Update: Microsoft fixes 23 flaws, DHS urges action

By Bill Brenner, Senior News Writer
08 Aug 2006 | SearchSecurity.com


Update: IT administrators have a brutal month of patching thanks to Microsoft's Tuesday release of 12 security bulletins covering a range of problems in Windows, Office and Internet Explorer, and the government is urging quick action.

The biggest threat
Security experts agree the bulletin to take most seriously is MS06-040, which addresses a remotely exploitable buffer overrun flaw in the Windows Server Service.

In fact, even the U.S. Department of Homeland Security, which rarely involves itself in such minutiae, sent out a public advisory Wednesday urging those using Windows to install the MS06-040 patch as soon as possible. The U.S. Computer Emergency Readiness Team (US-CERT), which is operated jointly by DHS and Carnegie Mellon University, also has been briefing CIOs and CISOs on the severity of the flaw and is working with the industry ISACs to stress the importance of installing the fix.

On the patch management forum hosted by Roseville, Minn.-based Shavlik Technologies LLC, Marc Maiffret, chief hacking officer of Aliso Viejo, Calif.-based eEye Digital Security Inc., said IT professionals should focus on getting this patch deployed before any others. "This vulnerability was being actively exploited in the wild," he said, "however no previous details had been released on it publicly."

Amol Sarwate, director of Qualys' vulnerability research lab, said the flaw addressed in MS06-040 is the only one in this month's batch that an attacker could exploit without user interaction. "This is the most critical and users should take it the most seriously," he said. "But all the other critical bulletins can't be taken lightly because they are spread all over the operating system."

Exploits circulating
In all, nine of the bulletins have been deemed critical and a total of 23 security holes have been fixed in this month's release, including previously exploited Windows and PowerPoint flaws.

"With 23 flaws, this is easily one of Microsoft's largest patch releases, and this batch covers a broad range of applications," said Jonathan Bitle, manager of the technical accounts team for Redwood Shores, Calif.-based Qualys Inc. "Because we're seeing so many client-side flaws each month, we can't highlight enough the need for user education -- not just a need for patching, but for education among all employees on what kinds of Web sites and files are acceptable or not."

Microsoft described the critical flaws as those an attacker could exploit to take complete control of an affected system. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the vendor said in its advisories.

As expected, several examples of exploit code were already circulating Wednesday morning. The Bethesda, Md.-based SANS Internet Storm Center (ISC) noted on its Web site that the exploit code is designed to target the vulnerabilities described in MS06-040, MS06-042 and MS06-046.

"Those of you still testing patches ... better hurry up and get some of these fixed before you get hit," ISC handler Swa Frantzen wrote on the site.

A monster IE fix
One of the best examples is MS06-042, the latest cumulative update for Internet Explorer (IE) that fixes eight different security holes, Sarwate said. According to Microsoft, the bulletin addresses:

Two flaws in how IE handles redirects. "An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page," Microsoft said. "An attacker who successfully exploited this vulnerability could read file data from a Web page in another IE domain."

Two flaws in how IE interprets HTML with certain layout positioning combinations. "An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page," Microsoft said.

A flaw in how IE handles chained Cascading Style Sheets (CSS). "An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page," Microsoft said.

A flaw in how IE instantiates COM objects that are not intended to be instantiated in the browser. "An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page," Microsoft said.

Script can be used to access the location of a Window in another domain or Internet Explorer zone. "An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page," Microsoft said. "An attacker who successfully exploited this vulnerability could gain access to the Window location of a Web page in another domain or Internet Explorer zone."

A flaw in how IE handles specially crafted FTP links that contain line feeds. Because the FTP control channel is line-oriented, a line feed smuggled into the link can terminate the intended command and start a new one chosen by the attacker. "An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow the attacker to issue FTP server commands if a user clicked on an FTP link," Microsoft said. "An attacker who successfully exploited this vulnerability could issue server commands as the user to servers."
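The FTP line-feed problem above is a general command-injection pattern, not something specific to IE. The following is an added example, not code from the article or from Microsoft: a simulated FTP client that turns an ftp:// URL into control-channel commands the unsafe way (splicing the percent-decoded path straight into a RETR command) next to a hardened version that rejects any control character in the decoded path before it can reach the wire. The host name, the file names and the FTP session shown are constructed for the example; nothing is sent over the network.

```python
"""
Simulated FTP URL handling: unsafe splicing vs. control-character rejection.

Example code added to illustrate the bug class described in MS06-042's FTP
item; it is not the browser's code and makes no network connections.
"""
from urllib.parse import urlsplit, unquote


class UnsafeFtpUrl(ValueError):
    """Raised by the hardened path builder when a URL would corrupt the control channel."""


def server_view(wire: str) -> list[str]:
    """Model a line-oriented FTP server: one command per line terminator.

    Real servers expect CRLF, but most also accept a bare LF or CR, which is
    exactly why a single embedded line feed is enough to inject a command.
    """
    normalized = wire.replace("\r\n", "\n").replace("\r", "\n")
    return [line for line in normalized.split("\n") if line]


def _session_lines(user: str, path: str) -> list[str]:
    """The three commands a minimal client sends to fetch one file."""
    return [f"USER {user}", "TYPE I", f"RETR {path}"]


def _decoded_path(url: str) -> tuple[str, str]:
    """Split the URL and percent-decode its path, as a client must before sending it."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError(f"not an ftp URL: {url!r}")
    user = parts.username or "anonymous"
    # Note: urlsplit() strips *raw* CR/LF from the URL, but a percent-encoded
    # %0A or %0D survives splitting and only becomes a line break on unquote().
    return user, unquote(parts.path.lstrip("/"))


def naive_commands(url: str) -> list[str]:
    """UNSAFE: the decoded path goes onto the wire unchecked.

    Returns the commands as the server would parse them, so an injected
    line feed shows up as an extra command.
    """
    user, path = _decoded_path(url)
    wire = "\r\n".join(_session_lines(user, path)) + "\r\n"
    return server_view(wire)


def safe_commands(url: str) -> list[str]:
    """Hardened: refuse any path that contains a control character.

    CR, LF and NUL are the dangerous ones, but nothing below 0x20 (or DEL)
    has a legitimate place in an FTP path name, so reject the whole range.
    """
    user, path = _decoded_path(url)
    if any(ord(c) < 0x20 or c == "\x7f" for c in path):
        raise UnsafeFtpUrl(f"control character in decoded FTP path: {path!r}")
    wire = "\r\n".join(_session_lines(user, path)) + "\r\n"
    return server_view(wire)


# Constructed sample link: looks like a download of readme.txt, but the
# percent-encoded line feed (%0A) smuggles a DELE command behind it.
MALICIOUS_URL = "ftp://ftp.example.com/pub/readme.txt%0ADELE%20important.dat"
BENIGN_URL = "ftp://ftp.example.com/pub/readme.txt"


if __name__ == "__main__":
    print("naive client would send:", naive_commands(MALICIOUS_URL))
    print("safe client, benign URL:", safe_commands(BENIGN_URL))
    try:
        safe_commands(MALICIOUS_URL)
    except UnsafeFtpUrl as exc:
        print("safe client rejected link:", exc)
```

With the naive builder, the server sees four commands, the last of which is the attacker's DELE issued under the victim's credentials; the hardened builder raises before anything is sent. The check is applied to the decoded path rather than the raw URL because the encoding is the attacker's to choose, and a filter that only looks for a literal newline is bypassed by `%0A`.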

Metasploit Framework creator H.D. Moore released at least one new browser flaw a day last month as part of his self-titled "Month of Browser Bugs" project, and Sarwate believes that's why the August IE update is so large. Plus, from what he can tell, this update didn't even address all the known IE flaws.

"It will probably take Microsoft two Patch Tuesdays to fix everything," he said.

Other critical fixes
The remaining critical fixes for August are:

MS06-043, which addresses a remote code execution vulnerability in Windows that results from incorrect parsing of the MHTML protocol. "An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML email that could potentially lead to remote code execution if a user visited a specially crafted Web site or clicked a link in a specially crafted email message," Microsoft said.

MS06-044, which addresses a remote code execution flaw in the Microsoft Management Console (MMC).

MS06-046, which addresses a flaw in the HTML Help ActiveX control. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited that page," Microsoft said.

MS06-047, which addresses a flaw in how Visual Basic for Applications (VBA) checks the document properties that a host application passes to it when opening a document. Microsoft Office applications are affected by this vulnerability, Microsoft said.

MS06-048, which addresses two Microsoft PowerPoint flaws that had already been disclosed in the past month. One flaw can be exploited when a file containing a malformed shape container is parsed by PowerPoint. The other flaw could be exploited when PowerPoint parses a file containing a malformed record.

MS06-051, which addresses two flaws: a privilege elevation vulnerability in how Windows 2000 starts applications, and a flaw in how exception handling is managed on multiple applications that are resident in memory.

Three 'important' fixes
Microsoft rated three security updates as "important" this month:

MS06-045, which addresses a flaw in how Windows Explorer handles drag-and-drop events. "An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow an attacker to save a file on the user's system if a user visited a malicious Web site or viewed a malicious email message," Microsoft said.

MS06-049, which addresses a privilege-elevation flaw in Windows 2000 caused by improper validation of system inputs.

MS06-050, which addresses two flaws: an unchecked buffer in the code that is used for handling hyperlinks, and a malformed function that appears when hyperlinks are handled. An attacker could exploit the flaws by constructing a malicious hyperlink that could potentially lead to remote code execution if a user clicks a malicious link within a Microsoft Office file or email message. While this bulletin technically addresses a flaw within Windows, that flaw is the root cause of the previously disclosed, unpatched Microsoft Excel hyperlink issue that attackers could exploit to launch malicious code.
