More MS06-042 woes

Published: 2006-08-22. Last Updated: 2006-08-22 23:35:49 UTC
by Johannes Ullrich (Version: 1)
The hotfix for MS06-042, which was supposed to be released today, has been delayed. Worse: It turns out that MS06-042 introduced a new security problem. The crashes everyone is having so much fun with are just the tip of the iceberg. The issue can also be used to execute arbitrary code. In particular, note that MSFT's advisory essentially tells you how to exploit the issue. Exploits will likely follow very soon (days?).


At this point, we recommend:
  • Keep MS06-042 applied if you can. It fixes more bugs than it creates.
  • If you are having problems with internal web sites that can no longer be used: Restrict MSIE to be used internally only.
  • Use Firefox/Opera or other browsers for now.
  • "SandboxIE" can be used to protect your system from damage caused via MSIE.
  • If you establish a "No MSIE" policy, you can use the snort rule below to detect accidental policy violations.
Snort Rule:
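# msg text and sid are added here; the sid is a placeholder from the local-rule range, renumber as needed
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"POLICY MSIE 6.0 User-Agent outbound"; content:"|0D 0A|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0"; \
sid:1000001; rev:1;)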
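The same check applied offline to captured requests, as an added example (not part of the original diary). It also separates two cases the raw content match cannot tell apart: another browser identifying itself as MSIE 6.0, and the string appearing in a request body. The HOME_NET ranges, port set, helper names and sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumed values for the rule variables; set them to match your snort.conf.
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
HTTP_PORTS = {80, 8080}
# Same bytes as the rule's content match (CRLF + start of the MSIE 6.0 User-Agent).
NEEDLE = b"\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0"

def internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def classify(src, dst, dport, payload):
    """Return 'msie', 'masked' (another browser identifying as MSIE) or None."""
    if dport not in HTTP_PORTS or not internal(src) or internal(dst):
        return None                      # not $HOME_NET -> $EXTERNAL_NET HTTP
    pos = payload.find(NEEDLE)
    if pos < 0:
        return None
    body = payload.find(b"\r\n\r\n")
    if body != -1 and pos > body:
        return None                      # string is in the request body, not a header
    end = payload.find(b"\r\n", pos + 2)
    ua = payload[pos + 2:end if end != -1 else len(payload)]
    return "masked" if b"Opera" in ua else "msie"

def req(ua, method="GET", body=b""):
    head = b"%s / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: %s\r\n\r\n"
    return head % (method.encode(), ua) + body

IE6 = b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
FIREFOX = b"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
OPERA_AS_IE = b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.01"

# Constructed sample traffic: (src, dst, dport, payload)
SAMPLES = [
    ("10.1.2.3", "203.0.113.10", 80, req(IE6)),          # MSIE to the Internet
    ("10.1.2.3", "10.9.9.9", 80, req(IE6)),              # MSIE to an internal site
    ("10.1.2.4", "203.0.113.10", 80, req(FIREFOX)),      # allowed browser
    ("10.1.2.5", "203.0.113.10", 80, req(OPERA_AS_IE)),  # Opera identifying as MSIE
    ("10.1.2.4", "203.0.113.10", 80, req(FIREFOX, "POST", b"note=x" + NEEDLE)),
]

def run():
    return [classify(*s) for s in SAMPLES]

if __name__ == "__main__":
    for s, verdict in zip(SAMPLES, run()):
        print(s[0], "->", s[1], verdict)
```

The "masked" verdict marks hits worth checking by hand before treating them as a policy violation, since the Snort rule alone alerts on them as if they were MSIE.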
Links:
http://isc.sans.org/diary.php?storyid=1611 (updated patch matrix)
http://research.eeye.com/html/alerts/AL20060822.html (EEye Alert regarding the code execution)
http://www.microsoft.com/technet/security/advisory/923762.mspx
http://blogs.technet.com/msrc/archive/2006/08/16/447023.aspx (MSRC blog article regarding MS06-042 issue, dated Aug. 16th).
http://blogs.technet.com/msrc/archive/2006/08/22/448689.aspx (latest MSRC blog)
Sandboxie