
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-05-09

It's that time again!

Published: 2006-05-09
Last Updated: 2006-05-09 19:12:24 UTC
by Lorna Hutcheson (Version: 2)
Today is the day when Microsoft and many other vendors release their patches.  Here is a breakdown of Microsoft's patches and other information that hopefully will help you out.  It is a true team effort here at the ISC and I want to thank all the handlers for their help!  Good luck and happy patching (testing too of course!).

Bulletin  KB number  Supersedes  Severity  Impact
MS06-018  913580     MS05-051    Moderate  Denial of Service
MS06-019  916803     MS05-048    Critical  Remote Code Execution
MS06-020  913433     N/A         Critical  Remote Code Execution

Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)

Published: 2006-05-09
Last Updated: 2006-05-09 18:32:46 UTC
by Lorna Hutcheson (Version: 1)
MS06-019, CVE-2006-0027

Exchange admins, you will have your hands full, especially if you are running your own RIM/Blackberry Enterprise Server.  Please read the earlier entry by Johannes for details on the "gotcha" there.  This vulnerability allows for remote code execution, and it is critical that it be patched.  Here are the details as reported by Microsoft:

Maximum Severity Rating: Critical

Affected software:
  • Microsoft Exchange Server 2000 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004 (870540)
  • Microsoft Exchange Server 2003 Service Pack 1
  • Microsoft Exchange Server 2003 Service Pack 2
Workarounds:
Microsoft recommends two workarounds for this vulnerability.  Keep in mind that these workarounds can break other required functionality and cause you lots of pain.  Patching is the recommended solution.

1.  Require authentication for connections to a server that is running Microsoft Exchange Server for all client and message transport protocols.

2.  Block iCal/vCal on Microsoft Exchange Server to help protect against attempts to exploit this vulnerability through SMTP e-mail.

Vulnerability Details:
EXCDO and CDOEX functionality provided with Exchange Server does not properly process certain iCAL and vCAL properties provided in email messages.  Collaboration Data Objects for Exchange (CDOEX) and Exchange Collaboration Data Objects (EXCDO) are interfaces that allow certain types of information to be processed in the Exchange store.  Virtual Calendar (vCAL) and Internet Calendar (iCAL) are MIME content types used by Microsoft Exchange Server and email clients when sending and exchanging information related to calendars and scheduling.

In short, when the Exchange server receives a message that contains specially crafted properties for vCAL and iCAL, it allows for execution of code on the Exchange server.
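The second workaround above amounts to keeping iCal/vCal MIME parts out of the Exchange store until the patch is on.  Here is an added example (not code from the ISC diary or from Microsoft) of a gateway-side filter that flags SMTP messages carrying such parts so they can be held in quarantine; the MIME type set and file extensions it matches on are my assumptions, and the sample messages are constructed.

```python
"""Flag SMTP messages carrying iCal/vCal MIME parts (MS06-019 workaround 2).

Added example, not code from the ISC diary or from Microsoft: a gateway-side
check a mail admin could use to quarantine calendar payloads while the
Exchange patch is pending. The MIME type and extension sets are assumptions.
"""
from email import policy
from email.parser import BytesParser

# MIME types used for Internet Calendar (iCal) and Virtual Calendar (vCal)
CALENDAR_TYPES = {"text/calendar", "text/x-vcalendar"}
# Catch calendar files shipped under a generic type such as application/octet-stream
CALENDAR_EXTENSIONS = (".ics", ".vcs")

def calendar_parts(raw: bytes) -> list:
    """Return (content_type, filename) for every calendar part in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no payload of their own
            continue
        ctype = part.get_content_type().lower()
        fname = (part.get_filename() or "").lower()
        if ctype in CALENDAR_TYPES or fname.endswith(CALENDAR_EXTENSIONS):
            hits.append((ctype, fname))
    return hits

def should_quarantine(raw: bytes) -> bool:
    """Policy decision: hold any message that carries a calendar part."""
    return bool(calendar_parts(raw))

# Constructed sample messages (not real traffic)
SAMPLE_WITH_ICAL = (
    b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: Meeting\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"XYZ\"\r\n\r\n"
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nSee attached invite.\r\n"
    b"--XYZ\r\nContent-Type: text/calendar; method=REQUEST; name=\"invite.ics\"\r\n"
    b"Content-Disposition: attachment; filename=\"invite.ics\"\r\n\r\n"
    b"BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Meeting\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
    b"--XYZ--\r\n"
)
SAMPLE_PLAIN = (
    b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: Hi\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/plain\r\n\r\nNo calendar here.\r\n"
)

if __name__ == "__main__":
    for name, raw in (("ical", SAMPLE_WITH_ICAL), ("plain", SAMPLE_PLAIN)):
        print(name, "quarantine" if should_quarantine(raw) else "deliver", calendar_parts(raw))
```

Matching on the attachment extension as well as the declared type matters because a calendar file relabelled as a generic binary type would otherwise slip past a type-only rule.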

Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)

Published: 2006-05-09
Last Updated: 2006-05-09 18:32:27 UTC
by Lorna Hutcheson (Version: 1)
MS06-018, CVE-2006-0034, CVE-2006-1184

This update patches two vulnerabilities in MSDTC (CVE-2006-0034,
CVE-2006-1184). Both are denial-of-service vulnerabilities in MSDTC
that can be exploited locally or remotely with malformed messages.

These vulnerabilities are rated Moderate for Windows 2000 versus Low for
XP and 2003 because MSDTC is enabled by default on Windows 2000. The
severity is the same on the other platforms when the service is running.

There are three categories of mitigation available, but it is recommended
that the patch be applied if possible.

1.  The service can be disabled, but this can affect a number of applications such as SQL Server, Exchange, BizTalk, etc.

2.  Network access for DTC can be disabled. This can also affect services. Also, it's important to note that the vulnerability could still be exploited locally.

3.  Block network traffic with a firewall (host or network). Traffic on ports greater than 1024 would need to be blocked as well as any other configured RPC port.

Also note that this bulletin replaces MS05-051 on Windows 2000.

From Symantec:
"Although corrected in MS05-051, additional memory added in the allocator
for memory accounting was not accounted for. These additional 8 bytes can
be overwritten. These issues will kill the process and DoS the service."
(CVE-2006-1184)

(Thanks Robert for the write-up)

Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (913433)

Published: 2006-05-09
Last Updated: 2006-05-09 18:05:03 UTC
by Lorna Hutcheson (Version: 1)
MS06-020, CVE-2006-0024, CVE-2005-2628

Macromedia Flash Player Remote Code Execution
KB913433
http://support.microsoft.com/kb/913433

Adobe Security Bulletin APSB06-03
http://www.adobe.com/devnet/security/security_zone/apsb06-03.html

Adobe Security Bulletin MPSB05-07
http://www.adobe.com/devnet/security/security_zone/mpsb05-07.html

CVE-2006-0024 and CVE-2005-2628

This bulletin addresses flaws in older versions of Adobe's Flash Player.
Both have been fixed for a while by Adobe. In case you haven't yet, this
is your last chance to update Adobe Flash Player.

MS06-020 patched this vulnerability as well. However, it only patched
Flash Player 7 (or 8). If a user initially had Flash Player 6 installed,
MS06-020 was not applied. As a result, a user may have installed 7 or 8
later and ended up vulnerable. See the KB article above for
details (http://support.microsoft.com/kb/913433).

The "safe" version is 8.0.24.0 (this is currently the most recent version).

The vulnerability is exploited by viewing a crafted Flash animation.
Such an animation could be delivered via a web page, an e-mail message
or other means (P2P, Instant Messenger). If exploited, any arbitrary
command could be executed with the privileges of the user viewing
the file.

This patch should be applied quickly on all desktops. You may be able to
wait a bit on servers, or you could just uninstall Flash Player on
servers (if you never use them to browse).

(Thanks Johannes for the write-up!)

Microsoft Patch Tuesday: Expected Exchange patch problems.

Published: 2006-05-09
Last Updated: 2006-05-09 10:55:29 UTC
by Johannes Ullrich (Version: 1)
As announced by Microsoft last week, today's patches will include a patch for Microsoft Exchange. RIM (Research in Motion / Blackberry) announced that today's patch will break some functionality required by its Enterprise Server. Other third party products may be affected as well.

"this update affects user mailbox permissions by revoking the 'Send As' permission in Exchange which has an impact on third party products such as BlackBerry Enterprise Server for Microsoft Exchange. Once applied, this update will prevent users on BlackBerry Enterprise Server from sending email from a BlackBerry or BlackBerry-enabled device, however users will still receive emails on their BlackBerry device. This is due to the BlackBerry service sending emails on behalf of a user when a message is sent via the BlackBerry device."

For a workaround, see: http://support.microsoft.com/kb/912918.

Thanks to Colin and Chris for letting us know.
