
SANS ISC InfoSec Handlers Diary Blog



Microsoft Security Bulletin MS06-037

Published: 2006-07-11
Last Updated: 2006-07-11 22:03:21 UTC
by Deborah Hale (Version: 1)

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285)


Microsoft Security Bulletin MS06-037

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

This Security Bulletin covers multiple CVE items as indicated below:

CVE-2006-1301 - Microsoft Excel Malformed SELECTION record vulnerability
CVE-2006-1302 - Microsoft Excel Malformed SELECTION record vulnerability
CVE-2006-1304 - Microsoft Excel Malformed COLINFO record vulnerability
CVE-2006-1306 - Microsoft Excel Malformed OBJECT record vulnerability
CVE-2006-1308 - Microsoft Excel Malformed FNGROUPCOUNT Value vulnerability
CVE-2006-1309 - Microsoft Excel Malformed LABEL record vulnerability
CVE-2006-2388 - Microsoft Excel Rebuilding vulnerability
CVE-2006-3059 - Microsoft Excel Malformed file vulnerability

This update resolves several public, privately reported, and newly discovered vulnerabilities. All of these state that a remote code execution vulnerability exists in Excel relating to each of the identified items. The only workaround suggested and tested is to NOT open attachments from untrusted sources. I guess that means, PATCH.

Microsoft states:

When using vulnerable versions of Office, if a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the client workstation. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


MS06-036 - unchecked buffer Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)

Published: 2006-07-11
Last Updated: 2006-07-11 22:03:06 UTC
by Patrick Nolan (Version: 1)
MS06-036 has been issued, MS has said systems "Primarily" at risk are Microsoft Windows 2000, Windows XP and Windows Server 2003.

"How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by answering a client's DHCP request on the local subnet with malformed packets."

"Could the vulnerability be exploited over the Internet?
An attacker could try to exploit this vulnerability over the Internet."

"Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, however the vulnerability is not critical."

CVE-2006-2372


MS06-035 - Patch now!

Published: 2006-07-11
Last Updated: 2006-07-11 22:02:49 UTC
by Kyle Haugsness (Version: 1)
MS06-035 (CVE-2006-1314) looks to be the most dangerous of the vulnerabilities announced this month, specifically the Mailslot heap overflow. The vulnerability can be exploited remotely against the "Server" service. So this would definitely be something that could be used for widespread compromise with no user interaction, or a worm.

Looks like Windows 2000 SP4 is vulnerable by default. Windows XP SP2 and Server 2003 don't appear to be vulnerable with a default installation unless services are listening on Mailslots. At this point, it is unclear exactly what software would enable Mailslots to create a vulnerable condition.

So how long before exploit code is available? Well, clever readers will have noticed that Pedram Amini and H D Moore are credited with discovering this vulnerability (the Mailslot heap overflow). Those guys are some of the best in the business, so you do the math... I'm guessing that they have had reliable exploit code working for a while now. (I can just see all the script kiddies hitting refresh every ten seconds on metasploit.com).

You should probably make this your top priority in patching.


MS06-034 - unchecked IIS buffer vulnerability in ASP files processing

Published: 2006-07-11
Last Updated: 2006-07-11 22:02:32 UTC
by Bojan Zdrnja (Version: 1)
This patch fixes what seems to be a buffer overflow in IIS. This buffer overflow can be exploited when IIS is processing ASP files.

In other words, in order to exploit this vulnerability, an attacker has to somehow be able to upload ASP files on the target server, which is running IIS (versions 5.0, 5.1 and 6.0 are affected). Normally, you would require a user to authenticate before they can upload files to the server, so the vulnerability is rated moderate/important.

If you do allow people to upload ASP files to your IIS server, it would be wise to apply the patch as soon as possible, although we don't know about any public exploits yet.

Microsoft's advisory is at http://www.microsoft.com/technet/security/Bulletin/MS06-034.mspx.
CVE at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0026.


Microsoft Security Bulletin MS06-038

Published: 2006-07-11
Last Updated: 2006-07-11 22:01:12 UTC
by Deborah Hale (Version: 2)

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)

Microsoft Bulletin MS06-038

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

Security Update Replacement: None

This Security Bulletin covers multiple CVE items as indicated below:

CVE-2006-1316 - Microsoft Office Parsing Vulnerability
CVE-2006-1540 - Microsoft Office Malformed String Parsing Vulnerability
CVE-2006-2389 - Microsoft Office Property Vulnerability

Software Affected:

It appears that all of the Microsoft Office 2000, 2002, and 2003 programs are affected. Works applications are not affected.

Summary

This is another remote code execution problem and appears to impact Office 2000 applications the worst, leading to a critical assessment. The other versions of Office identified as vulnerable are listed as important for all three of the CVEs.

From Microsoft Bulletin

A remote code execution vulnerability exists in Office, and could be exploited when a malformed string included in an Office file was parsed by any of the affected Office applications.  Such a string might be included in an email attachment processed by one of the affected applications or hosted on a malicious web site.  Viewing or previewing a malformed email message in an affected version of Outlook could not lead to exploitation of this vulnerability.  An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution.

In all three cases the only tested workaround is NOT to open attachments from untrusted sources. I guess that means to apply the patch ASAP.


MS06-039: vulnerabilities in Microsoft Office GIF and PNG parsers

Published: 2006-07-11
Last Updated: 2006-07-11 21:59:39 UTC
by Bojan Zdrnja (Version: 1)
This patch fixes two vulnerabilities in all Microsoft Office products (Office 2000, XP, 2003 are affected, as well as Project 2000, 2002 and Microsoft Works 2004, 2005, 2006). Microsoft Office for Mac is not affected.

The vulnerabilities can be exploited by crafting special GIF or PNG graphic files. In both cases the user needs to open the file, so while this vulnerability cannot be exploited automatically through e-mail, it is still very easy to get a user to open a file.
It is worth mentioning that, when the file is hosted on a web site, Office 2000 does not prompt the user before opening the document (which means that it's enough for a user to click on a link leading to the file).

As the only workarounds are not to open or save files "you receive from un-trusted sources or that you received unexpectedly from trusted sources" you should patch as soon as possible.

MS advisory is at http://www.microsoft.com/technet/security/Bulletin/MS06-039.mspx.

CVEs are at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0033 and http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0007.


Microsoft Patches Released

Published: 2006-07-11
Last Updated: 2006-07-11 21:42:09 UTC
by Scott Fendley (Version: 1)
Good afternoon all from the SANSFire conference in Washington DC,

A bit earlier today Microsoft released a number of updates to address security issues in Windows systems, Office and IIS Server. We are in the process of analyzing these bulletins to write up diaries. As many of the ISC handlers are in DC or are returning home presently, please bear with us as we are a bit slower on writing up diaries on these during the day.

In addition to these 7 bulletins located at http://www.microsoft.com/technet/security/bulletin/ms06-jul.mspx , Microsoft did release updates to the Malicious Software Removal Tool (KB890830) and the Outlook 2003 Junk Email Filter (  ).

Juniper IPv6 vulnerability

Published: 2006-07-11
Last Updated: 2006-07-11 21:41:54 UTC
by donald smith (Version: 1)
Specially crafted IPv6 packets can cause a kernel memory leak and eventually a reboot in ALL VERSIONS of JUNOS released before May 10, 2006.

From https://www.juniper.net/support/security/alerts/IPv6_bug.txt
"Issue:
This issue affects all releases of JUNOS Internet Software running
on M-series, T-series, and J-series routers and built prior to May 10, 2006.
Affected JUNOS routers, when receiving certain IPv6 packets,
do not release the memory buffer occupied by the IPv6 packet. 
Repeated reception of such packets can eventually consume all kernel packet
memory and cause the router to crash.
Solution:
The JUNOS IPv6 code has been corrected to release the memory occupied
by the invalid packet in all cases.  All releases of JUNOS software
built on or after May 10, 2006 include the corrected code.  Corrective
software is available for JUNOS releases 6.4 through 8.0 inclusive." 
You can get updated software at http://www.juniper.net.
If you're not already a registered Juniper customer, you will need to register first.
"Customers without a JUNOS support or maintenance contract can gain
access to corrective software by requesting a Juniper user account at
the following link: http://www.juniper.net/entitlement/setupAccountInfo.do
The account must be set up with Authorization Code: JNPRIPV6.  After
receiving the user account information via email, customers can then
contact Juniper Support at 1-800-638-8296 (US and Canada) or
+1-408-745-9500 (worldwide) in order to obtain the
links to the appropriate software image." 
Workaround:
If you do not need to process IPv6 packets, remove family inet6 from the interface configurations.

Detection:

After an attack:
You will see a kernel crash, and you might see an "out of mbufs" message in the syslog if the kernel had a chance to write that to syslog before it crashed.

During an attack:
"show system buffers" will show the free mbuf count getting smaller.
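As an added example (not part of the diary or Juniper's advisory), the following script turns the "watch the mbuf count shrink" detection above into something you can run against periodic snapshots of the buffer status line. The sample lines are constructed, and their format (FreeBSD netstat -m style, which the Junos output resembles) is an assumption; adjust the regex to whatever your platform prints. The leak signature the script looks for is a sustained run of drops in free mbufs, which distinguishes a leak from the normal up-and-down of traffic.

```python
import re

# Constructed samples: the mbuf line from successive "show system buffers"
# snapshots taken a minute apart. Format is assumed (current/cache/total).
LEAK_SAMPLES = [
    "1024/1536/2560 mbufs in use (current/cache/total)",
    "1210/1350/2560 mbufs in use (current/cache/total)",
    "1480/1080/2560 mbufs in use (current/cache/total)",
    "1790/770/2560 mbufs in use (current/cache/total)",
    "2120/440/2560 mbufs in use (current/cache/total)",
]

# Constructed healthy baseline: free count fluctuates but never trends down.
HEALTHY_SAMPLES = [
    "1024/1536/2560 mbufs in use (current/cache/total)",
    "1160/1400/2560 mbufs in use (current/cache/total)",
    "1060/1500/2560 mbufs in use (current/cache/total)",
    "1110/1450/2560 mbufs in use (current/cache/total)",
    "1040/1520/2560 mbufs in use (current/cache/total)",
]

MBUF_RE = re.compile(r"^(\d+)/(\d+)/(\d+) mbufs in use")


def parse_mbuf_line(line):
    """Return (current, cache, total) from one mbuf status line, or None."""
    m = MBUF_RE.match(line.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def free_mbufs(line):
    """Buffers not currently in use (cached ones count as free)."""
    parsed = parse_mbuf_line(line)
    if parsed is None:
        return None
    current, _cache, total = parsed
    return total - current


def detect_leak(samples, min_consecutive_drops=3, min_drop_fraction=0.25):
    """Flag a leak when free mbufs fall for several consecutive samples
    and the overall decline exceeds a fraction of the starting value.
    Returns a dict so callers can log the evidence, not just the verdict."""
    free = [f for f in (free_mbufs(s) for s in samples) if f is not None]
    longest_run = run = 0
    for prev, cur in zip(free, free[1:]):
        run = run + 1 if cur < prev else 0  # any recovery resets the run
        longest_run = max(longest_run, run)
    start, end = (free[0], free[-1]) if free else (0, 0)
    fraction = (start - end) / start if start else 0.0
    return {
        "free": free,
        "consecutive_drops": longest_run,
        "drop_fraction": round(fraction, 3),
        "alert": longest_run >= min_consecutive_drops
        and fraction >= min_drop_fraction,
    }


if __name__ == "__main__":
    for name, samples in (("leak", LEAK_SAMPLES), ("healthy", HEALTHY_SAMPLES)):
        print(name, detect_leak(samples))
```

In practice you would feed this from a cron job that logs the buffer line every minute, and treat an alert as the cue to check whether the router is receiving the IPv6 traffic described above and, if so, to apply the corrected software or the family inet6 workaround.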
Reference numbers:
JTAC bulletin PSN-2006-06-017
CVE# VU#294036

Additional references:
http://www.niscc.gov.uk/niscc/docs/br-20060711-00471.html?lang=en
http://www.kb.cert.org/vuls/id/294036