Microsoft Patch Day for November
Microsoft released six security bulletins this morning, covering a total of 11 distinct security vulnerabilities. In rough order of most urgent to least, here we go:
Topping the list in raw urgency is MS06-066 (BID 21023 and BID 20984, CVE-2006-4688 and CVE-2006-4689). This affects everything from Win2K SP0 to XP SP2, provided that the systems have the Client Service for Netware enabled. This obviously reduces the population of vulnerable systems, but for those systems this is where you want to start. This addresses two vulnerabilities, the more severe of which is the Microsoft Windows Client Service For Netware Remote Code Execution Vulnerability. If your computers match that description, you are wide open to remote attackers, who have the opportunity to run code of their choice on your machines – until you apply the patch, of course. The vulnerable service is not installed by default, but if it has been installed and is not needed it can (and should) be removed. BID 21023 allows full compromise and working exploit code has been published, so if your network is affected this should be a priority for you.
Next up is MS06-067, a cumulative update that addresses three vulnerabilities in IE 5 and 6 (BID 19738 / CVE-2006-4446, BID 20047 / CVE-2006-4777, and BID 21020 / CVE-2006-4687). The most urgent of these issues is the Microsoft Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability (BID 20047). This is a previously known issue disclosed in September, and allows malicious Web site operators or defacers to run code using the browser’s improper handling of malformed parameters to the KeyFrame method of the DirectAnimation.PathControl object. Limited exploitation of this issue has been seen in the wild. Exploits for two of the three resolved issues are known to exist. There are multiple workarounds described in the MS Bulletin that should be followed immediately if patching is not an option right away.
MS06-071 (BID 20915 / CVE-2006-5745), the Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution Vulnerability, addresses an issue in the XML core service of Windows 2000, 2003 and XP. Like the others, this can also allow attackers to run code of their choice on the affected system. This was first publicly mentioned earlier in November when exploitation of this issue was discovered in the wild by ISS xForce. Needless to say, multiple exploits for this vulnerability are now available for download. The vector of attack is the XMLHTTP ActiveX control. In the event that patching is not possible, the control can be disabled via the kill bit – see the bulletin for complete details.
MS06-070 (BID 20985 / CVE-2006-4691), the Microsoft Windows Workstation Service NetpManageIPCConnect Remote Code Execution Vulnerability, had the potential to be the most severe issue this month (initially). Longer-than-expected hostnames sent in RPC transactions to W2K and XP targets could result in the execution of attacker-supplied code at the SYSTEM privilege level, making this a prime candidate for automated and self-replicating exploitation. However, (thankfully) it can only be exploited by users already possessing Administrator rights on XP. Windows 2000 machines can be compromised by anonymous attackers, however, so this is still a serious threat on that platform. Exploits are not known to exist publicly at this time.
MS06-068 (BID 21034 / CVE-2006-3445) was published to address a vulnerability in the Microsoft Agent ActiveX control. This vulnerability could allow arbitrary code to be run at the privilege level of the browser via a malicious ACF file. Exploits for this issue are not known to exist, and the usual ActiveX workarounds apply.
And finally, we have MS06-069 (BID 19980 / CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640; BID 18894 / CVE-2006-3587, CVE-2006-3588), which details several issues in the Adobe Flash Player included in Windows XP.
All of the bulletins released today can be found at: http://www.microsoft.com/athome/security/update/bulletins/20061