-4692 and will not likely see much action in the wild.
The CVE for this exploit is CVE-2006-4692 and will not likely see much action in the wild.
Keywords:
0 comment(s)
MS06-061: XSLT/MSXML Buffer Overflow Code Execution Vulnerability (moderate)
This vulnerability sounds like a classic parser buffer overflow. The advisory actually includes information regarding two distinct vulnerabilities. But only one of them allows arbitrary code execution.
As with similar vulnerablities, the user has to expose the browser to malicious XML code. This could happen by visiting a compromissed site. Once the browser is exposed to the exploit, it will inherit all the privileges of the user running the browser.
Mitigation steps: SandboxIE, do not run as administrator and similar steps will help limit the impact of the vulnerability. This vulnerability is first of all a client issue, less a server issue. You could also try the "Internet Explorer Enhanced Security Configuration". However, I find it a bit too strict most of the time (e.g. no Javascript).
As with similar vulnerablities, the user has to expose the browser to malicious XML code. This could happen by visiting a compromissed site. Once the browser is exposed to the exploit, it will inherit all the privileges of the user running the browser.
Mitigation steps: SandboxIE, do not run as administrator and similar steps will help limit the impact of the vulnerability. This vulnerability is first of all a client issue, less a server issue. You could also try the "Internet Explorer Enhanced Security Configuration". However, I find it a bit too strict most of the time (e.g. no Javascript).
Keywords: MSFT1006
0 comment(s)
MS06-056: ASP.NET XSS Information Disclosure Vulnerability (moderate)
A XSS vulnerabiity in ASP.NET could allow information disclosure. The bulletin is a bit vague on the details, but it does mention a problem with headers. Typically, cookie information could be disclosed using XSS attacks. In turn, the cookie information can be used to impersonate an authenticated user.
The script inserted with XSS will inherit all the capabilities the particular user has. For example, a user could be tricked into clicking a link that will escalate privileges for a malicious user. Exploitation typially requires intimate knowledge of the respective web based application.
XSS exploits are typically not browser specific. Any browser is "vulnerable" given that the actual problem is the web based application. Turning off javascript may help, but then again, you will hit this issue typically as you visit a trusted web site (for example you own web site written in ASP.NET).
You will probably consider this problem more severe ("critical") if you use ASP.NET extensively to manage internal applications. However, on the same note first test the page using your specific web based applications.
Other mitigation steps: Disable ASP.NET if not used on your web server.
This patch is not important for workstations and only applies to servers running web sites with ASP.NET support turned on.
The script inserted with XSS will inherit all the capabilities the particular user has. For example, a user could be tricked into clicking a link that will escalate privileges for a malicious user. Exploitation typially requires intimate knowledge of the respective web based application.
XSS exploits are typically not browser specific. Any browser is "vulnerable" given that the actual problem is the web based application. Turning off javascript may help, but then again, you will hit this issue typically as you visit a trusted web site (for example you own web site written in ASP.NET).
You will probably consider this problem more severe ("critical") if you use ASP.NET extensively to manage internal applications. However, on the same note first test the page using your specific web based applications.
Other mitigation steps: Disable ASP.NET if not used on your web server.
This patch is not important for workstations and only applies to servers running web sites with ASP.NET support turned on.
Keywords: MSFT1006
0 comment(s)
×
![modal content]()
Diary Archives
© 2024 SANS™ Internet Storm Center
Developers: We have an API for you! 
Comments