
SANS ISC: InfoSec Handlers Diary Blog


Reminder about MS06-025

Published: 2006-06-27
Last Updated: 2006-06-27 03:25:32 UTC
by Kevin Liston (Version: 5)

The original patch from Microsoft caused issues with dial-up. Revised patch development was discussed by Microsoft. Exploit code is available that leverages this issue. The vulnerability allows an authenticated attacker to execute arbitrary code on unpatched Win2k, Windows 2003 and XP SP2 systems. On versions that still allow anonymous connections/null sessions, an attacker could execute arbitrary code without authentication.

UPDATE: Microsoft has released an official comment at

The gist:
MS06-025 works to protect against the published exploit.
Un-patched Windows 2000 systems are primarily at risk from this vulnerability.
Windows XP SP2, Windows Server 2003, and Windows Server 2003 SP1 require the attacker to have a valid login.
Windows 98, 98SE and ME are not affected by this vulnerability.


To clarify things a bit with some extra information we received in the meantime:

Windows 2000 Service Pack 4 and Windows XP Service Pack 1 systems are primarily at risk, as this vulnerability can be exploited by an anonymous user who needs to deliver a specially crafted message to the vulnerable system. If you are running any of these, install the patch as soon as possible.

On Windows XP Service Pack 2 and Windows 2003 systems, a user has to be authenticated (has to have valid credentials) to the system to exploit the vulnerability.

Bojan Zdrnja <bzdrnja at isc dot sans dot org>


Excel Issue Scorecard

Published: 2006-06-25
Last Updated: 2006-06-25 01:00:02 UTC
by Kevin Liston (Version: 2)
To help clearly identify the issues, exploit code and remedy related to the recently announced Excel vulnerabilities, I offer this humble correlation. This information comes from Microsoft, Mitre, and vigilant readers sending in tips. My thanks go to all.

CVE-2006-3059 aka "Excel Repair Mode"
Exploited by: Mdropper.G, Booli.A, Flux.E, Booli.B

CVE-2006-3086 aka "Long Hyperlink"
Exploited by: Urxcel.A, and three known public exploit code examples

CVE-2006-3014 aka "Shockwave vulnerability"
Exploited by proof of concept code Flemex.A
The workaround is a killbit